An Investigation of Factors Influencing The Use of Computer-Related Audit Procedures

Name /9671/05
05/20/2009 04:15PM
Plate # 0
JIS (AAA)
JOURNAL OF INFORMATION SYSTEMS

Vol. 23, No. 1
Spring 2009
pp. 000000
An Investigation of Factors Influencing

the Use of Computer-Related
Audit Procedures
Diane Janvrin
Iowa State University
James Bierstaker
Villanova University
D. Jordan Lowe
Arizona State University
ABSTRACT: We provide data on the extent to which computer-related audit procedures
are used and whether two factors, control risk assessment and audit firm size, influence
computer-related audit procedures use. We used a field-based questionnaire to collect
data from 181 auditors representing Big 4, national, regional, and local firms. Results
indicate that computer-related audit procedures are generally used when obtaining an
understanding of the client system and business processes and testing computer controls. Furthermore, 42.9 percent of participants indicate that they relied on internal
controls; however, this percentage increases significantly for auditors at Big 4 firms.
Finally, our results raise questions for future research regarding computer-related audit
procedure use.
Keywords: computer-related audit procedures; IT specialists; control risk assessment;
firm size.
Data Availability: Data used in this study are available from the first author upon
request.
I. INTRODUCTION
dvances in client information technology (IT) are rapidly changing the way auditors
evaluate control risk and recent audit standards suggest that control risk may influence computer-related audit procedure use when examining clients with complex
We appreciate the helpful comments of Joseph Brazel, Mary Curtis, Julie Smith David, William Dilla, Julie Anne
Dilley, Stephanie Farewell, Gary Hackbarth, Frank Hodge, Cynthia Jeffrey, Eric Johnson, Brian Mennecke, Bill
Messier, Ed ODonnell, Kurt Pany, G. Premkumar, Sue Ravenscroft, Janet Samuels, Dan Stone, Tony Townsend,
Scott Vandervelde, Kristi Yuthas, two reviewers, and participants in the Iowa State Accounting / Finance Research
Seminar Series, the 2005 Information Systems New Scholars Workshop, and the 2007 Auditing Section Midyear
Meeting. Finally, we gratefully acknowledge the assistance of Sarah Erdmann, Krissy Gronborg, Cory Heilmann,
Jon Hobbs, Breanne Kruger, Omar Torren, Allan Trapp, Pat Wagaman, Katie Wallace, Tara Wilkins, the AICPA,
and the study participants.
pg 1 # 1
Name /9671/05
05/20/2009 04:15PM
Plate # 0
JIS (AAA)
Janvrin, Bierstaker, and Lowe
IT1 (AICPA 2001; PCAOB 2007). For example, SAS No. 94 alerts auditors that assessing
control risk at maximum and relying only on substantive testing may not be effective for
clients with complex IT (AICPA 2001). Instead, auditors are advised to consider using
computer-related audit procedures, including IT specialists, when they obtain an understanding of client internal controls during audit planning (AICPA 2008, AU 319.29-32). Moreover, the Public Company Accounting Oversight Boards (PCAOB) Auditing Standard No.
5 requires auditors of all publicly traded companies to express an opinion on the effectiveness of the clients internal control system over financial reporting (PCAOB 2007). This
study examines the extent to which computer-related audit procedures are used and whether
two factors, control risk assessment and audit firm size, influence computer-related audit
procedure use.
Audit firm size may impact the use of computer-related audit procedures given that
clients of Big 4 firms are more likely than those of smaller firms to have more complex
IT. Previous research has not addressed the extent to which firm size affects the use of
computer-related audit procedures. Moreover, recent research suggests that national audit
firms have gained market share in the post-Andersen period (Cassell et al. 2007; Krishnan
et al. 2008). National firms clients are likely to have more complex IT than local or regional
firms, but less than Big 4 firms. Therefore, an open question is whether national firms use
of computer-related audit procedures resembles that of the Big 4 firms or smaller firms?
We examine computer-related audit procedure use, as well as how control risk assessment and audit firm size influences use, via a field-based instrument. The instrument was
completed by 181 auditors representing Big 4, national, regional, and local firms. Results
suggest that computer-related audit procedures are generally used when obtaining an understanding of the client systems and business processes and when testing application and
general computer controls. Moreover, 42.9 percent of participants assess control risk less
than maximum, which is almost double the rate found in previous research based on a
single international audit firm (Waller 1993). In engagements where control risk is assessed
at less than maximum, computer-related audit procedures and IT specialists are more likely
to be used, than when control risk is assessed at maximum. Findings indicate that in engagements involving Big 4 audit firms, control risk is more likely to be assessed at less
than maximum and computer-related audit procedures and IT specialists are more likely to
be used than in engagements involving smaller audit firms. Furthermore, while auditors
employed by national audit firms are more likely to have control risk assessed below maximum than those working for smaller audit firms, use of computer-related audit procedures
is surprisingly similar.
This study fills a void in the research by examining how control risk and audit firm
size impact computer-related audit procedure use. These factors are important given that:
(1) failure to consider control risk for clients with complex IT may lead to audit efficiency
and effectiveness issues (AICPA 2001; Mock and Wright 1999), (2) standards suggest that
auditors consider control risks during planning when they examine clients with complex
IT (AICPA 2001, 2002b), and (3) understanding the degree to which auditors consider
control risks given advances in client IT and newer audit methodologies may provide guidance to the PCAOBs Standing Advisory Group and the Auditing Standards Board as these
groups examine new risk-based standards (AICPA 2006; PCAOB 2007). Furthermore, this
Current audit standards use the term clients with complex, highly integrated financial reporting systems (AICPA
2008, AU 319.16). For parsimony, we shorten this term to clients with complex IT.
Journal of Information Systems, Spring 2009
pg 2 # 2
Name /9671/05
05/20/2009 04:15PM
Plate # 0
pg 3 # 3
JIS (AAA)
An Investigation of Factors Influencing the Use of Computer-Related Audit Procedures
study provides evidence that audit firm size is a significant factor related to the use of
computer-related procedures, and the degree to which audit procedures are altered in response to control risk assessments and client IT complexity.
The remainder of the paper is organized as follows. In the next section we review
relevant literature and develop research questions. Next, we discuss the methodology of our
study. In the following section we present results and offer future research questions from
our findings. Finally, we discuss the implications of the study and offer additional research
directions.
II. LITERATURE REVIEW AND RESEARCH QUESTION DEVELOPMENT
PCAOB Auditing Standard No. 5 provides increased emphasis on examining the effectiveness of the clients internal control system over financial reporting. More specifically,
this standard advises auditors to examine the extent of IT in the year-end financial reporting
process. In their examination, financial auditors often examine clients with complex IT.
Regulatory standards codify how increased client IT use and related risks may influence
the use of computer-related audit procedures (AICPA 2001, 2002a, 2002b, 2002c). For
instance, SAS No. 94 describes how client IT impacts auditors consideration of internal
controls and suggests that auditors include client IT when assessing risk (AICPA 2001, AU
319.39). Auditors are expected to gain an understanding of client systems and business
processes by examining (1) significant transactions supporting the clients financial statements, (2) procedures used to initiate, record, process, and report transactions, (3) means
by which clients systems capture events and conditions (other than transactions), and (4)
processes used to prepare client financial statements (AICPA 2001, AU 319.49-51). Auditors are also encouraged to review automated controls (AICPA 2001, AU 319.44, 319.45).
Given the importance of these controls, auditors need to determine if these controls are
functioning as intended and are continuing to operate effectively (AICPA 2001, AU 319.78).
Automated controls include both application and general controls (e.g., program change
controls, access controls, and systems software controls). The new audit risk standards
(AICPA 2006) expand upon several SAS No. 94 concepts. For instance, the standard on
audit evidence suggests that auditors employ computer-assisted audit techniques (CAATs)
to check the accuracy of the summarization of a file or to re-perform procedures (i.e., aging
of accounts receivable, etc.; AICPA 2006, AU 308.33-34).
Furthermore, SAS No. 99 codifies certain fraud detection procedures that relate to client
IT evaluation. For example, auditors are encouraged to consider how a client may use
IT to commit a fraud. Auditors may use computerized audit application techniques
(CAATs) to evaluate these fraud risks (AICPA 2002b, AU 316.52) and identify journal
entries and other adjustments to be tested (AICPA 2002b, AU 316.61; Lanza and Gilbert
2007).
Finally, there may be certain circumstances (i.e., significant client IT-related risks and/
or limited auditor IT expertise) in which it is necessary to use an IT specialist (Hunton et
al. 2004). For instance, as suggested by the planning and supervision standard, auditors
may elect to use IT specialists to perform the following procedures: (1) inquiry of client
IT personnel about how transactions are initiated, recorded, processed, and reported, and
how IT controls are designed, (2) inspect systems documentation, (3) observe the operation
of IT controls, and (4) plan and perform tests of IT controls (AICPA 2006; AU 314.15).
Name /9671/05
05/20/2009 04:15PM
Plate # 0
JIS (AAA)
Research Questions
During evidence planning, auditors determine the nature, timing, and extent of audit
procedures based upon the results of the risk assessment process.2 Prior research, however,
yields conflicting results regarding whether audit plans reflect these risk assessments. Several archival studies have been conducted to assess whether evidential planning is adaptive
to variations in risk assessment (see Bedard 1989; Elder and Allen 2003; Johnstone and
Bedard 2001; Mock and Wright 1993, 1999). Overall, the results from these archival studies
suggest that audit program plans are not appropriately risk-adjusted in practice, and specifically, that control risk assessment has very little if any influence on subsequent audit
plans.
Experimental studies have also been performed in this area. Bedard and Wright (1994)
report that program plans are not closely related to risks while Wright (1988) finds evidential plans are adjusted to address increases in risk, but the adjustment may be inefficient.
Hill (2001) suggests that auditors are sensitive to prior error information in adjusting audit
plans. Finally, Bierstaker and Wright (2005) report that partners efficiency preferences
potentially interact with risk assessments and subsequent audit plan adjustments. In other
words, auditors may be reluctant to increase planned hours and tests when efficiency pressure is high, even if risks are high. It is important to note that the majority of these prior
studies focused only on Big 4 firms.
In this study, we assess whether control risk assessment leads to differential use of
computer-related audit procedures for clients with complex IT. We conjecture that for these
clients, auditors may be more likely to rely on controls and use computer-related audit
procedures. For example, auditors may be unable to evaluate clients with complex IT without obtaining electronic records from the client or using CAATs. Moreover, regulatory
standards encourage the use of CAATs in the process of understanding and auditing controls
and suggest that client IT considerations be reflected in risk assessments (AICPA 2001,
2006). Alternatively, some may argue that high IT complexity influences some auditors to
seek non-CAAT audit solutions because auditors cannot adequately deal with this level of
complexity.
Given that prior research has found conflicting results regarding whether program plans
are subsequently adapted to risks and, further, that little if any research has directly examined the relationship between control risk assessments and computer audit procedures,
we propose the following research question:
RQ1a: When examining clients with complex IT, does the use of computer-related audit
procedures vary by control risk assessment?
Computer-related audit procedures vary from requesting that the client provide electronic records to testing automated and general controls to use of IT specialists. The use
of IT specialists has recently attracted significant research interest (Brazel 2005; Brazel and
Agoglia 2007; Curtis and Viator 2000; Hunton et al. 2004), some of which suggests that
IT specialists may be underused (Carmichael 2004). SAS No. 94 suggests that auditors
consider several factors when deciding whether to use IT specialists. These factors include:
(1) the complexity of the clients IT, (2) the significance of changes made to existing client
systems or implementation of new systems, (3) the extent to which data is shared among
2
Nature refers to the specific type of audit procedures selected to gather evidence about an account or area.
Timing refers to when the audit procedures are performed (interim or year-end). Extent refers to the amount or
scope of testing (Bedard et al. 1999, 96).
pg 4 # 4
Name /9671/05
05/20/2009 04:15PM
Plate # 0
pg 5 # 5
JIS (AAA)
client systems, (4) the clients use of emerging technologies, and (5) the significance of
audit evidence that is available only in electronic form (AICPA 2008, AU 319.31). Theoretically, these factors are related to control risk. Hence we investigate:
RQ1b: When examining clients with complex IT, does the use of an IT specialist vary
by control risk assessment?
Larger audit firms have more resources available to them and have a larger international
base of operations in which to respond to current developments and clients needs than
smaller firms (Gist and Davidson 1999; Palmrose 1986). These differences may enable
larger firms to provide IT-related audit training and to better use computer-related audit
procedures. Larger audit firms may be more adaptive and more likely to adjust their audit procedures to changes in client IT by incorporating more computer-related procedures.
Of particular note is the use of IT specialists. Since larger firms generally have more
resources, they may be more likely to develop, support, and employ IT specialists than
smaller firms.
Furthermore, auditors employed by larger firms are more likely to audit larger clients
who possess more complex IT. Given the fact that audit standards advise auditors to rely
more heavily on internal controls for clients with complex IT (AICPA 2001), we surmise
that computer-related audit procedures use may vary by firm size. Since most prior research
has focused on Big 4 firms, it is unclear to what extent auditors employed by national firms
will use computer-related audit procedures and IT specialists when examining clients with
complex IT.3 Therefore, the following research questions are posed:
RQ2a: When examining clients with complex IT, does the use of computer-related audit
procedures vary by firm size?
RQ2b: When examining clients with complex IT, does the use of an IT specialist vary
by firm size?
III. METHOD
Participants
Participants included 181 auditors representing Big 4, national, regional, and local firms
from geographically different regions of the U.S. One researcher attended an AICPA training seminar to obtain responses from 109 auditors from national, regional, and local firms.
We also contacted local offices of each Big 4 firm and one national firm. From these
contacts, we collected data from 72 auditors.
As shown in Table 1, participants averaged 12.7 years of financial audit experience and
their average age was 36.5 years. Many participants (86.2 percent) held CPA certificates.
The majority of the participants (71.0 percent) were male. Participants worked for a variety
of firms; 36.7 percent of participants were employed at local firms, 14.7 percent at regional
firms, 17.5 percent at national firms, and 31.1 percent at Big 4 firms.
Instrument Development and Validation
In developing our field-based instrument, we sought several sources in which to obtain
credible evidence on computer-related audit procedure use, including use of IT audit specialists and whether control risk assessment and audit firm size are associated with use.
3
Recent research (Cassell et al. 2007) suggests that national audit firms have gained market share in the postAndersen period.
Name /9671/05
05/20/2009 04:15PM
Plate # 0
pg 6 # 6
JIS (AAA)
TABLE 1
Participant Demographics
Total
Responses
Years as an External Auditor
Agea
12.7
(9.4)
36.5
(10.0)
Big 4
Firms
8.0
(7.9)
31.0
(7.3)
National
Firms
Regional
Firms
Means (Std. Dev.)

