An Investigation of Factors Influencing the Use of Computer-Related ...

Name /9671/05

05/20/2009 04:15PM

Plate # 0

JIS (AAA)

JOURNAL OF INFORMATION SYSTEMS Vol. 23, No. 1 Spring 2009 pp. 000–000

An Investigation of Factors Influencing the Use of Computer-Related Audit Procedures Diane Janvrin Iowa State University James Bierstaker Villanova University D. Jordan Lowe Arizona State University ABSTRACT: We provide data on the extent to which computer-related audit procedures are used and whether two factors, control risk assessment and audit firm size, influence computer-related audit procedures use. We used a field-based questionnaire to collect data from 181 auditors representing Big 4, national, regional, and local firms. Results indicate that computer-related audit procedures are generally used when obtaining an understanding of the client system and business processes and testing computer controls. Furthermore, 42.9 percent of participants indicate that they relied on internal controls; however, this percentage increases significantly for auditors at Big 4 firms. Finally, our results raise questions for future research regarding computer-related audit procedure use. Keywords: computer-related audit procedures; IT specialists; control risk assessment; firm size. Data Availability: Data used in this study are available from the first author upon request.

A

I. INTRODUCTION dvances in client information technology (IT) are rapidly changing the way auditors evaluate control risk and recent audit standards suggest that control risk may influence computer-related audit procedure use when examining clients with complex

We appreciate the helpful comments of Joseph Brazel, Mary Curtis, Julie Smith David, William Dilla, Julie Anne Dilley, Stephanie Farewell, Gary Hackbarth, Frank Hodge, Cynthia Jeffrey, Eric Johnson, Brian Mennecke, Bill Messier, Ed O’Donnell, Kurt Pany, G. Premkumar, Sue Ravenscroft, Janet Samuels, Dan Stone, Tony Townsend, Scott Vandervelde, Kristi Yuthas, two reviewers, and participants in the Iowa State Accounting / Finance Research Seminar Series, the 2005 Information Systems New Scholars Workshop, and the 2007 Auditing Section Midyear Meeting. Finally, we gratefully acknowledge the assistance of Sarah Erdmann, Krissy Gronborg, Cory Heilmann, Jon Hobbs, Breanne Kruger, Omar Torren, Allan Trapp, Pat Wagaman, Katie Wallace, Tara Wilkins, the AICPA, and the study participants.

1

pg 1 # 1

Name /9671/05

05/20/2009 04:15PM

Plate # 0

2

JIS (AAA)

Janvrin, Bierstaker, and Lowe

IT1 (AICPA 2001; PCAOB 2007). For example, SAS No. 94 alerts auditors that assessing control risk at maximum and relying only on substantive testing may not be effective for clients with complex IT (AICPA 2001). Instead, auditors are advised to consider using computer-related audit procedures, including IT specialists, when they obtain an understanding of client internal controls during audit planning (AICPA 2008, AU 319.29-32). Moreover, the Public Company Accounting Oversight Board’s (PCAOB) Auditing Standard No. 5 requires auditors of all publicly traded companies to express an opinion on the effectiveness of the client’s internal control system over financial reporting (PCAOB 2007). This study examines the extent to which computer-related audit procedures are used and whether two factors, control risk assessment and audit firm size, influence computer-related audit procedure use. Audit firm size may impact the use of computer-related audit procedures given that clients of Big 4 firms are more likely than those of smaller firms to have more complex IT. Previous research has not addressed the extent to which firm size affects the use of computer-related audit procedures. Moreover, recent research suggests that national audit firms have gained market share in the post-Andersen period (Cassell et al. 2007; Krishnan et al. 2008). National firms’ clients are likely to have more complex IT than local or regional firms, but less than Big 4 firms. Therefore, an open question is whether national firms’ use of computer-related audit procedures resembles that of the Big 4 firms or smaller firms? We examine computer-related audit procedure use, as well as how control risk assessment and audit firm size influences use, via a field-based instrument. The instrument was completed by 181 auditors representing Big 4, national, regional, and local firms. Results suggest that computer-related audit procedures are generally used when obtaining an understanding of the client systems and business processes and when testing application and general computer controls. Moreover, 42.9 percent of participants assess control risk less than maximum, which is almost double the rate found in previous research based on a single international audit firm (Waller 1993). In engagements where control risk is assessed at less than maximum, computer-related audit procedures and IT specialists are more likely to be used, than when control risk is assessed at maximum. Findings indicate that in engagements involving Big 4 audit firms, control risk is more likely to be assessed at less than maximum and computer-related audit procedures and IT specialists are more likely to be used than in engagements involving smaller audit firms. Furthermore, while auditors employed by national audit firms are more likely to have control risk assessed below maximum than those working for smaller audit firms, use of computer-related audit procedures is surprisingly similar. This study fills a void in the research by examining how control risk and audit firm size impact computer-related audit procedure use. These factors are important given that: (1) failure to consider control risk for clients with complex IT may lead to audit efficiency and effectiveness issues (AICPA 2001; Mock and Wright 1999), (2) standards suggest that auditors consider control risks during planning when they examine clients with complex IT (AICPA 2001, 2002b), and (3) understanding the degree to which auditors consider control risks given advances in client IT and newer audit methodologies may provide guidance to the PCAOB’s Standing Advisory Group and the Auditing Standards Board as these groups examine new risk-based standards (AICPA 2006; PCAOB 2007). Furthermore, this

1

Current audit standards use the term clients with complex, highly integrated financial reporting systems (AICPA 2008, AU 319.16). For parsimony, we shorten this term to clients with complex IT.

Journal of Information Systems, Spring 2009

pg 2 # 2

Name /9671/05

05/20/2009 04:15PM

Plate # 0

pg 3 # 3

JIS (AAA)

An Investigation of Factors Influencing the Use of Computer-Related Audit Procedures

3

study provides evidence that audit firm size is a significant factor related to the use of computer-related procedures, and the degree to which audit procedures are altered in response to control risk assessments and client IT complexity. The remainder of the paper is organized as follows. In the next section we review relevant literature and develop research questions. Next, we discuss the methodology of our study. In the following section we present results and offer future research questions from our findings. Finally, we discuss the implications of the study and offer additional research directions. II. LITERATURE REVIEW AND RESEARCH QUESTION DEVELOPMENT PCAOB Auditing Standard No. 5 provides increased emphasis on examining the effectiveness of the client’s internal control system over financial reporting. More specifically, this standard advises auditors to examine the extent of IT in the year-end financial reporting process. In their examination, financial auditors often examine clients with complex IT. Regulatory standards codify how increased client IT use and related risks may influence the use of computer-related audit procedures (AICPA 2001, 2002a, 2002b, 2002c). For instance, SAS No. 94 describes how client IT impacts auditors’ consideration of internal controls and suggests that auditors include client IT when assessing risk (AICPA 2001, AU 319.39). Auditors are expected to gain an understanding of client systems and business processes by examining (1) significant transactions supporting the client’s financial statements, (2) procedures used to initiate, record, process, and report transactions, (3) means by which client’s systems capture events and conditions (other than transactions), and (4) processes used to prepare client financial statements (AICPA 2001, AU 319.49-51). Auditors are also encouraged to review automated controls (AICPA 2001, AU 319.44, 319.45). Given the importance of these controls, auditors need to determine if these controls are functioning as intended and are continuing to operate effectively (AICPA 2001, AU 319.78). Automated controls include both application and general controls (e.g., program change controls, access controls, and systems software controls). The new audit risk standards (AICPA 2006) expand upon several SAS No. 94 concepts. For instance, the standard on audit evidence suggests that auditors employ computer-assisted audit techniques (CAATs) to check the accuracy of the summarization of a file or to re-perform procedures (i.e., aging of accounts receivable, etc.; AICPA 2006, AU 308.33-34). Furthermore, SAS No. 99 codifies certain fraud detection procedures that relate to client IT evaluation. For example, auditors are encouraged to consider how a client may use IT to commit a fraud. Auditors may use computerized audit application techniques (CAATs) to evaluate these fraud risks (AICPA 2002b, AU 316.52) and identify journal entries and other adjustments to be tested (AICPA 2002b, AU 316.61; Lanza and Gilbert 2007). Finally, there may be certain circumstances (i.e., significant client IT-related risks and/ or limited auditor IT expertise) in which it is necessary to use an IT specialist (Hunton et al. 2004). For instance, as suggested by the planning and supervision standard, auditors may elect to use IT specialists to perform the following procedures: (1) inquiry of client IT personnel about how transactions are initiated, recorded, processed, and reported, and how IT controls are designed, (2) inspect systems documentation, (3) observe the operation of IT controls, and (4) plan and perform tests of IT controls (AICPA 2006; AU 314.15).


