
W.A. Honselaar 2012 – Thesis Postgraduate IT Auditing


The Internal Audit Function: A Study Examining the Impact of Emerging IT on the Development of the Function

Wesley A. Honselaar¹

Vrije Universiteit Amsterdam, Faculty of Economics and Business Administration, Department of IT Audit, De Boelelaan 1105, 1081HV Amsterdam, The Netherlands

Abstract

Purpose: The purpose of this study is to explore the impact of emerging IT on the task description of the internal audit function and to explore which developments internal audit has to undertake in order to be able to adequately audit the increasing complexity of IT within their organizations.

Design/methodology/approach: Two case studies have been performed for which interviews are held with internal audit directors and managers in order to collect information on their view on the research questions central to this study. Further, a review of existing literature has been performed based on which the sub questions of this study are answered.

Findings: Emerging IT does not have an impact on the existing roles and responsibilities of the internal auditors working for mature internal audit functions. As mature internal audit functions of Dutch multinationals are well prepared in the area of IT there is no specific need for further development as they already have professionals employed who possess the required knowledge and skills to adequately audit the increasing complexity of IT. For internal audit functions that do not have professionals specialized in the area of IT, the impact of emerging IT can be great on the existing roles and responsibilities of the internal auditors as they may need to address the risks related to the use of IT and the controls to mitigate such risks. When examining the impact of emerging IT on the roles and responsibilities of the internal auditors, different business models should be explored as the study results indicate that this will affect the significance of the impact. The increasing complexity of IT can lead to a more advising role of the internal IT auditor as organizations will focus on making their IT environment less complex and the use of IT more efficient in order to become stronger competitors. It is the internal IT auditor who has the expert knowledge of the IT systems and business processes of the organization required to advise the business in achieving this goal. Regarding the development in the area of IT, internal audit functions can pursue different strategies to address the human resources and organizational needs in IT audit. These strategies range from increasing the knowledge and core skills of the current internal audit staff to increasing the use of sophisticated technology tools and third-party experts.

Practical implications: This study provides internal audit executives with a description of possible strategies that can be followed by the internal audit function to address the human resources and organizational needs in IT audit in case this is required. Further, this study shows the potential added value that internal IT auditors can provide in advising the organization in decreasing the complexity of the IT environment and thereby enhancing the efficiency of the use of IT.

Keywords: Internal Audit; IT Audit; Emerging IT; Information Technologies

¹ Corresponding author: Tel.: +31 6 13127213 Studentnr: 1534254 Email: [email protected]

Acknowledgements

This paper is the final version of the thesis that I have written in order to graduate for my Postdoc degree EDP-auditing. By writing a thesis for graduation the student in question is judged on his academic capability and whether he is capable of producing a scientific research paper independently. However, without the support of the reviewers from the VU Amsterdam as well as from Deloitte it would have been harder to produce a profound thesis that provides scientific as well as practical value. Therefore, this special word of thanks goes to Rene Matthijsse (VU Amsterdam), Olaf Helmond (Deloitte), and Rob de Leeuw (Deloitte) who have been willing to support and advise me when needed. With pleasure I look back to the valuable discussions with the reviewers that we had about the progress of this thesis.

The field research conducted for this research has been interesting and provided valuable insights in addition to the information obtained from the scientific literature. I am very thankful for the opportunities I was given to interview several internal audit directors and IT audit managers responsible for the internal audit functions examined for the case studies. My thanks go to the organizations willing to participate in this study. The organizations which participated are Ahold and Achmea. More importantly, I would specially like to thank the internal audit directors and IT audit managers who devoted their time to me and provided me with valuable information needed to complete this research.

Finally, I would like to thank my family who has been motivating me from the very beginning to finalize my thesis. Special thanks go to my girlfriend, Arminija, who has given me the time and support needed to be able to complete this thesis.

Wesley A. Honselaar

Management summary

In the current economy organizations are becoming increasingly dependent on Information Technology (IT). As IT is still evolving and is becoming more and more essential for an increasing number of organizations, it can be stated that the internal auditor nowadays receives considerably more exposure to IT than in the past. Previous research indicates that IT is playing a more fundamental role in the way modern organizations function and that almost every audit requires at least some consideration of possible IT issues. Whereas technology was once considered the domain of specialized IT auditors, it is now the concern of all auditors. This study explores the impact of emerging IT on the task description of the internal audit function and which developments internal audit can undertake in order to be able to adequately audit the increasing complexity of IT within their organizations.

Due to the evolving role of IT within organizations and the use of IT within the core business processes, it is expected that the lines separating IT and non-IT audits will continue to blur in the coming years. This causes internal auditors to be faced with the challenge of monitoring the IT processes and controls as well as providing assurance over the IT environment of their organizations. As the roles of internal auditors include, among others, monitoring, assessing, and analyzing organizational risks and controls, it can be concluded that emerging technologies are impacting the role of internal auditors by bringing new risks to the organization.

Based on the literature it is concluded that the Risk Assessment and Control Assurance roles of internal auditors are affected by the use of emerging technologies within organizations. The impact of emerging IT on the internal control of organizations is also emphasized by the Committee of Sponsoring Organizations (COSO), which has provided an update of the COSO framework that reflects the increased relevance of technology. With the increasing reliance on IT by organizations, it becomes the responsibility of the internal auditor to assist the Audit Committee and management in assessing the IT skill set of the organization, promote greater IT risk involvement, and identify overlaps and/or gaps in IT risk coverage. Due to emerging IT and the increasing complexity of IT within organizations, internal audit functions need to focus on the development within the area of IT audit. As previous studies have shown, generalist auditors do not possess the required knowledge to fully understand the risks and controls that come with emerging IT. It therefore becomes important for the function to train the generalist auditors in the area of information systems/technology and related controls, as they will also have to deal with an increasing number of automated controls within the business processes they audit. Besides this, due to the rapid developments and changes in information technologies it is a must for internal auditors to keep up to date with the current developments within the field of information technology and with the threats that come along with utilizing new technologies. For obtaining the required knowledge (basic audit and specialized), internal audit functions should encourage their staff to obtain one or more of the recognized audit certificates related to IT such as the RE, CISA, CISM, and CISSP certifications. Based on the literature some strategies have been formulated that internal audit functions can follow in order to realize the further development of the function in the area of IT. These strategies range from increasing the knowledge and core skills of the current internal audit staff to increasing the use of sophisticated technology tools and third-party experts.

The case studies show that the impact of emerging IT on the task description of the internal audit function is low for mature internal audit functions as they employ specialized IT auditors that have the knowledge and skills to address the new risks and controls that come with emerging IT. This means that the roles and responsibilities of the other internal auditors (financial, compliance, operational) are not affected as they do not have to focus on the IT risks and controls. It has been argued that this will probably be different for small-sized internal audit functions as they probably do not have specialized IT auditors employed. Further, it is concluded that the impact of emerging IT on the roles and responsibilities of internal auditors is moderated in case the organization has outsourced its IT function or parts of it. This finding demonstrates that before drawing conclusions regarding the impact of emerging IT on the required knowledge and skills of auditors, different situations and business models should be examined in order to obtain an accurate and valid conclusion regarding this relationship. To be able to respond to the changes in IT and to address the new auditing risks the internal audit function should have talented professionals with IT skills. Mature internal audit functions of Dutch multinationals do have such professionals who also hold the relevant certifications (e.g. RE, CISA, CISSP, and CISM) and therefore are able to respond to the changes in IT and new IT risks. It can therefore be concluded that these types of internal audit functions do not have to develop their function in the area of IT audit as they are already sufficiently equipped to audit the increasing complexity of IT within their organizations. It has been demonstrated that due to the increasing complexity of IT organizations are, on the other hand, putting effort into trying to standardize their IT environment and thereby making it less complex and more efficient. In order for organizations to remain strong or even become stronger competitors in the markets in which they operate, they can benefit from increasing the efficiency and effectiveness of their use of IT. This can be seen as an opportunity for the internal IT auditor as they can assist their organizations in achieving the goal of standardizing the IT environment and thereby increasing the efficiency of its use of IT. It is the internal IT auditor who has the expert knowledge of the IT systems and business processes of the organization required to advise the business in achieving this goal. Further, the study results show that internal audit executives can follow several strategies to address the needs for IT audit knowledge and skills. Internal audit executives can determine the knowledge and skill needs based on preparing a yearly audit plan and assessing what the impact of the audit plan will be on the task description of the employees. If it turns out that the use of information technology by the organization is impacting the audit plan, internal audit executives can follow several strategies to be able to address the IT risks and controls. The case studies showed that internal audit executives are mainly focused on the strategies to provide training possibilities to the current internal audit staff for increasing the knowledge and core skill level, and to hire expert knowledge for performing audits in specialized areas. This research ends with providing research questions which have been developed based on the study results and can be used for performing future research on the impact of emerging IT on the task description of the internal auditor.

Table of contents

Acknowledgements
Management summary
1. Introduction and research question
2. Research design
2.1 Crystallization of research question
2.2 Data collection method
2.3 Control of variables by researcher
2.4 Study’s purpose
2.5 The time dimension
2.6 The topical scope
2.7 Research environment
2.8 Perceptions of participants
2.9 Approach for answering the research questions
3. Literature review
3.1 The role of IT in organizations and the essence of good IT control
3.1.1 The role of IT in organizations
3.1.2 CobiT
3.1.3 IT Control quality and firm performance
3.2 Internal audit function
3.2.1 Definition of the internal audit function
3.2.2 Roles and responsibilities of the internal audit function
3.2.3 COSO framework for internal control
3.2.4 An update to the COSO framework
3.3 Impact of emerging IT on the internal audit function
3.3.1 The impact of emerging IT on the roles and responsibilities of the internal audit function
3.3.2 IT audit knowledge and skills development
3.3.3 Ensuring an appropriate level of IT knowledge within the internal audit function
3.4 Summary of literature review
4. Case study results
4.1 Case study 1 - Ahold
4.1.1 Organization description
4.1.2 The internal audit function of Ahold
4.1.3 Impact of emerging IT on the roles & responsibilities of the internal audit function
4.1.4 The development of the (IT) internal audit function
4.1.5 Strategies to address the needs for IT audit knowledge and skills
4.2 Case study 2 - Achmea
4.2.1 Organization description
4.2.2 The internal audit function of Achmea
4.2.3 Impact of emerging IT on the roles & responsibilities of the internal audit function
4.2.4 The development of the (IT) internal audit function
4.2.5 Strategies to address the needs for IT audit knowledge and skills
5. Analysis and Conclusions
5.1 Comparison of case study results
5.1.1 Impact of emerging IT on the roles and responsibilities of the internal audit function
5.1.2 The development of the (IT) internal audit function
5.1.3 Strategies to address the needs for IT audit knowledge and skills
5.2 Conclusions
5.2.1 Answer to sub question 1
5.2.2 Answer to sub question 2
5.2.3 Answer to sub question 3
5.2.4 Answer to the central research question
6. Personal reflection and future research suggestions
References

1. Introduction and research question

In the current economy organizations are becoming increasingly dependent on Information Technology (IT). This dependency is reflected in the way organizations try to compete with each other in fast changing global business environments. In order to beat the competition, organizations nowadays find their way to greater efficiency, and with it lower operating costs, by incorporating fully integrated information systems used to increase the speed of transaction processing.

However, while IT can be used by organizations to increase their competitive advantage, it also has downsides that need to be addressed appropriately for organizations to profit from the economic benefits generated by IT. Abu-Musa (2008) states that there are many types of risks associated with IT. Among others, these include the loss of computer assets, the risk of fraud, theft or loss of data, privacy violations, business disruption, and competitive disadvantages in cases where the wrong IT is selected. To control these risks, organizations and their auditors are using frameworks as guidance for their design and evaluation of internal controls (Tuttle and Vandervelde, 2007). According to Tongren (1997) internal auditors are struggling to maintain their identity and purpose as the organizations they audit undergo radical changes. Changes and developments in IT are continuously causing current control procedures to become obsolete. Moreover, as changes in IT occur frequently and fast, auditors (internal as well as external) need to keep pace with emerging technological changes and their impact on their own audit procedures and their organization’s data processing system (Rezaee and Reinstein, 1998).

The Public Company Accounting Oversight Board (PCAOB) has recognized the need for auditors to constantly maintain and develop their knowledge and skills related to the audit of internal controls and IT systems (Curtis, Jenkings, Bedard, and Deis, 2009). According to Abdolmohammadi and Boss (2010) the introduction of the U.S. Sarbanes-Oxley Act (SOX, 2002) made it difficult for organizations to fully rely on their external auditors to provide guidance to the firms relating to IT audits. They further argue that due to the relatively central nature of information systems within the organization, the burden has increasingly fallen on the internal audit function to be the primary IT auditors of the organization.

The International Standard on Auditing 401 – Auditing in a Computer Information Systems Environment – states that auditing processes for internal audit as well as external auditors have rapidly changed. Factors causing these changes are, among others, the globalization of businesses, advances in technology, the demand for value-added audits, the organizational structure of the client's automated information systems activities, the degree of concentration and distribution of computer processing throughout the organization (especially if this affects segregation of duties), and the availability of source documents of relevant data. Looking at these changes it can be said that the internal auditor should have sufficient knowledge of automated information systems in order to be able to plan, to give direction, to monitor, and to review the work performed related to the audit of information systems and electronic data processing (EDP) within organizations. Additionally, Abu-Musa (2008) states that the internal auditor should also consider whether specific IT knowledge is required for an audit. This statement is highly relevant for organizations that move with the times and invest in new, emerging IT solutions that are to be used to support the business operations of the organization. For example, Moorthy, Seetharaman, Mohamed, Gopalan, and Har San (2011) argue that the audit universe is subject to change, which sometimes can even be significant. The authors explain this by providing an example of Internet Electronic Commerce, which five years ago was a small item on the audit universe inventory. However, as of today this is a big item on most audit inventories that deals with issues related to information security, privacy, and secure electronic commerce (especially over the unsecured medium of the Internet). For a large number of organizations nowadays, these types of items are of major importance. This example, therefore, shows that internal auditors in many cases will soon be required to demonstrate expertise in areas they currently cannot yet explain (Moorthy et al., 2011).

As IT is still evolving and is becoming more and more essential for an increasing number of

organizations, it can be stated that the internal auditor nowadays receive considerably more exposure to IT

than in the past (Silltow, 2003). Silltow mentions that IT is playing a more fundamental role in the way

modern organizations function and that almost every audit requires at least some consideration of possible IT

issues. Whereas technology once has been considered as the domain of specialized IT auditors it is now the

concern of all auditors. As Pathak (2003) suggested:

[. . .] the integration of applications and enterprise-wide IS will be a key trend for the future and will surely

have a great impact on the entire set of knowledge, skills, methods, algorithms, and strategies of IA.

Accordingly, the audit practitioners and educators need to expand their skill sets and knowledge bases to

cope not only with current changes but also with future challenges.

As stated above, rapid changes in IT require auditors (internal as well as external) to be able to adapt their
knowledge, skills, and audit procedures to the ever-changing environments in which they operate. The
current study focuses primarily on the impact of IT on the functioning of internal auditors. The

purpose of this study, therefore, is to explore the impact of emerging IT on the task description of the internal

audit function and to explore which developments the internal audit function has to undertake in order to be

able to adequately audit the increasing complexity of IT within their organizations. The task description is

defined in the current study as the roles and responsibilities of the internal auditors working for the internal

audit function. This means that the current study is exploring how the existing roles and responsibilities of

internal auditors are affected by the use of emerging IT by their organizations. This study is, therefore, not

aimed at exploring whether emerging IT will lead to newly defined roles of the internal auditor. Based on the

purpose of this study, the following research question has been formulated:

“What is the impact of emerging IT on the task description of the internal audit function and which

development processes has the internal audit function to undertake in order to be able to adequately audit the

increasing complexity of IT within their organizations?”

Page 9: The Internal Audit Function: A Study Examining the Impact ...vurore.nl/images/vurore/downloads/1074_Definitief... · W.A. Honselaar 2012 – Thesis Postgraduate IT Auditing Acknowledgements


To answer this research question the following sub questions are formulated:

1. What is the impact of emerging IT within organizations on the roles and responsibilities of the internal

audit function?

2. How does the internal audit function of Dutch organizations need to develop in order to be able to

adequately audit the increasing complexity of IT?

3. Which strategies can be followed by the internal audit function in order to realize the further

development of the function in the area of IT?

The motivation for conducting this research and finding the answers to the posed research questions is

based on the conclusions reached by prior studies that developments in information technology are one of the

most significant changes that will affect business operations and the internal audit profession (see, for

example, Rezaee & Reinstein, 1998; Rezaee, Elam, and Sharbatoghlie, 2001; Oxner, Hawkins, and Rivers,

1995; Bierstaker, Burnaby, and Thibodeau, 2001). Elaborating on these conclusions it is interesting to

perform research on the impact that emerging IT will have on the roles and responsibilities of the internal

audit function and if, based on the impact, internal audit functions need to take measures in order to stay able

to adequately audit the increasing complexity of today’s and future IT environments. As internal audit

functions are providing assurance on the efficiency of business operations, compliance with laws &

regulations, and the reliability of financial reporting, a good understanding of information technology

systems and the ability to identify risks associated with computerized environments has become critical in

performing the internal audit activity. This study is practically relevant in that it provides internal audit

managers and directors with information about the impact of developments in IT on their audit and audit

planning activities. Further, this study provides internal audit managers and directors with suggestions for

possible strategies to address technology risks and IT resource needs.

The structure of this paper is as follows. The next section (Chapter 2 – Research design) provides a

description of the research design chosen for the current study. Following this section is an extensive review

of the scientific literature that is related to the research questions central to this study (Chapter 3 – Literature

review). Chapter 4 (Case study results) shows the results of the case studies performed at two internal audit

functions of Dutch organizations. Following the case study results is a discussion on the similarities and

differences between the two cases investigated and how the case study results correspond with the

information gathered from the scientific literature (Chapter 5 – Analysis and Conclusion). Based on this

analysis a conclusion on the research findings is provided and answers are given to the research questions

central to this study.