10.0
15.7
(9.7)
(7.8)
33.9
40.2
(10.4)
(9.1)
Local
Firms
16.5
(8.8)
40.7
(9.4)
Frequencies (Percent)
Highest Education Levela
Bachelors Degree
Masters Degree and Beyond
Certificationa,b
Certified Public Accountant
Other (CIA, CISA, CMA, CFE,
CFP, etc.)
Gender a
Male
Female
Audit Firm Sizea
IT Expertisea
Novice
Intermediate
Expert
a
b
149
(82.8%)
31
(17.2%)
156
11
43
(78.29%)
12
(21.8%)
40
1
27
(87.1%)
4
(12.9%)
24
0
24
(92.3%)
2
(7.7%)
26
3
53
(81.5%)
12
(18.5%)
63
5
127
(71.0%)
52
(29.0%)
181
38
(69.1%)
17
(30.9%)
55
(31.1%)
19
(61.3%)
12
(38.7%)
31
(17.5%)
20
(76.9%)
6
(23.1%)
26
(14.7%)
48
(75.2%)
16
(25.0%)
65
(36.7%)
30
(16.7%)
127
70.5%)
23
(12.8 %)
9
(16.4%)
44
(80.0%)
2
(3.6%)
6
(19.4%)
21
(67.7%)
4
(12.9%)
4
(15.4%)
18
(69.2%)
4
(15.4%)
11
(17.2%)
40
(62.5%)
13
(20.3%)
One or more participants did not answer question.