Name /9671/05

05/20/2009 04:15PM

Plate # 0

4

JIS (AAA)


Research Questions During evidence planning, auditors determine the nature, timing, and extent of audit procedures based upon the results of the risk assessment process.2 Prior research, however, yields conflicting results regarding whether audit plans reflect these risk assessments. Several archival studies have been conducted to assess whether evidential planning is adaptive to variations in risk assessment (see Bedard 1989; Elder and Allen 2003; Johnstone and Bedard 2001; Mock and Wright 1993, 1999). Overall, the results from these archival studies suggest that audit program plans are not appropriately risk-adjusted in practice, and specifically, that control risk assessment has very little if any influence on subsequent audit plans. Experimental studies have also been performed in this area. Bedard and Wright (1994) report that program plans are not closely related to risks while Wright (1988) finds evidential plans are adjusted to address increases in risk, but the adjustment may be inefficient. Hill (2001) suggests that auditors are sensitive to prior error information in adjusting audit plans. Finally, Bierstaker and Wright (2005) report that partner’s efficiency preferences potentially interact with risk assessments and subsequent audit plan adjustments. In other words, auditors may be reluctant to increase planned hours and tests when efficiency pressure is high, even if risks are high. It is important to note that the majority of these prior studies focused only on Big 4 firms. In this study, we assess whether control risk assessment leads to differential use of computer-related audit procedures for clients with complex IT. We conjecture that for these clients, auditors may be more likely to rely on controls and use computer-related audit procedures. For example, auditors may be unable to evaluate clients with complex IT without obtaining electronic records from the client or using CAATs. Moreover, regulatory standards encourage the use of CAATs in the process of understanding and auditing controls and suggest that client IT considerations be reflected in risk assessments (AICPA 2001, 2006). Alternatively, some may argue that high IT complexity influences some auditors to seek non-CAAT audit solutions because auditors cannot adequately deal with this level of complexity. Given that prior research has found conflicting results regarding whether program plans are subsequently adapted to risks and, further, that little if any research has directly examined the relationship between control risk assessments and computer audit procedures, we propose the following research question: RQ1a: When examining clients with complex IT, does the use of computer-related audit procedures vary by control risk assessment? Computer-related audit procedures vary from requesting that the client provide electronic records to testing automated and general controls to use of IT specialists. The use of IT specialists has recently attracted significant research interest (Brazel 2005; Brazel and Agoglia 2007; Curtis and Viator 2000; Hunton et al. 2004), some of which suggests that IT specialists may be underused (Carmichael 2004). SAS No. 94 suggests that auditors consider several factors when deciding whether to use IT specialists. These factors include: (1) the complexity of the client’s IT, (2) the significance of changes made to existing client systems or implementation of new systems, (3) the extent to which data is shared among 2

Nature refers to the specific type of audit procedures selected to gather evidence about an account or area. Timing refers to when the audit procedures are performed (interim or year-end). Extent refers to the amount or scope of testing (Bedard et al. 1999, 96).


pg 4 # 4

Name /9671/05

05/20/2009 04:15PM

Plate # 0

pg 5 # 5

JIS (AAA)


5

client systems, (4) the client’s use of emerging technologies, and (5) the significance of audit evidence that is available only in electronic form (AICPA 2008, AU 319.31). Theoretically, these factors are related to control risk. Hence we investigate: RQ1b: When examining clients with complex IT, does the use of an IT specialist vary by control risk assessment? Larger audit firms have more resources available to them and have a larger international base of operations in which to respond to current developments and clients’ needs than smaller firms (Gist and Davidson 1999; Palmrose 1986). These differences may enable larger firms to provide IT-related audit training and to better use computer-related audit procedures. Larger audit firms may be more adaptive and more likely to adjust their audit procedures to changes in client IT by incorporating more computer-related procedures. Of particular note is the use of IT specialists. Since larger firms generally have more resources, they may be more likely to develop, support, and employ IT specialists than smaller firms. Furthermore, auditors employed by larger firms are more likely to audit larger clients who possess more complex IT. Given the fact that audit standards advise auditors to rely more heavily on internal controls for clients with complex IT (AICPA 2001), we surmise that computer-related audit procedures use may vary by firm size. Since most prior research has focused on Big 4 firms, it is unclear to what extent auditors employed by national firms will use computer-related audit procedures and IT specialists when examining clients with complex IT.3 Therefore, the following research questions are posed: RQ2a: When examining clients with complex IT, does the use of computer-related audit procedures vary by firm size? RQ2b: When examining clients with complex IT, does the use of an IT specialist vary by firm size? III. METHOD Participants Participants included 181 auditors representing Big 4, national, regional, and local firms from geographically different regions of the U.S. One researcher attended an AICPA training seminar to obtain responses from 109 auditors from national, regional, and local firms. We also contacted local offices of each Big 4 firm and one national firm. From these contacts, we collected data from 72 auditors. As shown in Table 1, participants averaged 12.7 years of financial audit experience and their average age was 36.5 years. Many participants (86.2 percent) held CPA certificates. The majority of the participants (71.0 percent) were male. Participants worked for a variety of firms; 36.7 percent of participants were employed at local firms, 14.7 percent at regional firms, 17.5 percent at national firms, and 31.1 percent at Big 4 firms. Instrument Development and Validation In developing our field-based instrument, we sought several sources in which to obtain credible evidence on computer-related audit procedure use, including use of IT audit specialists and whether control risk assessment and audit firm size are associated with use. 3

Recent research (Cassell et al. 2007) suggests that national audit firms have gained market share in the postAndersen period.