2. Research design

This chapter provides a description of the research design chosen for answering the research questions

central to this study. It is explained how the different concepts and topics related to this study are to be

investigated in order to achieve reliable and valid conclusions regarding the research questions. Blumberg,

Cooper, and Schindler (2005) state that no simple classification system regarding different design approaches
exists that defines all the variations that must be considered. However, Blumberg et al. (2005) provide eight

different descriptors for classifying a research design. In order to produce a clear and accurate research

design for the current study, the eight descriptors provided by Blumberg et al. (2005) are followed and

applied. An explanation of the eight descriptors and how they are applied within the current study is provided

in the following paragraphs.

2.1 Crystallization of research question

According to Blumberg et al. (2005) a study may be viewed as formal or exploratory. The essential

differences between these two alternatives are the immediate objective and the degree of structure of the

study. The objective of exploratory studies is discovering future research tasks by developing hypotheses

and/or questions for future research. On the other hand, the objective of a formal study is to provide a valid

representation of the current state and to test the hypotheses posed. Another distinction between exploratory

and formal research designs is that exploratory studies tend towards loose structures, whereas formal studies

follow precise procedures and data source specifications. The purpose of the current study is to explore the

impact of emerging IT on the task description of the internal audit function. The current study is not aimed at

answering hypotheses but, instead, is aimed at providing a profound explanation of how the internal audit

function is impacted by emerging IT and which strategies are available for ensuring an appropriate level of IT

knowledge and skills within the function. Further, this study will lead to questions for further research and,

therefore, must be viewed as exploratory research.

2.2 Data collection method

Following Blumberg et al. (2005) this research should be classified as a communication study, in which

the data is collected through having interviews with the subjects and collecting their responses. For the

current study interviews are held with internal audit directors and managers in order to collect information on

their view on the research questions central to this study. As Blumberg et al. (2005) also mention, it is not

always necessary for a researcher to collect new information. This is the case for the current study as it relies

not only on interview data, but also on secondary data collected through an extensive desk research.

In order to enhance the generalizability of the conclusions, two organizations are selected that operate in

different industries. By doing this it becomes possible to examine whether the situation regarding the

research question is different between industries. The organizations selected are Royal Ahold (consumer


business industry) and Achmea (finance/insurance industry). The interviews held with the internal audit

directors and managers were semi-structured and provided an in-depth understanding of how the internal

audit functions of the organizations selected are impacted by emerging IT and how they ensure an

appropriate level of IT knowledge and skills within their internal audit function. The interview questions are

developed based on the research question and sub-questions posed. Further, an extensive literature review has

been performed which led to a good understanding of the possible situation within the internal audit function

of the organizations selected. Based on the results from the scientific literature interview questions have been

defined. All the interviews were taped and subsequently converted into text for further analysis.

2.3 Control of variables by researcher

According to Blumberg et al. (2005) variables related to the research can be manipulated by the

researcher in order to discover whether certain variables produce effects in other variables. In this case the

research design to follow is called an experiment. In the current study there is no control over any variables.

The purpose of this study is to describe a situation within internal audit functions and to report on what is

happening. Following Blumberg et al. (2005) this is called an ex post facto design. The situation as it is

within the internal audit functions selected for research is obviously not influenced by the researcher.

2.4 Study’s purpose

The purpose of the current study is to find out what the impact of emerging IT is on the task description

of the internal audit function and which development processes internal audit functions have to undertake in

order to be able to adequately audit the increasing complexity of IT within their organizations. Following

Blumberg et al. (2005) this research therefore should be classified as a descriptive study. The other

classification regarding this descriptor is a causal study, in which the objective is to find out how one variable

produces changes in another. However, the current research is only aimed at providing a clear description of

internal audit functions and how they can deal with the increasing need for IT audit knowledge and skills.

2.5 The time dimension

Concentrating on the time dimension of a study, a distinction is made by Blumberg et al. (2005)

between so called cross-sectional studies and longitudinal studies. As the current research is only performed

once it is classified as a cross-sectional study. With a longitudinal research design the study must be repeated

over an extended period, with the aim to track changes over time. The current research focuses on the

situation as it is now and how internal audit functions can and/or will react to the current developments

related to IT within their organizations. However, Blumberg et al. (2005) state that cross-sectional studies can

use some of the benefits of longitudinal research designs by, for example, adroit questioning about history,

past attitudes, and/or future expectations. The current research tries to incorporate some of the


benefits of longitudinal studies by questioning respondents about their future expectations related to the

impact of emerging IT on the task description of the internal audit function and which measures need to be

taken in order to be able to respond to these developments in the most effective way. It will be interesting to

recall this study in five years from now to determine whether the situation described in the current study and

the proposed measures to take are still relevant and deemed successful.

2.6 The topical scope

Regarding the topical scope, research can be classified as a statistical study or a case study (Blumberg et al.,

2005). With statistical studies the researcher is testing the hypotheses quantitatively. On the other hand, case

studies place more emphasis on a full contextual analysis of events or conditions. According to Blumberg et

al. (2005) this kind of emphasis on detail provides valuable insight for problem-solving, evaluation and

strategy. For the current study a case study approach is pursued with the objective to obtain detailed insight

into the current situation within internal audit functions and how they deal with the developments around

information technology. The different cases studied constitute the two internal audit functions used for this

study. Based on the data gathered from two different organizations an attempt is made to provide an objective

description of the current situation related to the research questions central to the current study.

2.7 Research environment

For obtaining relevant information for conducting the literature review, secondary data is gathered from

the internet. The environments from which secondary data was gathered are the Vrije Universiteit Amsterdam and

the home office of the researcher. The secondary data obtained for conducting the literature review (see

Chapter 2) is derived from a great diversity of scientific journals and white papers. For obtaining the

empirical data needed for this study actual field research is performed. Interviews with the internal audit

directors and managers are held at the headquarters of the organizations they work for.

2.8 Perceptions of participants

According to Blumberg et al. (2005) the perceptions of participants can influence the outcomes of the

research in subtle ways. The authors explain this by using the example of the ‘mystery shopper’. A retail

sales associate will likely change his/her performance if he/she knows that he/she is being observed and

evaluated. Blumberg et al. (2005) state that researchers need to be aware of this and that results must be

qualified based on the perceived perceptions of participants. As the current study is not trying to falsify

hypotheses and is only aimed at providing a clear description of the current situation related to the research

questions, it is assumed that the study participants will not behave less naturally nor will they try to please the

researcher by guessing the right answers as there are no right or wrong answers. By only selecting highly


experienced internal audit directors and managers for the case studies, an attempt is made to obtain reliable,

accurate, and valuable responses.

2.9 Approach for answering the research questions

Through an extensive literature review, an attempt is made to find answers to sub questions

1 – 3 (see Chapter 1 – Introduction). The field research is performed to obtain additional insights related to

the information found for the literature review. Especially for sub question 2, which is specifically focused on

internal audit functions of Dutch organizations, additional information was required from field research as the

scientific literature is not particularly aimed at Dutch organizations. The two cases will be compared with

each other as well as with the information obtained from the available scientific literature. Based on this

analysis (see paragraph 5.1) answers can be provided to the sub questions posed. Based on these answers a

final conclusion of the research can be formulated by which the research question central to this study will be

answered (see paragraph 5.2).


3. Literature review

3.1 The role of IT in organizations and the essence of good IT control

3.1.1 The role of IT in organizations

The competitive landscape in which organizations operate has changed dramatically over the last few

decades. We have witnessed a transformation from the Industrial Age into the Information Age, in which

competitive advantage is gained by using and managing information in the best possible way. Having timely,

accurate, and complete information based on which management decisions are to be made is now more than

ever crucial to the survival of almost every organization. To be able to manage information, organizations

are investing substantial capital in the development and maintenance of information systems and information

technologies (Borek, Helvert, Ge, and Parlikad, 2011). Based on the existing literature information systems

are known as software platforms and databases encompassing enterprise-wide systems designed to manage

all major functions of the organization (Dewett and Jones, 2001). Companies that provide these enterprise-wide
systems are, among others, SAP, Oracle, PeopleSoft, and JD Edwards. On the other hand, information

technologies include devices and communication media which link information systems and people.

Examples include the Internet, e-mail, personal digital assistants, video conferencing, voicemail, groupware

and corporate intranets, and smartphones (Dewett and Jones, 2001). Both terms are overlapping and often

inextricably linked. The two terms are therefore often used interchangeably in the literature on

information technology. As this is the case I will refer to them jointly as information technology (IT) for the

rest of this paper.

Exhibit 2-1 shows the role of information technologies within organizations according
to Dewett and Jones (2001). These authors have based their research on the analysis performed by

Huber (1990) in which he suggested that IT is a variable that can be used for promoting organizational

performance by enhancing the quality and timeliness of organizational intelligence and decision making. In

his research Huber treated the organizational characteristics as the dependent variable with IT positioned as

the independent variable. In order to offer a more encompassing view of IT and organizational functioning,

Dewett and Jones have examined IT as a moderator of the relationship between organizational characteristics

and organizational outcomes (See Exhibit 2-1).


The organizational characteristics used in the model of Dewett and Jones are selected based on previous

research and have proven to be important to organizational performance, and clearly related to IT. This also

holds for the organizational outcomes that emerged from an extensive review of the literature in which it is

proven that they have the most performance enhancing potential in relation to IT. The justification for the

moderating role of IT is based on the contention from the authors that, in general, IT changes or alters the

impact of organizational characteristics on outcomes. The feedback loop from the organizational outcomes to

IT is provided to reflect the continuous and/or periodic modifications that are required to fit a given IT to its

context. Based on the organizational outcomes as a result of the use of IT the management of the organization

must determine whether or not modifications in IT are necessary to ensure the IT’s maximum utility.

Additionally, Dewett and Jones (2001) acknowledge that the effects of IT are not always positive. However,

when they are applied appropriately, they can be a very powerful addition to an organization’s

communications infrastructure. This indirectly implies that strong control over IT within organizations is

important in order to ensure that the use of IT is reliable and correct and thereby enhancing the quality and

timeliness of organizational intelligence and decision making, which in their turn have a positive impact on

organizational performance.

Taking a closer look at the moderating role of IT on the relationship between organizational

characteristics and organizational outcomes (See Exhibit 2-1) it can be noted that according to Dewett and

Jones (2001) IT has this moderating role through its ability to generate information efficiencies and

information synergies.

Information efficiencies are the cost and time savings that result when IT allows individual employees
to perform their current tasks at a higher level, assume additional tasks, and expand their roles in the
organization due to advances in the ability to gather and analyze data (Dewett and Jones, 2001). In other
words, by the use of IT it becomes possible to increase the efficiency of existing processes by increasing the
amount and quality of information which can be adequately processed. Information synergies are the
performance gains that result when IT allows two or more individuals or subunits to pool their resources and
cooperate and collaborate across role or subunit boundaries, a between-person or between-group effect
(Dewett and Jones, 2001).

Exhibit 2-1 (figure; labels only)

Organizational Characteristics: Structure; Size; Learning; Culture; Interorganizational Relationships

Information Technologies: Information Efficiencies; Information Synergies

Organizational Outcomes: Linking/Enabling Employees; Codifying the Knowledge Base; Increasing Boundary Spanning; Organizational Efficiency; Organizational Innovation

Feedback loop: Learn/Adapt

Based on these two benefits of IT, Dewett and Jones have identified the following organizational

outcomes: improved ability to link and enable employees, improved ability to codify the organizations’

knowledge base, improved boundary spanning capabilities, improved information processing that leads to

increased efficiency, and improved collaboration and coordination that promotes innovation. I would like to

refer to the paper of Dewett and Jones (2001) for a full explanation of the effect of IT on the identified

organizational outcomes as mentioned here above, as this goes beyond the scope of the current paper. This

also holds for the link between the identified organizational characteristics and organizational outcomes.

Relevant for the current study is the argument set forth by Dewett and Jones (2001) that IT is a moderator of

organizational characteristics and processes that are already present before the use of IT. This is supported by

Powell and Dent-Micallef (1997), who in turn suggested that IT will only lead to competitive
advantages if it leverages or exploits existing, complementary business and human resources.

Additionally, previous research (e.g., Neo, 1988) has found that strategic planning and management vision

and support had more to do with IT success than did IT itself. Powell and Dent-Micallef (1997) provided

empirical support to these findings by analyzing IT and various aspects of human resources (flexibility, CEO

commitment, IT/strategy integration, openness of culture, openness of communication, consensus) to show

that only when IT is used in support of these factors is it able to produce performance advantages.

Based on these findings it can be concluded that there is a strong need for tight coupling between

strategy and IT within organizations. Furthermore, given the reliance on technology within most

organizations, it is important for organizations to have a framework that addresses technology in order to be

functional in today’s audit environment (Tuttle and Vandervelde, 2007). Organizations and
auditors working in computerized environments are therefore adopting so-called specialized frameworks, of which
CobiT (Control Objectives for Information and related Technology)[2] is one of the most popular ones. The

following paragraph provides an explanation of CobiT.

3.1.2. CobiT

In the beginning (1996) the CobiT framework was intended for use by the management of an
organization as a benchmarking tool consisting of the best practices related to IT controls. However, because
of its strong focus on controls, auditors (internal as well as external) have applied the framework to financial
statement audits as well as to operational and compliance audits (Tuttle and Vandervelde, 2007). The CobiT
framework is based on three dimensions. The first dimension contains seven well-known quality criteria that
information must meet in order to satisfy business requirements (Lindgreen, 2005). These criteria are:
effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability. The second
dimension consists of four categories of IT resources: people, information, applications, and
infrastructure. The third dimension consists of four different domains, in which control can be grouped:
(i) Plan and Organize, (ii) Acquire and Implement, (iii) Deliver and Support, and (iv) Monitor and Evaluate.
The domains within this dimension logically match the different phases of the lifecycle of information
systems: Strategy and Planning, Development and Implementation, and Production and Maintenance
(Lindgreen, 2005). Exhibit 2-2 provides an overview of the CobiT framework.

[2] http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx

The CobiT framework as depicted in Exhibit 2-2 relates each CobiT process to the
CobiT information criteria that are affected by the process. Tuttle and Vandervelde (2007) therefore state that

this framework should provide an auditor with a means of directly assessing specific controls for their effect

on the quality of information, whether it is a financial, operational, or compliance audit.

According to Lindgreen (2005) operational auditors and accountants experience the framework as too

comprehensive and too technical in practice. The 34 control objectives of CobiT will not cause many

problems for the average IT-auditor, but for example network security, Service Level Agreements, or

capacity management can be difficult to understand for persons with no technical background. This implies

that for an organization to have adequate control over IT used by the organization, the organization should

have enough employees with required technical skills and knowledge in order to identify and assess the

relevant IT controls. Having said this, it becomes relevant to know what the relation is between IT control

quality and firm performance. If good IT control quality leads to better firm performance, it should be taken
seriously by organizations that aim to grow and expand their business. Even more, they should keep
in mind everything that affects IT control quality within an organization. The following paragraph provides a

discussion about the relationship between IT control quality and firm performance and indicates the

importance of good IT control within the organization.

Exhibit 2-2: Overview of the CobiT framework (figure). Source: Tuttle and Vandervelde, 2007.

3.1.3 IT Control quality and firm performance

Modern organizations are becoming more and more reliant on information technology. This, coupled

with the interconnected nature and growing complexity of IT systems and infrastructure as well as the

constantly changing threat and regulatory environments, entails increased risks and, related to that, the need to

implement IT internal controls to mitigate those risks (Stoel & Muhanna, 2011). According to NIST (2006),

IT controls refer to: the management, operational, and technical safeguards or countermeasures prescribed

for an information system to protect the confidentiality, integrity, and availability of the system and its

information. As we witness a growing importance of IT controls it remains, however, a challenge to establish

the business case for management focus on IT controls (Power, 2009). It can be argued that this should

change, especially if it can be shown that investing in quality IT internal controls leads to better overall

financial performance. Given this statement, Stoel & Muhanna (2011) argue in their study on the effect of IT

internal control weaknesses on firm performance that IT internal control weaknesses adversely impact

corporate performance by reducing the ability of the organization to meet the essential needs for reliable

information and systems to perform daily operations. In addition, the authors argue that IT internal control

weaknesses also reduce the ability of the organization to effectively and efficiently deliver customer service,

management support and productivity gains. The study of Stoel & Muhanna (2011) therefore complements

previous research, which is mainly based on the IT-enabled “competitive advantage” theoretical lens (see, for

example, Jeffers, Muhanna, and Nault 2008; Wang & Alam 2007; Aral & Weill 2007; Ray, Muhanna, and

Barney 2005; Ravichandran & Lertwongsatien 2005; Wade & Hulland 2004), by using an organizational

liability perspective. Instead of focusing on the distinctive advantages to which IT can lead, the focus has

been on the pitfalls and increased IT-induced risks that are related to poor IT internal controls (Stoel &

Muhanna, 2011). As modern organizations are increasingly dependent on IT, Stoel and Muhanna argue that

not properly attending to IT internal controls can result in deficiencies that lead to a liability (competitive

disadvantage) for the firm.