Participants could list more than one certification.
Specifically, we examined SAS Nos. 94, 96, 99, 100 and various audit risk standards for
computer-related audit procedures and recommendations for IT audit specialist use. We
employed a broad definition of computer-related audit procedures that included procedures
used to examine client general and application IT controls as well as CAATs. To the degree
possible, we used audit standard wording in our field-based instrument. For example, the
wording in the instrument describing computer-related procedures to obtain understanding
of client systems and business processes is from SAS No. 94 (i.e., AICPA 2008, AU
319.49).
Measurement Issues
As noted above, since computer-related audit procedure use varies significantly by
audit, pilot tests indicated that due to the wide diversity of client IT, participants would
Name /9671/05
05/20/2009 04:15PM
Plate # 0
pg 7 # 7
JIS (AAA)
have difficulty determining their typical client. Therefore, we asked participants to select
one client with highly computerized systems and indicate if they used each audit procedure
for that selected client, rather than for a typical client. To measure control risk assessment,
participants indicated whether they assess control risk below maximum level due to the
highly computerized transaction and financial reporting systems for the selected client.4
Consistent with recent research on client IT and audit planning (Bedard et al. 2005),
we measure computer-related audit procedure use, including IT specialists, at the individual
auditor level. Obtaining audit procedure use data at the firm level is impractical and would
be less sensitive to individual client attributes.5
We used two measures of IT specialist use. First, participants indicated if they used an
IT specialist during the audit for the selected client. Second, participants indicated if they
used an IT specialist to perform four specific audit procedures (i.e., inquire of client IT
personnel, inspect systems documentation, observe IT control operations, and test IT controls) for the selected client.
Audit firm size is measured with four categories: Big 4, national, regional, and local.
Prior research generally compares data from Big 4 firms to smaller firms (Manson et al.
1997, 1998). While it is commonly known that large CPA firms have made significant
investments in IT (Banker et al. 2002; ODonnell and Schultz 2003), little descriptive
research exists that documents use of computer-related audit procedures and IT audit specialists by non-Big 4 firms.
Finally, we added two covariates to our logistic regressions: client IT complexity and
external audit experience. Since IT use may vary by client IT complexity, we asked participants to rate the IT complexity for their selected client on a seven-point scale where 1
manual processing and 7 highly automated financial reporting system. Also, previous
research has found IT use to vary by external audit experience (e.g., Curtis and Viator 2000;
Hunton et al. 2004; Viator and Curtis 1998).
IV. RESULTS
Descriptive Statistics
Table 2 displays the demographics and audit characteristics for the selected clients.
The audits were conducted between 2003 and 2005. Client asset size varies greatly with the
average reported at $1.8 billion in assets.6 On average, participants rated the IT complexity
for their selected client as 5.3 on the seven-point scale described above. Sixty-four percent
classified the role of information technology in the selected client as being used to provide
information to empower management and employees (i.e., informate up/down [Chatterjee
et al. 2001]).
Approximately 43 percent of participants assessed control risk below the maximum
level when examining clients with complex IT. Thirty-eight percent spent one to three weeks
on the audit, 32 percent spent one month, and 30 percent spent greater than two months.
4
As a result, only control risk related to system complexity is measured here. This provides a strong examination
of our research questions because materiality differences due to non-IT factors are controlled.
Consistent with prior research (Apostolou et al. 2001; Lowe and Reckers 2000; Sprinkle and Tubbs 1998),
participants also rated the importance of each procedure in a typical audit of a client with highly computerized
transaction and financial reporting systems on a seven-point scale with endpoints of 1 not important and 7
very important. The two measures for each individual audit procedure, importance and use, were highly
statistically correlated with Pearson correlation coefficients ranging from 0.55 for obtaining electronic records
to 0.74 for evaluating general access controls. Results for importance using ANCOVA rather than logistic
regression analysis (since importance was collected using a seven-point scale) were qualitatively similar to those
reported in the paper.
As expected, client asset size is statistically significantly correlated with audit firm size (r 0.52; p 0.0001).
Name /9671/05
05/20/2009 04:15PM
Plate # 0
pg 8 # 8
JIS (AAA)
TABLE 2
Selected Client Demographics and Audit Characteristicsa
Panel A: Selected Client Demographics
Total
Big 4
Responses
Firms
Average Client Asset
Size
IT Complexity for
Clientb
National
Firms
Regional
Firms
Local
Firms
Means (Std. Dev.)

$1.8 billion $16.6 billion $2.6 billion $145 million $99 million
($10.4 billion) ($47.6 billion) ($11.8 billion) ($165 million) ($202 million)
5.29
5.69
5.18
5.06
5.06
(1.16)
(1.10)
(0.77)
(1.24)
(1.27)
Role of IT in Client c,d

Automate
Informate up / down
Transform
47
(29.8%)
101
(63.9%)
10
(6.3%)
15
(28.3%)
34
(64.2%)
4
(7.65%)
8
(30.8%)
16
(61.5%)
2
(7.7%)
6
(26.1%)
16
(69.6%)
1
(4.3%)
18
(34.0%)
32
(60.4%)
3
(5.6%)
National
Firms
Regional
Firms
Local
Firms
Panel B: Characteristics of Audit of Selected Client

Total
Responses
Big 4
Firms
Assessed control risk below maximum level due to selected clients highly computerized transaction
and financial reporting systemsd
Yes
75
34
15
7
15
(42.9%)
(61.8%)
(51.7%)
(26.9%)
(24.6%)
No
100
21
14
19
46
(57.1%)
(38.2%)
(48.3%)
(73.1%)
(75.4%)
Time Spent on Annual Audit of Selected Clientd
1 to 3 Weeks
60
2
6
13
37
(38.0%)
(3.7%)
(46.2%)
(50.0%)
(60.7%)
1 Month
51
19
6
8
17
(32.0%)
(35.2%)
(46.2%)
(30.8%)
(27.9%)
2 Months
47
33
1
5
7
(30.0%)
(61.1%)
(7.6%)
(19.2%)
(11.4%)
Evidence Collection Method for Selected Clientd
Paper Evidence
15
0
1
4
9
Only
(8.7%)
(0%)
(3.6%)
(15.4%)
(14.8%)
Both Paper and
156
54
26
22
51
Electronic
(90.2%)
(100.0%)
(92.8%)
(84.6%)
(83.6%)
Evidence
Electronic
2
0
1
0
1
Evidence Only
(1.1%)
(0%)
(3.6%)
(0%)
(1.6%)
Made changes to information requests and / or audit procedures due to selected clients electronic
data retention policiesd
Yes
60
18
11
6
23
(34.7%)
(33.3%)
(39.3%)
(23.1%)
(37.7%)
No
113
36
17
20
38
(65.3%)
(66.7%)
(60.7%)
(76.9%)
(62.3%)
(continued on next page)
Name /9671/05
05/20/2009 04:15PM
Plate # 0
pg 9 # 9
JIS (AAA)