Name /9671/05

05/20/2009 04:15PM

Plate # 0

pg 6 # 6

JIS (AAA)

6


TABLE 1 Participant Demographics Total Responses Years as an External Auditor

a

Agea

12.7 (9.4) 36.5 (10.0)

Big 4 Firms 8.0 (7.9) 31.0 (7.3)

National Firms

Regional Firms

Means (Std. Dev.) 10.0 15.7 (9.7) (7.8) 33.9 40.2 (10.4) (9.1)

Local Firms 16.5 (8.8) 40.7 (9.4)

Frequencies (Percent) Highest Education Levela Bachelor’s Degree Master’s Degree and Beyond Certificationa,b Certified Public Accountant Other (CIA, CISA, CMA, CFE, CFP, etc.) Gender a Male Female Audit Firm Sizea IT Expertisea Novice Intermediate Expert a b

149 (82.8%) 31 (17.2%) 156 11

43 (78.29%) 12 (21.8%) 40 1

27 (87.1%) 4 (12.9%) 24 0

24 (92.3%) 2 (7.7%) 26 3

53 (81.5%) 12 (18.5%) 63 5

127 (71.0%) 52 (29.0%) 181

38 (69.1%) 17 (30.9%) 55 (31.1%)

19 (61.3%) 12 (38.7%) 31 (17.5%)

20 (76.9%) 6 (23.1%) 26 (14.7%)

48 (75.2%) 16 (25.0%) 65 (36.7%)

30 (16.7%) 127 70.5%) 23 (12.8 %)

9 (16.4%) 44 (80.0%) 2 (3.6%)

6 (19.4%) 21 (67.7%) 4 (12.9%)

4 (15.4%) 18 (69.2%) 4 (15.4%)

11 (17.2%) 40 (62.5%) 13 (20.3%)

One or more participants did not answer question. Participants could list more than one certification.

Specifically, we examined SAS Nos. 94, 96, 99, 100 and various audit risk standards for computer-related audit procedures and recommendations for IT audit specialist use. We employed a broad definition of computer-related audit procedures that included procedures used to examine client general and application IT controls as well as CAATs. To the degree possible, we used audit standard wording in our field-based instrument. For example, the wording in the instrument describing computer-related procedures to obtain understanding of client systems and business processes is from SAS No. 94 (i.e., AICPA 2008, AU 319.49). Measurement Issues As noted above, since computer-related audit procedure use varies significantly by audit, pilot tests indicated that due to the wide diversity of client IT, participants would Journal of Information Systems, Spring 2009

Name /9671/05

05/20/2009 04:15PM

Plate # 0

pg 7 # 7

JIS (AAA)


7

have difficulty determining their typical client. Therefore, we asked participants to select one client with highly computerized systems and indicate if they used each audit procedure for that selected client, rather than for a typical client. To measure control risk assessment, participants indicated whether they assess control risk below maximum level due to the highly computerized transaction and financial reporting systems for the selected client.4 Consistent with recent research on client IT and audit planning (Bedard et al. 2005), we measure computer-related audit procedure use, including IT specialists, at the individual auditor level. Obtaining audit procedure use data at the firm level is impractical and would be less sensitive to individual client attributes.5 We used two measures of IT specialist use. First, participants indicated if they used an IT specialist during the audit for the selected client. Second, participants indicated if they used an IT specialist to perform four specific audit procedures (i.e., inquire of client IT personnel, inspect systems documentation, observe IT control operations, and test IT controls) for the selected client. Audit firm size is measured with four categories: Big 4, national, regional, and local. Prior research generally compares data from Big 4 firms to smaller firms (Manson et al. 1997, 1998). While it is commonly known that large CPA firms have made significant investments in IT (Banker et al. 2002; O’Donnell and Schultz 2003), little descriptive research exists that documents use of computer-related audit procedures and IT audit specialists by non-Big 4 firms. Finally, we added two covariates to our logistic regressions: client IT complexity and external audit experience. Since IT use may vary by client IT complexity, we asked participants to rate the IT complexity for their selected client on a seven-point scale where 1 ⫽ manual processing and 7 ⫽ highly automated financial reporting system. Also, previous research has found IT use to vary by external audit experience (e.g., Curtis and Viator 2000; Hunton et al. 2004; Viator and Curtis 1998). IV. RESULTS Descriptive Statistics Table 2 displays the demographics and audit characteristics for the selected clients. The audits were conducted between 2003 and 2005. Client asset size varies greatly with the average reported at $1.8 billion in assets.6 On average, participants rated the IT complexity for their selected client as 5.3 on the seven-point scale described above. Sixty-four percent classified the role of information technology in the selected client as being used to provide information to empower management and employees (i.e., informate up/down [Chatterjee et al. 2001]). Approximately 43 percent of participants assessed control risk below the maximum level when examining clients with complex IT. Thirty-eight percent spent one to three weeks on the audit, 32 percent spent one month, and 30 percent spent greater than two months. 4

5

6

As a result, only control risk related to system complexity is measured here. This provides a strong examination of our research questions because materiality differences due to non-IT factors are controlled. Consistent with prior research (Apostolou et al. 2001; Lowe and Reckers 2000; Sprinkle and Tubbs 1998), participants also rated the importance of each procedure in a typical audit of a client with highly computerized transaction and financial reporting systems on a seven-point scale with endpoints of 1 ⫽ not important and 7 ⫽ very important. The two measures for each individual audit procedure, importance and use, were highly statistically correlated with Pearson correlation coefficients ranging from 0.55 for obtaining electronic records to 0.74 for evaluating general access controls. Results for importance using ANCOVA rather than logistic regression analysis (since importance was collected using a seven-point scale) were qualitatively similar to those reported in the paper. As expected, client asset size is statistically significantly correlated with audit firm size (r ⫽ 0.52; p ⬍ 0.0001).


Name /9671/05

05/20/2009 04:15PM

Plate # 0

pg 8 # 8

JIS (AAA)

8


TABLE 2 Selected Client Demographics and Audit Characteristicsa Panel A: Selected Client Demographics Total Big 4 Responses Firms Average Client Asset Size IT Complexity for Clientb

National Firms

Regional Firms

Local Firms

Means (Std. Dev.) $1.8 billion $16.6 billion $2.6 billion $145 million $99 million ($10.4 billion) ($47.6 billion) ($11.8 billion) ($165 million) ($202 million) 5.29 5.69 5.18 5.06 5.06 (1.16) (1.10) (0.77) (1.24) (1.27) Frequencies (Percent)

Role of IT in Client c,d Automate Informate up / down Transform

47 (29.8%) 101 (63.9%) 10 (6.3%)

15 (28.3%) 34 (64.2%) 4 (7.65%)

8 (30.8%) 16 (61.5%) 2 (7.7%)

6 (26.1%) 16 (69.6%) 1 (4.3%)

18 (34.0%) 32 (60.4%) 3 (5.6%)

National Firms

Regional Firms

Local Firms

Panel B: Characteristics of Audit of Selected Client Total Responses

Big 4 Firms

Frequencies (Percent) Assessed control risk below maximum level due to selected client’s highly computerized transaction and financial reporting systemsd Yes 75 34 15 7 15 (42.9%) (61.8%) (51.7%) (26.9%) (24.6%) No 100 21 14 19 46 (57.1%) (38.2%) (48.3%) (73.1%) (75.4%) Time Spent on Annual Audit of Selected Clientd 1 to 3 Weeks 60 2 6 13 37 (38.0%) (3.7%) (46.2%) (50.0%) (60.7%) 1 Month 51 19 6 8 17 (32.0%) (35.2%) (46.2%) (30.8%) (27.9%) ⬎ 2 Months 47 33 1 5 7 (30.0%) (61.1%) (7.6%) (19.2%) (11.4%) Evidence Collection Method for Selected Clientd Paper Evidence 15 0 1 4 9 Only (8.7%) (0%) (3.6%) (15.4%) (14.8%) Both Paper and 156 54 26 22 51 Electronic (90.2%) (100.0%) (92.8%) (84.6%) (83.6%) Evidence Electronic 2 0 1 0 1 Evidence Only (1.1%) (0%) (3.6%) (0%) (1.6%) Made changes to information requests and / or audit procedures due to selected client’s electronic data retention policiesd Yes 60 18 11 6 23 (34.7%) (33.3%) (39.3%) (23.1%) (37.7%) No 113 36 17 20 38 (65.3%) (66.7%) (60.7%) (76.9%) (62.3%) (continued on next page) Journal of Information Systems, Spring 2009