According to Krishnan, Peters, Padman, and Kaplan (2005) the reliability and integrity of data produced

by the information systems of the organization are critical for overall business success, and not just for the

production of reliable financial reports. Material weaknesses in IT internal controls can have a broad impact

on the organization as they can impact both the production of reliable financial reports as well as the

underlying business operations (i.e., the execution, recording, and safeguarding of raw transaction data

associated with core business activities). Additionally, looking at the integrated nature of today’s financial,

operational, and decision-support systems, it can be stated that the presence of material weaknesses in IT

internal controls indicates that the organization is not likely to meet its objectives of providing reliable

systems and quality data necessary to support managerial decision making and operational activities. It can

further indicate that the organization is unlikely to meet the confidentiality and availability expectations of its

customers and suppliers (Stoel & Muhanna, 2011). These statements imply that the presence of material

weaknesses in IT internal controls within an organization will lead to lower accounting earnings and

therefore have a negative impact on firm performance. Next to this, it is suggested by prior research that IT

can contribute to the future performance of organizations. This is based on the thought that IT can lead to

higher product and service quality, better flexibility, or can enable support for reengineering efforts and

improved customer service. Prior research has shown that these types of IT-enablement are strongly

recognized and priced by investors (see, for example, Anderson, Banker, and Ravindran 2006; Wang & Alam

2007; Sambamurthy, Bharadwaj, and Grover 2003; Brynjolfsson, Hitt, and Yang 2002). Based on these

studies, Stoel & Muhanna (2011) state that IT internal control weaknesses can also in this context be seen as

a liability as it reflects a reduced ability to capture future value from IT assets. They further state that when

investors impound these IT internal control weaknesses and potential future inabilities into stock prices,

the firm’s market value will be negatively impacted in case IT internal control weaknesses are present within

the organization.

Stoel & Muhanna (2011) have provided empirical evidence showing that IT controls are an

organizational necessity and that information systems-related risk is priced by the capital markets. Their

findings further support the organizational liability perspective, by which it is argued that it is essential to

have effective IT internal controls for realizing the full potential of IT while at the same time reducing the

associated risks. On the other hand, with this perspective it is argued that deficiencies in IT internal controls

will have a negative impact on firm performance (Stoel & Muhanna, 2011).

Having explained the benefits of good quality IT internal controls within organizations and the

importance of effective IT controls, it has become visible that organizations and their internal audit functions

can benefit from paying sufficient management attention to IT controls. As IT is becoming more and more

critical in today’s organizations it can be argued that management focus on IT controls should increase in the

coming years so that organizations can benefit from the effect that quality IT internal controls have on the

performance of the organization. The following paragraph (3.2) provides a description of the internal audit

function and its roles and responsibilities within the organization. The paragraph also describes the role of the

internal audit function in providing assurance on the internal control environment of the organization and

provides examples of best practices that can be followed in order to obtain the required assurance.

3.2 Internal audit function

3.2.1 Definition of the internal audit function

A review of the literature reveals a great number of studies performed on the existence and purpose of

internal audit functions within organizations. Through the decades the meaning and definition of the internal

audit function has changed. Historically, the internal audit function has been viewed as a so-called

“policeman and watchdog of the organization”, fulfilling the role of a monitoring function and tolerated as a

necessary component of organizational control (Spira and Page, 2003). With this view the internal audit

function was deemed subservient to the achievement of important organizational objectives.

Nowadays, this view has shifted towards a more positive vision on the role of the internal audit

function. During the 1980s outsourcing of the internal audit function became a popular strategy for

organizations in order to decrease the costs of internal control. This move to outsourcing has been one of the

driving forces behind the changing role of internal audit (Spira and Page, 2003). Bruce (1996) advocated that

the drive towards the integration of external and internal audit was a risk management approach by top

management and the desire to view this in an integrated way. However, a countervailing pressure was present

because of the need for independence of external auditors. The internal audit community responded to this by

emphasizing professionalism and the potential to add value to the organization by helping it achieve the

major corporate objectives (Spira and Page, 2003).

Having introduced a shift in the role of the internal audit function, the Institute of Internal Auditors

(IIA) officially adopted a new definition of the internal audit function in June 1999 (Nagy and Cenker, 2002).

This new definition has been developed by the Guidance Task Force (GTF) and is as follows:

‘The internal audit function is an independent, objective assurance, and consulting activity designed to add

value and improve an organization’s operations. It helps an organization accomplish its objectives by

bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management,

control, and governance processes (IIA, 2000)’

Looking at this new definition it becomes clear that the focus of the internal audit function has shifted

from one of assurance to that of adding value to the organization. The new definition provided by the IIA

attempts to move the profession towards a standard-driven approach with a heightened identity (Bou-Raad,

2000).

3.2.2 Roles and responsibilities of the internal audit function

During the past decades the growing concern for corporate governance has been beneficial to the

standing of internal auditors. By emphasizing the benefits of objectivity in their reports and the independence

of judgment it also boosted their claim to professional status (Spira and Page, 2002). Corporate governance is

a broad concept and has been used by boards of directors, regulators, investors, and accountants. The former

SEC (Securities and Exchange Commission) chairman, Arthur Levitt, has underscored the importance of

effective corporate governance. Levitt (1999) defined corporate governance as:

“The link between a company’s management, directors and its financial reporting system.”

A broader definition of corporate governance has been developed by the Organization for Economic

Co-operation and Development (OECD, 1999). They define corporate governance as follows:

“Corporate governance…involves a set of relationships between a company’s management, its board, its

shareholders, and other stakeholders. Corporate governance also provides the structure through which the

objectives of the company are set, and the means of attaining those objectives and monitoring performance

are determined. Good corporate governance should provide proper incentives for the board and

management to pursue objectives that are in the interest of the company and shareholders and should

facilitate effective monitoring…”

Looking at the definition provided by the OECD (1999) it can be seen that this one is described much more

broadly than the definition provided by Levitt. Important concepts that are introduced within the definition

of corporate governance as provided by the OECD are incentives, goal congruence, monitoring, and control.

Some of the elements within the definition of corporate governance also appear in the definition of the

internal audit function as outlined in the previous paragraph (par. 3.2.1). These shared elements are

assurance, risk, and control. According to Hermanson and Rittenberg (2003) an effective internal audit

function is an important “frontline player” in the two fundamental governance activities – providing

assurance regarding controls and monitoring of risks. A broader description of the internal audit function’s

role within corporate governance is given by the Institute of Internal Auditors (IIA). The IIA describes the

role of the internal audit function within corporate governance as follows:

“[Internal auditors’] roles include monitoring, assessing, and analyzing organizational risks and controls;

and reviewing and confirming information and compliance with policies, procedures, and laws. Working in

partnership with management, internal auditors provide the board, the audit committee, and executive

management assurance that risks are held at bay and that the organization’s corporate governance is strong

and effective. And, when there is room for improvement anywhere within the organization, the internal

auditors make recommendations for enhancing processes, policies, and procedures.”3

On the next page – in exhibit 2-3 – a graphical overview is provided of the different key roles of internal

auditors that together make up the internal audit function within an organization. According to the definition

provided by the IIA’s International Standards for the Professional Practice of Internal Auditing4, Risk

Assessment is a systematic process for assessing and integrating professional judgments about probable

adverse conditions or events. Selim and McNamee (1999b) state that risk is a concept used to express a

degree of uncertainty about events and/or their outcomes that could have a negative impact on achieving the

goals and objectives of the organization. It is therefore of great importance to manage the risks to which the

organization is exposed. In this regard it is the job of the internal auditor to identify all the activities that

need to be audited, the relevant risk factors within those activities, and to assess the significance of the risks

identified.

Exhibit 2-3: Roles of the internal auditor (Confirming Information, Analyzing Operations, Reviewing Compliance, Control Assurance, Consulting, Risk Assessment)

3 http://www.theiia.org/theiia/about-the-profession/about-the-internal-audit-profession/

4 http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/

The role of Confirming Information is an important step in the audit process and includes the

responsibility of keeping the organization informed on all discoveries and observations that are made during

an audit. According to the explanation provided by the IIA5 confirming information continuously with the

client helps the auditor to quickly analyze information and to make accurate and well-founded judgments on

the research object. This also means that it is a must for the internal auditor to have excellent communication

skills that will help the auditor in building a good relationship with the client.

Important to the well-being of an organization is that established protocols are being followed and that

organizational goals that flow out of the organization’s strategy are achieved. Here it is the role of the internal

auditor to Analyze Operations to make sure that appropriate procedures are being followed and that goals

throughout the whole organization are reached. To be able to fulfill this role internal auditors must be aware

of and well acquainted with the objectives of their organization. They also need to have the required knowledge on

the audit object in order to be able to examine and analyze the effectiveness of operations.

Organizations, whether they are national or global, big or small, public or private, all need to adhere to

rules and regulations. It is the responsibility of management to implement policies and to maintain the

necessary knowledge of the compliance requirements that are based on applicable contracts, laws and

regulations. The internal auditor’s role of Reviewing Compliance is reviewing the compliance objectives of

the organization and providing insight into the impact that non-compliance with rules and regulations can

have on the organization.4 Here it is important that senior management is informed in a timely manner of any indications

of significant non-compliance, so that timely actions can be defined in making sure that the organization

complies with all applicable laws and regulations. What makes this role difficult is that compliance issues

are always changing as laws and regulations are continuously being revised and adjusted and

organization policies are also being altered. Besides analyzing whether the organization is compliant with laws

5 http://www.theiia.org/theiia/about-the-profession/about-the-internal-audit-profession/

and regulations, the internal auditor also needs to ensure that objectives set by management are in line with

and adhere to the overall mission, culture, and climate of the organization.

In providing Control Assurance the internal auditors examine and evaluate the efficiency and

effectiveness of implemented controls by the organization. They further determine whether the implemented

controls are adequate and are mitigating the risks identified that threaten or have the potential to threaten

the well-being of the organization. Multiple frameworks have been developed over the years

to provide guidelines for effective internal control implementation within organizations and the monitoring of

the internal control environment. The two most important examples for this study are the framework of

internal control of the Committee of Sponsoring Organizations of the Treadway Commission (COSO)6 and

the Control Objectives for Information and Related Technology (CobiT)7 framework. These frameworks will be

discussed in following paragraphs.

The last role of the internal auditor discussed here is the role of Consulting. This role has evolved over

time and has changed the tasks and responsibilities of the internal audit function. This also led to the newly

developed definition of internal auditing by the Institute of Internal Auditors as described above (paragraph

3.2.1). Following the statement of Brody and Lowe (2000) this new definition puts internal auditing into both

the assurance and the consulting arena. The authors explain that consulting differs in its overall objective and

context from assurance. Assurance implies that value can be added by providing an assessment of the

reliability of data, processes and operations, whereas consulting attempts to make direct improvements to the

conditions or circumstances of an organization. According to Fernandes (2000) organizations have been

recruiting internal auditors to provide consulting services in various activities such as strategic alliances,

mergers, and acquisitions. Extensive research exists on the issues related to the conflict between providing

assurance and consulting services at the same time. As pointed out by Brody and Lowe (2000) consulting

done by internal auditors may create a conflict of interest as internal auditors must concurrently satisfy line

managers and conduct audits in the same department. They are therefore required to play both the role of

monitor and advisor which makes it difficult for the internal auditor to remain objective in his/her judgments.

As an in-depth discussion on this topic goes beyond the scope of the current study no further analysis on

this conflict is performed. In the next paragraph the internal control framework of the Committee of

Sponsoring Organizations of the Treadway Commission (COSO) will be discussed.

3.2.3 COSO framework for internal control

The Internal Control-Integrated Framework is a product of the 1970s’ Treadway Commission that has

been issued by the Committee of Sponsoring Organizations (the “COSO framework”). The framework

remains, however, a valid and frequently used basis for the management of risks in today’s organizations,

particularly with respect to SOX and Sarbanes-Oxley Rule 404. Its value has also been recognized by private

6 http://www.coso.org/

7 http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx

companies that use the framework for organizing their approach to internal controls. This is mainly due to the

fact that the framework enables executives to customize controls according to their most significant risks and

complexities (Deloitte, 2009).

According to Damianides (2005) internal control is defined by COSO as a process, effected by an

entity’s board of directors, management, and other personnel, designed to provide reasonable assurance

regarding the achievement of objectives in the following categories:

· Effectiveness and efficiency of operations.

· Reliability of financial reporting.

· Compliance with applicable laws and regulations.

Damianides (2005) further explains that the COSO framework offers the following key concepts:

· Internal control is a process. It is a means to an end, not an end in itself.

· Internal control is effected by people. It is not merely policy manuals and forms, but people at every

level of an organization.

· Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an

entity’s management and board.

· Internal control is geared to the achievement of objectives in one or more separate but overlapping

categories.

The COSO framework is depicted as a cube. Within the horizontal axis the business elements strategy,

financial reporting, and compliance are incorporated. This is a much broader focus than the Sarbanes-Oxley

Rule 404, as this rule only focuses on financial reporting. The broader focus of the COSO framework is

beneficial to the organization as it is looking at risks across the enterprise. When designing the approach to

managing risks, private companies should consider the five elements of the framework which are:

monitoring, information and communication, control activities, risk assessment, and control environment.

Each area provides options that may be considered by organizations in designing their approach to managing

risk (Deloitte, 2009).

Control environment: this element of the framework represents the conscience of the organization,

which can be described as the tone from the top. The main question here is how important risk management is

to the organization. Organizations with strong control environments do not only pay attention to strategy and

growth, but their boards also focus on risk and complexity in the business. These organizations are

characterized by:

· Having documented company principles and values.

· Having strong and clear governance and organizational structures, including charters, responsibilities,

and the composition of advisory boards.

· Managing the material numbers and risks that can impact shareholder value through utilizing key

performance indicators and dashboards.

· Requiring managers to attest to their view of risk areas, reconciliations, or other data, which enhances

accountability.

· Having human resources policies and practices employed that support internal controls and also address

situations such as conflicts of interest, gifts, and related parties.

· Encouraging employees to report on incidents that happen within the organization that involve fraud or

significant risk.

Risk assessment: the significant internal and external issues related to the organization are evaluated by

performing a risk assessment, which is a quantitative and qualitative approach. Risk assessments are effective

when the assessment incorporates not only the material financial numbers, but also the drivers of values and

risks within the company. The risk assessment examines multiple elements of the financial statements,

considering factors like the materiality of the account balance, the importance to operations, susceptibility to

loss or fraud, volatility in account balance, and the complexity of the calculation. These elements are

classified on a grid based on magnitude of the account and the likelihood of misstatement. The outcomes of

the risk assessment must be reported to the board. This enables the organization to evaluate and address its

risks and define a customized approach for addressing them from the top down (Deloitte, 2009).

Control activities: for mitigating the risks identified the organization should implement control

activities, which are the policies and procedures designed to address the controls that mitigate the risks.

These controls should be documented and followed. Typical controls include segregation of duties,

approvals, and reconciliations (Deloitte, 2009).

Information and communication: for an organization to be able to monitor and understand business

and control performance, the organization should have timely and accurate communication of information.

Timely and accurate information also helps employees to understand what is expected from them. Besides

that, it also provides managers the information needed to make the right decisions and avoid surprises

(Deloitte, 2009).

Monitoring: to be able to determine whether internal controls are adequately designed, executed, and

are effective the organization should implement monitoring processes. Monitoring processes exist throughout

the COSO cube. In order to substantiate that the monitoring activities are actually performed it is advisable to

position this element atop the model. It is important that employees know that they can be checked in order to

confirm that they are doing what they are supposed to be doing. With this it is important, however, to align

the scope and frequency of the monitoring activities with the significance of the risk and the importance of

the value driver in question (Deloitte, 2009).

3.2.4 An update to the COSO framework

Twenty years after the inception of the original COSO framework in 1992, COSO has made an update

to the COSO Internal Control – Integrated Framework. During the last 20 years business and operating

environments have changed dramatically, becoming increasingly complex, technologically driven, and global

in scope (COSO, 2011). Based on these changes COSO has updated the Internal Control – Integrated

Framework and believes that the updated framework will enable organizations to effectively and efficiently

develop and maintain systems of internal control that can enhance the likelihood of achieving the entity’s

objectives and can adapt to changes in the business and operating environments (COSO, 2011). Among the

most significant changes across all areas of the framework are:

· Applies a principles-based approach – The new COSO framework explicitly states the principles that

represent the fundamental concepts associated with the components of internal control. These principles

are to be used by management to assess whether an entity has effective internal control.

· Reflects the increased relevance of technology – Nowadays organizations are using or relying more on

technology than ever. It is therefore important to reflect on the increased relevance of technology,

especially as changes in technology can impact how all components of internal control are implemented.

· Enhances governance concepts – The updated framework includes an expanded discussion on

governance relating to the Board of Directors and committees of the Board, including

nomination/governance committees, compensation, and audit.

· Expands the reporting category of objectives – The financial reporting objective is expanded and now

includes other external reporting beyond financial reporting, as well as internal reporting (financial and

non-financial).

· Enhances considerations of anti-fraud expectations – Due to many scandals and the growing

importance of fraud detection, the new framework includes an expanded discussion on fraud. Further,

the new framework also considers the potential for fraud as a principle of internal control.

· Considers different business models and organizational structures – Over the past 20 years we have

witnessed a change in business models and organizational structures. Due to the globalization of

business new organizational structures evolve. Further, business models change as many organizations

are using third parties for providing products or services necessary to the ongoing operation of the entity.

This change in business models and organizational structures requires management to look in new ways

at their systems of internal control. The new COSO framework therefore explicitly considers the

extended business model including the responsibilities for internal control in this model and the

achievement of effective internal control.

With this paragraph a description of the role of the internal audit function in providing assurance on the

internal control environment of the organization has been provided. Further, a description of one of the most

popular best practices has been provided that can be followed in order to obtain the required assurance on the

internal control environment of a company. The following paragraph (3.3) discusses how the increasing reliance

on IT of organizations is impacting the internal audit function and how the internal audit function should

develop in order to be able, especially in the coming years, to design good quality IT internal controls and

to strive for these IT controls to be effective.

3.3 Impact of emerging IT on the internal audit function

3.3.1 The impact of emerging IT on the roles and responsibilities of the internal audit function

According to Hall & Singleton (2005) the field of auditing is impacted by the emerging developments in

Information Technology (IT). As they refer to the field of auditing as a whole, this also relates to

the activities performed by the internal audit function. Nowadays, IT is present in almost every business

process because of its advantages to make the existing processes more efficient and to improve

communications within the organization as well as between the organization and its customers/suppliers.

Because of the presence of IT, auditors therefore should have both IT and task expertise in order to be able to

perform their daily tasks efficiently and effectively (Bedard, Jackson, Ettredge and Johnstone, 2003).