TABLE 2 (continued)
Total
Responses
Big 4
Firms
National
Firms
Regional
Firms
Use of IT specialist during audit of selected clientd
Yes
77
50
8
10
(44.8%)
(90.9%)
(27.6%)
(38.5%)
No
95
5
21
16
(55.2%)
(9.1%)
(72.4%)
(61.5%)
Local
Firms
8
(13.6%)
51
(86.4%)
Participants were asked to select one client with highly computerized transaction and financial reporting
systems that they audited within the last year. Demographics for these selected clients and audit characteristics
are reported.
b
Participants rated the IT complexity for their selected client where 1 manual processing and 7 highly
automated financial reporting system.
c
Participants were told that automate refers to IT replacing human labor by automating business processes;
informate up / down indicates IT provides data / information to empower management and employees; transform
refers to IT fundamentally altering traditional ways of doing business by redefining business processes and
relations.
d
One or more participants did not answer question.
Forty-five percent responded that an IT specialist was used during the selected audit. The
most common evidence collection method was using both paper and electronic methods
(90.2 percent) versus using strictly paper evidence (8.7 percent) or only electronic evidence
(1.1 percent). Finally, standards suggest that auditors may be required to make changes to
information requests and/or audit procedures due to client electronic data retention policies.7 A majority of our participants (65.3 percent) did not make changes to information
requests and/or audit procedures due to the selected clients electronic data retention
policies.
Descriptive statistics indicate that audit procedure use varies significantly by audit phase
(see Panel A of Table 3). Use was high during the audit planning phase as most participants
consider client IT in the risk assessment process (RiskAssessment) (88.2 percent), obtain
an understanding of client system and business processes (ranging from 82.6 percent for
reviewing processes used to prepare the clients financial statements, ProcessesToPrepareFinancialStatements, to 94.8 percent for examining significant transactions supporting the clients financial statements, SignificantTransactionsSupportingStatements), and
request that their client provide electronic records (RequestClientElectronicRecords,
93.1 percent). Use during control testing was lower as the percent of participants that
use automated, application, and general controls varied from 54.1 percent for testing automated controls to determine if they function effectively throughout the audit period
(AutomatedControlEffectiveness) to 72.0 percent for evaluating access controls (AccessGeneralControl). However, fewer participants used CAATs for substantive testing (ranging
from 35.3 percent to 54.8 percent). Finally, as shown in Panel B of Table 3, of the participants who used IT specialists when examining clients with complex IT, 76.0 percent used
IT specialists to plan and perform IT control tests (SpecialistTestITControls), 85.3 percent
7
For example, if a client retains supporting documentation electronically for specific account balances for only
six months, the auditor needs to either adjust his / her data collection plan or audit procedures accordingly.
Name /9671/05
05/20/2009 04:15PM
Plate # 0
pg 10 # 10
JIS (AAA)
10
TABLE 3
Descriptive Statistics: Procedure and IT Specialist Use Percentage
Panel A: Audit Procedures
Include client technology considerations in risk assessment

process (RiskAssessment)
Obtain Understanding of Client System and Business
Processes by Examining:
Significant transactions supporting the clients financial
statements (SignificantTransactionsSupportingStatements)
Procedures and records (both automated and manual) to
initiate, process, and report significant transactions
(ProceduresToProcessTransactions)
How system captures events and conditions (other than
transactions) that are significant to the financial statements
(HowSystemCapturesEvents)
Processes used to prepare the clients financial statements
(including significant accounting estimates and
disclosures) (ProcessesToPrepareFinancialStatements)
Test Automated Controls to Determine if They:
Function as intended (AutomatedControlFunction)
Continue to function effectively throughout the audit

period (AutomatedControlEffectiveness)
Evaluate client computer controls related to specific
applications (ApplicationControl)
Evaluate the Following Client General Computer Controls:
Program change controls (ProgramChangeGeneralControl)
Access controls (AccessGeneralControl)

Systems software controlsb
(SystemsSoftwareGeneralControl)
Use Computer-Assisted Audit Techniques (CAATs) to:
Evaluate fraud risks (EvaluateFraudRisksCAAT)
Identify journal entries and other adjustments to be tested
(IdentifyJournalEntriesCAAT)
Check accuracy of electronic files
(CheckFileAccuracyCAAT)
Re-perform procedures (i.e., aging of accounts receivable,
etc.) (RePerformProceduresCAAT)
Select sample transactions from key electronic files
(SelectSampleTransactionsCAAT)
Sort transactions with specific characteristics
(SortTransactionsCAAT)
Test an entire population instead of a sample
(TestEntirePopulationCAAT)
Obtain evidence about control effectiveness
(ObtainControlEffectivenessEvidenceCAAT)
Evaluate inventory existence and completeness
(EvaluateInventoryCAAT)
Request that client provide electronic records to examine
(RequestClientProvideElectronicRecords)
Reference in
Standard
Use in Selected
Client Percenta
AU 318.15
88.17
AU 319.49
94.80
AU 319.49
93.64
AU 319.49
83.04
AU 319.49
82.56
AU
AU
AU
AU
AU
319.29,
319.78
319.29,
319.78
319.44
65.90
AU
AU
AU
AU
319.45,
319.96
319.45
319.45
72.02
60.71
AU 316.52
AU 316.64
37.87
49.11
AU 308.33
54.76
AU 308.34
41.32
AU 327.19
51.79
AU 327.19
49.40
AU 327.19,
AU 327.61
AU 327.27
35.33
35.50
AU 316.54
35.93
AU 314.11
93.10
54.07
66.27
60.36

Name /9671/05
05/20/2009 04:15PM
Plate # 0
pg 11 # 11
JIS (AAA)
11

TABLE 3 (continued)
Panel B: Use IT Audit Specialistc
To inquire of clients IT personnel about how data and