Name /9671/05

05/20/2009 04:15PM

Plate # 0

pg 9 # 9

JIS (AAA)

9

An Investigation of Factors Influencing the Use of Computer-Related Audit Procedures TABLE 2 (continued) Total Responses

Big 4 Firms

National Firms

Regional Firms

Frequencies (Percent) Use of IT specialist during audit of selected clientd Yes 77 50 8 10 (44.8%) (90.9%) (27.6%) (38.5%) No 95 5 21 16 (55.2%) (9.1%) (72.4%) (61.5%)

Local Firms

8 (13.6%) 51 (86.4%)

a

Participants were asked to select one client with highly computerized transaction and financial reporting systems that they audited within the last year. Demographics for these selected clients and audit characteristics are reported. b Participants rated the IT complexity for their selected client where 1 ⫽ manual processing and 7 ⫽ highly automated financial reporting system. c Participants were told that automate refers to IT replacing human labor by automating business processes; informate up / down indicates IT provides data / information to empower management and employees; transform refers to IT fundamentally altering traditional ways of doing business by redefining business processes and relations. d One or more participants did not answer question.

Forty-five percent responded that an IT specialist was used during the selected audit. The most common evidence collection method was using both paper and electronic methods (90.2 percent) versus using strictly paper evidence (8.7 percent) or only electronic evidence (1.1 percent). Finally, standards suggest that auditors may be required to make changes to information requests and/or audit procedures due to client electronic data retention policies.7 A majority of our participants (65.3 percent) did not make changes to information requests and/or audit procedures due to the selected client’s electronic data retention policies. Descriptive statistics indicate that audit procedure use varies significantly by audit phase (see Panel A of Table 3). Use was high during the audit planning phase as most participants consider client IT in the risk assessment process (RiskAssessment) (88.2 percent), obtain an understanding of client system and business processes (ranging from 82.6 percent for reviewing processes used to prepare the client’s financial statements, ProcessesToPrepareFinancialStatements, to 94.8 percent for examining significant transactions supporting the client’s financial statements, SignificantTransactionsSupportingStatements), and request that their client provide electronic records (RequestClientElectronicRecords, 93.1 percent). Use during control testing was lower as the percent of participants that use automated, application, and general controls varied from 54.1 percent for testing automated controls to determine if they function effectively throughout the audit period (AutomatedControlEffectiveness) to 72.0 percent for evaluating access controls (AccessGeneralControl). However, fewer participants used CAATs for substantive testing (ranging from 35.3 percent to 54.8 percent). Finally, as shown in Panel B of Table 3, of the participants who used IT specialists when examining clients with complex IT, 76.0 percent used IT specialists to plan and perform IT control tests (SpecialistTestITControls), 85.3 percent 7

For example, if a client retains supporting documentation electronically for specific account balances for only six months, the auditor needs to either adjust his / her data collection plan or audit procedures accordingly.


Name /9671/05

05/20/2009 04:15PM

Plate # 0

pg 10 # 10

JIS (AAA)

10


TABLE 3 Descriptive Statistics: Procedure and IT Specialist Use Percentage Panel A: Audit Procedures

Include client technology considerations in risk assessment process (RiskAssessment) Obtain Understanding of Client System and Business Processes by Examining: ● Significant transactions supporting the client’s financial statements (SignificantTransactionsSupportingStatements) ● Procedures and records (both automated and manual) to initiate, process, and report significant transactions (ProceduresToProcessTransactions) ● How system captures events and conditions (other than transactions) that are significant to the financial statements (HowSystemCapturesEvents) ● Processes used to prepare the client’s financial statements (including significant accounting estimates and disclosures) (ProcessesToPrepareFinancialStatements) Test Automated Controls to Determine if They: ● Function as intended (AutomatedControlFunction) ●

Continue to function effectively throughout the audit period (AutomatedControlEffectiveness) ● Evaluate client computer controls related to specific applications (ApplicationControl) Evaluate the Following Client General Computer Controls: ● Program change controls (ProgramChangeGeneralControl) ● ●

Access controls (AccessGeneralControl) Systems software controlsb (SystemsSoftwareGeneralControl) Use Computer-Assisted Audit Techniques (CAATs) to: ● Evaluate fraud risks (EvaluateFraudRisksCAAT) ● Identify journal entries and other adjustments to be tested (IdentifyJournalEntriesCAAT) ● Check accuracy of electronic files (CheckFileAccuracyCAAT) ● Re-perform procedures (i.e., aging of accounts receivable, etc.) (RePerformProceduresCAAT) ● Select sample transactions from key electronic files (SelectSampleTransactionsCAAT) ● Sort transactions with specific characteristics (SortTransactionsCAAT) ● Test an entire population instead of a sample (TestEntirePopulationCAAT) ● Obtain evidence about control effectiveness (ObtainControlEffectivenessEvidenceCAAT) ● Evaluate inventory existence and completeness (EvaluateInventoryCAAT) Request that client provide electronic records to examine (RequestClientProvideElectronicRecords)

Reference in Standard

Use in Selected Client Percenta

AU 318.15

88.17

AU 319.49

94.80

AU 319.49

93.64

AU 319.49

83.04

AU 319.49

82.56

AU AU AU AU AU

319.29, 319.78 319.29, 319.78 319.44

65.90

AU AU AU AU

319.45, 319.96 319.45 319.45

72.02 60.71

AU 316.52 AU 316.64

37.87 49.11

AU 308.33

54.76

AU 308.34

41.32

AU 327.19

51.79

AU 327.19

49.40

AU 327.19, AU 327.61 AU 327.27

35.33 35.50

AU 316.54

35.93

AU 314.11

93.10

54.07 66.27 60.36

(continued on next page) Journal of Information Systems, Spring 2009

Name /9671/05

05/20/2009 04:15PM

Plate # 0

pg 11 # 11

JIS (AAA)

11

An Investigation of Factors Influencing the Use of Computer-Related Audit Procedures TABLE 3 (continued) Panel B: Use IT Audit Specialistc

●

● ● ●

To inquire of client’s IT personnel about how data and transactions are initiated, recorded, processed, and reported, and how IT controls are designed (SpecialistInquiryClientPersonnel) To inspect system documentation (SpecialistInspectSystemDocumentation) To observe the operation of IT controls (SpecialistObserveITControlsOperations) To plan and perform tests of IT controls (SpecialistTestITControls)