Kimpton & Martin (2001) state that due to the evolving role of IT within organizations auditors are

required to be involved in the planning and organizing of IT-related projects and the implementation,

delivery and support of information systems. Moreover, auditors are also faced with the challenge of

monitoring the IT processes and controls, and providing assurance over the IT environment of organizations.

It is therefore no longer effective to audit “around the computer”, which has been the case in the past when

only manual processes and controls were audited. This makes it now essential for auditors to follow an audit

approach through and with the computer (Carrol, Merwe, and Lubbe, 2009). As the focus of the current study

is on internal auditors it is argued that internal auditors are required to obtain knowledge of auditing as well

as IT to be successful in their role to provide assurance over the IT environment of their organizations.

It has been confirmed by the International Standard on Auditing 401 (2002) that although the scope and

overall objective of an audit in a computerized information system environment (CIS) do not change, the

processing, storage and communication of financial information do change with the use of a computer.

Additionally, the use of computers (technology) may also affect the accounting and internal control systems

as implemented within the organization. Following the International Standard on Auditing 401 (2002) a CIS

environment may affect:

· The procedures followed by auditors in order to obtain sufficient understanding of the accounting and

internal control systems.

· The consideration of control risk and inherent risk through which the auditor arrives at the risk

assessment.

· The design and execution of tests of controls by the auditor, as well as the design and execution of

substantive testing procedures necessary for achieving the audit objectives.

The use of complex computer systems (including, for example, distributed databases, end-user

processing applications, and business management systems) can result in more risk for the organization and

therefore require further consideration by the auditor. In doing so, the auditor should obtain a clear

understanding of the complexity and significance of the information systems activities and the availability of

data that needs to be obtained in performing the audit.

Moorthy et al. (2011) state that in the current age, in which organizations rely on IT and multiple

participants in governance, it is the responsibility of internal auditors to assist the Audit Committee and

management in assessing the IT skill set of the organization, promote greater IT risk involvement on the part of

the external auditors and the Audit Committee, and identify overlaps and/or gaps in IT risk coverage. Internal

auditors should, according to Moorthy et al. (2011), also encourage the organization to explore Enterprise

Risk Management (ERM) techniques and tools in order to address IT and other risks at an enterprise level.

Hadden, DeZoort, and Hermanson (2003), who have performed research on the role of internal auditors and

the Audit Committee in the IT area, suggested based on their study results that all corporate governance

players (management, internal auditors, Audit Committee, external auditors) should increase their IT-related

efforts, thereby minimizing the probability of an IT-related control failure. This is something that should be

taken seriously, given the results of the study provided by Stoel & Muhanna (2011) that deficiencies in IT

internal controls will have a negative impact on firm performance (see subparagraph 3.1.3 above).

Based on the statements above it can be concluded that the internal audit function activities are

impacted by emerging IT. The ever increasing role of IT within organizations therefore causes Chief Audit

Executives of today to think about the necessary actions to take in order to prepare their internal audit

function for the Information age, one in which information technology and control over IT will be important

factors for overall business success. A study performed by PricewaterhouseCoopers (2007) on the future of

internal audit involving 72 Chief Audit Executives (CAEs) from Fortune 250 companies revealed that CAEs

indeed are expecting that emerging IT will impact the activities performed by the internal audit function. For

example, one of the CAEs interviewed said that he expects the lines separating IT and non-IT audits will

continue to blur in the coming years. Another CAE explained that his organization is providing IT training

for its internal auditors. These statements suggest that internal audit leaders are realizing that the activities

performed by the internal audit function will be impacted by the increasing role that technology will play in

future organizations. The study of PricewaterhouseCoopers (2007) further reveals that CAEs are thinking

about the needed skills and capabilities for their internal auditors in the coming years. It is stressed that it will

become essential for the organization to have talented audit professionals that are able to evaluate and test

internal controls, and to audit and assess complex IT environments. The CAEs interviewed further expect a

significant increase of internal audit professionals in the technology area and also gave the highest priority to

skill sets in the area of technology and risk management. In addition to this, some of the CAEs interviewed

said that it becomes increasingly important to find talented professionals with integrated skills in finance and

technology, and that IT skills are a must. Taking these findings into account it can be assumed that emerging

IT, and with that the evolving role of IT within organizations, leads to an integration of IT audit with

traditional auditing operations. As the results of the study by PricewaterhouseCoopers (2007) suggest, IT

skills will be an essential complement to traditional auditing skills and an understanding of IT risks needs to

be gained by internal audit.

Based on the discussion above it becomes relevant to know the best ways to develop IT audit

knowledge and skills for internal auditors. The following subparagraph will go deeper into this question by

explaining ways to develop the required IT audit knowledge and skills based on previous research performed.

3.3.2 IT audit knowledge and skills development

The need for continuous development of (IT) audit knowledge and skills is important for auditors to be

able to perform their tasks efficiently and effectively. Pathak (2005) stated that the modern auditor must be

seen as a complex, trained and educated person that must possess skills beyond traditional financial audit,

including knowledge related to information technology and management, sociology, security and forensics,

and professional judgment. The U.S. General Accounting Office (GAO) and the National State Auditors

Association (NSAA) conducted a survey (2001) by which they provided a skill-assessment of state

government audit agencies. The results of the study indicated that, overall, auditors had a minimum

understanding of the information technologies they audited. The survey included 75 technical categories, and

the results of the survey revealed that in 55 out of the 75 categories, more than 40 percent of the respondents

wanted more experience and training in those areas of technology (McCollum, 2002). These findings are

supported by the results of the study performed by Hunton, Wright, and Wright (2004), who in their study

performed a comparison of risk assessments between clients with non-ERP systems and ERP systems and

between IS (Information Systems) and generalist auditors. The results showed that control risks presented by

more complex ERP systems are more difficult for generalist auditors to understand than for IS auditors.

The implication of this finding is that there is an increased need for auditors to gain knowledge in the area of

information systems/technology and related controls, considering the ever increasing complexity of systems

along with the need for automated controls (Curtis, Jenkins, Bedard, and Deis, 2009). A more recent study,

performed by Brazel & Agoglia (2007), also found that the IS expertise of generalist auditors is a significant

determinant of control risk judgments in complex computer environments. Additionally, Brazel and Agoglia

provided empirical evidence showing that auditors with greater IS proficiency are better at identifying ERP

risks.

Moorthy et al. (2011) conclude that it is important to recognize the increasing reliance on information

technology to accomplish and/or support the audit activities. The authors state that the auditor’s professional

knowledge and skills set is made up of an ever-increasing percentage of technology topics. In addition, they

emphasize the importance of continuous acquisition of new knowledge due to the rapid changes in IT and the

use of IT within organizations. For example, the use of the internet by organizations changes quickly and,

therefore, the knowledge and skills of auditors in this area must be constantly updated with the new changes

in order for the auditors to be of value in audits and audit planning. Not only knowledge and skills related to

changes in information technology are important. Besides this, emerging information technologies also

cause auditors to worry about new auditing risks (Moorthy et al., 2011). Examples of new auditing risks can

be, among others, risks related to the use of Cloud computing services (e.g., Heiser & Nicolett, 2008), Social

Media (e.g., Kaplan & Haenlein, 2010), and portable devices such as mobile phones (e.g., Furnell, 2006). It is

evident that the use of these emerging technologies brings new risks to the organization, which therefore need

to be well understood by the internal auditors in case their organization utilizes them.

Auditors that enter the field of IT audit usually hold a bachelor’s degree with a major in Accounting,

computer science, and/or Management Information Systems (MIS) (Hunton et al., 2004). It is added by

Hunton et al. that besides having sufficient knowledge of information technology, such as network security,

operating systems, and e-commerce, it is essential for a person who wants to enter the world of IT audit to

just genuinely like technology and computers. This statement is supported by the results of the study

performed by Merhout & Cothran (2006), in which one of the IT audit hiring managers interviewed

emphasized that a student should simply have a good aptitude for technology. Based on these statements it

can be assumed that internal audit functions should have auditors that have a feeling for information

technology, as this will probably lead to greater IT audit knowledge and skills given the simple fact that these

persons will continuously learn and update their knowledge in the arena of technology.

Given the relevance of gaining knowledge about information technology, the accounting curriculum has

integrated specific IT courses in order to prepare future accountants/auditors in this area. One of the bodies

that looked at the significance of IT in the accounting curriculum is the International Federation of

Accountants (IFAC). In 1995, the IFAC published the Education Committee Guideline 11 in which it is

stated that “Competence with this technology is an imperative for professional accountants.” Additionally, it

is stated that IT “… requires special attention due to its explosive growth and its rapid rate of change.”

(IFAC, 1995, pp. 1-2). Reviewing the scientific literature related to this topic shows that various studies have

been performed that focus on the need to include information technology courses into the accounting

curriculum (e.g., Curtis et al., 2009; Greenstein & Mckee, 2004; Merhout & Cothran, 2006). Next to this,

auditors or other professionals that want to enhance their knowledge and skills in IT auditing should go for

obtaining one of the recognized audit certificates related to IT.

The CISA designation offered by ISACA is probably the most prestigious international credential

available for entry-level IT auditors (Hunton et al., 2004). The value of CISA is evident from the time it has

been around. The certification has lasted for the past thirty years within the information era, which is proof of

its value from both the employees’ and employers’ perspectives (Ryan & Schou, 2004). In the UK there has

been a remarkable increase in practitioners that are CISA certified, which also indicates the international appeal

of CISA (Mansour, 2005). The requirements for the CISA certification are: a successful completion of the

CISA examination, five years professional experience in IS auditing, control or security, adhering to the code

of auditing standards and code of professional ethics, and maintaining the obtained skills by continuous

education. The exam is divided into seven content areas. Each section is

weighted according to its importance. The two sections that carry the highest weights are:

“Protection of Information Assets” (25% of the exam) and “Business Application System Development,

Acquisition, Implementation and Maintenance” (16% of the exam), while “IS Audit Process” is only 10%

of the exam. Entry-level IT auditors with a MIS or related degree are given an advantage when preparing for

the exams as many of the IT subject areas are often already included in MIS curriculums (Merhout &

Cothran, 2006).

ISACA also offers another designation, the CISM (Certified Information Security Manager),

which is aimed at experienced security managers. Hunton et al. (2004) also noted other valuable

certifications such as the Certified Information Technology Professional (CITP), Certified Internal Auditor

(CIA) and Certified Fraud Examiner (CFE). Next to these there are numerous other certifications available,

though these seem to have their focus on the information security professionals rather than IT auditors.

Whiteman and Mattord (2005) add the following relevant certifications for practitioners in the field of IT

auditing: System Security Certified Practitioner (SSCP), Global Information Assurance Certification (GIAC),

Certified Information Systems Security Professional (CISSP) and Certified Information Forensics

Investigator (CIFI). The numerous certifications available are a clear indication that the IT audit profession

aims for high ideals in terms of service to its stakeholders and to the development of its workforce (Merhout

& Cothran, 2006). Moreover, Merhout and Cothran found in their content analysis of IT audit job

advertisements that 69% of the ads between 2004 and 2005 mention holding certifications such as CISA,

CISSP, CISM and/or CFE as a must or at least a plus.

The amount of experience professionals need for a job in IT audit varies. This depends on the

seniority of the level of support and whether the IT auditor will work alone or be part of a team. An

individual’s success is usually equal to the depth of their IT and business experience prior to becoming an IT

auditor, coupled with their willingness for further development and on the job learning. Once hired as an IT

auditor, genuine professional and personal development is more than gaining the required number of

“CPEs” (Continuing Professional Education credits) to renew qualifications such as CISM, CISA and

CISSP. The genuine and most successful IT auditors are the ones with an everlasting drive for further

development and a great fascination for audit, technology and related topics (Merhout & Cothran, 2006).

This clearly implies that besides having a good basic understanding of IT audit, which can be obtained by

following the educational courses as previously outlined, professionals within this profession should

continuously update their knowledge related to new emerging technologies. As emerging technologies can

have an impact on the way an organization conducts its business, it also brings with it new risks that must be

well understood in order for organizations to be able to be in control over their current and future IT

environments. Therefore, it is a must for internal auditors to keep up to date with the current developments

within the field of information technology and with the threats that come along with utilizing the new

technologies.

3.3.3 Ensuring an appropriate level of IT knowledge within the internal audit function

So what can internal audit functions do to ensure an appropriate level of information technology

knowledge among their internal auditors? An interesting study that can be used to answer this question is the

study performed by PricewaterhouseCoopers (2007), by which they examined the future of internal audit.

Through responses to the surveys sent to 72 Chief Audit Executives (CAEs) and 10 thought leaders, and

in-depth interviews held with 19 individuals representing a cross-section of the survey population,

PricewaterhouseCoopers has defined multiple strategies to address information technology risks and the need

for competent IT audit resources. Based on the survey responses it is noted that CAEs intend to employ a

variety of organizational, infrastructure, and human resource strategies to address information technology

risks and the need for IT audit resources. These strategies range from using technology tools for supporting

auditors in their daily tasks to enhancing the IT audit skills of the core internal audit staff and/or maintaining a

fully separate IT audit group for addressing technology risks. The results of the study performed by

PricewaterhouseCoopers (2007) show that most of the CAEs intend to go for the strategy to increase the core

skill level of the general internal audit staff in order for them to understand and audit technology risks. The

table below (Exhibit 2-4) provides an overview of the 10 strategies defined by

PricewaterhouseCoopers for addressing technology risks and the need for IT audit resources, including

projected usage (%) of the CAEs surveyed. A discussion on the top 3 ranked strategies is provided.

Looking at the number 1 ranked strategy by CAEs (increase the core skill level of the general internal

audit staff), it can be argued that CAEs want to strengthen the knowledge and skills of the current staff. This

finding is supported by the results of the study performed by Saharia, Koch, and Tucker (2008), who found

that internal audit departments satisfied their needs for ERP-skills and related technology risks by providing

the staff with in-house training instead of hiring external parties with expert knowledge. Results of the study

also indicate that the primary means of staying up to date with knowledge related to ERP systems and related

risks is to have the possibility of independent study for staff, classroom instructions, and/or seminars where

current issues are being discussed around the topic of interest (Saharia, Koch, and Tucker, 2008).

Exhibit 2-4

| Projected usage (%) | Strategy to address HR & organizational needs in IT audit |
| --- | --- |
| 76 | Increase the core skill level of the general internal audit staff for understanding and auditing technology risks |
| 68 | Acquire more sophisticated technology tools to address technology risks |
| 60 | Increase the use of third-party experts |
| 57 | Embed some auditors with IT audit skills in the larger internal audit function while maintaining a separate IT audit group to support audit teams in addressing technology risks |
| 54 | Deploy higher-level/more experienced IT auditors |
| 49 | Increase the number of IT auditors with relevant certifications |
| 47 | Increase the percentage of total staff who are IT auditors |
| 37 | Deploy technology professionals who are not auditors |
| 26 | Maintain a separate IT audit group within internal audit to address technology risks |
| 14 | Embed auditors with IT audit skill sets within larger internal audit function without maintaining a separate IT audit group to address technology risks |

Source: PricewaterhouseCoopers, 2007

68% of the respondents indicated that they intend to acquire more sophisticated technology tools to

address technology risks. This implies that internal audit departments should focus on the use of, for example,

the so-called Computer-Assisted Audit Tools (CAATs). CAATs include a variety of tools consisting of

operating systems and database management system security evaluation software, network security

evaluation software, data analysis software, and software and code testing tools (Sayana, 2003). There are

multiple situations in which CAATs can be used to assist auditors during the audit to test the IT controls present.

These situations arise if the client uses, for example: (1) systems and/or applications that involve

electronic data interchange, (2) systems to electronically provide services to customers, (3) electronic

payment systems, or (4) decision support systems involving automatic reasoning in order to support decision

making within the organization (Gallegos, Senft, Manson, and Gonzales, 2004). When using CAATs it is

important for the audit team during the planning phase to link the available CAATs with high risk areas. In

this case the auditors can take full advantage of the ability of CAATs to test specific risks and audit 100% of

large volumes of data easily (Suen, 2009). According to Suen (2009) CAATs will only improve audit

efficiency and the strength of audit evidence if the auditors using the tools have a good understanding of the

client’s business processes and if they have experience with the audit tools. With the focus in the current

study on internal auditors, it can be argued that internal auditors possess a good understanding of the business

processes as they are part of the organization they are working for. If internal audit executives choose to

make use of CAATs, they must arrange training activities in order to increase the experience with the audit

tools among their staff.

60% of the respondents of the study performed by PricewaterhouseCoopers (2007) indicated that they

intend to make use of third-party experts for addressing technology risks and IT audit resources needs.

The adoption of this strategy by internal audit executives is also highlighted by Flemming (2003), who states that

the internal audit function more often obtains the required audit capacity and competency through in-sourcing

or co-sourcing contracts. Organizations that can provide these services are the large accounting firms,

business service providers, and/or consultancy firms. The question should always be: can we achieve

sufficient assurance? If this is not the case the internal audit function should determine in which areas

insufficient resources are available in terms of capacity and/or competency. For those areas where the

internal resources are insufficient to achieve the required assurance, external resources must be obtained

through possible in-sourcing and/or co-sourcing arrangements in order to have the necessary skills for

performing the audit.

3.4 Summary of literature review

Based on the literature review answers can be defined for the sub questions central to this study. As is

already pointed out in paragraph 2.9 (Answering the research questions), the search for relevant scientific

literature related to the current study’s topics is performed to find answers to sub questions 1 – 3. This

paragraph describes the answers found to these research questions by providing a summary of the literature

as described and discussed within the previous paragraphs (3.1, 3.2, and 3.3).

Sub question 1: What is the impact of emerging IT within organizations on the roles and responsibilities

of the internal audit function?