transactions are initiated, recorded, processed, and
reported, and how IT controls are designed
(SpecialistInquiryClientPersonnel)
To inspect system documentation
(SpecialistInspectSystemDocumentation)
To observe the operation of IT controls
(SpecialistObserveITControlsOperations)
To plan and perform tests of IT controls
(SpecialistTestITControls)
Reference in
Standard
Use in Selected
Client Percenta
AU 319.32,
AU 314.15
90.41
AU
AU
AU
AU
AU
AU
86.67
319.32,
314.15
319.32,
314.15
319.32,
314.15
85.33
76.00
Percentage of participants that indicated they used procedure when auditing selected client.
Systems software controls refer to general computer controls over the operating systems and utility programs
that manage the computer resources.
c
Includes only participants who initially indicated that they used IT audit specialists on selected audit as shown
in Table 2. Two participants failed to answer these questions.
b
to observe the operation of IT controls (SpecialistObserveITControlOperations), 86.7 percent to inspect system documentation (SpecialistInspectSystemDocumentation) and 90.4
percent to inquire about clients IT processing (SpecialistInquiryClientPersonnel).8
Implications for Future Research
Our descriptive results suggest that computer-related audit procedure use varies by audit
phase. Future research examining why computer-related audit procedure use is higher during audit planning and control testing than during substantive testing may be warranted.
Perhaps, in order to evaluate controls, many of which are embedded in the clients IT,
auditors have no choice but to use computer-related audit procedures. However, in the
substantive testing phase, auditors used a mix of procedures, despite potential advantages
of using computer-related procedures (i.e., continuous auditing).
Future research could examine why the use of CAATs in general and IT specialists is
somewhat low. For example, perhaps individual auditors are uncomfortable with certain
computer-related procedures because of their own IT knowledge limitations, suggesting
more education and/or training in this area is needed. The level of training and support
that auditors receive from their firm may govern the extent to which CAATs are used. This
may be coupled by a scarcity of IT specialists, the degree to which subordinates have
discretion regarding the extent to which they comply with the requests of their managers
(Kennedy et al. 2008), or perhaps there is no need for more IT specialists (Hunton et al.
2004). Alternatively, is it more of a function of firm-wide policy, including recommendedversus-required audit procedures such as CAATs (Venkatesh et al. 2003) or budget time
frame issues as examined in Curtis and Payne (2008)? Thus, future research could rely on
information systems theories such as technology acceptance model (Davis 1989), theory of
planned behavior (Ajzen 1991; Taylor and Todd 1995), innovation diffusion theory (Moore
and Benbasat 1991), or social cognitive theory (Compeau and Higgins 1995) to examine
8
Two participants who indicated they used IT specialists in Table 2 failed to provide responses when asked to
indicate which specific audit procedures IT specialists performed.
Name /9671/05
05/20/2009 04:15PM
Plate # 0
12
JIS (AAA)
if CAATs use is related to the IT knowledge of the individual auditor, the skill set of the
IT specialist, the amount of training and support provided by the audit firm, the budget
timeframe, or perceived lack of need or limitations inherent with current CAATs.
RQ1 Findings
Our first research question examines whether computer-related audit procedure use
varies by control risk assessment. Descriptive statistics presented in the first two columns
in Table 4 suggests that, in general, auditors who assessed control risk below maximum
are more likely to use computer-related auditor procedures. Further, we ran logistic regressions for each IT with use as our dependent variable, control risk and firm size as the
independent variables, and client IT complexity and external audit experience as covariates.9
To determine if computer-related audit procedure use varies by control risk assessment
when examining clients with complex IT (i.e., RQ1a), we examine the odds ratio for control
risk as shown in the second column in Table 5. To illustrate the odds ratio of 2.797 to 1
for RiskAssessment suggests that holding all other variables constant, participants who
assessed control risk below maximum are approximately three times more likely to include
client technology considerations in the risk assessment process than those who did not rely
on controls. Results suggest that in complex IT environments when auditors relied on
controls (that is assessed control risk below maximum), they were more likely to use
computer-related audit procedures. Specifically, Panel A indicates that participants who
relied on controls were more likely to consider client IT issues to test application controls
and access general controls, and to use CAATs for several tasks.
Similarly, to examine if use of IT specialists is associated with control risk assessment
when examining clients with complex IT (i.e., RQ1b), we ran logistic regressions for each
audit procedure using IT specialists with use as our dependent variable, control risk and
firm size as the independent variables, and client IT complexity and external audit experience as covariates.10 Logistic regression results (see Panel B of Table 5) found no differences in audit procedure use between those respondents who use IT audit specialists and
assess control risk below maximum and those who assess control risk as maximum.
These results suggest that auditors are more likely to use computer-related audit procedures when they rely on internal controls. However, results vary as to which computerrelated procedures were significantly related to internal control reliance. Future research is
needed to investigate why some computer-related procedures were significantly related to
internal control reliance (i.e., evaluate fraud risks), while others were not (i.e., inventory
evaluation). Perhaps some tasks still require some manual procedures (i.e., inventory observation) whereas others have specific software applications developed for them (i.e., client
risk assessments).
In addition, future research could examine if there is a general trend to use more
computer-related audit procedures as client IT becomes increasingly complex over time.
Moreover, if auditors tend to rely more on client controls in complex IT environments,
9
10
External audit experience was not statistically significant for each audit procedure, thus we do not report its
odds ratio in Table 5.
In addition, cross-tabulating IT specialist use and control risk assessment finds that 46 of the 74 participants
(62 percent who assess control risk below maximum also use IT specialists while only 31 of the 98 participants (32 percent) who assess control risk at maximum used IT specialists. One participant who accessed control
risk below maximum and two participants who accessed control risk at maximum did not answer the question
regarding IT specialist use. Chi-Square results indicated that this relation is statistically significant (Chi-Square
value 15.9; p 0.0001).
pg 12 # 12
RiskAssessment
Obtain Understanding of System and
Processes by Examining
SignificantTransactionsSupportingStatements
ProceduresToProcessTransactions
HowSystemCapturesEvents
ProcessToPrepareFinancialStatements
AutomatedControlFunction
AutomatedControlEffectiveness
ApplicationControl
Evaluate the Following General Computer Controls
ProgramChangeGeneralControl
AccessGeneralControl
SystemsSoftwareGeneralControl
97.10
95.89
94.52
86.11
88.89
80.82
68.49
83.10
72.86
85.71
71.43
83.33
93.81
93.81
81.25
77.32
55.67
43.75
54.74
52.08
63.16
53.68
Percent of Participants in Each Control

Risk Group Using Specific IT
Assessed Control
Assessed Control
Risk at Maximum
Risk below Maximum
90.57
94.34
83.02
57.14
67.86
57.14
65.52
41.38
64.29
93.10
93.10
79.31
82.76
85.19
41.38
56.14
50.88
52.54
40.68
51.72
89.83
91.53
74.58
72.88
83.05
52.00
72.00
48.00
56.00
44.00
58.33
99.90
92.00
83.33
68.00
80.00
Plate # 0
85.45
81.48
87.04
98.18
96.36
92.73
98.18
98.15
Percent of Participants from Each Firm

Size Group Using Specific IT
Big 4
National
Regional
Local
Firms
Firms
Firms
Firms
05/20/2009 04:15PM
Panel A: Audit Proceduresa
TABLE 4
Descriptive Statistics: Percent of Participants from Each Control Risk Assessment and Firm Size Group Using IT
Name /9671/05
JIS (AAA)
pg 13 # 13
13
95.74
93.88
91.84
83.67
Complete descriptions of each audit procedure are shown in Table 3.

Includes only participants who initially indicated that they used IT audit specialists on selected audit as shown in Table 2.
90.91
88.64
88.64
84.09
16.00
36.00
54.17
37.50
41.67
41.67
32.00
20.00
13.04
92.00
22.03
25.42
38.98
28.81
45.76
42.37
25.86
22.03
30.51
85.00
75.00
75.00
75.00
62.50
90.00
80.00
80.00
50.00
85.71
71.43
71.43
85.71
14
89.66
83.87
80.65
64.52
42.86
53.57
53.57
46.43
64.29
46.43
40.74
42.86
46.43
100.00

Big 4
National
Regional
Local
Firms
Firms
Firms
Firms
62.26
77.36
71.70
53.85
56.60
60.38
43.40
50.94
45.28
100.00
Plate # 0
SpecialistInquiryClientPersonnel
SpecialistInspectSystemDocumentation
SpecialistObserveITControlsOperations
SpecialistTestITControls
54.29
67.14
67.14
52.17
65.71
64.29
44.93
57.14
44.93
97.26

Assessed Control
Assessed Control
Risk at Maximum
Risk below Maximum
25.00
36.46
45.26
32.63
41.05
37.89
28.42
19.79
28.42
89.69

Big 4
National
Regional
Local
Firms
Firms
Firms
Firms
05/20/2009 04:15PM
Panel B: Use IT Audit Specialistb
Use CAATs for:

EvaluateFraudRiskCAAT
IdentifyJournalEntriesCAAT
CheckFileAccuracyCAAT
RePerformProceduresCAAT
SelectSampleTransactionsCAAT
SortTransactionsCAAT
TestEntirePopulationCAAT
ObtainControlEffectivenessEvidenceCAAT
EvaluateInventoryCAAT
RequestClientProvideElectronicRecords

Assessed Control
Assessed Control
Risk at Maximum
Risk below Maximum
TABLE 4 (continued)
Name /9671/05
JIS (AAA)
pg 14 # 14
0.972
0.335
0.654
0.784
0.061
0.077
0.030g
0.275
0.029g
0.162
2.199
2.001
2.625
1.591
3.012
1.763
0.218
0.971
0.466
0.799
1.154
2.797
15
9.844
6.583
3.524
0.004h
0.006g
0.001h
0.016g
6.910
7.025
2.750
2.488
4.929
3.038
0.020g
0.001h
4.456
0.937
2.619
10.588
6.110
0.976
0.420
0.103
0.014g
0.066
0.002h
0.009h
0.069
0.114
0.003h
0.065
0.237
0.959
0.184
0.037g
0.138
1.701
0.907
1.451
1.322
0.975
1.133
0.004
3.406
1.078
1.413
1.342
1.109
1.176
1.221
1.331
1.230
1.431
0.935
1.497
1.186
1.287
2.136
0.543
0.355
0.217
0.080
0.200
0.035g
0.836
0.149
0.368
0.183
0.004h
0.307
0.862
0.469
0.591
0.959
0.816
0.959
0.303
0.904
0.569
0.713
Plate # 0
2.997
4.846
3.302
0.126
2.121
2.755
13.331
7.432
Firm Size
Big 4 versus
Big 4 versus
National versus
Client IT
Control Risk
Others Contrast
National Contrast Smaller Contrast
Complexity
Odds p Wald Odds p Wald Odds p Wald Odds p Wald Odds P Wald
Ratioa Chi-Square Ratiob Chi-Square Ratioc Chi-Square Ratiod Chi-Square Ratioe Chi-Square
05/20/2009 04:15PM
RiskAssessment
Obtain Understanding of System and Processes
by Examining
SignificantTransactionsSupportingStatements
ProceduresToProcessTransactions
HowSystemCapturesEvents
ProcessToPrepareFinancialStatements
AutomatedControlFunction
AutomatedControlEffectiveness
ApplicationControl
Evaluate the Following General Computer
Controls
ProgramChangeGeneralControl
AccessGeneralControl
SystemsSoftwareGeneralControl
Panel A: Audit Proceduresf
TABLE 5
Logistic Regression Results: Interaction of Control Risk and Audit Firm Size on Audit Procedure and IT Specialist Use
Name /9671/05
JIS (AAA)
pg 15 # 15
Use CAATs for:

