19-April-02
The effects of auditor type and The effects of auditor type and information system risk on the information system risk on the implementation of continuous implementation of continuous monitoring of financial monitoring of financial information systems.information systems.
Richard Dull - Clemson UniversityEric Johnson - Indiana University
19-April-02
Today’s Presentation -- Today’s Presentation --
Report on the status of our projectSeek advice for improvement
19-April-02
Continuous Monitoring/AuditingContinuous Monitoring/Auditing
Are we operating at an acceptable level of implementation?
19-April-02
Why Not?Why Not?
“Everyone” agrees CM would assist in providing more timely information to decision-makers.
It is widely accepted in non-financial settings.
19-April-02
Background Background
Continuous monitoring – one of the “top five” emerging technologies
The role of auditor in IS design, implementation and monitoring is key in CM deployment (Kogan et. al.)
Auditor acceptance of technology may influence risk assessment for new technology (Hunton et. al.)
19-April-02
Research QuestionsResearch Questions
Obstacles to CM/CA implementationEffects of RiskEffects of Auditor “type”
– Internal– External
19-April-02
Addressing the Research Addressing the Research QuestionsQuestionsField experimentCurrently in process
– Limited preliminary results– Adjusting for next round
19-April-02
Research DesignResearch Design
Basic 2X2 Design– Auditor Type
InternalExternal
– IS Risk LevelLowHigh
19-April-02
Research Design - AuditorResearch Design - Auditor
PracticingIS Experienced
19-April-02
Research Design - AuditorResearch Design - Auditor
Internal– Improve organizations operations (IIA)– Organization’s interest– Support CM
External– Compliance of financial information system– CM is “untested”– Lower Support
19-April-02
Research Design – AuditorResearch Design – AuditorOther factors . . .Other factors . . .
Who developed CM modulesResidence/control of modulesTrust
19-April-02
Research Design -- RiskResearch Design -- Risk
Manipulated by controls over passwords– Security manager– Network manager
19-April-02
Research Design – Risk (problems?)Research Design – Risk (problems?)
Manipulation too subtle?CM “untested” – does this overshadow the
risk manipulation
19-April-02
CaseCase
Provided background on companyHigh risk and low risk versionsSolicited opinions on company
19-April-02
Case – QuestionsCase – Questions
Security of systemAccess by company's IS staffInherent riskControl riskFraud riskEffectiveness of CA softwareAuditor’s qualifications to assess controlsOverall knowledge of CA
19-April-02
Case – Questions CA Case – Questions CA
General opinions regarding CACosts/BenefitsEffectivenessStaffingTimingAuditor involvement in developmentRelative risk
19-April-02
DemographicsDemographics
Experience IS/non-ISCompany typeLevelCertifications
19-April-02
ResultsResults
19-April-02
FutureFuture
Shorten survey/caseWeb vs. paper?