Based on the information provided by previous research it can be stated that the field of auditing is

impacted by the emerging developments in IT. More than ever it has become crucial to the survival of

almost every organization to have timely, accurate, and complete information based on which management

can make its decisions. In order to be able to manage this information, organizations are investing substantial

capital in the development and maintenance of information systems and information technologies. Besides

providing advantages to the organization, the use of complex information technologies can result in

more risk for the company and therefore require further consideration by the internal auditor. Due to the

evolving role of IT within organizations and the use of IT within the core business processes it is expected

that the lines separating IT and non-IT audits will continue to blur in the coming years. This causes internal

auditors to be faced with the challenge of monitoring the IT processes and controls, and providing assurance

over the IT environment of their organizations.

One of the purposes of this study is to investigate what the impact of emerging IT within organizations

is on the existing roles and responsibilities of internal auditors. Based on the literature review the roles of

internal auditors include, among others, monitoring, assessing, and analyzing organizational risks and

controls. It can be concluded that emerging technologies are impacting the role of internal auditors by

bringing new risks to the organization that are related to the use of emerging IT. The new IT risks that come

with the use of emerging technologies by the organization in turn lead to the need for the internal audit

function to implement IT internal controls in order to mitigate those risks. It therefore becomes important for

organizations to have a framework that addresses technology in order to be functional in today’s audit

environment. For this, internal auditors are adopting specialized frameworks such as CobiT with which they

are able to implement adequate IT internal controls within the organization. Based on this it can be concluded

that the Risk Assessment and Control Assurance roles of internal auditors are affected by the use of

emerging technologies within organizations. Having the role of Risk Assessment, internal auditors will need

to identify all new activities that exist due to the use of emerging technology and the relevant risk factors

within those activities. Therefore, this role is impacted as internal auditors will need to possess the IT

knowledge and skills needed to be able to perform this role correctly. The same is true for the internal

auditors’ role to provide Control Assurance. To perform this role within organizations that use

emerging technologies, internal auditors are also required to have the specific IT audit knowledge and skills

in order to be able to examine and evaluate the efficiency and effectiveness of implemented controls around

the use of IT by the organization. The impact of emerging IT on the internal control of organizations is also

emphasized by the Committee of Sponsoring Organizations (COSO), which has provided an update of the

COSO framework that reflects the increased relevance of technology, especially as changes in technology

can impact how all components of internal control are implemented. With the increasing reliance on IT by

organizations, it becomes the responsibility of the internal auditor to assist the Audit Committee and

management in assessing the IT skill set of the organization, promote greater IT risk involvement, and

identify overlaps and/or gaps in IT risk coverage. Moreover, internal auditors will have the responsibility of

encouraging their organizations to explore enterprise risk management (ERM) techniques and tools in order

to address IT risks at an enterprise level.

Sub question 2: How does the internal audit function of Dutch organizations need to develop in order to

be able to adequately audit the increasing complexity of IT?

For organizations to have adequate control over the information technologies they use, they should have

enough employees with the required technical knowledge and skills in order to identify and assess the

relevant IT controls. Due to emerging IT and the increasing complexity of IT within organizations internal

audit functions need to focus on the development within the area of IT audit. As previous studies have

shown, generalist auditors do not possess the required knowledge to fully understand the risks and controls

that come with emerging IT. Besides having a pool of IT auditors within the internal audit function, it

therefore becomes important for the function to train the generalist auditors in the area of information

systems/technology and related controls as they will also have to deal with an increasing number of

automated controls within the business processes they audit.

Having the required IT audit knowledge at one point in time is, however, not enough for ensuring that

the internal auditors will be able to adequately audit the increasing complexity of IT within their

organizations. In order for the internal auditors to perform their tasks efficiently and effectively there should

be continuous development of (IT) audit knowledge and skills. The importance of this continuous acquisition

of new knowledge is emphasized as businesses are witnessing rapid changes within the use of IT. This has

been illustrated with the use of the internet by organizations. As the way organizations use the internet to

perform their businesses changes quickly, the knowledge and skills of auditors in this area must be constantly

updated with these new changes. Therefore, it is a must for internal auditors to keep up to date with the

current developments within the field of information technology and with the threats that come along with

utilizing the new technologies. The literature review has shown that due to the increasing use of IT within

organizations the accounting curriculum has integrated specific IT courses in order to prepare future

accountants and auditors in the area of IT audit. In order to obtain the required knowledge (basic audit and

specialized), internal auditors have the possibility of obtaining one or more of the recognized audit

certificates such as the CISA, CISM, and CISSP certification. It should be noted however that only obtaining

a certificate such as the ones mentioned above will probably not be sufficient for training the internal audit

staff in the area of IT audit. Certificates such as the CISA, CISM, and CISSP are obtained by taking one

multiple-choice exam for which the person trying to obtain the certificate has to perform a self-study.

Preparing for a CISA exam, for example, will take one or two weeks. Based on these

rather short studies it can be argued that only obtaining one of the recognized certificates will not be

sufficient, and that therefore prior experience such as a bachelor’s degree with a major in Computer Science

and/or Management Information Systems should be considered when hiring IT auditors to become part of the

internal audit function. Next to this, some countries such as The Netherlands provide full postgraduate master

courses through which people can become a recognized IT auditor. If this course is successfully completed

the IT auditor can opt for becoming a member of the professional association NOREA (Nederlandse Orde

van Register EDP-Auditors)8. Being a member of the professional association NOREA means that you are an

expert in the area of IT audit. These persons are therefore valuable when developing the internal audit

function in the area of IT audit. For the development of the internal audit function to be able to adequately

audit the increasing complexity of IT, internal audit management should not only focus on the knowledge and

skills development of the current internal audit staff. Next to that, they must ensure that they have auditors

who have a deep fascination with technology as this will probably lead to greater IT audit knowledge and

skills given that these persons will need to continuously learn and update their knowledge in the field of

information technology. This can mean that internal audit executives should consider refreshing their current

IT audit staff with new and young IT auditors that are fully focused on a career in IT audit. These new and

young trained IT auditors are flexible and can easily adapt their knowledge to the changes in IT that will

rapidly occur within their organizations.

Sub question 3: Which strategies can be followed by the internal audit function in order to realize the

further development of the function in the area of IT?

Based on the literature some strategies have been formulated that internal audit functions can follow in

order to realize the further development of the function in the area of IT. Chief Audit Executives are mostly

considering following the strategy of increasing the core skill level of the internal audit staff to make them

understand and be able to audit technology risks. One way to achieve this is to provide the internal audit staff

with in-house training possibilities such as independent study, classroom instructions, and/or seminars where

current issues in the area of IT are being discussed.

Another possible strategy for internal audit functions is to start using or increase the use of sophisticated

technology tools with which technology risks within the organization can be addressed. This means that the

internal audit function can choose to make use of computer-assisted audit tools (CAATs). Using such tools

for substantive testing to search for specific errors and frauds or to provide total assurance on the data

processing significantly increases the credibility of and value provided by the internal audit function. A

prerequisite for using such tools is that the auditor has a good understanding of the client’s business processes

and has experience with the audit tools. Internal audit functions that choose to follow this strategy should,

therefore, also devote enough time in training the internal audit staff in the use of these tools in order to

increase the experience.

For addressing the need for IT audit knowledge and skills, internal audit functions can make use of

third-party experts. Making use of third-party experts makes it possible to address specific technology risks

for which the required knowledge is not available among the current internal audit staff. Obtaining the

specialized knowledge can be done through engaging in in-sourcing or co-sourcing contracts with

Consultancy firms, Accounting firms, and/or business service providers. When following this strategy it will

be valuable to let the in house auditors shadow the experts that are hired for performing the audits. In this

8 http://www.norea.nl/


way, the current internal audit staff will at the same time be trained in the specialist areas. Thereby, the

internal audit function can maintain the knowledge within the organization after the audits have been

performed.


4. Case study results

This chapter provides an overview of the answers gained from the multiple interviews held with internal

audit directors and managers. Based on the information gathered during the interviews a good description can

be provided of how the internal audit functions selected for this research are being impacted by emerging IT

and how they need to develop to ensure an appropriate level of IT knowledge and skills among their internal

audit staff to be able to adequately audit the increasing complexity of IT within their organizations. The

following paragraphs provide an overview of the answers obtained.

4.1 Case study 1 - Ahold

One of the organizations selected for the case study is Ahold. The following subparagraphs provide a

description of the organization and the internal audit function of Ahold. Further, the answers gained during

the interviews that are related to the research questions central to this study are described.

Interviewees:

Internal audit director Peter van de Fliert

IT audit manager Co Wenker

4.1.1 Organization description

Ahold is an organization based in the Netherlands and is known as an international retailing group⁹.

The organization holds strong consumer brands in Europe as well as in the United States. Currently, Ahold

has 3,008 stores around the world and is employing 218,000 employees. Total sales in 2011 added up to

€30.3 billion, placing it among the biggest organizations in the world (ranked 104 in Fortune 500¹⁰). The

foundation of Ahold is to sell great food with having supermarkets as its core business. Ahold also operates

in other formats including: Online; Convenience stores; and Fuel Stations. With the online businesses Peapod

and albert.nl, Ahold serves people within the Netherlands and the United States. The convenience stores

(“Albert Heijn To Go”) are known as small size stores located in busy areas such as train stations and

shopping streets. These stores are focused on the on-the-go customers with fast food solutions. In countries

such as the United States, Czech Republic, and Slovakia Ahold is also selling its products through fuel

stations.

The international headquarters of Ahold are based in Amsterdam, the Netherlands. Next to the

headquarters in the Netherlands, Ahold also holds offices in Switzerland and the United States. Ahold

Corporate is responsible for the functions that support the business, including strategy, finance, legal,

9 https://www.ahold.com/

10 http://money.cnn.com/magazines/fortune/global500/2007/snapshots/7908.html


compliance, insurance, human resources, communications, mergers & acquisitions, corporate responsibility,

information management, and internal audit. The picture below provides a good overview of the

organizational structure of Ahold, including all of its brands (source:

http://2011yearreview.ahold.com/downloads/Ahold-Full-AR-2011.pdf):

4.1.2 The internal audit function of Ahold

The internal audit function of Ahold falls under the responsibility of Ahold Corporate. The function

adds up to approximately 40 employees of which 50% is working in the United States and 50% in Europe.

Within the internal audit function in Europe a dedicated IT audit group exists. The size of the European IT

audit group is rather small as it only consists of 2 IT auditors. In addition to the IT auditors there are also 2

operational auditors that have finished the RE (Register EDP-auditor) post graduate education.

The internal audit function of Ahold can be viewed as a mature function given its size and many years

of existence and experience. In 2003 Ahold was involved in a public scandal, causing the management of

Ahold to implement a policy of ‘zero tolerance’ in the areas of compliance and controls in which the internal

audit function played a strong role in improving controls and providing assurance. In 2006, Ahold decided to

delist from the New York Stock Exchange. Following this decision was a new period in which the Executive

Board of Ahold announced that the internal audit function should take up the role of ‘trusted business

advisor’. This led to the implementation of a new organizational model for the internal audit function. The

implementation started with the appointment of a new Chief Internal Audit. Under the leadership of the new

Chief Internal Audit the internal audit function has been able to put more focus on what is happening in the

business, leading to more knowledge of the operational risks instead of only focusing on compliance and

controls. After the retirement of the Chief Internal Audit, again a new Chief Internal Audit was appointed.

After his appointment he took the time to analyze the developments within the market. Based on this analysis

it became clear that having proper control over strategic risks is significantly important to the organization.

Therefore, the goal of the internal audit function became to provide assurance over strategic risks related to


the overall strategy of Ahold. With this new goal the internal audit function is now fully focused on the

strategic risks of the Ahold Group. Having such a focus means that there is no area within the businesses of

Ahold that is now not being audited by the internal audit function.

The audits performed by the internal audit function of Ahold are partially based on the COSO

(Committee of Sponsoring Organizations of the Treadway Commission) framework. To be more precise,

Ahold is maintaining its own control framework called the ABC Framework (Ahold Business Control

Framework). The aim of this framework is to provide reasonable assurance that the risks to not achieving

strategic objectives are identified and mitigated as such. The ABC Framework developed by Ahold is based

on the recommendations of COSO. Further, elements of CobiT are also incorporated into the framework in

order to control the risks related to the use of information technology by the organization.

The internal audit function is not making use of in-sourcing/co-sourcing services in performing the

audits. In the past this has been the case, however, nowadays this is becoming less and less relevant. This can

be explained by the fact that the second line of defense within the organization – the Internal Control function

– is hiring experts if needed. For example, when implementing a new website the Internal Control function

hires experts to conduct penetration tests in order to see how well secured the access to the

website is. The interviewees indicated, however, that when needed the internal audit function will hire

experts through in-sourcing/co-sourcing agreements.

4.1.3 Impact of emerging IT on the roles & responsibilities of the internal audit function

According to the interviewees the impact of emerging IT on the roles and responsibilities of the internal

audit function of Ahold will not be significant. However, the function should always move along with the

developments within the business, as is the case for IT related topics. Emerging IT can lead to a change in

scope and the execution of audits. According to the internal audit director, developments such as “bring

your own device” call for specific attention from an audit perspective. The use of mobile devices

definitely brings new risks to the organization that must be identified and mitigated. This is also true for the

developments within the business related to the online web services provided by Ahold. Due to the increasing

use of web services the risk of being hacked is increasing and should be acted upon appropriately. As these

types of emerging IT are also present within Ahold and do lead to new (IT) risks it can be expected that these

developments will also have an impact on the roles and responsibilities of the internal auditors of Ahold.

Though, according to the internal audit director and IT audit manager interviewed this will not impact or

change the roles and responsibilities of their current internal audit staff. They state that instead of having an

impact on the roles and responsibilities, it will have an impact on the content of the knowledge required.

According to the internal audit director and IT audit manager there will be more need for specialist

knowledge in the coming years. To illustrate this, the internal audit director provided an example that relates


to the use of Cloud Computing services by Ahold. Ahold is using the Cloud Computing services from Google

for its email traffic (Gmail). Ahold must obtain assurance on the Cloud services delivered and this assurance

is provided by Google. In order for Ahold to assess whether the assurance provided by Google is sufficient

for achieving its own organizational objectives, the internal audit function should have experts related

to this type of service for conducting the assessment. This should however not impact the task activities of

the current internal audit staff. If this knowledge is not available then it should be obtained by simply hiring a

subject matter expert for performing the analysis. This again was illustrated with an example focused on the

use of websites by the organization. The security around the use of websites by Ahold is tested by an ethical

hacker who is hired by the organization to perform professional security checks on the websites. Another

reason for explaining why the roles and responsibilities of the current internal audit staff are not significantly

impacted by the increasing reliance on technology is the fact that Ahold has started to outsource the

administration of its IT since the beginning of 2005 and has extended the outsourcing contract in 2009¹¹. By

outsourcing the IT function, the controls around the use of IT are mainly being performed by the outsourcing

party. New IT solutions therefore do not have a direct impact on the audit activities of the current staff.

Instead, Ahold internal audit is relying on the assurance provided by its IT service providers. What is needed

therefore is the knowledge to assess whether the assurance provided by the IT service providers is sufficient.

Again, if this knowledge is not available experts will be hired in by the company.

4.1.4 The development of the (IT) internal audit function

According to the internal audit director and IT audit manager interviewed, how the internal audit

function should develop is mostly dependent on the business activities performed by the organization. It is

always important to look at the ratio of the audit function relative to the business. If, for example, IT is only

good for 10% of the business activities and the remaining 90% consists of other business processes then this

ratio should also be considered within the internal audit function. Further, if the organization has outsourced

most of its IT and therefore will get assurance from the service providers on the IT risks then this will also be

reflected within the lines of defense and therefore the internal audit function. It is therefore always necessary

for the internal audit function to mirror the risk level as it is in the business. Another development

within the internal audit function of Ahold is, according to the interviewees, that the IT-auditor is taking more

distance from the role of only testing controls and reporting on what is effective and what is not. Instead, the

business is being more involved by asking them how they know that they are in control over their own

processes and what they have implemented to warrant that they are actually in control. Within Ahold, this

will probably lead to less need for IT audit resources and being able to rely more on the activities already

performed within the business. Next to this, due to the outsourcing of the IT by Ahold all audits that have

previously been performed on the Unix, Oracle, and Windows environments will not be that extensive

11 http://www.computable.nl/artikel/nieuws/infrastructuur/3179908/2379248/ahold-besteedt-ict-opnieuw-uit-aan-hp.html


anymore in the future. For assurance on the risks related to these environments Ahold now relies on Third

Party assurance reports (e.g. ISAE3402, ISAE3000, and SSAE16)¹² from its service providers. This also

leads to less need for IT audit resources for the technical compliance activities within the internal audit

function of Ahold. Given these developments the interviewees do not see the need for specifically focusing

on the development of the internal audit function in the area of IT audit.

4.1.5 Strategies to address the needs for IT audit knowledge and skills

The respondents were asked how they will address the need for IT audit knowledge and skills in the

coming years. Both the internal audit director and the IT audit manager answered that the knowledge and

skills needed by the internal audit function are becoming visible when developing the yearly audit plan.

Based on the audit plan the needed capacity of the internal staff will be determined. The aim of the audit plan

is to identify all the relevant risks within the organization that can potentially cause the organization to not

achieve its strategic objectives. Whenever the risks have been identified it also becomes known which

business processes are affected. By having clear which processes need to be controlled, and therefore also

audited, the internal audit director knows which resources he will need in order to be able to adequately

execute the audit plan. In case risks are identified that are related to the use of IT within the organization then

there need to be enough resources available that can address those risks. However, the interviewees indicated

that these resources do not necessarily have to come from within the organization. If there is a strong need for

expert knowledge to address specific risks the best strategy to follow is to hire experts from outside the

organization as this is the easiest and most efficient way for obtaining the knowledge required. Additionally,

the respondents also indicated that they have the possibility to swap resources with the internal audit function

of Ahold USA. This can be very helpful when it turns out that the internal audit function of Ahold USA

possesses the expert knowledge needed for adequately performing the audits. The respondents emphasized

that with preparing the audit plan the internal audit function also takes the developments within the business

and the market into account. If there are developments which in the long run will require the internal audit

function to respond to, the management of the function should determine if it is necessary and useful to have

the current internal audit staff or part of it being trained so that they will possess the required knowledge and

skills when needed.