EvaluateFraudRiskCAAT
IdentifyJournalEntriesCAAT
CheckFileAccuracyCAAT
RePerformProceduresCAAT
SelectSampleTransactionsCAAT
SortTransactionsCAAT
TestEntirePopulationCAAT
ObtainControlEffectivenessEvidenceCAAT
EvaluateInventoryCAAT
RequestClientProvideElectronicRecords
2.565
2.551
1.661
2.077
2.442
2.780
1.818
4.851
1.766
2.928
0.019g
0.020g
0.183
0.055
0.017g
0.007h
0.122
0.001h
0.153
0.341
4.559
5.471
2.752
2.048
0.929
1.429
1.356
2.508
1.781
0.614
0.014g
0.071
0.855
0.367
0.444
0.031g
0.175
0.958
0.001h
0.001h
2.417
3.380
2.243
1.545
0.615
1.754
1.197
1.585
0.977
0.799
0.084
0.024g
0.116
0.383
0.350
0.271
0.723
0.381
0.962
0.999
2.591
2.060
1.359
1.526
1.861
0.735
1.205
1.991
2.463
0.673
0.918
0.862
1.106
0.789
1.162
1.015
0.908
0.791
0.884
1.287
0.627
0.379
0.518
0.137
0.330
0.923
0.548
0.181
0.458
0.352
Plate # 0
16
0.083
0.159
0.542
0.405
0.229
0.549
0.723
0.215
0.104
0.950
05/20/2009 04:15PM
Firm Size
Big 4 versus
Big 4 versus
National versus
Client IT
Control Risk
Others Contrast
Complexity
TABLE 5 (continued)
Name /9671/05
JIS (AAA)
pg 16 # 16
0.834
0.878
0.384
0.188
8.416
9.695
8.967
2.019
0.068
0.015g
0.016g
0.317
18.274
8.571
7.062
4.608
0.023g
0.051g
0.076
0.096
0.313
1.203
1.431
0.290
0.462
0.878
0.773
0.277
2.531
1.542
0.973
1.901
0.119
0.316
0.947
0.059
Odds ratio reports likelihood of audit procedure use given control risk is assessed below maximum (i.e., respondent relies on controls) versus at maximum and all other
variables remain constant.
b
Odds ratio reports likelihood of audit procedure use for Big 4 versus other firms holding all other variables constant.
c
Odds ratio reports likelihood of audit procedure use for Big 4 versus national firms holding all other variables constant.
d
Odds ratio reports likelihood of audit procedure use for national versus smaller firms holding all other variables constant.
e
Odds ratio reports likelihood of audit procedure use given client IT complexity is high versus low and all other variables remain constant.
f
Complete descriptions of each audit procedure are shown in Table 3.
g
p 0.05 level.
h
p 0.01 level.
i
Includes only participants who initially indicated that they used IT audit specialists on selected audit as shown in Table 2.
1.253
1.141
2.049
2.385
Firm Size
Big 4 versus
Big 4 versus
National versus
Client IT
Control Risk
Others Contrast
Complexity
05/20/2009 04:15PM
SpecialistInquiryClientPersonnel
SpecialistInspectSystemDocumentation
SpecialistObserveITControlsOperations
SpecialistTestITControls
Panel B: Use IT Audit Specialisti
TABLE 5 (continued)
Name /9671/05
Plate # 0
JIS (AAA)
17
pg 17 # 17
Name /9671/05
05/20/2009 04:15PM
Plate # 0
18
JIS (AAA)
future research could investigate if the relationship between control risk assessments and
audit procedures has strengthened over time. Auditors may increasingly gravitate away from
manual audit procedures and reconsider the balance of manual and computerized audit
procedures that is most appropriate for each client.
RQ2 Findings
Next, descriptive statistics examining whether computer-related audit procedure use
(RQ2a) and use of IT specialist (RQ2b) vary by audit firm size are presented in Table 4.
Results suggest that, in general, auditors from Big 4 firms are more likely to use computerrelated audit procedures. To further examine our data, we used firm size planned contrasts.
Our planned contrasts examine whether the use varied between Big 4 and non-Big 4 firms,
Big 4 and national firms, and national and smaller firms.11 Results for RQ2a, shown in
Panel A of Table 5, indicate that auditors employed by Big 4 firms are more likely than
those working for smaller firms to use computer-related audit procedures such as (1) obtaining an understanding of the clients systems and processes by examining the process to
prepare the financial statements, (2) testing automated controls, (3) evaluating general computer controls, and (4) using CAATs to evaluate fraud risk, identify journal entries to be
tested, check accuracy of electronic files, and obtain evidence about control effectiveness.
Furthermore, auditors from Big 4 firms are more likely than auditors from national firms
to use computer-related audit procedures to (1) obtain an understanding of the clients
systems and processes by examining the process to prepare the financial statements, (2)
test the effectiveness of automated controls, (3) evaluate program change and access general
computer controls, and (4) use CAATs to identify journal entries to be tested.
Results regarding RQ2b indicate that auditors from Big 4 firms who used IT specialists
are more likely to use the specialists to inspect system documentation and observe IT
control operations than are auditors from smaller firms. In addition, auditors from Big 4
firms who used IT specialists are more likely than auditors from national firms to use the
specialists to inquire of client personnel and inspect system documentation.
Our results suggest that computer-related audit procedure use varies by audit firm size.12
Future research could examine if this creates barriers to entry for small audit firms given
that even small public companies are now subject to Sarbanes-Oxley Section 404a requirements and will soon be subject to Section 404b (mandating an auditor evaluation of internal
controls). For example, do smaller firms have sufficient numbers of IT specialists available
to perform audits? Another avenue of research related to firm size would be to examine
whether other audit procedures (not involving technology) are differentially used depending
on the size of the firm and their respective clients. Future research could investigate the
reasons for these differences and the effects on systems and audit quality. Are universities
providing appropriate education? Is there a shortage of college graduates with a combination
11
12
Before grouping responses from regional and local firms together, we ran an initial planned contrast to identify
any differences between responses from these two groups. Results noted only one statistically significant difference between responses from regional and local firms: use of IT audit specialist to test IT controls
(SpecialistTestITControls).
To examine whether the interaction between control risk assessment and firm size is statistically significant, we
added an interaction term to each logistic regression. The interaction term was not statistically significant in any
of the regression models.
pg 18 # 18
Name /9671/05
05/20/2009 04:15PM
Plate # 0
pg 19 # 19
JIS (AAA)
19
of IT and accounting skills? Do SOX regulations go too far or does the audit profession
need to rise up to expectations?
V. CONCLUSIONS, IMPLICATIONS, AND FUTURE RESEARCH
In contrast to some previous research, our results suggest that client IT complexity
influences the nature of audit testing, and gives standard setters insights into how auditors
adjust audit programs in response to control risk assessments. While previous research has
found mixed results on the relation between client risks and audit planning, and often
focused on audit effort, our study shows a clear linkage between auditors control risk
assessments and the nature of tests used with respect to computer-related audit procedures.
The results also indicate a wide range of variability in terms of the procedures auditors
select for high IT clients. Future research should examine whether these differences are
due to auditors tailoring their audit programs based on individual client-related factors or
whether they arise because of individual or audit firm differences in audit approaches.
Unlike previous research, which focused primarily on Big 4 firms, our study considers the
role of audit firm size. For example, our results indicate that while auditors employed by
national audit firms are more likely to have control risk assessed below maximum than
those working for smaller audit firms, use of computer-related audit procedures is surprisingly similar.
Future research needs to examine the extent to which these computer-related audit
procedures improve audit effectiveness and efficiency. For example, are auditors willing to
reduce substantive tests if control risk is low, consistent with AS No. 5? Or are they still
reluctant to reduce their own work given concerns about liability? Moreover, recent research
by Hoitash et al. (2008) finds a link between internal control quality and audit costs.
Therefore, future research could examine if increased reliance on internal controls leads to
reductions in substantive testing, manual procedures, and possibly audit costs.
In addition, Hermanson et al. (2000) found that internal auditors are sensitive to traditional IT controls such as asset safeguarding and data integrity, but did not focus on risks
related to systems development and acquisition. Future research could investigate if external
auditors have a similar tendency to focus on traditional IT controls, and how that may be
linked to their choice of computer-related audit procedures.
The results of our study should be interpreted in light of the following limitations. First,
this paper examines audit procedures discussed in current standards (AICPA 2002a, 2002b,
2002c, 2006) but not in relation to a specific internal control framework. Several professional organizations have developed internal control frameworks and corresponding audit
procedures (Colbert and Bowen 1996; Hermanson et al. 2000; Kerr and Murthy 2008; Tuttle
and Vandervelde 2007). Additional research could examine the use of these frameworks as
a basis for selecting audit procedures, as well as new frameworks that may emerge from
recently formed standard-setting bodies (e.g., PCAOB).13 Second, auditors may assess control risk at maximum for audit efficiency reasons, although they are required to test key
controls for large publicly held clients (PCAOB 2007). We cannot determine if our participants who elected not to rely on controls did so after finding poor client internal controls
or whether their lack of control reliance was due to audit efficiency issues. Future research
could examine this important issue. Third, our study requires participants to self-report
control risk assessment for a single client with highly computerized transaction and financial
13
Since the majority of our participants were members of the AICPA, it is likely that the framework we used was
most familiar to them at the time that the data was collected for this study.
Name /9671/05
05/20/2009 04:15PM
Plate # 0
JIS (AAA)
20
reporting systems. Although we have some evidence that suggests data collected for selected
clients is highly correlated with data collected for typical clients, future archival research
similar to Mock and Wright (1993, 1999) may be useful to determine if the relation between
control risk assessment and audit procedure use as noted in our study holds in the current
audit environment.