Reference in Standard

Use in Selected Client Percenta

AU 319.32, AU 314.15

90.41

AU AU AU AU AU AU

86.67

319.32, 314.15 319.32, 314.15 319.32, 314.15

85.33 76.00

a

Percentage of participants that indicated they used procedure when auditing selected client. Systems software controls refer to general computer controls over the operating systems and utility programs that manage the computer resources. c Includes only participants who initially indicated that they used IT audit specialists on selected audit as shown in Table 2. Two participants failed to answer these questions. b

to observe the operation of IT controls (SpecialistObserveITControlOperations), 86.7 percent to inspect system documentation (SpecialistInspectSystemDocumentation) and 90.4 percent to inquire about client’s IT processing (SpecialistInquiryClientPersonnel).8 Implications for Future Research Our descriptive results suggest that computer-related audit procedure use varies by audit phase. Future research examining why computer-related audit procedure use is higher during audit planning and control testing than during substantive testing may be warranted. Perhaps, in order to evaluate controls, many of which are embedded in the client’s IT, auditors have no choice but to use computer-related audit procedures. However, in the substantive testing phase, auditors used a mix of procedures, despite potential advantages of using computer-related procedures (i.e., continuous auditing). Future research could examine why the use of CAATs in general and IT specialists is somewhat low. For example, perhaps individual auditors are uncomfortable with certain computer-related procedures because of their own IT knowledge limitations, suggesting more education and/or training in this area is needed. The level of training and support that auditors receive from their firm may govern the extent to which CAATs are used. This may be coupled by a scarcity of IT specialists, the degree to which subordinates have discretion regarding the extent to which they comply with the requests of their managers (Kennedy et al. 2008), or perhaps there is no need for more IT specialists (Hunton et al. 2004). Alternatively, is it more of a function of firm-wide policy, including recommendedversus-required audit procedures such as CAATs (Venkatesh et al. 2003) or budget time frame issues as examined in Curtis and Payne (2008)? Thus, future research could rely on information systems theories such as technology acceptance model (Davis 1989), theory of planned behavior (Ajzen 1991; Taylor and Todd 1995), innovation diffusion theory (Moore and Benbasat 1991), or social cognitive theory (Compeau and Higgins 1995) to examine 8

Two participants who indicated they used IT specialists in Table 2 failed to provide responses when asked to indicate which specific audit procedures IT specialists performed.


Name /9671/05

05/20/2009 04:15PM

Plate # 0

12

JIS (AAA)


if CAATs use is related to the IT knowledge of the individual auditor, the skill set of the IT specialist, the amount of training and support provided by the audit firm, the budget timeframe, or perceived lack of need or limitations inherent with current CAATs. RQ1 Findings Our first research question examines whether computer-related audit procedure use varies by control risk assessment. Descriptive statistics presented in the first two columns in Table 4 suggests that, in general, auditors who assessed control risk below maximum are more likely to use computer-related auditor procedures. Further, we ran logistic regressions for each IT with use as our dependent variable, control risk and firm size as the independent variables, and client IT complexity and external audit experience as covariates.9 To determine if computer-related audit procedure use varies by control risk assessment when examining clients with complex IT (i.e., RQ1a), we examine the odds ratio for control risk as shown in the second column in Table 5. To illustrate the odds ratio of 2.797 to 1 for RiskAssessment suggests that holding all other variables constant, participants who assessed control risk below maximum are approximately three times more likely to include client technology considerations in the risk assessment process than those who did not rely on controls. Results suggest that in complex IT environments when auditors relied on controls (that is assessed control risk below maximum), they were more likely to use computer-related audit procedures. Specifically, Panel A indicates that participants who relied on controls were more likely to consider client IT issues to test application controls and access general controls, and to use CAATs for several tasks. Similarly, to examine if use of IT specialists is associated with control risk assessment when examining clients with complex IT (i.e., RQ1b), we ran logistic regressions for each audit procedure using IT specialists with use as our dependent variable, control risk and firm size as the independent variables, and client IT complexity and external audit experience as covariates.10 Logistic regression results (see Panel B of Table 5) found no differences in audit procedure use between those respondents who use IT audit specialists and assess control risk below maximum and those who assess control risk as maximum. Implications for Future Research These results suggest that auditors are more likely to use computer-related audit procedures when they rely on internal controls. However, results vary as to which computerrelated procedures were significantly related to internal control reliance. Future research is needed to investigate why some computer-related procedures were significantly related to internal control reliance (i.e., evaluate fraud risks), while others were not (i.e., inventory evaluation). Perhaps some tasks still require some manual procedures (i.e., inventory observation) whereas others have specific software applications developed for them (i.e., client risk assessments). In addition, future research could examine if there is a general trend to use more computer-related audit procedures as client IT becomes increasingly complex over time. Moreover, if auditors tend to rely more on client controls in complex IT environments, 9

10

External audit experience was not statistically significant for each audit procedure, thus we do not report its odds ratio in Table 5. In addition, cross-tabulating IT specialist use and control risk assessment finds that 46 of the 74 participants (62 percent who assess control risk below maximum also use IT specialists while only 31 of the 98 participants (32 percent) who assess control risk at maximum used IT specialists. One participant who accessed control risk below maximum and two participants who accessed control risk at maximum did not answer the question regarding IT specialist use. Chi-Square results indicated that this relation is statistically significant (Chi-Square value ⫽ 15.9; p ⫽ 0.0001).


pg 12 # 12

RiskAssessment Obtain Understanding of System and Processes by Examining SignificantTransactionsSupportingStatements ProceduresToProcessTransactions HowSystemCapturesEvents ProcessToPrepareFinancialStatements Test Automated Controls to Determine if They: AutomatedControlFunction AutomatedControlEffectiveness ApplicationControl Evaluate the Following General Computer Controls ProgramChangeGeneralControl AccessGeneralControl SystemsSoftwareGeneralControl

97.10 95.89 94.52 86.11 88.89 80.82 68.49 83.10 72.86 85.71 71.43

83.33 93.81 93.81 81.25 77.32 55.67 43.75 54.74 52.08 63.16 53.68

Percent of Participants in Each Control Risk Group Using Specific IT Assessed Control Assessed Control Risk at Maximum Risk below Maximum

90.57 94.34 83.02

57.14 67.86 57.14

65.52 41.38 64.29

93.10 93.10 79.31 82.76

85.19

41.38 56.14 50.88

52.54 40.68 51.72

89.83 91.53 74.58 72.88

83.05

(continued on next page)

52.00 72.00 48.00

56.00 44.00 58.33

99.90 92.00 83.33 68.00

80.00

Plate # 0

85.45 81.48 87.04

98.18 96.36 92.73 98.18

98.15

Percent of Participants from Each Firm Size Group Using Specific IT Big 4 National Regional Local Firms Firms Firms Firms

05/20/2009 04:15PM

Panel A: Audit Proceduresa

TABLE 4 Descriptive Statistics: Percent of Participants from Each Control Risk Assessment and Firm Size Group Using IT

Name /9671/05

JIS (AAA) pg 13 # 13


13



b

a

95.74 93.88 91.84 83.67

Complete descriptions of each audit procedure are shown in Table 3. Includes only participants who initially indicated that they used IT audit specialists on selected audit as shown in Table 2.

90.91 88.64 88.64 84.09

16.00 36.00 54.17 37.50 41.67 41.67 32.00 20.00 13.04 92.00

22.03 25.42 38.98 28.81 45.76 42.37 25.86 22.03 30.51 85.00

75.00 75.00 75.00 62.50

90.00 80.00 80.00 50.00

85.71 71.43 71.43 85.71

14

89.66 83.87 80.65 64.52

42.86 53.57 53.57 46.43 64.29 46.43 40.74 42.86 46.43 100.00


62.26 77.36 71.70 53.85 56.60 60.38 43.40 50.94 45.28 100.00

Plate # 0

SpecialistInquiryClientPersonnel SpecialistInspectSystemDocumentation SpecialistObserveITControlsOperations SpecialistTestITControls

54.29 67.14 67.14 52.17 65.71 64.29 44.93 57.14 44.93 97.26


25.00 36.46 45.26 32.63 41.05 37.89 28.42 19.79 28.42 89.69


05/20/2009 04:15PM

Panel B: Use IT Audit Specialistb

Use CAATs for: EvaluateFraudRiskCAAT IdentifyJournalEntriesCAAT CheckFileAccuracyCAAT RePerformProceduresCAAT SelectSampleTransactionsCAAT SortTransactionsCAAT TestEntirePopulationCAAT ObtainControlEffectivenessEvidenceCAAT EvaluateInventoryCAAT RequestClientProvideElectronicRecords