The internal audit director and IT audit manager interviewed particularly stressed the importance of

keeping up to date with the developments within the use of information technology. In order to keep up to

date with the developments it is important for the internal audit staff to attend seminars related to emerging

IT to learn about the consequences it can have for the organization. The respondents indicated that they have

recently attended a seminar in which the development of IT within the next 10 years has been discussed. By

attending such seminars it can be determined whether or not it is useful to facilitate training days for the

current internal audit staff. Next to this, the IT audit manager also indicated that as an IT audit manager one

12 http://www.ifac.org/sites/default/files/downloads/b014-2010-iaasb-handbook-isae-3402.pdf


should not ignore invites that are received from training bureaus or for attending seminars. As these

institutions are always focused on the latest trends and developments within their discipline, in this case IT,

you will notice what is important and what is not. For example, if ten or more invites are received which are

focused on Cloud Computing and/or ‘bring your own device’, then as an IT audit manager you have an

indication of the hot topics in this area. Based on this you can decide if it is needed to pay attention to these

topics and how they can impact the business of your organization. The internal audit director added that as a

pro-active internal audit function you should always keep in touch with the contacts within the business and

IT in order to know what kind of developments they see within the business and IT and how they think this

will impact the day-to-day activities of the company. By doing this the internal audit director and IT audit

manager of Ahold are aware of the fact that the topic ‘bring your own device’ is becoming increasingly

important to focus on as this will be used by the organization in an extended way during the coming years. It

is therefore important for the internal audit function to realize that this will also bring new security threats to

the organization that need to be sufficiently controlled in order to reduce/mitigate the risks related to the use

of mobile devices. This triggers the internal audit function of Ahold to facilitate trainings and technical

courses related to this topic for its current internal audit staff.

On the question if people from the business, specifically those working for the IT function of Ahold,

will be trained to become an IT auditor the interviewees responded that this is certainly something they

would consider given the fact that those persons possess great knowledge related to the information

technology used by the organization. The internal audit director, however, emphasized that these persons

must also have or be able to obtain the required professional audit skills.

4.2 Case study 2 - Achmea

The second organization selected for the case study is Achmea. Again, the following subparagraphs

provide a description of the organization and the internal audit function of Achmea. Further, the answers

gained during the interviews that are related to the research questions central to this study are described.

Interviewees:

Senior internal audit manager (RA) Ad Smits

Senior internal audit manager (RE) Corné Mulders

4.2.1 Organization description

The second internal audit function used for the case study is the one from Achmea. Achmea is an

insurer company based in the Netherlands. The company is not listed on the Stock Exchange. Worldwide

Achmea is employing 21,000 employees (of which 17,000 are working in the Netherlands) and has gross

premium revenue close to €20 billion. Within the Netherlands Achmea is the largest insurer, and also in other

parts of Europe Achmea holds sometimes significant positions. For instance, the organization holds strong


positions in Russia, Turkey, Greece, Ireland, Bulgaria, Romania, and Slovakia. Achmea distinguishes itself

from its competitor insurers as the company has a cooperative background. A cooperative is: “a legal entity

owned and democratically controlled by its members. Members often have a close association with the

enterprise as producers or consumers of its products or services, or as its employees.”¹³ Achmea has

retained its cooperative identity throughout its 200-year history guided by the idea that the organization forms

an integral part of the communities it serves¹⁴. The primary goal of the organization is to be innovative and

develop products and services that meet the needs of its customers. Customers of Achmea include private

individuals, companies and other organizations. Within the Netherlands and Europe the focus of Achmea is

on its core competences that are applied in Achmea’s core segments: Income protection, Health, Non-life,

term insurance and standard pension products. In the Netherlands Achmea also offers the full range of

insurances and related financial products. Achmea is active under the names of several brands, of which the

six largest are Interpolis, Zilveren Kruis Achmea, Agis Zorgverzekeringen, FBTO, Centraal Beheer Achmea,

and Avéro Achmea. The company is using different distribution channels through which it provides its

products and services to its customers. The insurance products are mainly provided to customers via the

direct channel (internet or telephone) of Achmea or via the local banks (Rabobank - Interpolis). The brand

Avéro Achmea is used to provide a great diversity of insurance products to customers via brokers and

intermediaries. Achmea has an organizational structure consisting of distribution- and product divisions. The

distribution divisions are fully focused on the customer, whereas the product divisions are aimed at

developing and maintaining accessible, understandable, and affordable products and services which are being

offered to the market via the distribution divisions. Within the division ‘Zorg & Gezondheid’ (Healthcare),

familiar from brands such as Zilveren Kruis Achmea and Agis, the distribution and product development are

bundled. The following picture provides a good overview of the organizational structure of Achmea,

including all of its divisions (source: http://www.achmea.nl/over-achmea/organisatie/Paginas/Organogram-groot.aspx):

13 http://en.wikipedia.org/wiki/Cooperative

14 http://www.achmea.nl/financieel/jaarverslagen/Documents/ACHMEA_Jaarverslag_2011.pdf


4.2.2 The internal audit function of Achmea

Managing risks is for insurance companies such as Achmea a daily activity. It is a fundamental part of

its business. With a well-organized risk management, which is underpinned by the risk appetite of Achmea

and the integrated risk management framework, Achmea is able to identify, assess, mitigate and control all

the risk categories that are applicable to its business. Having implemented a strong three lines of defence

model, Achmea is striving for obtaining as much assurance as possible on achieving its organizational

objectives. The management of the Achmea Group, the divisions and operating companies are together

making up the first line of defence. This first line of defence refers to the risk management as it is embedded

within the business itself. The second line of defence comprises the Risk & Compliance, actuarial and

compliance departments in the divisions and operating companies. The third line of defence is focused on

providing additional assurance on governance, risk management, and internal controls. This third line is

composed of the internal audit function of Achmea. The picture below provides a clear overview of the three

lines of defence model implemented by Achmea (source: http://www.achmea.com/corporate-governance/risk-management):

The internal audit function of Achmea, which is the third line of defence (see picture above), consists of

82 FTEs within the Netherlands. Outside the Netherlands another 28 FTEs are working for the internal audit

function. Compared to other organizations the internal audit function of Achmea can be rated as a mature

function which is reflected by its size and years of existence and experience (approximately 30 years). Within


the overall group of internal auditors there are approximately 25 auditors with IT audit knowledge and skills.

Of these 25, 11 IT auditors are within the central IT audit team which focuses on Information management and

Information technology within Achmea. Besides the central team, the internal audit function also provides

specific audit teams for the different divisions of the company and within those audit teams there are IT

auditors who are responsible for auditing the specific applications that are used by the divisions. The internal

audit function of Achmea does not have a separate IT audit department, which is also not preferred by the

management of the function. Instead, the function works with integrated audit teams consisting of

compliance, financial, operational, and IT auditors. With the integrated approach audit teams are always

created by looking at the needed technical expertise for performing the audit but also at the required

knowledge of the organization.

The audit approach by the internal audit function of Achmea is mainly based on the COSO framework

for internal control. This is reflected in the function's focus on achieving objectives related to the following

categories: reliability of financial reporting, compliance with applicable laws and regulations, and the

effectiveness and efficiency of operations. For identifying the relevant control environments related to the

information technology used by the organization, the internal audit function is using the CobiT framework as

a reference. However, the audits related to IT are not based on all the objectives and controls stated by CobiT

but, instead, the framework is only used as a tool to identify possible control activities. The relevant areas to

audit within the organization are identified based on a Risk Based Approach. This holds that the function and

the business are identifying the critical risks that are present to the organization and the related processes in

which the identified risks are present. Based on this identification process it will be determined by the

internal audit function which controls need to be in place and tested in order to mitigate the risks.

The interviewees indicated that the internal audit function is not making use of in-sourcing/co-sourcing

services for performing the audits. Only in case of capacity issues will the function consider hiring external

parties for assisting during the audits. But, as the current formation consists of more than enough auditors and

also IT auditors, it will not often be necessary to hire external parties.

4.2.3 Impact of emerging IT on the roles & responsibilities of the internal audit function

The processes of Achmea have changed over the years and the reliance on IT has increased which is

reflected by the increasing automation throughout the supply chain. In the past orders were received via

mailings or phone calls from customers. These orders were then typed into the computer systems by the back

office of Achmea. Today, the automation of the process already starts at the beginning with customers being

able to communicate about products and services with Achmea via the internet. If IT fails, this will

bring many more risks than in the past, as Achmea will then not be able to fulfill its commitments to its

customers. Even though the reliance on information technology is increasing the interviewees do not expect

that this will have a significant impact on the roles and responsibilities of the current internal audit staff. The

current internal audit staff includes a great number of IT auditors who possess the required knowledge and

skills to execute the audits on the controls related to the IT risks identified within the organization’s business

processes. The roles and responsibilities they have will therefore not change. The interviewees both have a

very different view on the impact of emerging IT on their internal audit function. At the moment, the IT

environment and the automation of processes are very complex because Achmea is a merged

company which still holds a great number of legacy systems which are all interconnected with each other.

However, instead of making the IT environment more complex in the coming years by increasing the

automation of current processes, the senior managers indicated that the organization is now fully focused on

making the use of IT and the whole IT environment less complex. By doing that Achmea is attempting to

make its products and services easier for the clients. If Achmea succeeds in standardizing the complex

business processes and the related information technology, this will have a direct impact on the need for IT

audit resources, as fewer will be needed than in the current situation. The interviewees added that by

making the current use of IT more complex by constantly incorporating new emerging technologies

whenever available, the company will become less competitive in the markets in which it operates. This is

because the business processes can become less efficient as a result of non-standardized procedures and

technologies, which is also true for the internal audit function. On the other hand, going through such a

transformation of course makes for interesting times for the IT employees as well as the IT auditors. Moving from

an old to a new situation means that migrations have to be performed between complex IT environments.

Obtaining assurance on these migration processes is required in order to prevent the risk of losing valuable

data.

The objective of the internal audit function of Achmea is to increase the collaboration between persons

from different backgrounds with different competences to jointly perform the audits that need to be executed.

An example was provided about the introduction of KKV (Keurmerk Klantgericht Verzekeren)15. As the

requirements from the KKV are very complex and difficult to understand, the internal audit function should

have an expert on this subject to answer the related questions. But, in order to realize the KKV the

organization must also implement this correctly within the IT systems used. Therefore, audit teams must be

created that include auditors from multiple disciplines in order to adequately respond to the issues at hand.

The interviewees acknowledged that all internal auditors should possess some basic IT knowledge. However,

their opinion is that for specific technical IT related questions you must have a specialized IT auditor who is

able to perform the job. This means that it is not realistic to think that training the financial, compliance, and/or

operational auditors with some basic IT knowledge will be sufficient for the internal audit function to be able

to perform specific technical IT audits throughout the organization. This implies that the role and responsibility

of the current internal audit staff will not be impacted by the use of emerging technologies by the

organization.

15 http://www.keurmerkverzekeraars.nl/

4.2.4 The development of the (IT) internal audit function

To the question how the internal audit function of Achmea should develop in order to be able to

adequately audit the increasing complexity of IT within the organizations the interviewees responded that

instead of increasing the complexity of IT Achmea is focusing on standardizing the IT environment. By

doing this the organization is trying to make IT more efficient and easier to use for the

organization as well as the customers. This development should eventually lead to an IT environment that is

easier to understand and manage which, in turn, will also decrease the number of IT auditors

needed if the goal of standardizing the IT is achieved.

Next to the development described above, the interviewees also indicated that the complete IT

infrastructure of Achmea has been outsourced for 5 years now. Comparing the current situation with the

situation of 10 years ago therefore also shows a difference in how and which IT risks need to be audited by

the internal audit function of Achmea. 10 years ago, when all IT was still managed in-house the internal audit

function was aimed at mitigating risks such as the reliability of information processing through the systems

and continuity of the IT infrastructure. These IT risks are still present; they are, however, now managed by

the outsourcing party who is managing and hosting the IT infrastructure of Achmea. As a result, the

internal audit function of Achmea had to change the way in which the organization would obtain assurance

on the IT risks controlled by the outsourcing parties. For assurance on the risks related to these environments

Achmea now relies on Third Party assurance reports (e.g. ISAE3402, ISAE3000, and SSAE16)16 from its

service providers. Having outsourced the complete IT infrastructure also

had an impact on the need for IT audit resources for the internal audit function of Achmea. These

developments should eventually lead to less need for IT audit resources.

The interviewees expect that the IT risks as they are currently present within the organization will

change due to changes within the business and the way in which the business is performed. It is, however, not

expected that the number of IT risks compared to the number of Business risks (manual) will increase, only

that they will change due to the developments within the market (e.g. Cloud Computing, internet services,

and the use of mobile devices). The senior managers indicated that as the internal audit function of the

organization they should know and understand how the developments within IT can impact the internal

control environment when the organization chooses to implement and use it. The internal audit function

needs to know what the strategy of the organization is and will be so it can prepare the internal audit staff for

the changes the new strategy will bring to the control environment of the organization and with that the

required knowledge and skills to be able to provide assurance.

16 http://www.ifac.org/sites/default/files/downloads/b014-2010-iaasb-handbook-isae-3402.pdf

4.2.5 Strategies to address the needs for IT audit knowledge and skills

The internal audit function of Achmea assesses yearly the availability of the required resources for

being able to answer the audit questions. This is not only done for IT, but also for the financial, compliance,

and operational auditors. Three times a year all the developments within the market and their potential impact

on the internal audit function are discussed. Furthermore, the internal audit function is preparing a business

plan each year which also includes a paragraph: Employee. Within this paragraph it is described how the

business plan will impact the internal auditor’s task activities. The interviewees do not expect trouble with

obtaining the required IT audit knowledge and skills. By having multiple assessments of the internal audit

function and its capacity and available knowledge, the management of the function is able to anticipate

potential shortages in a timely manner. These shortages are, however, not expected. One explanation for this

is that Achmea is not a frontrunner in the area and use of IT. Achmea will always follow the developments in

IT which leads to the fact that new risks due to the use of emerging IT will not be playing a role within the

organization directly. This gives the internal audit function of Achmea enough time to anticipate the

changes emerging IT will bring to the internal control environment. Next to this, the interviewees stipulated

that due to its size and brand Achmea is an attractive employer to work for. This also helps with attracting

educated and knowledgeable internal (IT) auditors. The question of how to address the needs for IT audit

knowledge and skills therefore becomes less relevant for the internal audit function of Achmea.

A possible strategy to follow when needed is to hire external experts that can assist the internal audit

function in developing the audit plan and/or performing the audits. This was explained by the example of the

use of SharePoint by the organization for the automation of the business processes. SharePoint is developing

fast and expertise related to the new developments will not be available at the moment new releases are

introduced. To have the expertise needed, the internal audit function will therefore hire the expert

knowledge from outside the company. When it is expected that the knowledge needs to be embedded within

the internal audit function itself, then it will be decided which persons will have to follow the specific

training courses related to the topic. These trainings can be facilitated within the company or at the training

schools specialized in the topics relevant for the organization. The interviewees emphasized that great

attention is being paid to the continuous development of the internal auditors. All the auditors have to

maintain their knowledge and keep up to date with the developments occurring within their area of interest.

This is realized by committing to the permanent education (PE) that needs to be followed by the auditors to

ensure they maintain their auditor title (e.g. RE, RO, RA, RC). Additionally, the internal audit function has

also set up the Business School IA in 2011. Based on the developments within the business, the management

of the internal audit function will select the subjects that are relevant to include within the training courses of

the Business School IA. For example, in the area of IT Achmea is currently involved in the implementation

of Identity Management17. When having such an implementation it is important to train the IT auditors on

this subject so that they will fully understand what it means. This is done through the Business School IA of

Achmea, which is aimed at the continuous development of the internal audit staff.

17 http://en.wikipedia.org/wiki/Identity_management

Another strategy sometimes followed by the internal audit function of Achmea to address the needs for

IT knowledge regarding the IT environment of the organization is to attract people from the business and to

retrain them in becoming auditors of the company. One clear advantage of this is that the people from the

business have a good understanding of how the IT is working and how the controls designed around the use

of IT are being performed. A requirement from the internal audit function is that these persons will follow the

relevant basic audit courses as they will be required to possess the fundamental audit skills needed to be able

to perform audits.

As the world is changing, as an organization you will need to change with it. Especially if you are

working within the audit profession you should be willing to constantly develop yourself as the profession

never stands still. The management of the internal audit function of Achmea is confident that they have the

proper measures in place to be able to anticipate what is happening within the business and to attract

educated persons. Furthermore, the internal audit function has made good arrangements with persons that

hold specific expertise in areas that need to be controlled by the internal audit function and for which no

in-house knowledge is available. It certainly helps when the internal audit staff is eager to learn and wants to

constantly develop itself.

5. Analysis and Conclusions

This chapter provides an analysis of the results obtained from the different case studies. The results of

the two case studies are compared with each other and with the literature provided in order to formulate final

answers to the research questions central to this study. The case study results are analyzed and discussed

regarding each sub question (1 – 3, see chapter 1) in paragraph 5.1. Based on the analysis and discussion a

concluding answer is provided to the research question of this study (see paragraph 5.2).