Furthermore, different auditors may define IT complexity differently. Although our pilot
study participants interpreted this term similarly, we are unable to guarantee that study
participants from different firms defined the term similarly. Also, since auditors employed
by larger firms are more likely to audit larger clients, our firm size is somewhat confounded
with client size. Finally, we acknowledge that auditors from some of the smaller firms may
not have had access to IT auditors or had individuals trained to conduct CAATs. Our study,
however, did not collect data on these variables.
REFERENCES
Ajzen, I. 1991. The theory of planned behavior. Organizational Behavior and Human Decision Processes 50 (December): 179211.
Allen, R. D., D. R. Hermanson, T. M. Kozloski, and R. J. Ramsay. 2006. Auditor risk assessment:
Insights from the academic literature. Accounting Horizons 20 (June): 157177.
American Institute of Certified Public Accountants (AICPA). 2001. The Effect of Information Technology on the Auditors Consideration of Internal Control in a Financial Statement Audit.
Statement of Auditing Standards No. 94. New York, NY: AICPA.
. 2002a. Audit Documentation. Statement of Auditing Standards No. 96. New York, NY:
AICPA.
. 2002b. Consideration of Fraud in Financial Statement Audit. Statement of Auditing Standards
No. 99. New York, NY: AICPA.
. 2002c. Interim Financial Information. Statement of Auditing Standards No. 100. New York,
NY: AICPA.
. 2006. Risk Assessment Standards. New York, NY: AICPA.
. 2008. Codification of Statements on Auditing Standards. New York, NY: AICPA.
Apostolou, B. A., J. M. Hassell, S. A. Weber, and G. E. Sumners. 2001. The relative importance of
management fraud risk factors. Behavioral Research in Accounting 13: 124.
Arnold, V., and S. Sutton. 1998. The theory of technology dominance: Understanding the impact of
intelligent decision aids on decision makers judgments. Advances in Accounting Behavioral
Research 1: 175194.
Banker, R. D., H. Chang, and Y. Kao. 2002. Impact of information technology on public accounting
firm productivity. Journal of Information Systems 16 (Fall): 209222.
Bedard, J. 1989. An archival survey of audit program planning. Auditing: A Journal of Practice &
Theory 8 (Fall): 81102.
, and A. Wright. 1994. The functionality of decision heuristics: Reliance on prior audit adjustments in evidential planning. Behavioral Research in Accounting 6: 6271.
, T. Mock, and A. Wright. 1999. Evidential planning in auditing: A review of the empirical
research. Journal of Accounting Literature 18: 96142.
, L. Graham, and C. Jackson. 2005. Information systems risk and audit planning. International
Journal of Auditing 9 (July): 147163.
Bierstaker, J., and A. Wright. 2004. The impact of the adoption of a business risk audit approach on
internal control documentation and testing practices: A longitudinal investigation. International
Auditing Journal (March): 6778.
, and . 2005. The interaction between auditors risk perceptions and partner preferences
on audit program planning. Advances in Accounting 21: 124.
pg 20 # 20
Name /9671/05
05/20/2009 04:15PM
Plate # 0
pg 21 # 21
JIS (AAA)
21
Brazel, J. 2005. A measure of auditor AIS expertise: Development, assessment, and uses. Managerial
Auditing Journal 20: 619632.
, and C. Agoglia. 2007. An examination of auditor planning judgments in a complex accounting information system environment. Contemporary Accounting Research 24 (Winter): 1059
1083.
Carmichael, D. R. 2004. The PCAOB and the social responsibility of the independent auditor. Accounting Horizons (June): 127133.
Cassell, C. A., G. Giroux, L. Myers, and T. Omer. 2007. The emergence of second-tier auditors:
Evidence from investor perceptions of financial reporting credibility. Working paper, Texas
A&M University.
Chatterjee, D., V. J. Richardson, and R. W. Zmud. 2001. Examining the shareholder wealth effects
of announcements of newly created CIO positions. MIS Quarterly 25 (March): 4370.
Colbert, J., and P. Bowen. 1996. A comparison of internal controls: CobiT, SAC, COSO, and SAS
55 / 78. IS Audit & Control Journal: 2535.
Compeau, D. R., and C. A. Higgins. 1995. Computer self-efficacy: Development of a measure and
initial test. MIS Quarterly 23 (June): 145158.
Cook, T. D., and D. T. Campbell. 1979. Quasi-Experimentation Design & Analysis Issues for Field
Settings. Boston, MA: Houghton Mifflin Company.
Curtis, M. B., and R. E. Viator. 2000. An investigation of multidimensional knowledge structure and
computer auditor performance. Auditing: A Journal of Practice & Theory 19 (Fall): 83103.
, and E. A. Payne. 2008. An examination of contextual factors and individual characteristics
affecting technology implementation decisions in auditing. International Journal of Accounting
Information Systems 9 (June): 104121.
Davis, F. D. 1989. Perceived usefulness, perceived ease of use, and user acceptance of informational
technology. MIS Quarterly 13 (September): 318339.
Elder, R. J., and R. D. Allen. 2003. A longitudinal field investigation of auditor risk assessments and
sample size decisions. The Accounting Review 78 (October): 9831002.
Ghosh, A., and S. Lustgarten. 2006. Pricing of initial audit engagements by large and small audit
firms. Contemporary Accounting Research 23 (Summer): 333368.
Gist, W. E., and R. A. Davidson. 1999. An exploratory study of the influence of client factors on
audit time budget variances. Auditing: A Journal of Practice & Theory 18 (Spring): 101116.
Hermanson, D. R., M. C. Hill, and D. M. Ivancevich. 2000. Information technology-related activities
of internal auditors. Journal of Information Systems 14 (Supplement): 3953.
Hill, M. C. 2001. Planned audit hours: Do auditors use a same as last year strategy? Advances in
Accounting Behavioral Research 4: 281302.
Hoitash, R., U. Hoitash, and J. C. Bedard. 2008. Internal control quality and audit pricing under the
Sarbanes-Oxley Act. Auditing: A Journal of Practice & Theory 27 (May): 105126.
Hunton, J. E., A. Wright, and S. Wright. 2004. Are financial auditors overconfident in their ability to
assess risks associated with enterprise resource planning systems? Journal of Information Systems 18 (Fall): 729.
International Accounting Bulletin. 2005. InterviewBDO Seidman: Grabbing new opportunities. International Accounting Bulletine London, England (September 5): 5.
Johnstone, K. M., and J. Bedard. 2001. Engagement planning, bid pricing, and client response in the
market for initial attest engagements. The Accounting Review 76 (April): 199221.
Kennedy, S. J., T. W. Vance, and A. Webb. 2008. Creating bias in accounting estimates: The effects
of subordinate independence and ethicality concerns. Working paper, University of Washington
and University of Waterloo.
Kerr, D. S., and U. S. Murthy. 2008. The importance of CobiT IT processes for effective internal
control over the reliability of financial reporting: An international survey. Working paper, University of North Carolina at Charlotte and University of South Florida.
Krishnan, G. V., M. S. Park, and J. Vijayakumar. 2008. Does the flight of clients from the Big 4 to
second tier auditors indicate lower audit quality? Working paper, Lehigh University.
Name /9671/05
05/20/2009 04:15PM
Plate # 0
22
JIS (AAA)
Lanza, R. B., and S. Gilbert. 2007. A risk-based approach to journal entry testing. Journal of Accountancy 204 (July): 3235.
Liang, D., F. Lin, and S. Wu. 2001. Electronically auditing EDP systems with the support of emerging
information technologies. International Journal of Accounting Information Systems 2 (June):
130147.
Lowe, D. J., and P. M. J. Reckers. 2000. The use of foresight decision aids in auditors judgments.
Behavioral Research in Accounting 12: 97118.
Manson, S., S. McCartney, and M. Sherer. 1997. Audit Automation: The Use of Information Technology in the Planning, Controlling and Recording of Audit Work. Edinburgh, Scotland: Institute
of Chartered Accountants of Scotland.
, , , and W. A. Wallace. 1998. Audit automation in the UK and the US: A
comparative study. International Journal of Auditing 2: 233246.
Mock, T., and A. Wright. 1993. An exploratory study of auditor evidential planning judgments.
Auditing: A Journal of Practice & Theory 12 (Fall): 3961.
, and . 1999. Are audit program plans risk-adjusted? Auditing: A Journal of Practice
& Theory 18 (Spring): 5574.
Moore, G., and I. Benbasat. 1991. Development of an instrument to measure the perceptions of
adopting an information technology innovation. Information Systems Research 2 (September):
192222.
ODonnell, E., and J. Schultz. 2003. The influence of business-process-focused audit support software
on analytical procedures judgments. Auditing: A Journal of Practice & Theory 22 (September):
265279.
Palmrose, Z-V. 1986. Audit fees and auditor size: Further evidence. Journal of Accounting Research
24 (Spring): 97111.
Peecher, M. E., and I. Solomon. 2001. Theory and experimentation in studies of audit judgments and
decisions: Avoiding common research traps. International Journal of Auditing 5: 193203.
Public Company Accounting Oversight Board (PCAOB). 2004. An Audit of Internal Control Over
Financial Reporting Performed in Conjunction with an Audit of Financial Statements. Auditing
Standard No. 2. Washington, D.C.: Government Printing Office.
. 2007. An Audit of Internal Control Over Financial Reporting That Is Integrated with An
Audit of Financial Statements. Auditing Standard No. 5. Washington, D.C.: Government Printing
Office.
Roybark, H. M. 2007. Analysis of audit deficiencies based on PCAOB inspection reports issued during
2005. Journal of Accounting, Ethics, & Public Policy 6 (2): 125154.
Simunic, D. 1980. The pricing of audit services: Theory and evidence. Journal of Accounting Research
18 (1): 161190.
Sprinkle, G. B., and R. M. Tubbs. 1998. The effects of audit risk and information importance on
auditor memory during working paper review. The Accounting Review 73 (October): 475502.
Taylor, S., and Todd, P. A. 1995. Assessing IT usage: The role of prior experience. MIS Quarterly
19 (June): 561570.
Tuttle, B., and S. D. Vandervelde. 2007. An empirical examination of CobiT as an internal control
framework for information technology. International Journal of Accounting Information Systems
8 (December): 240263.
Venkatesh, V., M. Morris, G. Davis, and F. Davis. 2003. User acceptance of information technology:
Toward a unified view. MIS Quarterly 27 (3): 425478.
Viator, R. E., and M. B. Curtis. 1998. Computer auditor reliance on automated and non-automated
controls as a function of training and experience. Journal of Information Systems 12 (Spring):
1930.
Waller, W. 1993. Auditors assessments of inherent and control risk in field settings. The Accounting
Review (October): 783803.
Wright, A. 1988. The impact of prior working papers on auditor evidential planning judgments.
Accounting, Organizations and Society: 595606.
pg 22 # 22