TABLE 4 (continued)

Name /9671/05



0.972 0.335 0.654 0.784 0.061 0.077 0.030g 0.275 0.029g 0.162

2.199 2.001 2.625 1.591 3.012 1.763

0.218

0.971 0.466 0.799 1.154

2.797

15 9.844 6.583 3.524

0.004h 0.006g

⬍0.001h

0.016g

6.910 7.025 2.750

2.488 4.929 3.038

0.020g

⬍0.001h

4.456 0.937 2.619 10.588

6.110

0.976 0.420 0.103 0.014g

0.066

0.002h 0.009h 0.069

0.114 0.003h 0.065

0.237 0.959 0.184 0.037g

0.138

1.701 0.907 1.451

1.322 0.975 1.133

0.004 3.406 1.078 1.413

1.342

1.109 1.176 1.221

1.331 1.230 1.431

0.935 1.497 1.186 1.287

2.136

0.543 0.355 0.217

0.080 0.200 0.035g

0.836 0.149 0.368 0.183

0.004h


0.307 0.862 0.469

0.591 0.959 0.816

0.959 0.303 0.904 0.569

0.713

Plate # 0

2.997 4.846 3.302

0.126 2.121 2.755 13.331

7.432

Firm Size Big 4 versus Big 4 versus National versus Client IT Control Risk Others Contrast National Contrast Smaller Contrast Complexity Odds p ⬎ Wald Odds p ⬎ Wald Odds p ⬎ Wald Odds p ⬎ Wald Odds P ⬎ Wald Ratioa Chi-Square Ratiob Chi-Square Ratioc Chi-Square Ratiod Chi-Square Ratioe Chi-Square

05/20/2009 04:15PM

RiskAssessment Obtain Understanding of System and Processes by Examining SignificantTransactionsSupportingStatements ProceduresToProcessTransactions HowSystemCapturesEvents ProcessToPrepareFinancialStatements Test Automated Controls to Determine if They: AutomatedControlFunction AutomatedControlEffectiveness ApplicationControl Evaluate the Following General Computer Controls ProgramChangeGeneralControl AccessGeneralControl SystemsSoftwareGeneralControl

Panel A: Audit Proceduresf

TABLE 5 Logistic Regression Results: Interaction of Control Risk and Audit Firm Size on Audit Procedure and IT Specialist Use

Name /9671/05



Use CAATs for: EvaluateFraudRiskCAAT IdentifyJournalEntriesCAAT CheckFileAccuracyCAAT RePerformProceduresCAAT SelectSampleTransactionsCAAT SortTransactionsCAAT TestEntirePopulationCAAT ObtainControlEffectivenessEvidenceCAAT EvaluateInventoryCAAT RequestClientProvideElectronicRecords 2.565 2.551 1.661 2.077 2.442 2.780 1.818 4.851 1.766 2.928

0.019g 0.020g 0.183 0.055 0.017g 0.007h 0.122 ⬍0.001h 0.153 0.341 4.559 5.471 2.752 2.048 0.929 1.429 1.356 2.508 1.781 0.614 0.014g 0.071 0.855 0.367 0.444 0.031g 0.175 0.958

⬍0.001h ⬍0.001h

2.417 3.380 2.243 1.545 0.615 1.754 1.197 1.585 0.977 0.799

0.084 0.024g 0.116 0.383 0.350 0.271 0.723 0.381 0.962 0.999

2.591 2.060 1.359 1.526 1.861 0.735 1.205 1.991 2.463 0.673

0.918 0.862 1.106 0.789 1.162 1.015 0.908 0.791 0.884 1.287

0.627 0.379 0.518 0.137 0.330 0.923 0.548 0.181 0.458 0.352

Plate # 0


16


0.083 0.159 0.542 0.405 0.229 0.549 0.723 0.215 0.104 0.950

05/20/2009 04:15PM


TABLE 5 (continued)

Name /9671/05


0.834 0.878 0.384 0.188

8.416 9.695 8.967 2.019

0.068 0.015g 0.016g 0.317

18.274 8.571 7.062 4.608

0.023g 0.051g 0.076 0.096

0.313 1.203 1.431 0.290

0.462 0.878 0.773 0.277

2.531 1.542 0.973 1.901

0.119 0.316 0.947 0.059

Odds ratio reports likelihood of audit procedure use given control risk is assessed below maximum (i.e., respondent relies on controls) versus at maximum and all other variables remain constant. b Odds ratio reports likelihood of audit procedure use for Big 4 versus other firms holding all other variables constant. c Odds ratio reports likelihood of audit procedure use for Big 4 versus national firms holding all other variables constant. d Odds ratio reports likelihood of audit procedure use for national versus smaller firms holding all other variables constant. e Odds ratio reports likelihood of audit procedure use given client IT complexity is high versus low and all other variables remain constant. f Complete descriptions of each audit procedure are shown in Table 3. g p ⱕ 0.05 level. h p ⱕ 0.01 level. i Includes only participants who initially indicated that they used IT audit specialists on selected audit as shown in Table 2.

a

1.253 1.141 2.049 2.385


05/20/2009 04:15PM

SpecialistInquiryClientPersonnel SpecialistInspectSystemDocumentation SpecialistObserveITControlsOperations SpecialistTestITControls

Panel B: Use IT Audit Specialisti

TABLE 5 (continued)

Name /9671/05 Plate # 0

JIS (AAA)

17


pg 17 # 17

Name /9671/05

05/20/2009 04:15PM

Plate # 0

18

JIS (AAA)


future research could investigate if the relationship between control risk assessments and audit procedures has strengthened over time. Auditors may increasingly gravitate away from manual audit procedures and reconsider the balance of manual and computerized audit procedures that is most appropriate for each client. RQ2 Findings Next, descriptive statistics examining whether computer-related audit procedure use (RQ2a) and use of IT specialist (RQ2b) vary by audit firm size are presented in Table 4. Results suggest that, in general, auditors from Big 4 firms are more likely to use computerrelated audit procedures. To further examine our data, we used firm size planned contrasts. Our planned contrasts examine whether the use varied between Big 4 and non-Big 4 firms, Big 4 and national firms, and national and smaller firms.11 Results for RQ2a, shown in Panel A of Table 5, indicate that auditors employed by Big 4 firms are more likely than those working for smaller firms to use computer-related audit procedures such as (1) obtaining an understanding of the client’s systems and processes by examining the process to prepare the financial statements, (2) testing automated controls, (3) evaluating general computer controls, and (4) using CAATs to evaluate fraud risk, identify journal entries to be tested, check accuracy of electronic files, and obtain evidence about control effectiveness. Furthermore, auditors from Big 4 firms are more likely than auditors from national firms to use computer-related audit procedures to (1) obtain an understanding of the client’s systems and processes by examining the process to prepare the financial statements, (2) test the effectiveness of automated controls, (3) evaluate program change and access general computer controls, and (4) use CAATs to identify journal entries to be tested. Results regarding RQ2b indicate that auditors from Big 4 firms who used IT specialists are more likely to use the specialists to inspect system documentation and observe IT control operations than are auditors from smaller firms. In addition, auditors from Big 4 firms who used IT specialists are more likely than auditors from national firms to use the specialists to inquire of client personnel and inspect system documentation. Implications for Future Research Our results suggest that computer-related audit procedure use varies by audit firm size.12 Future research could examine if this creates barriers to entry for small audit firms given that even small public companies are now subject to Sarbanes-Oxley Section 404a requirements and will soon be subject to Section 404b (mandating an auditor evaluation of internal controls). For example, do smaller firms have sufficient numbers of IT specialists available to perform audits? Another avenue of research related to firm size would be to examine whether other audit procedures (not involving technology) are differentially used depending on the size of the firm and their respective clients. Future research could investigate the reasons for these differences and the effects on systems and audit quality. Are universities providing appropriate education? Is there a shortage of college graduates with a combination 11