5.1 Comparison of case study results

5.1.1 Impact of emerging IT on the roles and responsibilities of the internal audit function

A great number of scientific studies discussed in the literature review (see Chapter 3)

point to the fact that it becomes significantly important for auditors to obtain IT-audit knowledge

and skills as developments in IT will have a great impact on their day-to-day audit activities. This sounds

logical and is also true to a certain degree. However, what is missing in the scientific articles on this topic and

used for this study is the distinction between different business models (e.g., outsourcing of IT) and structures

of internal audit functions (only generalist auditors vs a fully integrated IT audit team). This should be

considered when making general conclusions on the impact of emerging IT on the roles and responsibilities

of the internal auditor. This is indicated by the results of both case studies examined for this research. Both

cases indicated that emerging IT will not have a significant impact on the roles and responsibilities of the

internal audit function. The internal audit function of Achmea already includes a great number of IT auditors

who possess the knowledge and skills required to execute the audits related to IT. This can be explained by

the intense reliance on information technology by organizations in the financial services industry. On the

other hand, there are far fewer IT auditors within the internal audit function of Ahold. However, results

indicated that emerging IT will not impact the roles and responsibilities of the current internal audit staff.

This is in contrast with the results of the study performed by PricewaterhouseCoopers (2007), which revealed

that Chief Audit Executives (CAEs) are expecting that the lines separating IT and non-IT audits will continue

to disappear in the coming years. This means that also the activities performed by the internal auditors are

impacted as they are required to take technology risks into account when establishing the audit plan. This is

consistent with the view provided by the International Standard on Auditing 401 (2002) that the use of

information technologies within an organization can affect the procedures followed by auditors in order to

obtain sufficient understanding of the accounting and internal control systems implemented within the

organization. Further, the use of information technologies also can affect the design and execution of tests of

controls by the internal auditor and it clearly affects the risk assessment performed to identify the relevant

risks for an organization. The reason that emerging IT will not have a significant impact on the existing roles

and responsibilities of the current internal audit staff of the internal audit functions examined is that these

functions have experienced IT auditors employed who have the knowledge and skills needed to anticipate

the changes in IT within their organization. Based on the results from the case studies, risk assessments will

be impacted by the use of new technologies as completely new risks are to be considered by the organization.

This has been illustrated with the use of new technologies such as ‘bring your own device’ and Cloud

Computing, which entail new risks that need to be well understood by the organization in order to be able to

control them. The risk assessment can be adequately performed as the knowledge required for this seems to

be in-house at mature internal audit functions such as the internal audit functions of Ahold and Achmea. A

note that needs to be made here is that having a pool of experienced IT (audit) personnel does not guarantee

that the use of emerging technology by an organization will be successfully controlled. A good example of an

organization that has a mature internal audit function and failed in implementing a new ERP system is the

Dutch Ministry of Defense. The project called ‘Speer’ is considered one of the biggest SAP

implementation projects within The Netherlands and even within Europe.18 Having a pool of 60 IT auditors

did not, however, prevent the project from failing. The person with final responsibility for the project, Walter van der Garde,

acknowledged that the internal IT auditor was not given the right role and responsibility for providing

assurance over different parts of the project. This implies that the roles and responsibilities of IT auditors

should be well defined when asked to provide assurance over the IT environment of the organizations they

work for.

The results of both case studies performed show that the impact of emerging IT on the roles and

responsibilities of the internal auditors is moderated in case the IT is outsourced to an IT service provider.

Both Ahold and Achmea have outsourced most of their IT environments to IT service providers. Using such

business models is consistent with the update of the COSO framework provided by COSO (2011) in which it

is emphasized that business models change as many organizations are using third parties for providing

products and services. It is remarkable that the scientific literature aimed at examining the impact of

information technology on the task activities of the (internal) auditor does not investigate this impact for

different business models. When outsourcing the IT, the implementation of new IT solutions will not have a

direct impact on the audit activities of the current internal audit staff. However, it is emphasized by Ray and

Ramaswamy (2007) that it is critical for internal auditors to evaluate the effectiveness of the risk and controls

framework of the service provider in order to mitigate internal control risks throughout the lifespan of the

outsourcing agreement. Further, Ray and Ramaswamy state that the internal auditor is facing another

challenge when the organization has outsourced its IT environment. One of the key issues that come with

outsourcing the IT environment is the internal auditor’s role in ensuring adherence to the various compliance

and security standards. Besides that, the internal auditors must assess the extent to which they can rely on the

work performed by independent service auditors and other specialists. This has also been stressed by the case

study participants, who indicated that they are hiring experts in the area of assurance on activities performed

by service providers to assess whether the assurance provided by these outsourcing vendors is sufficient.

18 http://www.norea.nl/ReadFile.aspx?ContentID=37495&FileID=23048&Type=2

An interesting finding obtained from the case studies is that Achmea indicated that it is focusing on

making the IT environment less complex. This is in contrast to most of the studies used within the literature

review, which emphasize the increasing complexity of IT within organizations (see, for example, Stoel &

Muhanna, 2011; Curtis et al., 2009; Hermanson, Hill, and Ivancevic, 2000) and the impact it will have on the

information technology related activities of internal auditors. By making the IT environment less complex

there will also be less need for IT audit resources. This, therefore, will not impact the existing roles and

responsibilities of the current staff. The statement of Achmea to make the IT environment less complex will

be crucial for most organizations if they want to compete with their competitors within the markets in which they

operate. Therefore, based on the case study results of the current study it can be argued that the increasing

complexity of IT within organizations also impacts the role and responsibility of the internal IT auditor as it

requires the IT auditor to support the organization not only with providing assurance on the IT environment,

but also with consulting the organization in making the IT environment less complex. By assisting the

organization in making the IT environment less complex, the use of IT by the organization will become more

efficient and effective. This can lead to a stronger organization relative to its competitors and eventually

even better financial performance. The case study results therefore indicate that the increasing complexity of

IT within organizations has an impact on the consulting role of the internal IT auditor, as it has been

explained in paragraph 3.2.2 in this paper. By performing the consulting role the internal IT auditor will add

value to the business as outlined above. However, as the internal IT auditor is therefore required to play both

the role of monitor and advisor this will make it difficult for the auditor to remain objective in his/her

judgments. So, when asking the internal IT auditor to advise in how to enhance the efficiency and

effectiveness of the IT used, internal audit executives should clearly define the segregation between the

advising auditors and monitoring auditors. Here, it is important that the IT auditor who performs the role of

consultant will not also perform the eventual audit on the implementation of his/her advice. This will be in

conflict with the independent and objective role the IT auditor should have. Therefore, when giving the

internal IT auditors the role of consultant, the internal audit executives should consider whether they have

enough IT audit resources available to be able to have this segregation between advising and monitoring in

place. If the pool of current internal IT auditors is not sufficient it should be considered to hire external IT

auditors specialized in performing the tasks required, either as advisor or as auditor.

Looking at the maturity level of the internal audit functions used for the case study, it can be argued that

emerging IT will not have a significant impact on the existing roles and responsibilities of the internal

auditors because these functions are well equipped to respond to the risks that arise from the use of new

technologies by the organizations. It can be expected that this will somewhat be different for internal audit

functions that hold a low level of maturity and have few auditors with sufficient knowledge of IT. The

reasoning for this is based on the assumption that immature and/or small-sized internal audit functions have

mainly financial and/or operational auditors employed. If the organizations of which these types of internal

audit functions are part choose to make extensive use of information technologies, this also means that the

organization will be exposed to numerous IT risks that need to be well understood in order to be able to

mitigate those risks. This will therefore then have an impact on the existing roles and responsibilities of the

current internal audit staff consisting of the financial and/or operational auditors. As their knowledge will

probably not be sufficient to identify the new IT risks, or at least all of them, it should be considered

by the internal audit executives to either develop the knowledge of the current staff in the area of IT audit

(e.g. by following a postgraduate IT audit course) or to hire external expertise in order to obtain the required

assurance on the newly implemented IT environment. The assumption that generalist auditors

(financial/operational) will probably not have sufficient knowledge to identify all the relevant risks that come

with the use of emerging IT (e.g., implementation of a new ERP-system) is supported by the study performed

by Curtis et al. (2009) which provides empirical results that show that control risks presented by more

complex ERP systems are more difficult for generalist auditors to understand than for IS auditors. In

addition, the study of Brazel & Agoglia (2007) provides empirical proof that auditors with greater IS

proficiency are better at identifying ERP risks than generalist auditors. Besides having an impact on the

existing roles and responsibilities of the internal auditors it also becomes the responsibility of the internal

auditor to assist management and the Audit Committee (if present) in assessing the IT skill set of the

organization and to promote greater IT risk involvement. This is important, given the findings of Stoel and

Muhanna (2011) that not properly attending to IT risks and IT internal controls can result in deficiencies that

lead to a liability (competitive disadvantage) to the firm. Additionally, low maturity internal audit functions

should, whenever the organization is going to make extensive use of information technology, encourage the

organization to explore enterprise risk management (ERM) techniques and tools in order to address IT risks

at an enterprise level (Moorthy et al., 2011). The internal audit functions selected for the case studies already

have a professional enterprise risk management system implemented. This makes the organizations strong in

addressing IT and other risks and responding to new risks whenever they occur.

5.1.2 The development of the (IT) internal audit function

The results obtained through the case studies show that internal audit functions need to mirror their

activities and the risk level with those in the business. The development of the internal audit function of

Ahold is largely dependent on the business activities performed by the organization. Likewise, the case study

on Achmea shows that the internal audit function of Achmea is always focusing on the strategy of the

organization and what the strategy will be in order to prepare the internal audit staff for the changes the new

strategy will bring to the current control environment. In case the business activities and/or strategy change

it can have an impact on the required knowledge and skills of the internal audit staff to be able to provide

assurance. The results of both case studies also show that there is no strong need for the internal audit

functions to develop within the area of IT. This can be explained by the outsourcing of IT which is done by

both organizations. Due to the outsourcing of IT, all previous audits performed by the internal audit function

on the IT environments of their organizations are now being performed by the independent auditors of the

service providers. This eventually leads to less need for IT auditors and with that the development of the

function within the field of information technology. These results show that the impact of emerging IT on the

task activities of internal auditors is dependent on the type of business model pursued by the organization. It

can therefore not be stated that the increasing complexity of IT within organizations impacts the internal

audit activity without considering the business model of the organization under investigation. Both

organizations examined in the current study have outsourced their IT function to IT service providers. By

having outsourced the IT function, the internal audit function is not directly impacted by emerging IT as this

will be managed by the IT service provider. Instead, it can be argued that this will impact the external (IT)

auditors who are performing the third party assurance audits (e.g., ISAE3402 and ISAE3000) on behalf of the

organization that has outsourced its IT environment or parts of it. They are required to possess the

knowledge and expertise needed to provide reasonable assurance on the audit object, which in this study can

be defined as the IT environments of Ahold and Achmea. Besides outsourcing, the case study results also

provide insight into other reasons for not having the need for development within the area of IT. According to

the results of the Ahold case study, there can be less need for IT audit resources in case the business itself is

more involved and already has performed many of the controls itself. The other reason provided by Achmea

is that the organization is focusing on making the IT more standardized and thereby less complex. In contrast

to much previous research, in which it is stated that IT is becoming more complex within

organizations, Achmea aims to make the IT less complex and more efficient. As already discussed in

paragraph 5.1.1 this is a very logical development because organizations will have to compete with their

competitors to stay profitable in the short and long term of their existence. One aspect that becomes

increasingly important for organizations in order to compete is the efficiency and effectiveness of the

information technologies used. Having more efficient and effective information technologies than your

competitors also means that your organization has fewer costs than your competitors. As organizations are

becoming increasingly reliant on IT, making the use of IT more efficient and effective will only increase in

importance for the profitability of organizations in the future. Eventually this can lead to a decrease in the

need for IT audit resources which is why the internal audit function of Achmea is not specifically aimed at

further developing the function in the area of IT. However, it can be stressed that the development of

decreasing the complexity of the IT environment within organizations to make the use of IT more efficient

may lead to the need for IT auditors in the role of consultant. Although fewer IT audit resources are required when the

environment has been standardized and made less complex, achieving such a state requires a lot of

expert knowledge in the area of IT. This role can be fulfilled by IT auditors as they possess the knowledge of

IT and business processes and are also able to identify the risks within the new situation and the controls that

can be implemented in order to mitigate the identified risks. Internal audit executives therefore should

consider utilizing the full potential of their IT audit resources by also making them business advisors and letting

them assist the organization in achieving the goal of making the use of IT more efficient and effective. The

finding that a decrease in the need for IT audit resources is expected by Achmea is somewhat unexpected and

is also not very consistent with the scientific literature provided within this research. For example, Curtis et


al. (2009) have stated that due to the ever increasing complexity of systems and the need for automated

controls, there will be an increased need for auditors to gain knowledge in the area of information

systems/technology and related controls. Although this sounds logical, the current study shows that this is not

necessarily true for all auditors. Auditors within internal audit functions that have dedicated IT auditors to

focus on IT and related controls, as is the case for Ahold and Achmea, do not have the need to gain much

knowledge in the area of IT as this is addressed by their IT audit colleagues. The findings of Curtis et al.

(2009) are expected to be more true for small-sized internal audit functions whose internal audit staff is

required to audit all the business processes including those in which information technology is used. These

auditors should consider developing their IT audit knowledge and skills whenever the use of IT is increased

by their organizations. Another way for these types of internal audit functions to address the need for IT audit

resources is to hire expert knowledge from third parties like the big accountancy or other IT consulting/audit

firms. Further, it can be argued that the development of IT audit knowledge and skills is more important in

developing countries as the use of IT by organizations in those countries is still in the initial phase. This is

supported by the study of Abu-Musa (2008) in which it is stated that there is a lack of efficient and effective

professional standards in Saudi Arabia in the area of IT and internal auditing compared with other highly

developed countries such as the USA. In those countries, for example, many standards have been issued

by the American Institute of Certified Public Accountants (AICPA) [19] that relate to IT and its impact on the

auditor’s consideration and evaluation of internal controls such as the SAS No. 3, SAS No. 48, and SAS No.

94.

Following the statements of Moorthy et al. (2011) it is important for auditors to continually acquire new

knowledge of IT due to the rapid changes in IT and the use of IT within organizations. These rapid changes

also cause auditors to worry about new auditing risks. This is also acknowledged by the respondents of the

case studies, who have indicated that they constantly follow the changes within the organization and

determine what the impact of the changes will be on the internal audit function. For an internal audit function

to be able to respond to the changes in IT and to address the new auditing risks it is a must to have talented

professionals with IT skills (PWC, 2007). The internal audit functions of Ahold and Achmea do have such

professionals with relevant certifications (e.g. RE, CISA, CISSP, and CISM), and therefore are able to

respond to the changes in IT and new IT risks. This is also a reason why these internal audit functions do not

need to further develop within the area of IT audit. The management of these functions, which already employ

talented professionals, does need to ensure that these auditors, besides having sufficient knowledge,

also have a great fascination for technology as these persons will have to continuously learn and update their

knowledge in the field of IT auditing. As was already stressed in the conclusion of the literature review, this

can mean that internal audit executives should consider refreshing their current IT audit staff with new and

young IT auditors that are fully focused on a career in IT audit. These new and young trained IT auditors are

flexible and can easily adapt their knowledge to the changes in IT that will rapidly occur within their

[19] http://www.aicpa.org/Pages/Default.aspx


organizations. Again, it can be argued that small-sized internal audit functions do need to develop as they will

probably not have the availability of professionals with the required IT audit skills. Therefore, when the

organization is adopting emerging IT, these functions should consider developing the basic IT audit

knowledge within the current internal audit staff. For obtaining the required knowledge these internal audit

functions should encourage their staff to obtain one or more of the recognized audit certificates related to IT

such as the RE, CISA, CISM, and CISSP certifications. On the other hand, it can also be decided to hire the

required IT audit knowledge from expert third parties when needed. This will be a better option when, for

example, the current internal audit staff is not eager to learn the knowledge and skills needed to be able to

perform IT audits and identify all the relevant risks that come with the use of emerging IT by their

organizations.

5.1.3 Strategies to address the needs for IT audit knowledge and skills

The results of both case studies show that the management of the internal audit functions yearly prepares

the audit plan which includes the audits that need to be performed in order to obtain the required assurance on

the organization's business processes. In preparing the yearly audit plan the needed capacity of the internal

audit staff is determined. When doing this it is important to take the developments within the business and

market into account. It will be assessed how these developments can or will impact the task activities of the

internal auditors. This is done by the internal audit function of Achmea by including a specific paragraph

within the yearly business plan aimed at the impact of the business plan on the task description of the

employees. Both case studies revealed that the management of the internal audit functions is concerned with

constantly updating and enhancing the knowledge of its current internal audit staff. For the internal auditors

this is a necessity as the information technology changes rapidly, meaning that also the risks and controls

need to be adapted to these changes. The internal audit function of Achmea has set up the Business School IA

through which trainings are provided to the internal audit staff regarding relevant and current topics. This is

also being done in a less formal manner by the internal audit function of Ahold. So, based on the case study

results it is clearly shown that the internal audit functions are focused on maintaining and increasing the

knowledge and skills of their current internal audit staff. This is consistent with the findings of the study

performed by PricewaterhouseCoopers (2007), of which the results clearly indicated that Chief Audit

Executives are mostly considering following the strategy of increasing the core skill level of the internal audit

staff to understand and to be able to audit technology risks. According to Saharia et al. (2008) the best way

to achieve this is to provide in-house trainings and seminars through which relevant topics are explained and

discussed. This is consistent with the results of the case studies which show the importance of attending

seminars and facilitating trainings for the internal audit staff.

Both case studies also point out the value of hiring expert knowledge to address specific risks. These

results are consistent with the study performed by Flemming (2003) in which it is stated that internal audit


functions more often obtain the required audit capacity and competency through in-sourcing or co-sourcing

agreements. This can be a very efficient strategy as the required knowledge is not always available in-house.

When choosing co-sourcing arrangements with external parties the company can enjoy incremental

benefits such as knowledge sharing and access to technical expertise (Desai, Gerard, and Tripathy, 2008). To

gain such benefits from co-sourcing arrangements the internal auditors should shadow the experts hired in

performing the audits. By doing this the internal audit staff will be trained in the specialist areas, thereby

ensuring that the knowledge is maintained within the organization after the contract with the experts ends.