An Investigation of Factors Influencing The Use of Computer-Related Audit Procedures

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

An Investigation of Factors Influencing The Use of Computer-Related Audit Procedures

Uploaded by

Copyright:

Available Formats

Name /9671/05

JOURNAL OF INFORMATION SYSTEMS

An Investigation of Factors Influencing

Janvrin, Bierstaker, and Lowe

Journal of Information Systems, Spring 2009

An Investigation of Factors Influencing the Use of Computer-Related Audit Procedures

Journal of Information Systems, Spring 2009

Janvrin, Bierstaker, and Lowe

Journal of Information Systems, Spring 2009

An Investigation of Factors Influencing the Use of Computer-Related Audit Procedures

Journal of Information Systems, Spring 2009

Janvrin, Bierstaker, and Lowe

Means (Std. Dev.)

One or more participants did not answer question.

An Investigation of Factors Influencing the Use of Computer-Related Audit Procedures

Journal of Information Systems, Spring 2009

Janvrin, Bierstaker, and Lowe

Means (Std. Dev.)

Role of IT in Client c,d

Panel B: Characteristics of Audit of Selected Client

An Investigation of Factors Influencing the Use of Computer-Related Audit Procedures

Journal of Information Systems, Spring 2009

Janvrin, Bierstaker, and Lowe

Include client technology considerations in risk assessment

Continue to function effectively throughout the audit

Access controls (AccessGeneralControl)

(continued on next page)

An Investigation of Factors Influencing the Use of Computer-Related Audit Procedures

To inquire of clients IT personnel about how data and

Journal of Information Systems, Spring 2009

Janvrin, Bierstaker, and Lowe

Journal of Information Systems, Spring 2009

Percent of Participants in Each Control

(continued on next page)

Percent of Participants from Each Firm

Panel A: Audit Proceduresa

An Investigation of Factors Influencing the Use of Computer-Related Audit Procedures

Journal of Information Systems, Spring 2009

Journal of Information Systems, Spring 2009

Complete descriptions of each audit procedure are shown in Table 3.

Percent of Participants from Each Firm

Percent of Participants in Each Control

Percent of Participants from Each Firm

Panel B: Use IT Audit Specialistb

Use CAATs for:

Percent of Participants in Each Control

Janvrin, Bierstaker, and Lowe

(continued on next page)

Panel A: Audit Proceduresf

Journal of Information Systems, Spring 2009

Use CAATs for:

Journal of Information Systems, Spring 2009

(continued on next page)

Panel B: Use IT Audit Specialisti

Journal of Information Systems, Spring 2009

Janvrin, Bierstaker, and Lowe

Journal of Information Systems, Spring 2009

An Investigation of Factors Influencing the Use of Computer-Related Audit Procedures

Journal of Information Systems, Spring 2009

Janvrin, Bierstaker, and Lowe

Journal of Information Systems, Spring 2009

An Investigation of Factors Influencing the Use of Computer-Related Audit Procedures

Journal of Information Systems, Spring 2009