12

Before grouping responses from regional and local firms together, we ran an initial planned contrast to identify any differences between responses from these two groups. Results noted only one statistically significant difference between responses from regional and local firms: use of IT audit specialist to test IT controls (SpecialistTestITControls). To examine whether the interaction between control risk assessment and firm size is statistically significant, we added an interaction term to each logistic regression. The interaction term was not statistically significant in any of the regression models.


pg 18 # 18

Name /9671/05

05/20/2009 04:15PM

Plate # 0

pg 19 # 19

JIS (AAA)


19

of IT and accounting skills? Do SOX regulations go too far or does the audit profession need to rise up to expectations? V. CONCLUSIONS, IMPLICATIONS, AND FUTURE RESEARCH In contrast to some previous research, our results suggest that client IT complexity influences the nature of audit testing, and gives standard setters insights into how auditors adjust audit programs in response to control risk assessments. While previous research has found mixed results on the relation between client risks and audit planning, and often focused on audit effort, our study shows a clear linkage between auditors’ control risk assessments and the nature of tests used with respect to computer-related audit procedures. The results also indicate a wide range of variability in terms of the procedures auditors select for high IT clients. Future research should examine whether these differences are due to auditors tailoring their audit programs based on individual client-related factors or whether they arise because of individual or audit firm differences in audit approaches. Unlike previous research, which focused primarily on Big 4 firms, our study considers the role of audit firm size. For example, our results indicate that while auditors employed by national audit firms are more likely to have control risk assessed below maximum than those working for smaller audit firms, use of computer-related audit procedures is surprisingly similar. Future research needs to examine the extent to which these computer-related audit procedures improve audit effectiveness and efficiency. For example, are auditors willing to reduce substantive tests if control risk is low, consistent with AS No. 5? Or are they still reluctant to reduce their own work given concerns about liability? Moreover, recent research by Hoitash et al. (2008) finds a link between internal control quality and audit costs. Therefore, future research could examine if increased reliance on internal controls leads to reductions in substantive testing, manual procedures, and possibly audit costs. In addition, Hermanson et al. (2000) found that internal auditors are sensitive to traditional IT controls such as asset safeguarding and data integrity, but did not focus on risks related to systems development and acquisition. Future research could investigate if external auditors have a similar tendency to focus on traditional IT controls, and how that may be linked to their choice of computer-related audit procedures. The results of our study should be interpreted in light of the following limitations. First, this paper examines audit procedures discussed in current standards (AICPA 2002a, 2002b, 2002c, 2006) but not in relation to a specific internal control framework. Several professional organizations have developed internal control frameworks and corresponding audit procedures (Colbert and Bowen 1996; Hermanson et al. 2000; Kerr and Murthy 2008; Tuttle and Vandervelde 2007). Additional research could examine the use of these frameworks as a basis for selecting audit procedures, as well as new frameworks that may emerge from recently formed standard-setting bodies (e.g., PCAOB).13 Second, auditors may assess control risk at maximum for audit efficiency reasons, although they are required to test key controls for large publicly held clients (PCAOB 2007). We cannot determine if our participants who elected not to rely on controls did so after finding poor client internal controls or whether their lack of control reliance was due to audit efficiency issues. Future research could examine this important issue. Third, our study requires participants to self-report control risk assessment for a single client with highly computerized transaction and financial 13

Since the majority of our participants were members of the AICPA, it is likely that the framework we used was most familiar to them at the time that the data was collected for this study.


Name /9671/05

05/20/2009 04:15PM

Plate # 0

JIS (AAA)

20


reporting systems. Although we have some evidence that suggests data collected for selected clients is highly correlated with data collected for typical clients, future archival research similar to Mock and Wright (1993, 1999) may be useful to determine if the relation between control risk assessment and audit procedure use as noted in our study holds in the current audit environment. Furthermore, different auditors may define IT complexity differently. Although our pilot study participants interpreted this term similarly, we are unable to guarantee that study participants from different firms defined the term similarly. Also, since auditors employed by larger firms are more likely to audit larger clients, our firm size is somewhat confounded with client size. Finally, we acknowledge that auditors from some of the smaller firms may not have had access to IT auditors or had individuals trained to conduct CAATs. Our study, however, did not collect data on these variables.

REFERENCES Ajzen, I. 1991. The theory of planned behavior. Organizational Behavior and Human Decision Processes 50 (December): 179–211. Allen, R. D., D. R. Hermanson, T. M. Kozloski, and R. J. Ramsay. 2006. Auditor risk assessment: Insights from the academic literature. Accounting Horizons 20 (June): 157–177. American Institute of Certified Public Accountants (AICPA). 2001. The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit. Statement of Auditing Standards No. 94. New York, NY: AICPA. ———. 2002a. Audit Documentation. Statement of Auditing Standards No. 96. New York, NY: AICPA. ———. 2002b. Consideration of Fraud in Financial Statement Audit. Statement of Auditing Standards No. 99. New York, NY: AICPA. ———. 2002c. Interim Financial Information. Statement of Auditing Standards No. 100. New York, NY: AICPA. ———. 2006. Risk Assessment Standards. New York, NY: AICPA. ———. 2008. Codification of Statements on Auditing Standards. New York, NY: AICPA. Apostolou, B. A., J. M. Hassell, S. A. Weber, and G. E. Sumners. 2001. The relative importance of management fraud risk factors. Behavioral Research in Accounting 13: 1–24. Arnold, V., and S. Sutton. 1998. The theory of technology dominance: Understanding the impact of intelligent decision aids on decision maker’s judgments. Advances in Accounting Behavioral Research 1: 175–194. Banker, R. D., H. Chang, and Y. Kao. 2002. Impact of information technology on public accounting firm productivity. Journal of Information Systems 16 (Fall): 209–222. Bedard, J. 1989. An archival survey of audit program planning. Auditing: A Journal of Practice & Theory 8 (Fall): 81–102. ———, and A. Wright. 1994. The functionality of decision heuristics: Reliance on prior audit adjustments in evidential planning. Behavioral Research in Accounting 6: 62–71. ———, T. Mock, and A. Wright. 1999. Evidential planning in auditing: A review of the empirical research. Journal of Accounting Literature 18: 96–142. ———, L. Graham, and C. Jackson. 2005. Information systems risk and audit planning. International Journal of Auditing 9 (July): 147–163. Bierstaker, J., and A. Wright. 2004. The impact of the adoption of a business risk audit approach on internal control documentation and testing practices: A longitudinal investigation. International Auditing Journal (March): 67–78. ———, and ———. 2005. The interaction between auditors’ risk perceptions and partner preferences on audit program planning. Advances in Accounting 21: 1–24.


pg 20 # 20

Name /9671/05

05/20/2009 04:15PM

Plate # 0

pg 21 # 21

JIS (AAA)