The respondents of both case studies indicated that they are also considering attracting people from the

business and retraining them in becoming (IT) auditors for the organization. This can, however, be difficult

as the persons from the business also need to obtain the basic knowledge needed for becoming a valuable

auditor. It can take some time before the required knowledge is obtained, which may also be the reason

that only a few of the Chief Audit Executives (37%) within the study by PricewaterhouseCoopers (2007)

intended to follow such a strategy to address the needs for IT audit knowledge and skills.

It is interesting that the respondents of both case studies did not mention the strategy of acquiring

more sophisticated technology tools in order to address technology risks. This strategy is ranked number 2

within the study performed by PricewaterhouseCoopers (2007), with 68% of the CAEs indicating that

they intend to follow this strategy.


5.2 Conclusions

Having analyzed and discussed the results of this research, both from the literature and the case studies,

conclusions can be made regarding the sub questions and subsequently the research question central to the

current study. To recap, the purpose of this study was to explore the impact of emerging IT on the task

description of the internal audit function and to explore which developments internal audit has to undertake

in order to be able to adequately audit the increasing complexity of IT within their organizations. This has led

to the following research question:

“What is the impact of emerging IT on the task description of the internal audit function and which

development processes has internal audit to undertake in order to be able to adequately audit the increasing

complexity of IT within their organizations?”

To answer this research question the following sub questions have been formulated:

1. What is the impact of emerging IT within organizations on the roles and responsibilities of the internal

audit function?

2. How does the internal audit function of Dutch organizations need to develop in order to be able to

adequately audit the increasing complexity of IT?

3. Which strategies can be followed by the internal audit function in order to realize the further

development of the function in the area of IT?

The following sub-paragraphs provide concluding answers to these questions based on the study

results.

5.2.1 Answer to sub question 1

What is the impact of emerging IT within organizations on the roles and responsibilities of the internal audit

function?

Based on the study results it can be concluded that the existing roles and responsibilities of internal

auditors are affected by the use of emerging IT within their organizations. Emerging IT will confront internal

auditors with the challenge of monitoring the IT processes and controls, and providing assurance over the IT

environment of their organizations. The impact, however, is low for mature internal audit functions as they

employ specialized IT auditors that have the knowledge and skills to address the new risks and controls that

come with emerging IT. This means that the existing roles and responsibilities of the other internal auditors

(financial, compliance, operational) are not affected because they do not have to focus on the IT risks and

controls as these are addressed by their IT audit colleagues. It has been argued that this will probably be

different for small-sized internal audit functions as they probably employ only generalist auditors


(financial/operational) and no specialized IT auditors. The use of emerging IT can therefore impact the

existing roles and responsibilities of the whole internal audit staff as they are required to address the new IT

risks. Without having a pool of IT auditors this means that the current auditors should consider obtaining the

required knowledge needed for addressing the technology risks. In case this is not feasible, the organization

should consider hiring the IT audit knowledge required to obtain reasonable assurance on its IT environment.

The results of this study show that the increasing complexity of IT within organizations

also has a counter effect as organizations will try to make their use of IT less complex and more efficient,

thereby becoming stronger competitors in the markets in which they operate. This will have an impact on the

consulting role of the internal IT auditor, as they can assist the organization in achieving this goal by using

their expert knowledge of the IT systems used and business processes in place. When asking the internal IT

auditors to perform the role of business advisor, internal audit executives should clearly define the

segregation between the advising auditors and monitoring auditors so that the independence and objectivity

of the internal auditors will not be in jeopardy.

Further, it can be concluded that with the increasing reliance on IT within organizations it is the

responsibility of the internal auditor to assist management and the Audit Committee in assessing the IT skill

set of the organization and to promote greater IT risk involvement. This conclusion is particularly relevant for

internal auditors working for organizations that are at the start of enhancing their use of information

technologies for conducting their business and have not yet implemented professional enterprise risk

management processes to address IT and other risks.

Finally, it can be concluded that the impact of emerging IT on the roles and responsibilities of internal

auditors is moderated in case the organization has outsourced its IT function or parts of it. This conclusion

shows that when examining the impact of emerging IT on the existing roles and responsibilities of internal

auditors, a distinction should be made between different business models. When the IT environment has been

outsourced, emerging IT will not have a direct impact on the task activities of the internal auditor. In case the

IT is outsourced, internal auditors are facing the challenge of obtaining sufficient assurance from the service

providers. Here, it is not the internal auditor who is impacted but instead the external auditor who has to

provide reasonable assurance on the services provided by the outsourcing party. A good example is the

upcoming use of Cloud Computing services, which clearly impacts the knowledge and skills required by

external auditors in order to be able to provide assurance on these services.

5.2.2 Answer to sub question 2

How does the internal audit function of Dutch organizations need to develop in order to be able to

adequately audit the increasing complexity of IT?

Due to emerging IT and the increasing complexity of IT within organizations internal audit functions

need to focus on the development within the area of IT audit. This is, however, not true for all internal audit

functions. To be able to respond to the changes in IT and to address the new auditing risks the internal audit


function should have talented professionals with IT skills. Mature internal audit functions of Dutch

multinationals do have such professionals who also hold the relevant certifications (e.g. RE, CISA, CISSP,

and CISM) and therefore are able to respond to the changes in IT and new IT risks. It can therefore be

concluded that these types of internal audit functions do not have to develop their function in the area of IT

audit as they are already sufficiently equipped to audit the increasing complexity of IT within their

organizations. It has been argued that small-sized internal audit functions do need to develop the function in

the area of IT audit as they will probably not have the availability of professionals with the required IT

audit skills. When these small-sized internal audit functions are required to develop in the area of IT audit

because of an increasing reliance on IT by their organizations, the management of the function should

consider encouraging its internal audit staff to obtain one or more of the recognized audit certificates related

to IT such as the RE, CISA, CISM, and CISSP certifications. Another way for these types of internal audit

functions to address the need for IT audit resources is to hire expert knowledge from third parties like the big

accountancy or other IT consulting/audit firms. Further, it has been argued that the development of IT audit

knowledge and skills is more important in developing countries as the use of IT by organizations in those

countries is still in the initial phase.

Based on the study results it can be concluded that auditors should continuously develop their (IT) audit

knowledge and skills in order to be able to perform their tasks efficiently and effectively. This is required as

businesses are witnessing rapid changes within the use of IT, which in turn requires continuous re-assessment

of the risks present for the organization and adjustments to the implemented controls to mitigate the new risks

identified. In order to be able to perform these tasks the internal auditor must, therefore, be constantly up to

date with the developments in IT that are (potentially) affecting the organization. This can mean that internal

audit executives should consider refreshing their current IT audit staff with new and young IT auditors that

are fully focused on a career in IT audit. These new and young trained IT auditors are flexible and can easily

adapt their knowledge to the changes in IT that will rapidly occur within their organizations.

5.2.3 Answer to sub question 3

Which strategies can be followed by the internal audit function in order to realize the further development of

the function in the area of IT?

The study results show that internal audit executives can follow several strategies to address the needs

for IT audit knowledge and skills. Internal audit executives can determine the knowledge and skill needs

based on preparing a yearly audit plan and assessing what the impact of the audit plan will be on the task

description of the employees. If it turns out that the use of information technology by the organization is

impacting the audit plan, internal audit executives can follow several strategies to be able to address the IT

risks and controls. This research has identified the most preferable strategies for internal audit

executives to follow to realize the further development of the internal audit function in the area of IT:


1. Increase the core skill level of the current internal audit staff for understanding and auditing IT

risks.

2. Increase the use of sophisticated technology tools with which technology risks within the

organization can be addressed (e.g. CAATs).

3. Make use of third-party experts to address specific technology risks for which the required

knowledge is not available among the current internal audit staff.

5.2.4 Answer to the central research question

What is the impact of emerging IT on the task description of the internal audit function and which

development processes has the internal audit function to undertake in order to be able to adequately audit the

increasing complexity of IT within their organizations?

Based on the answers provided to the sub questions central to this research a well-founded answer is

given to the central research question of this study. Emerging IT and the increasing complexity of IT within

organizations do not have an impact on the task description of mature internal audit functions. The task

description is defined in the current study as the existing roles and responsibilities of the internal auditors

working for the internal audit function. This study has shown that the use of emerging IT or the increasing

complexity of IT within organizations does not have an impact on the existing roles and responsibilities of

internal auditors of mature internal audit functions of Dutch multinationals. This is explained by the fact that

mature internal audit functions, such as the cases examined in this study, have a pool of specialized internal IT

auditors who possess the knowledge required to provide assurance on the IT environment of the organization.

As these mature internal audit functions of Dutch multinationals are well prepared in the area of IT there is

no specific need for further development as they already have professionals employed who possess the

required knowledge and skills to adequately audit the increasing complexity of IT. Furthermore, based on the

results of this study it can be concluded that the impact of emerging IT on the task activities of internal

auditors is dependent on the type of business model pursued by the organization. By having outsourced the

IT function, the internal audit function is not directly impacted by emerging IT as this will be managed by the

IT service provider. As opposed to the general conclusion reached by previous research that the complexity

of IT within organizations will increase in the coming years, results of this study show that organizations are

also working on making their IT environment less complex and the use of IT more efficient. From a strategic

perspective this is becoming increasingly important given the fact that organizations are becoming more and

more reliant on IT. Making the use of IT more efficient will therefore help organizations in competing with

their competitors in the coming years as this will have a positive effect on their operating costs. This will not

have an impact on the traditional roles of the internal auditor. However, it is in these situations where the

internal IT auditor should take up the role of consultant. As a trusted business advisor the internal IT auditor

can assist the organization in achieving the goal of making the IT environment less complex and the use of IT

more efficient. For internal audit functions that do not have professionals specialized in the area of IT, the


impact of emerging IT and the increasing complexity of IT within organizations will be great on the existing

roles and responsibilities of the current internal audit staff (mainly consisting of financial/operational

auditors) as they need to address the risks related to the use of IT and the controls to mitigate such risks. This

study indicated that these types of auditors (generalists) do not possess the required IT audit knowledge to

fully address all the relevant IT risks that come with the use of emerging IT or the increasing complexity of

IT within organizations. Internal audit functions that do not have the IT audit resources available to provide

reasonable assurance on the IT environment of their organizations can pursue different strategies to address

the human resources and organizational needs in IT audit. This study showed that these strategies can range

from increasing the knowledge and core skills of the current internal audit staff to increasing the use of

sophisticated technology tools and third-party experts. Besides this, it also becomes the responsibility of

these internal auditors to assess the IT skill level of the organization and to promote greater IT risk

involvement by the management of the firm. Regardless of the maturity level of an internal audit function it

has clearly been shown that all auditors that need to address IT risks and design proper controls should

constantly develop their knowledge around the use of information technologies as changes in IT occur

rapidly. Within this study it is therefore argued that internal audit executives should consider refreshing their

current IT audit staff with new and young IT auditors that are fully focused on a career in IT audit. These

new and young trained IT auditors are flexible and can easily adapt their knowledge to the changes in IT that

will rapidly occur within their organizations. Without having the required resources, internal audit functions

will not be able to adequately audit the increasing complexity of IT within their organizations. Therefore,

given the results of this study, small-sized and/or immature internal audit functions that do not have

specialized IT audit resources available and whose organizations are starting to become increasingly

reliant on IT need to be aware that this will impact the task description of the current internal audit staff and

need to take timely actions in order to prevent their organizations from being exposed to numerous IT risks that

come with the use of emerging IT.


6. Personal reflection and future research suggestions

This chapter is a personal reflection on the outcomes of this research. With this reflection I focus on the

observations that stood out from this study and any open questions that remain. It further describes the

research limitations that should be considered when making assumptions and conclusions based on the study

results. Based on this reflection future research suggestions are provided that can be performed to obtain

more empirical evidence on the impact of emerging IT on the task description of the internal auditor.

After my switch to the internal audit team of Deloitte Risk Services I was motivated to find a research

subject that would match the requirements of the Postgraduate IT audit course and, on the other hand, would

also be valuable to the knowledge of the internal audit team of which I am part. With this motivation in

mind I started to read scientific articles on the impact of information technology on the internal audit activity.

Soon I discovered that the general conclusion reached by these scientific studies is that the rapid changes and

developments in IT are significantly impacting the auditing field. This motivated me to examine what the

impact of emerging IT will be on the existing roles and responsibilities of the internal auditor and which

developments the internal audit function has to undertake in order to be able to adequately audit the

increasing complexity of IT within their organizations. With this subject my goal of writing a thesis that is

relevant for the IT audit profession as well as for the internal audit team of which I am part is achieved.

Although there are numerous scientific articles that conclude that emerging IT significantly impacts the

existing roles and responsibilities of all auditors, this research shows that the impact is rather low

on the existing roles and responsibilities of internal auditors working for mature internal audit functions. The

reasoning behind this is that these types of internal audit functions have specialized IT auditors employed

who focus on the IT risks and controls within the organization, leaving the other auditors

(financial/operational) of the internal audit function unaffected by the developments of IT. Another

observation that was shown to lower the impact of emerging IT on the existing roles and responsibilities of

internal auditors is the type of business model pursued by the organization. Whenever the IT environment has

been outsourced, the use of emerging IT will not have a direct impact on the internal audit function. These

findings demonstrate that before making conclusions regarding the impact of emerging IT on the required

knowledge and skills of auditors, different situations should be examined in order to obtain an accurate and

valid conclusion regarding this relationship. As the scientific literature used for this research does not make

this distinction in making its conclusions I have chosen to also not make this distinction up front in the study

when selecting the case study participants. This choice has led me to the conclusion as outlined above. The

number of case studies selected is limited due to the time constraints for conducting the study. Therefore,

generalizing the conclusions of this study to all internal audit functions becomes rather difficult. I have

considered the option of developing a questionnaire based on the information gathered from the scientific

literature and to send this out to numerous internal audit executives. However, as my goal was to provide a

complete description of the situation as it is at the internal audit functions selected for this research I decided

Page 67: The Internal Audit Function: A Study Examining the Impact ...vurore.nl/images/vurore/downloads/1074_Definitief... · W.A. Honselaar 2012 – Thesis Postgraduate IT Auditing Acknowledgements

Page | 67 W.A. Honselaar 2012 – Thesis Postgraduate IT Auditing

to not use a questionnaire as this would not have provided me with the detailed information required to reach

my conclusions on the research subject. Although this research demonstrates that the impact of emerging IT

is rather low on the existing roles and responsibilities of internal auditors working for mature internal audit

functions, the question remains whether this conclusion stays valid in the coming 5 to 10 years. The

automation of business processes continues to accelerate at a high pace. This is evident, for example, in the

banking and insurance industry where Straight Through Processing is a frequently used term, meaning that an

order is being processed without any human intervention. Given these developments it remains relevant to

question whether generalists auditors (financial/operational) do need to expand their skills and knowledge in

the area of IT audit to cope with these future challenges. Based on this I suggest the following research

question for future research:

1) “What is the impact of the increasing automation of business processes on the skill set and knowledge required for financial/operational/compliance auditors to be able to perform their audit activities?”

Based on this research, I argue that the impact of emerging IT on the task description of the internal auditors working for small-sized and/or immature internal audit functions will be greater than for the mature internal audit functions, such as the ones selected for this study. The reasoning behind this is that the small-sized/immature internal audit functions probably do not employ specialized IT auditors, but only traditional financial and/or operational auditors. The fact that no such internal audit functions were selected for this research represents a limitation of this study. It would therefore be interesting to investigate whether the conclusion reached through this research, that the impact of emerging IT on internal auditors is low within highly mature and large internal audit functions, will be different for the small-sized and low-maturity internal audit functions within small and medium-sized enterprises (SMEs) that are at the start of becoming increasingly reliant on information technologies. How relevant does it become for these types of organizations to focus on IT risks and controls, and how do these organizations anticipate the risks they will face due to the increasing reliance on IT? Based on this, I suggest the following research question for future research:

2) “What is the impact of becoming more reliant on IT on the perception of entrepreneurs of SMEs towards the importance of IT risk management within their organizations and how can the IT auditor assist these entrepreneurs in obtaining reasonable assurance on their IT environment?”

Finally, the literature review shows that a great number of scientific articles discuss the ever-increasing complexity of IT within organizations and the impact of this development on the internal audit profession. This research demonstrates that, due to this development, organizations are, on the other hand, putting effort into standardizing their IT environment, thereby making it less complex and more efficient. This is a logical reaction to the conclusions reached in previous research that the complexity of IT is increasing within organizations. In order for organizations to remain strong or even become stronger competitors in the markets in which they operate, they can benefit from increasing the efficiency and effectiveness of their use of IT. This will lower the operating costs of the business operations and can therefore lead to better financial performance. The results of the case study imply that this can lead to less need for IT audit resources, as the scope and the complexity of the audit object will decrease. On the other hand, however, I see this as an opportunity for internal IT auditors, as they can assist their organizations in achieving the goal of standardizing the IT environment and thereby increasing the efficiency of their use of IT. It is the internal IT auditor who has the expert knowledge of the IT systems and business processes of the organization required to advise the business in achieving its goal. This is also in line with the evolution of the internal auditor's role into the consulting arena. Utilizing the internal IT auditor as a trusted business advisor can therefore, in these situations, add value to the organization in achieving its strategic objectives. Based on this, I suggest the following research questions for future research:

3) “What is the role of the IT auditor in assisting organizations in achieving the goal of standardizing the IT environment and thereby increasing the efficiency of its use of IT and what is the added value of the IT auditor in performing this role?”

4) “What is the difference between an IT consultant and an IT auditor and which aspects of these two professions are the most important in assisting organizations in achieving the goal of standardizing the IT environment and thereby increasing the efficiency of its use of IT?”

With this personal reflection on the current research, I have pointed out what stood out from this study, the open questions that remained, the research limitations, and my suggestions for future research. I encourage future researchers in the area of IT audit to consider the future research suggestions provided in this chapter. Based on a review of the existing IT audit literature, I have noted that these topics have not yet been explored in depth. This makes it relevant for them to be investigated through further research.