21

Brazel, J. 2005. A measure of auditor AIS expertise: Development, assessment, and uses. Managerial Auditing Journal 20: 619–632. ———, and C. Agoglia. 2007. An examination of auditor planning judgments in a complex accounting information system environment. Contemporary Accounting Research 24 (Winter): 1059– 1083. Carmichael, D. R. 2004. The PCAOB and the social responsibility of the independent auditor. Accounting Horizons (June): 127–133. Cassell, C. A., G. Giroux, L. Myers, and T. Omer. 2007. The emergence of second-tier auditors: Evidence from investor perceptions of financial reporting credibility. Working paper, Texas A&M University. Chatterjee, D., V. J. Richardson, and R. W. Zmud. 2001. Examining the shareholder wealth effects of announcements of newly created CIO positions. MIS Quarterly 25 (March): 43–70. Colbert, J., and P. Bowen. 1996. A comparison of internal controls: CobiT, SAC, COSO, and SAS 55 / 78. IS Audit & Control Journal: 25–35. Compeau, D. R., and C. A. Higgins. 1995. Computer self-efficacy: Development of a measure and initial test. MIS Quarterly 23 (June): 145–158. Cook, T. D., and D. T. Campbell. 1979. Quasi-Experimentation Design & Analysis Issues for Field Settings. Boston, MA: Houghton Mifflin Company. Curtis, M. B., and R. E. Viator. 2000. An investigation of multidimensional knowledge structure and computer auditor performance. Auditing: A Journal of Practice & Theory 19 (Fall): 83–103. ———, and E. A. Payne. 2008. An examination of contextual factors and individual characteristics affecting technology implementation decisions in auditing. International Journal of Accounting Information Systems 9 (June): 104–121. Davis, F. D. 1989. Perceived usefulness, perceived ease of use, and user acceptance of informational technology. MIS Quarterly 13 (September): 318–339. Elder, R. J., and R. D. Allen. 2003. A longitudinal field investigation of auditor risk assessments and sample size decisions. The Accounting Review 78 (October): 983–1002. Ghosh, A., and S. Lustgarten. 2006. Pricing of initial audit engagements by large and small audit firms. Contemporary Accounting Research 23 (Summer): 333–368. Gist, W. E., and R. A. Davidson. 1999. An exploratory study of the influence of client factors on audit time budget variances. Auditing: A Journal of Practice & Theory 18 (Spring): 101–116. Hermanson, D. R., M. C. Hill, and D. M. Ivancevich. 2000. Information technology-related activities of internal auditors. Journal of Information Systems 14 (Supplement): 39–53. Hill, M. C. 2001. Planned audit hours: Do auditors use a same as last year strategy? Advances in Accounting Behavioral Research 4: 281–302. Hoitash, R., U. Hoitash, and J. C. Bedard. 2008. Internal control quality and audit pricing under the Sarbanes-Oxley Act. Auditing: A Journal of Practice & Theory 27 (May): 105–126. Hunton, J. E., A. Wright, and S. Wright. 2004. Are financial auditors overconfident in their ability to assess risks associated with enterprise resource planning systems? Journal of Information Systems 18 (Fall): 7–29. International Accounting Bulletin. 2005. Interview—BDO Seidman: Grabbing new opportunities. International Accounting Bulletine London, England (September 5): 5. Johnstone, K. M., and J. Bedard. 2001. Engagement planning, bid pricing, and client response in the market for initial attest engagements. The Accounting Review 76 (April): 199–221. Kennedy, S. J., T. W. Vance, and A. Webb. 2008. Creating bias in accounting estimates: The effects of subordinate independence and ethicality concerns. Working paper, University of Washington and University of Waterloo. Kerr, D. S., and U. S. Murthy. 2008. The importance of CobiT IT processes for effective internal control over the reliability of financial reporting: An international survey. Working paper, University of North Carolina at Charlotte and University of South Florida. Krishnan, G. V., M. S. Park, and J. Vijayakumar. 2008. Does the flight of clients from the Big 4 to second tier auditors indicate lower audit quality? Working paper, Lehigh University.


Name /9671/05

05/20/2009 04:15PM

Plate # 0

22

JIS (AAA)


Lanza, R. B., and S. Gilbert. 2007. A risk-based approach to journal entry testing. Journal of Accountancy 204 (July): 32–35. Liang, D., F. Lin, and S. Wu. 2001. Electronically auditing EDP systems with the support of emerging information technologies. International Journal of Accounting Information Systems 2 (June): 130–147. Lowe, D. J., and P. M. J. Reckers. 2000. The use of foresight decision aids in auditors’ judgments. Behavioral Research in Accounting 12: 97–118. Manson, S., S. McCartney, and M. Sherer. 1997. Audit Automation: The Use of Information Technology in the Planning, Controlling and Recording of Audit Work. Edinburgh, Scotland: Institute of Chartered Accountants of Scotland. ———, ———, ———, and W. A. Wallace. 1998. Audit automation in the UK and the US: A comparative study. International Journal of Auditing 2: 233–246. Mock, T., and A. Wright. 1993. An exploratory study of auditor evidential planning judgments. Auditing: A Journal of Practice & Theory 12 (Fall): 39–61. ———, and ———. 1999. Are audit program plans risk-adjusted? Auditing: A Journal of Practice & Theory 18 (Spring): 55–74. Moore, G., and I. Benbasat. 1991. Development of an instrument to measure the perceptions of adopting an information technology innovation. Information Systems Research 2 (September): 192–222. O’Donnell, E., and J. Schultz. 2003. The influence of business-process-focused audit support software on analytical procedures judgments. Auditing: A Journal of Practice & Theory 22 (September): 265–279. Palmrose, Z-V. 1986. Audit fees and auditor size: Further evidence. Journal of Accounting Research 24 (Spring): 97–111. Peecher, M. E., and I. Solomon. 2001. Theory and experimentation in studies of audit judgments and decisions: Avoiding common research traps. International Journal of Auditing 5: 193–203. Public Company Accounting Oversight Board (PCAOB). 2004. An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. Auditing Standard No. 2. Washington, D.C.: Government Printing Office. ———. 2007. An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements. Auditing Standard No. 5. Washington, D.C.: Government Printing Office. Roybark, H. M. 2007. Analysis of audit deficiencies based on PCAOB inspection reports issued during 2005. Journal of Accounting, Ethics, & Public Policy 6 (2): 125–154. Simunic, D. 1980. The pricing of audit services: Theory and evidence. Journal of Accounting Research 18 (1): 161–190. Sprinkle, G. B., and R. M. Tubbs. 1998. The effects of audit risk and information importance on auditor memory during working paper review. The Accounting Review 73 (October): 475–502. Taylor, S., and Todd, P. A. 1995. Assessing IT usage: The role of prior experience. MIS Quarterly 19 (June): 561–570. Tuttle, B., and S. D. Vandervelde. 2007. An empirical examination of CobiT as an internal control framework for information technology. International Journal of Accounting Information Systems 8 (December): 240–263. Venkatesh, V., M. Morris, G. Davis, and F. Davis. 2003. User acceptance of information technology: Toward a unified view. MIS Quarterly 27 (3): 425–478. Viator, R. E., and M. B. Curtis. 1998. Computer auditor reliance on automated and non-automated controls as a function of training and experience. Journal of Information Systems 12 (Spring): 19–30. Waller, W. 1993. Auditors’ assessments of inherent and control risk in field settings. The Accounting Review (October): 783–803. Wright, A. 1988. The impact of prior working papers on auditor evidential planning judgments. Accounting, Organizations and Society: 595–606.


pg 22 # 22