
The Internal Audit Function: A Study Examining the Impact of Emerging IT on the Development of the Function¹
Wesley A. Honselaar
Vrije Universiteit Amsterdam, Faculty of Economics and Business Administration, Department of
IT Audit, De Boelelaan 1105, 1081HV Amsterdam, The Netherlands

Abstract
Purpose: The purpose of this study is to explore the impact of emerging IT on the task description of the internal audit function and to explore which developments internal audit has to undertake in order to be able to adequately audit the increasing complexity of IT within their organizations.

Design/methodology/approach: Two case studies have been performed, for which interviews were held with internal audit directors and managers in order to collect information on their view on the research questions central to this study. Further, a review of existing literature has been performed, on the basis of which the sub questions of this study are answered.

Findings: Emerging IT does not have an impact on the existing roles and responsibilities of the internal auditors working for mature internal audit functions. As mature internal audit functions of Dutch multinationals are well prepared in the area of IT, there is no specific need for further development, as they already employ professionals who possess the required knowledge and skills to adequately audit the increasing complexity of IT. For internal audit functions that do not have professionals specialized in the area of IT, the impact of emerging IT on the existing roles and responsibilities of the internal auditors can be great, as they may need to address the risks related to the use of IT and the controls to mitigate such risks. When examining the impact of emerging IT on the roles and responsibilities of the internal auditors, different business models should be explored, as the study results indicate that this affects the significance of the impact. The increasing complexity of IT can lead to a more advisory role for the internal IT auditor, as organizations will focus on making their IT environment less complex and the use of IT more efficient in order to become stronger competitors. It is the internal IT auditor who has the expert knowledge of the IT systems and business processes of the organization required to advise the business in achieving this goal. Regarding the development in the area of IT, internal audit functions can pursue different strategies to address the human resources and organizational needs in IT audit. These strategies range from increasing the knowledge and core skills of the current internal audit staff to increasing the use of sophisticated technology tools and third-party experts.

Practical implications: This study provides internal audit executives with a description of possible strategies that the internal audit function can follow to address the human resources and organizational needs in IT audit, in case this is required. Further, this study shows the potential added value that internal IT auditors can provide in advising the organization on decreasing the complexity of the IT environment and thereby enhancing the efficiency of the use of IT.

Keywords: Internal Audit; IT Audit; Emerging IT; Information Technologies

¹ Corresponding author: Tel.: +31 6 13127213; Student no.: 1534254; Email: WHonselaar@deloitte.nl
Acknowledgements

This paper is the final version of the thesis that I have written in order to graduate for my Postdoc degree in EDP auditing. By writing a thesis for graduation, the student in question is judged on his academic capability and on whether he is capable of producing a scientific research paper independently. However, without the support of the reviewers from the VU Amsterdam as well as from Deloitte, it would have been harder to produce a profound thesis that provides scientific as well as practical value. Therefore, this special word of thanks goes to Rene Matthijsse (VU Amsterdam), Olaf Helmond (Deloitte), and Rob de Leeuw (Deloitte), who have been willing to support and advise me when needed. With pleasure I look back on the valuable discussions that we had with the reviewers about the progress of this thesis.

The field research conducted for this research has been interesting and provided valuable insights in addition to the information obtained from the scientific literature. I am very thankful for the opportunities I was given to interview several internal audit directors and IT audit managers responsible for the internal audit functions examined for the case studies. My thanks go to the organizations willing to participate in this study. The organizations which participated are Ahold and Achmea. More importantly, I would especially like to thank the internal audit directors and IT audit managers who devoted their time to me and provided me with the valuable information needed to complete this research.

Finally, I would like to thank my family, who have been motivating me from the very beginning to finalize my thesis. Special thanks go to my girlfriend, Arminija, who has given me the time and support needed to be able to complete this thesis.

Wesley A. Honselaar

Page | 2
W.A. Honselaar 2012 – Thesis Postgraduate IT Auditing
Management summary

In the current economy organizations are becoming increasingly dependent on Information Technology (IT). As IT is still evolving and is becoming more and more essential for an increasing number of organizations, it can be stated that the internal auditor nowadays receives considerably more exposure to IT than in the past. Previous research indicates that IT is playing a more fundamental role in the way modern organizations function and that almost every audit requires at least some consideration of possible IT issues. Whereas technology was once considered the domain of specialized IT auditors, it is now the concern of all auditors. This study explores the impact of emerging IT on the task description of the internal audit function and which developments internal audit can undertake in order to be able to adequately audit the increasing complexity of IT within their organizations.
Due to the evolving role of IT within organizations and the use of IT within the core business processes, it is expected that the lines separating IT and non-IT audits will continue to blur in the coming years. This causes internal auditors to be faced with the challenge of monitoring the IT processes and controls as well as providing assurance over the IT environment of their organizations. As the roles of internal auditors include, among others, monitoring, assessing, and analyzing organizational risks and controls, it can be concluded that emerging technologies are impacting the role of internal auditors by bringing new risks to the organization. Based on the literature it is concluded that the Risk Assessment and Control Assurance roles of internal auditors are affected by the use of emerging technologies within organizations. The impact of emerging IT on the internal control of organizations is also emphasized by the Committee of Sponsoring Organizations (COSO), which has provided an update of the COSO framework that reflects the increased relevance of technology. With the increasing reliance on IT by organizations, it becomes the responsibility of the internal auditor to assist the Audit Committee and management in assessing the IT skill set of the organization, to promote greater IT risk involvement, and to identify overlaps and/or gaps in IT risk coverage. Due to emerging IT and the increasing complexity of IT within organizations, internal audit functions need to focus on development within the area of IT audit. As previous studies have shown, generalist auditors do not possess the required knowledge to fully understand the risks and controls that come with emerging IT. It therefore becomes important for the function to train the generalist auditors in the area of information systems/technology and related controls, as they will also have to deal with an increasing number of automated controls within the business processes they audit. Besides this, due to the rapid developments and changes in information technologies, it is essential for internal auditors to keep up to date with the current developments within the field of information technology and with the threats that come along with utilizing new technologies. For obtaining the required knowledge (basic audit and specialized), internal audit functions should encourage their staff to obtain one or more of the recognized audit certificates related to IT, such as the RE, CISA, CISM, and CISSP certifications. Based on the literature, some strategies have been formulated that internal audit functions can follow in order to realize the further development of the function in the area of IT. These strategies range from increasing the knowledge and core skills of the current internal audit staff to increasing the use of sophisticated technology tools and third-party experts.

The case studies show that the impact of emerging IT on the task description of the internal audit function is low for mature internal audit functions, as they employ specialized IT auditors who have the knowledge and skills to address the new risks and controls that come with emerging IT. This means that the roles and responsibilities of the other internal auditors (financial, compliance, operational) are not affected, as they do not have to focus on the IT risks and controls. It has been argued that this will probably be different for small-sized internal audit functions, as they probably do not have specialized IT auditors employed. Further, it is concluded that the impact of emerging IT on the roles and responsibilities of internal auditors is moderated in case the organization has outsourced its IT function or parts of it. This finding demonstrates that, before drawing conclusions regarding the impact of emerging IT on the required knowledge and skills of auditors, different situations and business models should be examined in order to obtain an accurate and valid conclusion regarding this relationship. To be able to respond to the changes in IT and to address the new auditing risks, the internal audit function should have talented professionals with IT skills. Mature internal audit functions of Dutch multinationals do have such professionals, who also hold the relevant certifications (e.g. RE, CISA, CISSP, and CISM) and are therefore able to respond to the changes in IT and to new IT risks. It can therefore be concluded that these types of internal audit functions do not have to develop their function in the area of IT audit, as they are already sufficiently equipped to audit the increasing complexity of IT within their organizations. It has been demonstrated that, due to the increasing complexity of IT, organizations are, on the other hand, putting effort into standardizing their IT environment and thereby making it less complex and more efficient. In order for organizations to remain strong or even become stronger competitors in the markets in which they operate, they can benefit from increasing the efficiency and effectiveness of their use of IT. This can be seen as an opportunity for the internal IT auditor, who can assist the organization in achieving the goal of standardizing the IT environment and thereby increasing the efficiency of its use of IT. It is the internal IT auditor who has the expert knowledge of the IT systems and business processes of the organization required to advise the business in achieving this goal. Further, the study results show that internal audit executives can follow several strategies to address the needs for IT audit knowledge and skills. Internal audit executives can determine the knowledge and skill needs by preparing a yearly audit plan and assessing what the impact of the audit plan will be on the task description of the employees. If it turns out that the use of information technology by the organization is impacting the audit plan, internal audit executives can follow several strategies to be able to address the IT risks and controls. The case studies showed that internal audit executives are mainly focused on the strategies of providing training possibilities to the current internal audit staff for increasing the knowledge and core skill level, and of hiring expert knowledge for performing audits in specialized areas. This research ends by providing research questions which have been developed based on the study results and can be used for performing future research on the impact of emerging IT on the task description of the internal auditor.

Table of contents

Acknowledgements ... 2
Management summary ... 3
1. Introduction and research question ... 7
2. Research design ... 10
  2.1 Crystallization of research question ... 10
  2.2 Data collection method ... 10
  2.3 Control of variables by researcher ... 11
  2.4 Study's purpose ... 11
  2.5 The time dimension ... 11
  2.6 The topical scope ... 12
  2.7 Research environment ... 12
  2.8 Perceptions of participants ... 12
  2.9 Approach for answering the research questions ... 13
3. Literature review ... 14
  3.1 The role of IT in organizations and the essence of good IT control ... 14
    3.1.1 The role of IT in organizations ... 14
    3.1.2 CobiT ... 16
    3.1.3 IT Control quality and firm performance ... 19
  3.2 Internal audit function ... 20
    3.2.1 Definition of the internal audit function ... 20
    3.2.2 Roles and responsibilities of the internal audit function ... 21
    3.2.3 COSO framework for internal control ... 24
    3.2.4 An update to the COSO framework ... 27
  3.3 Impact of emerging IT on the internal audit function ... 28
    3.3.1 The impact of emerging IT on the roles and responsibilities of the internal audit function ... 28
    3.3.2 IT audit knowledge and skills development ... 30
    3.3.3 Ensuring an appropriate level of IT knowledge within the internal audit function ... 33
  3.4 Summary of literature review ... 35
4. Case study results ... 40
  4.1 Case study 1 - Ahold ... 40
    4.1.1 Organization description ... 40
    4.1.2 The internal audit function of Ahold ... 41
    4.1.3 Impact of emerging IT on the roles & responsibilities of the internal audit function ... 42
    4.1.4 The development of the (IT) internal audit function ... 43
    4.1.5 Strategies to address the needs for IT audit knowledge and skills ... 44
  4.2 Case study 2 - Achmea ... 45
    4.2.1 Organization description ... 45
    4.2.2 The internal audit function of Achmea ... 47
    4.2.3 Impact of emerging IT on the roles & responsibilities of the internal audit function ... 48
    4.2.4 The development of the (IT) internal audit function ... 50
    4.2.5 Strategies to address the needs for IT audit knowledge and skills ... 51
5. Analysis and Conclusions ... 53
  5.1 Comparison of case study results ... 53
    5.1.1 Impact of emerging IT on the roles and responsibilities of the internal audit function ... 53
    5.1.2 The development of the (IT) internal audit function ... 56
    5.1.3 Strategies to address the needs for IT audit knowledge and skills ... 59
  5.2 Conclusions ... 61
    5.2.1 Answer to sub question 1 ... 61
    5.2.2 Answer to sub question 2 ... 62
    5.2.3 Answer to sub question 3 ... 63
    5.2.4 Answer to the central research question ... 64
6. Personal reflection and future research suggestions ... 66
References ... 69

1. Introduction and research question

In the current economy organizations are becoming increasingly dependent on Information Technology (IT). This dependency is reflected in the way organizations try to compete with each other in fast-changing global business environments. In order to beat the competition, organizations nowadays find their way to greater efficiency, and with it lower operating costs, by incorporating fully integrated information systems used to increase the speed of transaction processing.

However, while IT can be used by organizations to increase their competitive advantage, it also has downsides that need to be addressed appropriately for organizations to profit from the economic benefits generated by IT. Abu-Musa (2008) states that there are many types of risks associated with IT. Among others, these include the loss of computer assets, the risk of fraud, theft or loss of data, privacy violations, business disruption, and competitive disadvantages in cases where the wrong IT is selected. In order to control these risks, organizations and their auditors use frameworks as guidance for the design and evaluation of internal controls (Tuttle and Vandervelde, 2007). According to Tongren (1997), internal auditors are struggling to maintain their identity and purpose as the organizations they audit undergo radical changes. Changes and developments in IT are continuously causing current control procedures to become obsolete. Moreover, as changes in IT occur frequently and fast, auditors (internal as well as external) need to keep pace with emerging technological changes and their impact on their own audit procedures and their organization's data processing system (Rezaee and Reinstein, 1998).

The Public Company Accounting Oversight Board (PCAOB) has recognized the need for auditors to
constantly maintain and develop their knowledge and skills related to the audit of internal controls and IT
systems (Curtis, Jenkings, Bedard, and Deis, 2009). According to Abdolmohammadi and Boss (2010) the
introduction of the U.S. Sarbanes-Oxley Act (SOX, 2002) made it difficult for organizations to fully rely on
their external auditors to provide guidance to the firms relating to IT audits. They further argue that due to the
relatively central nature of information systems within the organization, the burden has increasingly fallen on
the internal audit function to be the primary IT auditors of the organization.

The International Standard on Auditing 401 – Auditing in a Computer Information Systems Environment – states that auditing processes for internal as well as external auditors have rapidly changed. Factors causing these changes are, among others, the globalization of businesses, advances in technology, the demand for value-added audits, the organizational structure of the client's automated information systems activities, the degree of concentration and distribution of computer processing throughout the organization (especially if this affects segregation of duties), and the availability of source documents of relevant data. Looking at these changes, it can be said that the internal auditor should have sufficient knowledge of automated information systems in order to be able to plan, give direction to, monitor, and review the work performed related to the audit of information systems and electronic data processing (EDP) within organizations. Additionally, Abu-Musa (2008) states that the internal auditor should also consider whether specific IT knowledge is required for an audit. This statement is highly relevant for organizations that keep up with the times and invest in new, emerging IT solutions that are to be used to support the business operations of the organization. For example, Moorthy, Seetharaman, Mohamed, Gopalan, and Har San (2011) argue that the audit universe is subject to change, which sometimes can even be significant. The authors explain this by providing the example of Internet Electronic Commerce, which five years ago was a small item on the audit universe inventory. However, as of today this is a big item on most audit inventories that deals with issues related to information security, privacy, and secure electronic commerce (especially over the unsecured medium of the Internet). For a large number of organizations nowadays, these types of items are of major importance. This example, therefore, shows that internal auditors in many cases will soon be required to demonstrate expertise in areas they currently cannot yet explain (Moorthy et al., 2011).

As IT is still evolving and is becoming more and more essential for an increasing number of organizations, it can be stated that the internal auditor nowadays receives considerably more exposure to IT than in the past (Silltow, 2003). Silltow mentions that IT is playing a more fundamental role in the way modern organizations function and that almost every audit requires at least some consideration of possible IT issues. Whereas technology was once considered the domain of specialized IT auditors, it is now the concern of all auditors. As Pathak (2003) suggested:

[. . .] the integration of applications and enterprise-wide IS will be a key trend for the future and will surely
have a great impact on the entire set of knowledge, skills, methods, algorithms, and strategies of IA.
Accordingly, the audit practitioners and educators need to expand their skill sets and knowledge bases to
cope not only with current changes but also with future challenges.

As stated above, rapid changes in IT require auditors (internal as well as external) to be able to adapt their knowledge, skills, and audit procedures to the ever-changing environments in which they operate. The current study focuses primarily on the impact of IT on the functioning of internal auditors. The purpose of this study, therefore, is to explore the impact of emerging IT on the task description of the internal audit function and to explore which developments the internal audit function has to undertake in order to be able to adequately audit the increasing complexity of IT within their organizations. The task description is defined in the current study as the roles and responsibilities of the internal auditors working for the internal audit function. This means that the current study explores how the existing roles and responsibilities of internal auditors are affected by the use of emerging IT by their organizations. This study is, therefore, not aimed at exploring whether emerging IT will lead to newly defined roles for the internal auditor. Based on the purpose of this study, the following research question has been formulated:

“What is the impact of emerging IT on the task description of the internal audit function, and which development processes does the internal audit function have to undertake in order to be able to adequately audit the increasing complexity of IT within their organizations?”

To answer this research question the following sub questions are formulated:

1. What is the impact of emerging IT within organizations on the roles and responsibilities of the internal
audit function?
2. How does the internal audit function of Dutch organizations need to develop in order to be able to
adequately audit the increasing complexity of IT?
3. Which strategies can be followed by the internal audit function in order to realize the further
development of the function in the area of IT?

The motivation for conducting this research and finding the answers to the posed research questions is based on the conclusions reached by prior studies that developments in information technology are one of the most significant changes that will affect business operations and the internal audit profession (see, for example, Rezaee and Reinstein, 1998; Rezaee, Elam, and Sharbatoghlie, 2001; Oxner, Hawkins, and Rivers, 1995; Bierstaker, Burnaby, and Thibodeau, 2001). Elaborating on these conclusions, it is interesting to perform research on the impact that emerging IT will have on the roles and responsibilities of the internal audit function and whether, based on that impact, internal audit functions need to take measures in order to remain able to adequately audit the increasing complexity of today's and future IT environments. As internal audit functions provide assurance on the efficiency of business operations, compliance with laws and regulations, and the reliability of financial reporting, a good understanding of information technology systems and the ability to identify risks associated with computerized environments have become critical in performing the internal audit activity. This study is practically relevant in that it provides internal audit managers and directors with information about the impact of developments in IT on their audit and audit planning activities. Further, this study provides internal audit managers and directors with suggestions for possible strategies to address technology risks and IT resource needs.

The structure of this paper is as follows. The next section (Chapter 2 – Research design) provides a
description of the research design chosen for the current study. Following this section is an extensive review
of the scientific literature that is related to the research questions central to this study (Chapter 3 – Literature
review). Chapter 4 (Case study results) shows the results of the case studies performed at two internal audit
functions of Dutch organizations. Following the case study results is a discussion on the similarities and
differences between the two cases investigated and how the case study results correspond with the
information gathered from the scientific literature (Chapter 5 – Analysis and Conclusion). Based on this
analysis a conclusion on the research findings is provided and answers are given to the research questions
central to this study.

2. Research design

This chapter provides a description of the research design chosen for answering the research questions central to this study. It explains how the different concepts and topics related to this study are to be investigated in order to achieve reliable and valid conclusions regarding the research questions. Blumberg, Cooper, and Schindler (2005) state that no simple classification system regarding different design approaches exists that defines all the variations that must be considered. However, Blumberg et al. (2005) provide eight different descriptors for classifying a research design. In order to produce a clear and accurate research design for the current study, the eight descriptors provided by Blumberg et al. (2005) are followed and applied. An explanation of the eight descriptors and how they are applied within the current study is provided in the following paragraphs.

2.1 Crystallization of research question

According to Blumberg et al. (2005) a study may be viewed as formal or exploratory. The essential
differences between these two alternatives are the immediate objective and the degree of structure of the
study. The objective of exploratory studies is discovering future research tasks by developing hypotheses
and/or questions for future research. On the other hand, the objective of a formal study is to provide a valid
representation of the current state and to test the hypotheses posed. Another distinction between exploratory
and formal research designs is that exploratory studies tend towards loose structures, whereas formal studies
follow precise procedures and data source specifications. The purpose of the current study is to explore the
impact of emerging IT on the task description of the internal audit function. The current study is not aimed at
answering hypotheses but, instead, is aimed at providing a profound explanation of how the internal audit
function is impacted by emerging IT and which strategies are available for ensuring an appropriate level of IT
knowledge and skills within the function. Further, this study will lead to questions for further research and,
therefore, must be viewed as exploratory research.

2.2 Data collection method

Following Blumberg et al. (2005) this research should be classified as a communication study, in which
the data is collected through having interviews with the subjects and collecting their responses. For the
current study interviews are held with internal audit directors and managers in order to collect information on
their view on the research questions central to this study. As Blumberg et al. (2005) also mention, it is not
always necessary for a researcher to collect new information. This is the case for the current study as it relies
not only on interview data, but also on secondary data collected through an extensive desk research.
In order to enhance the generalizability of the conclusions, two organizations are selected that operate in
different industries. By doing this it becomes possible to examine whether the situation regarding the
research question differs between industries. The organizations selected are Royal Ahold (consumer
business industry) and Achmea (finance/insurance industry). The interviews held with the internal audit
directors and managers were semi-structured and provided an in-depth understanding of how the internal
audit functions of the organizations selected are impacted by emerging IT and how they ensure an
appropriate level of IT knowledge and skills within their internal audit function. The interview questions are
developed based on the research question and sub-questions posed. Further, an extensive literature review has
been performed which led to a good understanding of the possible situation within the internal audit functions
of the organizations selected. Based on the results from the scientific literature, interview questions have been
defined. All the interviews were recorded and subsequently transcribed for further analysis.

2.3 Control of variables by researcher

According to Blumberg et al. (2005) variables related to the research can be manipulated by the
researcher in order to discover whether certain variables produce effects in other variables. In this case the
research design to follow is called an experiment. In the current study there is no control over any variables.
The purpose of this study is to describe a situation within internal audit functions and to report on what is
happening. Following Blumberg et al. (2005) this is called an ex post facto design. The situation as it is
within the internal audit functions selected for research is obviously not influenced by the researcher.

2.4 Study’s purpose

The purpose of the current study is to find out what the impact of emerging IT is on the task description
of the internal audit function and which development processes internal audit functions have to undertake in
order to be able to adequately audit the increasing complexity of IT within their organizations. Following
Blumberg et al. (2005) this research therefore should be classified as a descriptive study. The other
classification regarding this descriptor is a causal study, in which the objective is to find out how one variable
produces changes in another. However, the current research is only aimed at providing a clear description of
internal audit functions and how they can deal with the increasing need for IT audit knowledge and skills.

2.5 The time dimension

Concentrating on the time dimension of a study, a distinction is made by Blumberg et al. (2005)
between so called cross-sectional studies and longitudinal studies. As the current research is only performed
once it is classified as a cross-sectional study. With a longitudinal research design the study must be repeated
over an extended period, with the aim to track changes over time. The current research focuses on the
situation as it is now and how internal audit functions can and/or will react on the current developments
related to IT within their organizations. However, Blumberg et al. (2005) state that cross-sectional studies can
use some of the benefits of longitudinal research designs by, for example, adroit questioning about history,
past attitudes, and/or future expectations. Within the current research an attempt is made to incorporate some of the
benefits of longitudinal studies by questioning respondents about their future expectations related to the
impact of emerging IT on the task description of the internal audit function and which measures need to be
taken in order to be able to respond to these developments in the most effective way. It will be interesting to
revisit this study five years from now to determine whether the situation described in the current study and
the proposed measures are still relevant and deemed successful.

2.6 The topical scope

Regarding the topical scope a research can be classified as a statistical or case study (Blumberg et al.,
2005). With statistical studies the researcher is testing the hypotheses quantitatively. On the other hand, case
studies place more emphasis on a full contextual analysis of events or conditions. According to Blumberg et
al. (2005) this kind of emphasis on detail provides valuable insight for problem-solving, evaluation and
strategy. For the current study a case study approach is pursued with the objective to obtain detailed insight
into the current situation within internal audit functions and how they deal with the developments around
information technology. The different cases studied constitute the two internal audit functions used for this
study. Based on the data gathered from two different organizations an attempt is made to provide an objective
description of the current situation related to the research questions central to the current study.

2.7 Research environment

For obtaining relevant information for conducting the literature review, secondary data is gathered from
the internet. The environments from which secondary data was gathered are the Vrije Universiteit Amsterdam and
the home office of the researcher. The secondary data obtained for conducting the literature review (see
Chapter 3) is derived from a great diversity of scientific journals and white papers. For obtaining the
empirical data needed for this study actual field research is performed. Interviews with the internal audit
directors and managers are held at the headquarters of the organizations they work for.

2.8 Perceptions of participants

According to Blumberg et al. (2005) the perceptions of participants can influence the outcomes of the
research in subtle ways. The authors explain this by using the example of the ‘mystery shopper’. A retail
sales associate will likely change his/her performance if he/she knows that he/she is being observed and
evaluated. Blumberg et al. (2005) state that researchers need to be aware of this and that results must be
qualified in light of the perceptions of participants. As the current study is not trying to falsify
hypotheses and is only aimed at providing a clear description of the current situation related to the research
questions, it is assumed that the study participants will not behave less naturally nor will they try to please the
researcher by guessing the right answers, as there are no right or wrong answers. By only selecting highly
experienced internal audit directors and managers for the case studies, an attempt is made to obtain reliable,
accurate, and valuable responses.

2.9 Approach for answering the research questions

By having performed an extensive literature review an attempt is made to find answers to sub questions
1 – 3 (see Chapter 1 – Introduction). The field research is performed to obtain additional insights related to
the information found for the literature review. Especially for sub question 2, which is specifically focused on
internal audit functions of Dutch organizations, additional information was required from field research as the
scientific literature is not particularly aimed at Dutch organizations. The two cases will be compared with
each other as well as with the information obtained from the available scientific literature. Based on this
analysis (see paragraph 5.1) answers can be provided to the sub questions posed. Based on these answers a
final conclusion of the research can be formulated by which the research question central to this study will be
answered (see paragraph 5.2).

3. Literature review

3.1 The role of IT in organizations and the essence of good IT control

3.1.1 The role of IT in organizations

The competitive landscape in which organizations operate has changed dramatically over the last few
decades. We have witnessed a transformation from the Industrial Age into the Information Age, in which
competitive advantage is gained by using and managing information in the best possible way. Having timely,
accurate, and complete information on which management decisions are to be based is now more than
ever crucial to the survival of almost every organization. To be able to manage information, organizations
are investing substantial capital in the development and maintenance of information systems and information
technologies (Borek, Helvert, Ge, and Parlikad, 2011). In the existing literature, information systems
are understood as software platforms and databases encompassing enterprise-wide systems designed to manage
all major functions of the organization (Dewett and Jones, 2001). Companies that provide such enterprise-
wide systems include, among others, SAP, Oracle, PeopleSoft, and JD Edwards. Information
technologies, on the other hand, include devices and communication media which link information systems and people.
Examples include the Internet, e-mail, personal digital assistants, video conferencing, voicemail, groupware
and corporate intranets, and smartphones (Dewett and Jones, 2001). The two terms overlap and are often
inextricably linked, which is why they are often used interchangeably in the literature on
information technology. For this reason I will refer to them jointly as information technology (IT) for the
rest of this paper.

Exhibit 2-1 on the next page shows the role of information technologies within organizations according
to Dewett and Jones (2001). These authors based their research on the analysis performed by
Huber (1990), in which he suggested that IT is a variable that can be used for promoting organizational
performance by enhancing the quality and timeliness of organizational intelligence and decision making. In
his research Huber treated the organizational characteristics as the dependent variable with IT positioned as
the independent variable. In order to offer a more encompassing view of IT and organizational functioning,
Dewett and Jones have examined IT as a moderator of the relationship between organizational characteristics
and organizational outcomes (see Exhibit 2-1).

Exhibit 2-1: IT as a moderator of the relationship between organizational characteristics and organizational
outcomes (Dewett and Jones, 2001). The figure itself is not reproduced; its three boxes contain the following
elements:

Organizational Characteristics: Structure; Size; Learning; Culture; Interorganizational Relationships.

Information Technologies (moderator): Information Efficiencies; Information Synergies.

Organizational Outcomes: Linking/Enabling Employees; Codifying the Knowledge Base; Increasing Boundary
Spanning; Organizational Efficiency; Organizational Innovation.

A feedback loop labelled "Learn/Adapt" runs from the organizational outcomes back to the information
technologies.

The organizational characteristics used in the model of Dewett and Jones are selected based on previous
research and have proven to be important to organizational performance, and clearly related to IT. This also
holds for the organizational outcomes that emerged from an extensive review of the literature in which it is
proven that they have the most performance enhancing potential in relation to IT. The justification for the
moderating role of IT is based on the contention from the authors that, in general, IT changes or alters the
impact of organizational characteristics on outcomes. The feedback loop from the organizational outcomes to
IT is provided to reflect the continuous and/or periodic modifications that are required to fit a given IT to its
context. Based on the organizational outcomes as a result of the use of IT the management of the organization
must determine whether or not modifications in IT are necessary to ensure the IT’s maximum utility.
Additionally, Dewett and Jones (2001) acknowledge that the effects of IT are not always positive. However,
in case they are applied appropriately they can be a very powerful addition to an organization’s
communications infrastructure. This indirectly implies that strong control over IT within organizations is
important in order to ensure that the use of IT is reliable and correct and thereby enhances the quality and
timeliness of organizational intelligence and decision making, which in turn have a positive impact on
organizational performance.

Taking a closer look at the moderating role of IT on the relationship between organizational
characteristics and organization outcomes (See Exhibit 2-1) it can be noted that according to Dewett and
Jones (2001) IT has this moderating role through its ability to generate information efficiencies and
information synergies.
Information efficiencies are the cost and time savings that result when IT allows individual employees
to perform their current tasks at a higher level, assume additional tasks, and expand their roles in the
organization due to advances in the ability to gather and analyze data (Dewett and Jones, 2001). In other
words, by the use of IT it becomes possible to increase the efficiency of existing processes by increasing the
amount and quality of information which can be adequately processed. Information synergies are the
performance gains that result when IT allows two or more individuals or subunits to pool their resources and
cooperate and collaborate across role or subunit boundaries, a between-person or between-group effect
(Dewett and Jones, 2001).
Based on these two benefits of IT, Dewett and Jones have identified the following organizational
outcomes: improved ability to link and enable employees, improved ability to codify the organizations’
knowledge base, improved boundary spanning capabilities, improved information processing that leads to
increased efficiency, and improved collaboration and coordination that promotes innovation. I would like to
refer to the paper of Dewett and Jones (2001) for a full explanation of the effect of IT on the identified
organizational outcomes as mentioned here above, as this goes beyond the scope of the current paper. This
also holds for the link between the identified organizational characteristics and organizational outcomes.
Relevant for the current study is the argument set forth by Dewett and Jones (2001) that IT is a moderator of
organizational characteristics and processes that are already present before the use of IT. This is supported by
Powell and Dent-Micallef (1997), who in turn suggested that IT only leads to competitive
advantages when it leverages or exploits existing, complementary business and human resources.
Additionally, previous research (e.g., Neo, 1988) has found that strategic planning and management vision
and support had more to do with IT success than did IT itself. Powell and Dent-Micallef (1997) provided
empirical support to these findings by analyzing IT and various aspects of human resources (flexibility, CEO
commitment, IT/strategy integration, openness of culture, openness of communication, consensus) to show
that only when IT is used in support of these factors is it able to produce performance advantages.
Based on these findings it can be concluded that there is a strong need for tight coupling between
strategy and IT within organizations. Furthermore, given the reliance on technology within most
organizations, it is important for organizations to have a framework that addresses technology in order to be
functional in today's audit environment (Tuttle and Vandervelde, 2007). This is why organizations and
auditors working in computerized environments are adopting so-called specialized frameworks, of which
CobiT (Control Objectives for Information and related Technology) [2] is one of the most popular ones. The
following paragraph provides an explanation of CobiT.

3.1.2. CobiT

In the beginning (1996) the CobiT framework was intended for use by the management of an
organization as a benchmarking tool consisting of the best practices related to IT controls. However, because
of its strong focus on controls, auditors (internal as well as external) have applied the framework to financial
statement audits as well as to operational and compliance audits (Tuttle and Vandervelde, 2007). The CobiT
framework is based on three dimensions. The first dimension contains seven well-known quality criteria that
information must meet in order to satisfy business requirements (Lindgreen, 2005). These criteria are:
effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability. The second
dimension consists of four categories of IT resources: people, information, applications, and
infrastructure. The third dimension consists of four different domains, in which controls can be grouped:
(i) Plan and Organize, (ii) Acquire and Implement, (iii) Deliver and Support, and (iv) Monitor and Evaluate.
The domains within this dimension logically match the different phases of the lifecycle of information
systems: Strategy and Planning, Development and Implementation, and Production and Maintenance
(Lindgreen, 2005). Exhibit 2-2 provides an overview of the CobiT framework.

[2] http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx

The CobiT framework as depicted on the next page in Exhibit 2-2 relates each CobiT process to the
CobiT information criteria that are affected by the process. Tuttle and Vandervelde (2007) therefore state that
this framework should provide an auditor with a means of directly assessing specific controls for their effect
on the quality of information, whether it is a financial, operational, or compliance audit.

According to Lindgreen (2005) operational auditors and accountants experience the framework as too
comprehensive and too technical in practice. The 34 control objectives of CobiT will not cause many
problems for the average IT auditor, but topics such as network security, Service Level Agreements, or
capacity management can be difficult to understand for persons with no technical background. This implies
that for an organization to have adequate control over the IT it uses, the organization should
have enough employees with the required technical skills and knowledge to identify and assess the
relevant IT controls. Having said this, it becomes relevant to know what the relation is between IT control
quality and firm performance. If good IT control quality leads to better firm performance, it should be taken
seriously by organizations that aim to grow and expand their business. Moreover, they should consider
everything that affects IT control quality within an organization. The following paragraph provides a
discussion of the relationship between IT control quality and firm performance and indicates the
importance of good IT control within the organization.

Exhibit 2-2: Overview of the CobiT framework, relating each CobiT process to the information criteria it
affects (figure not reproduced). Source: Tuttle and Vandervelde, 2007.

3.1.3 IT Control quality and firm performance

Modern organizations are becoming more and more reliant on information technology. This, coupled
with the interconnected nature and growing complexity of IT systems and infrastructure as well as the
constantly changing threat and regulatory environments, entails increased risks and, related to that, the need to
implement IT internal controls to mitigate those risks (Stoel & Muhanna, 2011). According to NIST (2006),
IT controls refer to: the management, operational, and technical safeguards or countermeasures prescribed
for an information system to protect the confidentiality, integrity, and availability of the system and its
information. As we witness a growing importance of IT controls it remains, however, a challenge to establish
the business case for management focus on IT controls (Power, 2009). It can be argued that this should
change, especially if it can be shown that investing in quality IT internal controls leads to better overall
financial performance. Given this statement, Stoel & Muhanna (2011) argue in their study on the effect of IT
internal control weaknesses on firm performance that IT internal control weaknesses adversely impact
corporate performance by reducing the ability of the organization to meet the essential needs for reliable
information and systems to perform daily operations. In addition, the authors argue that IT internal control
weaknesses also reduce the ability of the organization to effectively and efficiently deliver customer service,
management support and productivity gains. The study of Stoel & Muhanna (2011) therefore complements
previous research, which is mainly based on the IT-enabled "competitive advantage" theoretical lens (see, for
example, Jeffers, Muhanna, and Nault 2008; Wang & Alam 2007; Aral & Weill 2007; Ray, Muhanna, and
Barney 2005; Ravichandran & Lertwongsatien 2005; Wade & Hulland 2004), by using an organizational
liability perspective. Instead of focusing on the distinctive advantages to which IT can lead, the focus has
been on the pitfalls and increased IT-induced risks that are related to poor IT internal controls (Stoel &
Muhanna, 2011). As modern organizations are increasingly dependent on IT, Stoel and Muhanna argue that
not properly attending to IT internal controls can result in deficiencies that lead to a liability (competitive
disadvantage) for the firm.

According to Krishnan, Peters, Padman, and Kaplan (2005) the reliability and integrity of data produced
by the information systems of the organization are critical for overall business success, and not just for the
production of reliable financial reports. Material weaknesses in IT internal controls can have a broad impact
on the organization as they can affect both the production of reliable financial reports and the
underlying business operations (i.e., the execution, recording, and safeguarding of raw transaction data
associated with core business activities). Additionally, looking at the integrated nature of today's financial,
operational, and decision-support systems, it can be stated that the presence of material weaknesses in IT
internal controls indicates that the organization is not likely to meet its objectives of providing reliable
systems and quality data necessary to support managerial decision making and operational activities. It can
further indicate that the organization is unlikely to meet the confidentiality and availability expectations of its
customers and suppliers (Stoel & Muhanna, 2011). These statements imply that the presence of material
weaknesses in IT internal controls within an organization will lead to lower accounting earnings and
therefore have a negative impact on firm performance. Next to this, it is suggested by prior research that IT
can contribute to the future performance of organizations. This is based on the thought that IT can lead to
higher product and service quality, better flexibility, or can enable support for reengineering efforts and
improved customer service. Prior research has shown that these types of IT-enablement are strongly
recognized and priced by investors (see, for example, Anderson, Banker, and Ravindran 2006; Wang & Alam
2007; Sambamurthy, Bharadwaj, and Grover 2003; Brynjolfsson, Hitt, and Yang 2002). Based on these
studies, Stoel & Muhanna (2011) state that IT internal control weaknesses can also in this context be seen as
a liability, as they reflect a reduced ability to capture future value from IT assets. They further state that when
investors impound these IT internal control weaknesses and potential future inabilities into stock prices,
the firm's market value will be negatively impacted in case IT internal control weaknesses are present within
the organization.

Stoel & Muhanna (2011) have provided empirical evidence showing that IT controls are an
organizational necessity and that information systems-related risk is priced by the capital markets. Their
findings further support the organizational liability perspective, by which it is argued that it is essential to
have effective IT internal controls for realizing the full potential of IT while at the same time reducing the
associated risks. On the other hand, with this perspective it is argued that deficiencies in IT internal controls
will have a negative impact on firm performance (Stoel & Muhanna, 2011).

Having explained the benefits of good quality IT internal controls within organizations and the
importance of effective IT controls, it has become visible that organizations and their internal audit functions
can benefit from paying sufficient management attention to IT controls. As IT is becoming more and more
critical in today’s organizations it can be argued that management focus on IT controls should increase in the
coming years so that organizations can benefit from the effect that quality IT internal controls have on the
performance of the organization. The following paragraph (3.2) provides a description of the internal audit
function and its roles and responsibilities within the organization. The paragraph also describes the role of the
internal audit function in providing assurance on the internal control environment of the organization and
provides examples of best practices that can be followed in order to obtain the required assurance.

3.2 Internal audit function

3.2.1 Definition of the internal audit function

A review of the literature reveals a great number of studies performed on the existence and purpose of
internal audit functions within organizations. Through the decades the meaning and definition of the internal
audit function has changed. Historically, the internal audit function has been viewed as a so called
"policeman and watchdog of the organization", fulfilling the role of a monitoring function and tolerated as a
necessary component of organizational control (Spira and Page, 2003). With this view the internal audit
function was deemed subservient to the achievement of important organizational objectives.
Nowadays, this view has shifted towards a more positive vision on the role of the internal audit
function. During the 1980s outsourcing of the internal audit function became a popular strategy for
organizations in order to decrease the costs of internal control. This move to outsourcing has been one of the
driving forces behind the changing role of internal audit (Spira and Page, 2003). Bruce (1996) advocated that
the drive towards the integration of external and internal audit was a risk management approach by top
management and the desire to view this in an integrated way. However, a countervailing pressure was present
because of the need for independence of external auditors. The internal audit community responded to this by
emphasizing professionalism and the potential to add value to the organization by helping it achieve the
major corporate objectives (Spira and Page, 2003).

Having introduced a shift in the role of the internal audit function, the Institute of Internal Auditors
(IIA) officially adopted a new definition of the internal audit function in June 1999 (Nagy and Cenker, 2002).
This new definition has been developed by the Guidance Task Force (GTF) and is as follows:

‘The internal audit function is an independent, objective assurance, and consulting activity designed to add
value and improve an organization’s operations. It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes (IIA, 2000)’

Looking at this new definition it becomes clear that the focus of the internal audit function has shifted
from one of assurance to that of adding value to the organization. The new definition provided by the IIA
attempts to move the profession towards a standard-driven approach with a heightened identity (Bou-Raad,
2000).

3.2.2 Roles and responsibilities of the internal audit function

During the past decades the growing concern for corporate governance has been beneficial to the
standing of internal auditors. By emphasizing the benefits of objectivity in their reports and the independence
of their judgment it also boosted their claim to professional status (Spira and Page, 2002). Corporate governance is
a broad concept and has been used by boards of directors, regulators, investors, and accountants. The former
SEC (Securities and Exchange Commission) chairman, Arthur Levitt, has underscored the importance of
effective corporate governance. Levitt (1999) defined corporate governance as:

“The link between a company’s management, directors and its financial reporting system.”

A broader definition of corporate governance has been developed by the Organization for Economic
Co-operation and Development (OECD, 1999). They define corporate governance as follows:

“Corporate governance…involves a set of relationships between a company’s management, its board, its
shareholders, and other stakeholders. Corporate governance also provides the structure through which the
objectives of the company are set, and the means of attaining those objectives and monitoring performance
are determined. Good corporate governance should provide proper incentives for the board and
management to pursue objectives that are in the interest of the company and shareholders and should
facilitate effective monitoring…”

Looking at the definition provided by the OECD (1999) it can be seen that this one is described much more
broadly than the definition provided by Levitt. Important concepts that are introduced within the definition
of corporate governance as provided by the OECD are incentives, goal congruence, monitoring, and control.
Some of the elements within the definition of corporate governance also appear in the definition of the
internal audit function as outlined in the previous paragraph (par. 3.2.1). These shared elements are
assurance, risk, and control. According to Hermanson and Rittenberg (2003) an effective internal audit
function is an important “frontline player” in the two fundamental governance activities – providing
assurance regarding controls and monitoring of risks. A broader description of the internal audit function’s
role within corporate governance is given by the Institute of Internal Auditors (IIA). The IIA describes the
role of the internal audit function within corporate governance as follows:

“[Internal auditors’] roles include monitoring, assessing, and analyzing organizational risks and controls;
and reviewing and confirming information and compliance with policies, procedures, and laws. Working in
partnership with management, internal auditors provide the board, the audit committee, and executive
management assurance that risks are held at bay and that the organization’s corporate governance is strong
and effective. And, when there is room for improvement anywhere within the organization, the internal
auditors make recommendations for enhancing processes, policies, and procedures.” 3

Exhibit 2-3 below gives a graphical overview of the different key roles of internal auditors that together
make up the internal audit function within an organization. According to the definition
provided by the IIA’s International Standards for the Professional Practice of Internal Auditing 4, Risk
Assessment is a systematic process for assessing and integrating professional judgments about probable
adverse conditions or events. Selim and McNamee (1999b) state that risk is a concept used to express a
degree of uncertainty about events and/or their outcomes that could have a negative impact on achieving the
goals and objectives of the organization. It is therefore of great importance to manage the risks to which the
organization is exposed. In this regard it is the job of the internal auditor to identify all the activities that
need to be audited, the relevant risk factors within those activities, and to assess the significance of the risks
identified.

3 http://www.theiia.org/theiia/about-the-profession/about-the-internal-audit-profession/
4 http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/

Exhibit 2-3: Roles of the internal auditor
Risk Assessment | Confirming Information | Analyzing Operations | Reviewing Compliance | Control Assurance | Consulting

The role of Confirming Information is an important step in the audit process and includes the
responsibility of keeping the organization informed of all discoveries and observations made during an
audit. According to the explanation provided by the IIA 5, continuously confirming information with the
client helps the auditor to analyze information quickly and to make accurate and well-founded judgments on
the object under audit. This also means that the internal auditor must have excellent communication skills,
which help in building a good relationship with the client.
Important to the well-being of an organization is that established protocols are followed and that the
organizational goals that flow from the organization’s strategy are achieved. Here it is the role of the internal
auditor to Analyze Operations to make sure that appropriate procedures are being followed and that goals
throughout the whole organization are reached. To fulfill this role internal auditors must be familiar with the
objectives of their organization. They also need sufficient knowledge of the audit object to be able to examine
and analyze the effectiveness of operations.
Organizations, whether national or global, big or small, public or private, all need to adhere to
rules and regulations. It is the responsibility of management to implement policies and to maintain the
necessary knowledge of the compliance requirements that follow from applicable contracts, laws and
regulations. The internal auditor’s role of Reviewing Compliance consists of reviewing the compliance
objectives of the organization and providing insight into the impact that non-compliance with rules and
regulations can have on the organization. 4 Here it is important that senior management is informed in a timely
manner of any indications of significant non-compliance, so that actions can be defined to make sure that the
organization complies with all applicable laws and regulations. What makes this role difficult is that
compliance issues keep changing: laws and regulations are continuously revised and adjusted, and
organizational policies are altered as well. Besides analyzing whether the organization is compliant with laws
and regulations, the internal auditor also needs to ensure that the objectives set by management are in line
with, and adhere to, the overall mission, culture, and climate of the organization.

5 http://www.theiia.org/theiia/about-the-profession/about-the-internal-audit-profession/

In providing Control Assurance the internal auditors examine and evaluate the efficiency and
effectiveness of the controls implemented by the organization. They further determine whether the
implemented controls are adequate and mitigate the identified risks that threaten, or could threaten, the
well-being of the organization. Multiple frameworks have been developed over the years that provide
guidelines for effective implementation of internal control within organizations and for monitoring the
internal control environment. The two most important examples for this study are the internal control
framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 6 and the
Control Objectives for Information and Related Technology (COBIT) 7 framework. These frameworks are
discussed in the following paragraphs.
The last role of the internal auditor discussed here is the role of Consulting. This role has evolved over
time and has changed the tasks and responsibilities of the internal audit function. This also led to the new
developed definition of internal auditing by the Institute of Internal Auditors as described above (paragraph
3.2.1). Following Brody and Lowe (2000), this new definition places internal auditing in both the
assurance and the consulting arena. The authors explain that consulting differs from assurance in its overall
objective and context: assurance adds value by providing an assessment of the reliability of data, processes
and operations, whereas consulting attempts to make direct improvements to the conditions or
circumstances of an organization. According to Fernandes (2000) organizations have been recruiting internal
auditors to provide consulting services in activities such as strategic alliances, mergers, and acquisitions.
Extensive research exists on the conflict between providing assurance and consulting services at the same
time. As pointed out by Brody and Lowe (2000), consulting by internal auditors may create a conflict of
interest, as internal auditors must concurrently satisfy line managers and conduct audits in the same
department. They are thus required to play the role of both monitor and advisor, which makes it difficult for
the internal auditor to remain objective in his or her judgments.
As an in-depth discussion on this topic goes beyond the scope of the current study no further analysis on
this conflict is performed. In the next paragraph the internal control framework of the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) will be discussed.

3.2.3 COSO framework for internal control

The Internal Control – Integrated Framework was issued in 1992 by the Committee of Sponsoring
Organizations of the Treadway Commission (the “COSO framework”). Two decades on, the framework
remains a valid and frequently used basis for the management of risks in today’s organizations, particularly
with respect to Section 404 of the Sarbanes-Oxley Act (SOX). Its value has also been recognized by private
companies that use the framework to organize their approach to internal controls. This is mainly because
the framework enables executives to customize controls according to their most significant risks and
complexities (Deloitte, 2009).

6 http://www.coso.org/
7 http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx

According to Damianides (2005) internal control is defined by COSO as a process, effected by an
entity’s board of directors, management, and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives in the following categories:

 Effectiveness and efficiency of operations.
 Reliability of financial reporting.
 Compliance with applicable laws and regulations.

Damianides (2005) further explains that the COSO framework offers the following key concepts:

 Internal control is a process. It is a means to an end, not an end in itself.
 Internal control is effected by people. It is not merely policy manuals and forms, but people at every
level of an organization.
 Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an
entity’s management and board.
 Internal control is geared to the achievement of objectives in one or more separate but overlapping
categories.

The COSO framework is depicted as a cube. Across the top of the cube run the three categories of
objectives listed above: operations, financial reporting, and compliance. This is a much broader focus than
Section 404 of the Sarbanes-Oxley Act, which only concerns financial reporting. The broader focus of the
COSO framework is beneficial to the organization as it looks at risks across the enterprise. When designing
their approach to managing risks, private companies should consider the five elements of the framework:
control environment, risk assessment, control activities, information and communication, and monitoring.
Each element provides options that organizations may consider in designing their approach to managing
risk (Deloitte, 2009).

Control environment: this element of the framework represents the conscience of the organization,
which can be described as the tone from the top. The main question here is how important risk management is
to the organization. Organizations with strong control environments do not only pay attention to strategy and
growth; their boards also focus on risk and complexity in the business. These organizations are
characterized by:

 Having documented company principles and values.
 Having strong and clear governance and organizational structures, including charters, responsibilities,
and the composition of advisory boards.
 Managing the material numbers and risks that can impact shareholder value through utilizing key
performance indicators and dashboards.
 Requiring managers to attest to their view of risk areas, reconciliations, or other data, which enhances
accountability.
 Having human resources policies and practices employed that support internal controls and also address
situations such as conflicts of interest, gifts, and related parties.
 Encouraging employees to report on incidents that happen within the organization that involve fraud or
significant risk.

Risk assessment: the significant internal and external issues related to the organization are evaluated by
performing a risk assessment, which combines a quantitative and a qualitative approach. Risk assessments are
effective when they incorporate not only the material financial numbers, but also the drivers of value and
risk within the company. The risk assessment examines multiple elements of the financial statements,
considering factors such as the materiality of the account balance, the importance to operations, susceptibility
to loss or fraud, volatility in the account balance, and the complexity of the calculation. These elements are
classified on a grid based on the magnitude of the account and the likelihood of misstatement. The outcomes
of the risk assessment must be reported to the board. This enables the organization to evaluate and address its
risks and define a customized approach for addressing them from the top down (Deloitte, 2009).

Control activities: to mitigate the risks identified, the organization should implement control
activities: the policies and procedures that ensure the controls mitigating those risks are actually carried out.
These controls should be documented and followed. Typical controls include segregation of duties,
approvals, and reconciliations (Deloitte, 2009).

Information and communication: for an organization to be able to monitor and understand business
and control performance, the organization should have timely and accurate communication of information.
Timely and accurate information also helps employees to understand what is expected from them. Besides
that, it also provides managers the information needed to make the right decisions and avoid surprises
(Deloitte, 2009).

Monitoring: to determine whether internal controls are adequately designed, executed, and
effective, the organization should implement monitoring processes. Monitoring processes exist throughout
the COSO cube; to substantiate that the monitoring activities are actually performed, it is advisable to
position this element atop the model. It is important that employees know that they can be checked in order to
confirm that they are doing what they are supposed to be doing. It is equally important, however, to align
the scope and frequency of the monitoring activities with the significance of the risk and the importance of
the value driver in question (Deloitte, 2009).

3.2.4 An update to the COSO framework

Twenty years after the inception of the original COSO framework in 1992, COSO has updated the
Internal Control – Integrated Framework. During those 20 years business and operating
environments have changed dramatically, becoming increasingly complex, technologically driven, and global
in scope (COSO, 2011). Based on these changes COSO has updated the framework and believes that the
updated framework will enable organizations to effectively and efficiently develop and maintain systems of
internal control that enhance the likelihood of achieving the entity’s objectives and can adapt to changes in
the business and operating environments (COSO, 2011). Among the most significant changes across all
areas of the framework are:

· Applies a principles-based approach – The new COSO framework explicitly states the principles that
represent the fundamental concepts associated with the components of internal control. These principles
are to be used by management to assess whether an entity has effective internal control.
· Reflects the increased relevance of technology – Nowadays organizations are using or relying more on
technology than ever. It is therefore important to reflect on the increased relevance of technology,
especially as changes in technology can impact how all components of internal control are implemented.
· Enhances governance concepts – The updated framework includes an expanded discussion on
governance relating to the Board of Directors and committees of the Board, including
nomination/governance committees, compensation, and audit.
· Expands the reporting category of objectives – The financial reporting objective is expanded and now
includes other external reporting beyond financial reporting, as well as internal reporting (financial and
non-financial).
· Enhances considerations of anti-fraud expectations – Due to many scandals and the growing
importance of fraud detection, the new framework includes an expanded discussion on fraud. Further,
the new framework also considers the potential for fraud as a principle of internal control.
· Considers different business models and organizational structures – Over the past 20 years we have
witnessed a change in business models and organizational structures. Due to the globalization of
business new organizational structures evolve. Further, business models change as many organizations
are using third parties for providing products or services necessary to the ongoing operation of the entity.
This change in business models and organizational structures requires management to look in new ways
at their systems of internal control. The new COSO framework therefore explicitly considers the
extended business model including the responsibilities for internal control in this model and the
achievement of effective internal control.

This paragraph has described the role of the internal audit function in providing assurance on the
internal control environment of the organization, and one of the most popular best practices that can be
followed in order to obtain the required assurance on the internal control environment of a company. The
following paragraph (3.3) discusses how the increasing reliance of organizations on IT is impacting the
internal audit function, and how the internal audit function should develop in order to be able, especially in
the coming years, to contribute to well-designed IT internal controls and to strive for these IT controls to be
effective.

3.3 Impact of emerging IT on the internal audit function

3.3.1 The impact of emerging IT on the roles and responsibilities of the internal audit function

According to Hall & Singleton (2005) the field of auditing is impacted by emerging developments in
Information Technology (IT). As they refer to the field of auditing as a whole, this also applies to the
activities performed by the internal audit function. Nowadays, IT is present in almost every business
process because of its potential to make existing processes more efficient and to improve
communication within the organization as well as between the organization and its customers and suppliers.
Because of the presence of IT, auditors should have both IT and task expertise in order to be able to
perform their daily tasks efficiently and effectively (Bedard, Jackson, Ettredge and Johnstone, 2003).

Kimpton & Martin (2001) state that due to the evolving role of IT within organizations auditors are
required to be involved in the planning and organizing of IT-related projects and the implementation,
delivery and support of information systems. Moreover, auditors are also faced with the challenge of
monitoring the IT processes and controls, and providing assurance over the IT environment of organizations.
It is therefore no longer effective to audit “around the computer”, which has been the case in the past when
only manual processes and controls were audited. This makes it now essential for auditors to follow an audit
approach through and with the computer (Carrol, Merwe, and Lubbe, 2009). As the focus of the current study
is on internal auditors it is argued that internal auditors are required to obtain knowledge of auditing as well
as IT to be successful in their role to provide assurance over the IT environment of their organizations.
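The shift from auditing around the computer to auditing through it, described in the paragraph above, and the control activities paragraph in 3.2.3 (segregation of duties, approvals, reconciliations) can both be made concrete with a small computer-assisted audit test. The Python script below is an added example and is not code from the thesis or from any of the cited authors; the role names, the conflict matrix, the approval threshold and the five invoices are constructed for illustration. It re-performs two automated controls over the whole invoice population rather than a sample: that no user holds a forbidden pair of roles, and that every invoice at or above the threshold was approved by someone other than the preparer who actually holds an approver role.

```python
"""Tests of controls re-performed over transaction data (a computer-assisted audit test).

Added illustration; the roles, conflict matrix, threshold and invoices below are
constructed for the example and are not taken from the thesis or a real system.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Constructed role assignments extracted from the ERP: user -> roles held.
ROLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"vendor_master", "ap_invoice_entry"},  # can create a vendor and book its invoices
    "bob": {"ap_invoice_entry"},
    "carol": {"ap_approver"},
    "dave": {"ap_approver", "payment_release"},      # can approve and then pay
    "erin": {"ap_invoice_entry"},
}

# Segregation-of-duties matrix: pairs of roles that one person must not hold together.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"vendor_master", "ap_invoice_entry"}),
    frozenset({"ap_invoice_entry", "ap_approver"}),
    frozenset({"ap_approver", "payment_release"}),
}

APPROVAL_THRESHOLD = 10_000.0  # invoices at or above this amount require an approval


@dataclass(frozen=True)
class Invoice:
    ref: str
    amount: float
    entered_by: str
    approved_by: str = ""  # empty string means no approval recorded


# Constructed invoice population for the audit period.
INVOICES: List[Invoice] = [
    Invoice("INV-1001", 2_500.00, "bob"),             # below threshold, no approval needed
    Invoice("INV-1002", 12_000.00, "bob", "carol"),   # approved by a genuine approver
    Invoice("INV-1003", 15_000.00, "erin", "erin"),   # self-approved
    Invoice("INV-1004", 48_000.00, "alice"),          # above threshold, never approved
    Invoice("INV-1005", 9_999.99, "erin", "alice"),   # "approver" holds no approver role
]


def sod_conflicts(assignments: Dict[str, Set[str]]) -> Dict[str, List[FrozenSet[str]]]:
    """Return, per user, the forbidden role pairs that the user holds in full."""
    findings: Dict[str, List[FrozenSet[str]]] = {}
    for user, roles in assignments.items():
        hits = [pair for pair in SOD_CONFLICTS if pair <= roles]
        if hits:
            findings[user] = sorted(hits, key=sorted)
    return findings


def approval_exceptions(invoices: List[Invoice],
                        assignments: Dict[str, Set[str]],
                        threshold: float = APPROVAL_THRESHOLD) -> List[Dict[str, str]]:
    """Re-perform the approval control on every invoice and list the exceptions."""
    exceptions: List[Dict[str, str]] = []
    for inv in invoices:
        if inv.amount >= threshold and not inv.approved_by:
            exceptions.append({"ref": inv.ref, "issue": "missing approval"})
        if inv.approved_by:
            if inv.approved_by == inv.entered_by:
                exceptions.append({"ref": inv.ref, "issue": "self-approval"})
            if "ap_approver" not in assignments.get(inv.approved_by, set()):
                exceptions.append({"ref": inv.ref, "issue": "approver lacks approver role"})
    return exceptions


def run_tests_of_controls() -> Dict[str, int]:
    """Run both tests and return the exception counts for the audit working paper."""
    sod = sod_conflicts(ROLE_ASSIGNMENTS)
    approvals = approval_exceptions(INVOICES, ROLE_ASSIGNMENTS)
    return {"users_with_sod_conflict": len(sod), "approval_exceptions": len(approvals)}


if __name__ == "__main__":
    for user, pairs in sod_conflicts(ROLE_ASSIGNMENTS).items():
        print(f"SoD conflict: {user} holds {[sorted(p) for p in pairs]}")
    for exc in approval_exceptions(INVOICES, ROLE_ASSIGNMENTS):
        print(f"Approval exception: {exc['ref']}: {exc['issue']}")
    print(run_tests_of_controls())
```

The role extract is tested as a preventive control (can anyone even perform two conflicting steps?), while the invoice file is tested as evidence that the approval control operated on every transaction, which is what auditing through the computer means in practice. Mapping the raw role and invoice extracts of a real ERP onto these structures is the only part left to the reader.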

The International Standard on Auditing 401 (2002) confirms that although the scope and overall
objective of an audit do not change in a computerized information system (CIS) environment, the way
financial information is processed, stored and communicated does change with the use of a computer.
Additionally, the use of computers (technology) may also affect the accounting and internal control systems
as implemented within the organization. Following the International Standard on Auditing 401 (2002) a CIS
environment may affect:

· The procedures followed by auditors in order to obtain sufficient understanding of the accounting and
internal control systems.
· The consideration of control risk and inherent risk through which the auditor arrives at the risk
assessment.
· The design and execution of tests of controls by the auditor, as well as the design and execution of
substantive testing procedures necessary for achieving the audit objectives.

The use of complex computer systems (including, for example, distributed databases, end-user
processing applications, and business management systems) can result in more risk for the organization and
therefore requires further consideration by the auditor. In doing so, the auditor should obtain a clear
understanding of the complexity and significance of the information systems activities and of the availability
of the data that needs to be obtained in performing the audit.

Moorthy et al. (2011) state that in the current age, in which organizations rely on IT and multiple
participants in governance, it is the responsibility of internal auditors to assist the Audit Committee and
management in assessing the IT skill set of the organization, promote greater IT risk involvement on part of
the external auditors and the Audit Committee, and identify overlaps and/or gaps in IT risk coverage. Internal
auditors should, according to Moorthy et al. (2011), also encourage the organization to explore Enterprise
Risk Management (ERM) techniques and tools in order to address IT and other risks at an enterprise level.
Hadden, DeZoort, and Hermanson (2003), who have performed research on the role of internal auditors and
the Audit Committee in the IT area, suggested based on their study results that all corporate governance
players (management, internal auditors, Audit Committee, external auditors) should increase their IT-related
efforts, thereby minimizing the probability of an IT-related control failure. This is something that should be
taken seriously, given the results of the study provided by Stoel & Muhanna (2011) that deficiencies in IT
internal controls will have a negative impact on firm performance (see subparagraph 3.1.3 above).

Based on the statements above it can be concluded that the activities of the internal audit function are
impacted by emerging IT. The ever increasing role of IT within organizations therefore causes Chief Audit
Executives of today to think about the actions necessary to prepare their internal audit function for the
Information age, in which information technology and control over IT will be important factors for overall
business success. A study performed by PricewaterhouseCoopers (2007) on the future of internal audit,
involving 72 Chief Audit Executives (CAEs) from Fortune 250 companies, revealed that CAEs indeed expect
emerging IT to impact the activities performed by the internal audit function. For example, one of the CAEs
interviewed said that he expects the lines separating IT and non-IT audits to continue to blur in the coming
years. Another CAE explained that his organization is providing IT training for its internal auditors. These
statements suggest that internal audit leaders realize that the activities performed by the internal audit
function will be impacted by the increasing role that technology will play in future organizations. The study
of PricewaterhouseCoopers (2007) further reveals that CAEs are thinking
about the needed skills and capabilities for their internal auditors in the coming years. It is stressed that it will
become essential for the organization to have talented audit professionals that are able to evaluate and test
internal controls, and to audit and assess complex IT environments. The CAEs interviewed further expect a
significant increase of internal audit professionals in the technology area and also gave the highest priority to
skill sets in the area of technology and risk management. In addition to this, some of the CAEs interviewed
said that it becomes increasingly important to find talented professionals with integrated skills in finance and
technology, and that IT skills are a must. Taking these findings into account it can be assumed that emerging
IT, and with that the evolving role of IT within organizations, leads to an integration of IT audit with
traditional auditing operations. As the results of the study by PricewaterhouseCoopers (2007) suggest, IT
skills will be an essential complement to traditional auditing skills and an understanding of IT risks needs to
be gained by internal audit.

Based on the discussion above it becomes relevant to know the best ways to develop IT audit
knowledge and skills for internal auditors. The following subparagraph will go deeper into this question by
explaining ways to develop the required IT audit knowledge and skills based on previous research performed.

3.3.2 IT audit knowledge and skills development

The need for continuous development of (IT) audit knowledge and skills is important for auditors to be
able to perform their tasks efficiently and effectively. Pathak (2005) stated that the modern auditor must be
seen as a complex, trained and educated person that must possess skills beyond traditional financial audit,
including knowledge related to information technology and management, sociology, security and forensics,
and professional judgment. The U.S. General Accounting Office (GAO) and the National State Auditors
Association (NSAA) conducted a survey (2001) by which they provided a skill-assessment of state
government audit agencies. The results indicated that, overall, auditors had only a minimal
understanding of the information technologies they audited. The survey included 75 technical categories, and
in 55 of the 75 categories more than 40 percent of the respondents wanted more experience and training in
that area of technology (McCollum, 2002). These findings are supported by the study of Hunton, Wright, and
Wright (2004), who compared risk assessments between clients with non-ERP systems and ERP systems and
between IS (Information Systems) auditors and generalist auditors. The results showed that the control risks
presented by more complex ERP systems are more difficult for generalist auditors to understand than for IS
auditors. The implication of this finding is that there is an increased need for auditors to gain knowledge in
the area of information systems/technology and related controls, considering the ever increasing complexity
of systems along with the need for automated controls (Curtis, Jenkins, Bedard, and Deis, 2009). A more
recent study, performed by Brazel & Agoglia (2007), also found that the IS expertise of generalist auditors is a
significant determinant of control risk judgments in complex computer environments. Additionally, Brazel
and Agoglia provided empirical evidence showing that auditors with greater IS proficiency are better at
identifying ERP risks.

Moorthy et al. (2011) conclude that it is important to recognize the increasing reliance on information
technology to accomplish and/or support the audit activities. The authors state that the auditor’s professional
knowledge and skills set is made up of an ever-increasing percentage of technology topics. In addition, they
emphasize the importance of continuous acquisition of new knowledge due to the rapid changes in IT and the
use of IT within organizations. For example, the use of internet by organizations changes quickly and,
therefore, the knowledge and skills of auditors in this area must be constantly updated with the new changes
in order for the auditors to be of value in audits and audit planning. Knowledge of and skills in new
information technology are not the only concern: emerging information technologies also confront auditors
with new audit risks (Moorthy et al., 2011). Examples of such new risks are, among others, risks related to
the use of Cloud computing services (e.g., Heiser & Nicolett, 2008), Social Media (e.g., Kaplan & Haenlein,
2010), and portable devices such as mobile phones (e.g., Furnell, 2006). The use of these emerging
technologies evidently brings new risks to the organization, which therefore need to be well understood by
the internal auditors in case their organization utilizes them.
Auditors that enter the field of IT audit usually hold a bachelor’s degree with a major in Accounting,
computer science, and/or Management Information Systems (MIS) (Hunton et al., 2004). It is added by
Hunton et al. that besides having sufficient knowledge of information technology, such as network security,
operating systems, and e-commerce, it is essential for a person who wants to enter the world of IT audit to
just genuinely like technology and computers. This statement is supported by the results of the study
performed by Merhout & Cothran (2006), in which one of the IT audit hiring managers interviewed
emphasized that a student should simply have a good aptitude for technology. Based on these statements it
can be assumed that internal audit functions should employ auditors who have an affinity for information
technology, as this will probably lead to greater IT audit knowledge and skills, given the simple fact that these
persons will continuously learn and update their knowledge in the arena of technology.

Given the relevance of gaining knowledge about information technology, the accounting curriculum has
integrated specific IT courses in order to prepare future accountants and auditors in this area. One of the
bodies that has considered the significance of IT in the accounting curriculum is the International Federation
of Accountants (IFAC). In 1995, the IFAC published Education Committee Guideline 11, which states that
“Competence with this technology is an imperative for professional accountants.” Additionally, it states that
IT “… requires special attention due to its explosive growth and its rapid rate of change.” (IFAC, 1995, pp.
1-2). A review of the scientific literature on this topic shows that various studies have been performed that
focus on the need to include information technology courses in the accounting curriculum (e.g., Curtis et al.,
2009; Greenstein & Mckee, 2004; Merhout & Cothran, 2006). In addition, auditors or other professionals
who want to enhance their knowledge and skills in IT auditing should consider obtaining one of the
recognized IT audit certifications.

The CISA designation offered by ISACA is probably the most prestigious international credential
available for entry-level IT auditors (Hunton et al., 2004). The value of CISA is evident by the time it has
been around. The certification is lasting for the past thirty years within the information era, which is proof of
its value from both the employees’ and employers’ perspectives (Ryan & Schou, 2004). In the UK there has
been a remarkable increase of practitioners that are CISA certified, this also indicates the international appeal
of CISA (Mansour, 2005). The requirements for the CISA certification are: successful completion of the
CISA examination, five years of professional experience in IS auditing, control or security, adherence to the
IS auditing standards and the code of professional ethics, and maintaining the obtained skills through
continuing professional education. The exam is divided into seven content areas, each weighted according to
its importance. The two sections carrying the highest weights are “Protection of Information Assets” (25% of
the exam) and “Business Application System Development, Acquisition, Implementation and Maintenance”
(16% of the exam), while “IS Audit Process” accounts for only 10% of the exam. Entry-level IT auditors with
a MIS or related degree have an advantage when preparing for the exam, as many of the IT subject areas are
often already included in MIS curricula (Merhout & Cothran, 2006).

ISACA also offers another potential designation, the CISM (Certified Information Security Manager), which is aimed at experienced security managers. Hunton et al. (2004) also noted other valuable certifications such as the Certified Information Technology Professional (CITP), Certified Internal Auditor (CIA) and Certified Fraud Examiner (CFE). Next to these there are numerous other certifications available, though these seem to focus on information security professionals rather than IT auditors. Whitman and Mattord (2005) add the following relevant certifications for practitioners in the field of IT auditing: System Security Certified Practitioner (SSCP), Global Information Assurance Certification (GIAC), Certified Information Systems Security Professional (CISSP) and Certified Information Forensics Investigator (CIFI). The numerous certifications available are a clear indication that the IT audit profession aims for high ideals in terms of service to its stakeholders and the development of its workforce (Merhout & Cothran, 2006). Moreover, Merhout and Cothran found in their content analysis of IT audit job advertisements that 69% of the ads between 2004 and 2005 mention holding certifications such as CISA, CISSP, CISM and/or CFE as a must or at least a plus.

The amount of experience professionals need for a job in IT audit varies. It depends on the seniority of the position and on whether the IT auditor will work alone or as part of a team. An individual’s success usually corresponds to the depth of their IT and business experience prior to becoming an IT auditor, coupled with their willingness for further development and on-the-job learning. Once hired as an IT auditor, genuine professional and personal development is more than gaining the required number of ‘’CPEs’’ (Continuing Professional Education credits) to renew qualifications such as CISM, CISA and CISSP. The most successful IT auditors are the ones with a lasting drive for further development and a great fascination for audit, technology and related topics (Merhout & Cothran, 2006). This clearly implies that besides having a good basic understanding of IT audit, which can be obtained by following the educational courses previously outlined, professionals within this profession should continuously update their knowledge of newly emerging technologies. As emerging technologies can change the way an organization conducts its business, they also bring new risks that must be well understood in order for organizations to be in control of their current and future IT environments. Therefore, it is a must for internal auditors to keep up to date with current developments within the field of information technology and with the threats that come along with utilizing new technologies.

3.3.3 Ensuring an appropriate level of IT knowledge within the internal audit function

So what can internal audit functions do to ensure an appropriate level of information technology knowledge among their internal auditors? An interesting study that can be used to answer this question is the one performed by PricewaterhouseCoopers (2007), which examined the future of internal audit. Through responses to surveys sent to 72 Chief Audit Executives (CAEs) and 10 thought leaders, and in-depth interviews held with 19 individuals representing a cross-section of the survey population, PricewaterhouseCoopers defined multiple strategies to address information technology risks and the need for competent IT audit resources. Based on the survey responses it is noted that CAEs intend to employ a variety of organizational, infrastructure, and human resource strategies to address information technology risks and the need for IT audit resources. These strategies range from using technology tools to support auditors in their daily tasks, to enhancing the IT audit skills of the core internal audit staff, and/or maintaining a fully separate IT audit group for addressing technology risks. The results of the study by PricewaterhouseCoopers (2007) show that most CAEs intend to follow the strategy of increasing the core skill level of the general internal audit staff so that they can understand and audit technology risks. Exhibit 2-4 below provides an overview of the 10 strategies defined by PricewaterhouseCoopers for addressing technology risks and the need for IT audit resources, including the projected usage (%) among the CAEs surveyed. A discussion of the top 3 ranked strategies follows.

Looking at the number 1 ranked strategy by CAEs (increase the core skill level of the general internal audit staff), it can be argued that CAEs want to strengthen the knowledge and skills of their current staff. This finding is supported by the results of the study performed by Saharia, Koch, and Tucker (2008), who found that internal audit departments satisfied their needs for ERP skills and related technology risks by providing the staff with in-house training instead of hiring external parties with expert knowledge. Results of that study also indicate that the primary means of staying up to date with knowledge related to ERP systems and related risks is to offer staff the possibility of independent study, classroom instruction, and/or seminars where current issues around the topic of interest are discussed (Saharia, Koch, and Tucker, 2008).

Exhibit 2-4: Strategies to address HR & organizational needs in IT audit (Source: PricewaterhouseCoopers, 2007)

Projected usage (%)   Strategy
76                    Increase the core skill level of the general internal audit staff for understanding and auditing technology risks
68                    Acquire more sophisticated technology tools to address technology risks
60                    Increase the use of third-party experts
57                    Embed some auditors with IT audit skills in the larger internal audit function while maintaining a separate IT audit group to support audit teams in addressing technology risks
54                    Deploy higher-level/more experienced IT auditors
49                    Increase the number of IT auditors with relevant certifications
47                    Increase the percentage of total staff who are IT auditors
37                    Deploy technology professionals who are not auditors
26                    Maintain a separate IT audit group within internal audit to address technology risks
14                    Embed auditors with IT audit skill sets within the larger internal audit function without maintaining a separate IT audit group to address technology risks

68% of the respondents indicated that they intend to acquire more sophisticated technology tools to address technology risks. This implies that internal audit departments should focus on the use of, for example, so-called Computer-Assisted Audit Tools (CAATs). CAATs include a variety of tools: operating system and database management system security evaluation software, network security evaluation software, data analysis software, and software and code testing tools (Sayana, 2003). There are multiple situations in which CAATs can assist auditors in testing the IT controls present. These situations arise if the client uses, for example: (1) systems and/or applications that involve electronic data interchange, (2) systems that electronically provide services to customers, (3) electronic payment systems, or (4) decision support systems involving automatic reasoning to support decision making within the organization (Gallegos, Senft, Manson, and Gonzales, 2004). When using CAATs it is important for the audit team to link the available CAATs with high-risk areas during the planning phase. In that case the auditors can take full advantage of the ability of CAATs to test specific risks and to audit 100% of large data volumes with little effort (Suen, 2009). According to Suen (2009), CAATs will only improve audit efficiency and the strength of audit evidence if the auditors using the tools have a good understanding of the client’s business processes and have experience with the audit tools. Given the focus of the current study on internal auditors, it can be argued that internal auditors possess a good understanding of the business processes, as they are part of the organization they work for. If internal audit executives choose to make use of CAATs, they must arrange training activities in order to increase their staff’s experience with the audit tools.

60% of the respondents of the study performed by PricewaterhouseCoopers (2007) indicated that they intend to make use of third-party experts for addressing technology risks and IT audit resource needs. This strategy is also highlighted by Flemming (2003), who states that the internal audit function increasingly obtains the required audit capacity and competency through in-sourcing or co-sourcing contracts. Organizations that can provide these services are the large accounting firms, business service providers, and/or consultancy firms. The question should always be: can we achieve sufficient assurance? If not, the internal audit function should determine in which areas insufficient resources are available in terms of capacity and/or competency. For those areas where the internal resources are insufficient to achieve the required assurance, external resources must be obtained through in-sourcing and/or co-sourcing arrangements in order to have the necessary skills for performing the audit.

3.4 Summary of literature review

Based on the literature review answers can be defined for the sub questions central to this study. As is
already pointed out in paragraph 2.9 (Answering the research questions), the search for relevant scientific
literature related to the current study’s topics is performed to find answers to sub questions 1 – 3. This
paragraph describes the answers found to these research questions by providing a summary of the literature
as described and discussed within the previous paragraphs (3.1, 3.2, and 3.3).

Sub question 1: What is the impact of emerging IT within organizations on the roles and responsibilities
of the internal audit function?

Based on the information provided by previous research it can be stated that the field of auditing is impacted by the emerging developments in IT. More than ever it has become crucial to the survival of almost every organization to have timely, accurate, and complete information on which management can base its decisions. In order to manage this information, organizations are investing substantial capital in the development and maintenance of information systems and information technologies. Besides providing advantages to the organization, the use of complex information technologies can result in more risk for the company and therefore requires further consideration by the internal auditor. Due to the evolving role of IT within organizations and the use of IT within the core business processes, it is expected that the lines separating IT and non-IT audits will continue to blur in the coming years. This confronts internal auditors with the challenge of monitoring the IT processes and controls and providing assurance over the IT environment of their organizations.
One of the purposes of this study is to investigate the impact of emerging IT within organizations on the existing roles and responsibilities of internal auditors. Based on the literature review, the roles of internal auditors include, among others, monitoring, assessing, and analyzing organizational risks and controls. It can be concluded that emerging technologies impact the role of internal auditors by bringing new risks to the organization that are related to the use of emerging IT. The new IT risks that come with the use of emerging technologies in turn lead to the need for the internal audit function to implement IT internal controls in order to mitigate those risks. It therefore becomes important for organizations to have a framework that addresses technology in order to be functional in today’s audit environment. For this, internal auditors are adopting specialized frameworks such as CobiT, with which they are able to implement adequate IT internal controls within the organization. Based on this it can be concluded that the Risk Assessment and Control Assurance roles of internal auditors are affected by the use of emerging technologies within organizations. In the Risk Assessment role, internal auditors will need to identify all new activities that exist due to the use of emerging technology and the relevant risk factors within those activities. This role is therefore impacted in that internal auditors will need to possess the IT knowledge and skills required to perform it correctly. The same is true for the internal auditors’ role of providing Control Assurance: to perform this role within organizations that use emerging technologies, internal auditors are also required to have the specific IT audit knowledge and skills needed to examine and evaluate the efficiency and effectiveness of the controls implemented around the organization’s use of IT. The impact of emerging IT on the internal control of organizations is also emphasized by the Committee of Sponsoring Organizations (COSO), which has provided an update of the COSO framework that reflects the increased relevance of technology, especially because changes in technology can affect how all components of internal control are implemented. With the increasing reliance on IT by organizations, it becomes the responsibility of the internal auditor to assist the Audit Committee and management in assessing the IT skill set of the organization, to promote greater IT risk involvement, and to identify overlaps and/or gaps in IT risk coverage. Moreover, internal auditors will have the responsibility of encouraging their organizations to explore enterprise risk management (ERM) techniques and tools in order to address IT risks at an enterprise level.

Sub question 2: How does the internal audit function of Dutch organizations need to develop in order to be able to adequately audit the increasing complexity of IT?

For organizations to have adequate control over the information technologies they use, they should have enough employees with the required technical knowledge and skills to identify and assess the relevant IT controls. Due to emerging IT and the increasing complexity of IT within organizations, internal audit functions need to focus on development within the area of IT audit. As previous studies have shown, generalist auditors do not possess the required knowledge to fully understand the risks and controls that come with emerging IT. Besides having a pool of IT auditors within the internal audit function, it therefore becomes important for the function to train the generalist auditors in the area of information systems/technology and related controls, as they will also have to deal with an increasing number of automated controls within the business processes they audit.
Having the required IT audit knowledge at one point in time is, however, not enough to ensure that the internal auditors will be able to adequately audit the increasing complexity of IT within their organizations. In order for internal auditors to perform their tasks efficiently and effectively there should be continuous development of (IT) audit knowledge and skills. The importance of this continuous acquisition of new knowledge is emphasized by the rapid changes businesses are witnessing in the use of IT. This has been illustrated with the use of the internet by organizations: as the way organizations use the internet to conduct their business changes quickly, the knowledge and skills of auditors in this area must be constantly updated to keep pace. Therefore, it is a must for internal auditors to keep up to date with current developments within the field of information technology and with the threats that come along with utilizing new technologies. The literature review has shown that due to the increasing use of IT within organizations the accounting curriculum has integrated specific IT courses in order to prepare future accountants and auditors in the area of IT audit. In order to obtain the required knowledge (basic audit and specialized), internal auditors have the possibility of obtaining one or more of the recognized audit certificates such as the CISA, CISM, and CISSP certification. It should be noted, however, that merely obtaining a certificate such as the ones mentioned above will probably not be sufficient for training the internal audit staff in the area of IT audit. Certificates such as the CISA, CISM, and CISSP are obtained by passing one multiple-choice exam for which the candidate has to perform a self-study. Preparing for a CISA exam, for example, will take one or two weeks of preparation. Based on these rather short studies it can be argued that only obtaining one of the recognized certificates will not be sufficient, and that therefore prior education such as a bachelor’s degree with a major in Computer Science and/or Management Information Systems should be considered when hiring IT auditors to become part of the internal audit function. Next to this, some countries such as The Netherlands provide full postgraduate master courses through which people can become a recognized IT auditor. If this course is successfully completed the IT auditor can opt to become a member of the professional association NOREA (Nederlandse Orde van Register EDP-Auditors)8. Being a member of the professional association NOREA means that you are an expert in the area of IT audit. These persons are therefore valuable when developing the internal audit function in the area of IT audit. For the development of the internal audit function to be able to adequately audit the increasing complexity of IT, internal audit management should not only focus on the knowledge and skills development of the current internal audit staff. Next to that, they must ensure that they have auditors with a deep fascination for technology, as this will probably lead to greater IT audit knowledge and skills given that these persons will continuously learn and update their knowledge in the field of information technology. This can mean that internal audit executives should consider refreshing their current IT audit staff with new and young IT auditors who are fully focused on a career in IT audit. These newly trained IT auditors are flexible and can easily adapt their knowledge to the changes in IT that will rapidly occur within their organizations.

Sub question 3: Which strategies can be followed by the internal audit function in order to realize the
further development of the function in the area of IT?

Based on the literature, some strategies have been formulated that internal audit functions can follow in order to realize the further development of the function in the area of IT. Chief Audit Executives are mostly considering the strategy of increasing the core skill level of the internal audit staff so that they understand and are able to audit technology risks. Ways to achieve this are to provide the internal audit staff with in-house training possibilities such as independent study, classroom instruction, and/or seminars where current issues in the area of IT are discussed.
Another possible strategy for internal audit functions is to start using, or increase the use of, sophisticated technology tools with which technology risks within the organization can be addressed. This means that the internal audit function can choose to make use of computer-assisted audit tools (CAATs). Using such tools for substantive testing to search for specific errors and frauds, or to provide total assurance on the data processing, significantly increases the credibility of and value provided by the internal audit function. A prerequisite for using such tools is that the auditor has a good understanding of the client’s business processes and has experience with the audit tools. Internal audit functions that choose to follow this strategy should, therefore, also devote enough time to training the internal audit staff in the use of these tools in order to build that experience.
For addressing the need for IT audit knowledge and skills, internal audit functions can make use of third-party experts. Making use of third-party experts makes it possible to address specific technology risks for which the required knowledge is not available among the current internal audit staff. The specialized knowledge can be obtained through in-sourcing or co-sourcing contracts with consultancy firms, accounting firms, and/or business service providers. When following this strategy it will be valuable to let the in-house auditors shadow the experts hired to perform the audits. In this way, the current internal audit staff will at the same time be trained in the specialist areas, and the internal audit function can retain the knowledge within the organization after the audits have been performed.

8 http://www.norea.nl/

4. Case study results

This chapter provides an overview of the answers gained from the multiple interviews held with internal
audit directors and managers. Based on the information gathered during the interviews a good description can
be provided of how the internal audit functions selected for this research are being impacted by emerging IT
and how they need to develop to ensure an appropriate level of IT knowledge and skills among their internal
audit staff to be able to adequately audit the increasing complexity of IT within their organizations. The
following paragraphs provide an overview of the answers obtained.

4.1 Case study 1 - Ahold

One of the organizations selected for the case study is Ahold. The following subparagraphs provide a
description of the organization and the internal audit function of Ahold. Further, the answers gained during
the interviews that are related to the research questions central to this study are described.

Interviewees:
Internal audit director Peter van de Fliert
IT audit manager Co Wenker

4.1.1 Organization description

Ahold is an organization based in the Netherlands and is known as an international retailing group9. The organization holds strong consumer brands in Europe as well as in the United States. Currently, Ahold has 3,008 stores around the world and employs 218,000 people. Total sales in 2011 added up to €30.3 billion, making it one of the biggest organizations in the world (ranked 104 in the Fortune 50010). The foundation of Ahold is to sell great food, with supermarkets as its core business. Ahold also operates in other formats, including online, convenience stores, and fuel stations. With the online businesses Peapod and albert.nl, Ahold serves people within the Netherlands and the United States. The convenience stores (“Albert Heijn To Go”) are small-size stores located in busy areas such as train stations and shopping streets; these stores are focused on on-the-go customers with fast food solutions. In countries such as the United States, the Czech Republic, and Slovakia, Ahold also sells its products through fuel stations.
The international headquarters of Ahold are based in Amsterdam, the Netherlands. Next to the headquarters in the Netherlands, Ahold also holds offices in Switzerland and the United States. Ahold Corporate is responsible for the functions that support the business, including strategy, finance, legal, compliance, insurance, human resources, communications, mergers & acquisitions, corporate responsibility, information management, and internal audit. The picture below provides a good overview of the organizational structure of Ahold, including all of its brands (source: http://2011yearreview.ahold.com/downloads/Ahold-Full-AR-2011.pdf):

9 https://www.ahold.com/
10 http://money.cnn.com/magazines/fortune/global500/2007/snapshots/7908.html

4.1.2 The internal audit function of Ahold

The internal audit function of Ahold falls under the responsibility of Ahold Corporate. The function
adds up to approximately 40 employees of which 50% is working in the United States and 50% in Europe.
Within the internal audit function in Europe a dedicated IT audit group exists. The size of the European IT
audit group is rather small as it only consists of 2 IT auditors. In addition to the IT auditors there are also 2
operational auditors that have finished the RE (Register EDP-auditor) post graduate education.

The internal audit function of Ahold can be viewed as a mature function given its size and its many years of existence and experience. In 2003 Ahold was involved in a public scandal, causing the management of Ahold to implement a policy of ‘zero tolerance’ in the areas of compliance and controls, in which the internal audit function played a strong role in improving controls and providing assurance. In 2006, Ahold decided to delist from the New York Stock Exchange. This decision was followed by a new period in which the Executive Board of Ahold announced that the internal audit function should take up the role of ‘trusted business advisor’. This led to the implementation of a new organizational model for the internal audit function. The implementation started with the appointment of a new Chief Internal Audit. Under the leadership of the new Chief Internal Audit, the internal audit function was able to put more focus on what is happening in the business, leading to more knowledge of the operational risks instead of only focusing on compliance and controls. After the retirement of the Chief Internal Audit, again a new Chief Internal Audit was appointed. After his appointment he took the time to analyze the developments within the market. Based on this analysis it became clear that having proper control over strategic risks is highly important to the organization. Therefore, the goal of the internal audit function became to provide assurance over strategic risks related to the overall strategy of Ahold. With this new goal the internal audit function is now fully focused on the strategic risks of the Ahold Group. Having such a focus means that there is now no area within the businesses of Ahold that is not audited by the internal audit function.

The audits performed by the internal audit function of Ahold are partially based on the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework. To be more precise, Ahold maintains its own control framework called the ABC Framework (Ahold Business Control Framework). The aim of this framework is to provide reasonable assurance that the risks to achieving strategic objectives are identified and mitigated. The ABC Framework developed by Ahold is based on the recommendations of COSO. Further, elements of CobiT are also incorporated into the framework in order to control the risks related to the use of information technology by the organization.

The internal audit function does not make use of in-sourcing/co-sourcing services in performing the audits. In the past this was the case; nowadays, however, it is becoming less and less relevant. This can be explained by the fact that the second line of defense within the organization – the Internal Control function – hires experts if needed. For example, when implementing a new website the Internal Control function hires experts to conduct penetration tests in order to see how well secured the access to the website is. The interviewees indicated, however, that when needed the internal audit function will hire experts through in-sourcing/co-sourcing agreements.

4.1.3 Impact of emerging IT on the roles & responsibilities of the internal audit function

According to the interviewees, the impact of emerging IT on the roles and responsibilities of the internal audit function of Ahold will not be significant. However, the function should always move along with the developments within the business, as is the case for IT-related topics. Emerging IT can lead to a change in the scope and execution of audits. According to the internal audit director, developments such as “bring your own device” call for specific attention from an audit perspective. The use of mobile devices definitely brings new risks to the organization that must be identified and mitigated. This is also true for the developments within the business related to the online web services provided by Ahold. Due to the increasing use of web services the risk of being hacked is increasing and should be acted upon appropriately. As these types of emerging IT are also present within Ahold and do lead to new (IT) risks, it can be expected that these developments will also have an impact on the roles and responsibilities of the internal auditors of Ahold. According to the internal audit director and IT audit manager interviewed, however, this will not impact or change the roles and responsibilities of their current internal audit staff. They state that instead of having an impact on the roles and responsibilities, it will have an impact on the content of the knowledge required. According to the internal audit director and IT audit manager, there will be more need for specialist knowledge in the coming years. To illustrate this, the internal audit director provided an example that relates to the use of Cloud Computing services by Ahold. Ahold uses the Cloud Computing services from Google for its email traffic (Gmail). Ahold must obtain assurance on the Cloud services delivered, and this assurance is provided by Google. In order for Ahold to assess whether the assurance provided by Google is sufficient for achieving its own organizational objectives, the internal audit function should have experts in this type of service to conduct the assessment. This should, however, not impact the task activities of the current internal audit staff. If this knowledge is not available, it should be obtained by simply hiring a subject matter expert to perform the analysis. This was again illustrated with an example focused on the use of websites by the organization. The security of the websites used by Ahold is tested by an ethical hacker who is hired by the organization to perform professional security checks on the websites. Another reason why the roles and responsibilities of the current internal audit staff are not significantly impacted by the increasing reliance on technology is the fact that Ahold started to outsource the administration of its IT at the beginning of 2005 and extended the outsourcing contract in 200911. By outsourcing the IT function, the controls around the use of IT are mainly performed by the outsourcing party. New IT solutions therefore do not have a direct impact on the audit activities of the current staff. Instead, Ahold internal audit relies on the assurance provided by its IT service providers. What is needed, therefore, is the knowledge to assess whether the assurance provided by the IT service providers is sufficient. Again, if this knowledge is not available, experts will be hired in by the company.

4.1.4 The development of the (IT) internal audit function

According to the internal audit director and IT audit manager interviewed, how the internal audit function should develop is mostly dependent on the business activities performed by the organization. It is always important to look at the ratio of the audit function relative to the business. If, for example, IT accounts for only 10% of the business activities and the remaining 90% consists of other business processes, then this ratio should also be reflected within the internal audit function. Further, if the organization has outsourced most of its IT and therefore obtains assurance on the IT risks from the service providers, this will also be reflected in the lines of defense and therefore in the internal audit function. It is therefore always necessary for the internal audit function to mirror the risk level as it is in the business. Another development within the internal audit function of Ahold is, according to the interviewees, that the IT auditor is moving away from the role of only testing controls and reporting on what is effective and what is not. Instead, the business is involved more by asking them how they know they are in control of their own processes and what they have implemented to warrant that they are actually in control. Within Ahold, this will probably lead to less need for IT audit resources and the ability to rely more on the activities already performed within the business. Next to this, due to the outsourcing of IT by Ahold, all audits that were previously performed on the Unix, Oracle, and Windows environments will not be that extensive

11 http://www.computable.nl/artikel/nieuws/infrastructuur/3179908/2379248/ahold-besteedt-ict-opnieuw-uit-aan-hp.html

anymore in the future. For assurance on the risks related to these environments, Ahold now relies on third party assurance reports (e.g. ISAE 3402, ISAE 3000, and SSAE 16) 12 from its service providers. Such reports only cover the controls the service provider has placed in scope, so the internal audit function still has to judge whether that scope, and any complementary user entity controls the report assumes to be in place, cover the risks relevant to Ahold. This also leads to less need for IT audit resources for the technical compliance activities within the internal audit function of Ahold. Given these developments, the interviewees do not see the need to specifically focus on the development of the internal audit function in the area of IT audit.

4.1.5 Strategies to address the needs for IT audit knowledge and skills

The respondents were asked how they will address the need for IT audit knowledge and skills in the coming years. Both the internal audit director and the IT audit manager answered that the knowledge and skills needed by the internal audit function become visible when developing the yearly audit plan. Based on the audit plan, the required capacity of the internal staff is determined. The aim of the audit plan is to identify all the relevant risks within the organization that can potentially cause the organization not to achieve its strategic objectives. Once the risks have been identified, it also becomes known which business processes are affected. By having clear which processes need to be controlled, and therefore also audited, the internal audit director knows which resources he will need to adequately execute the audit plan. If risks are identified that relate to the use of IT within the organization, enough resources need to be available that can address those risks. However, the interviewees indicated that these resources do not necessarily have to come from within the organization. If there is a strong need for expert knowledge to address specific risks, the best strategy is to hire experts from outside the organization, as this is the easiest and most efficient way of obtaining the required knowledge. Additionally, the respondents indicated that they have the possibility to swap resources with the internal audit function of Ahold USA. This can be very helpful when it turns out that the internal audit function of Ahold USA possesses the expert knowledge needed to adequately perform the audits. The respondents emphasized that when preparing the audit plan, the internal audit function also takes the developments within the business and the market into account. If there are developments to which the internal audit function will need to respond in the long run, the management of the function should determine whether it is necessary and useful to have the current internal audit staff, or part of it, trained so that they possess the required knowledge and skills when needed.
The internal audit director and IT audit manager interviewed particularly stressed the importance of keeping up to date with developments in the use of information technology. To keep up to date, it is important for the internal audit staff to attend seminars on emerging IT to learn about the consequences it can have for the organization. The respondents indicated that they had recently attended a seminar in which the development of IT over the next 10 years was discussed. By attending such seminars it can be determined whether it is useful to facilitate training days for the current internal audit staff. Next to this, the IT audit manager also indicated that as an IT audit manager one

12 http://www.ifac.org/sites/default/files/downloads/b014-2010-iaasb-handbook-isae-3402.pdf

should not ignore invitations received from training bureaus or for attending seminars. As these institutions are always focused on the latest trends and developments within their discipline, in this case IT, you will notice what is important and what is not. For example, if ten or more invitations are received that focus on Cloud Computing and/or ‘bring your own device’, then as an IT audit manager you have an indication of the hot topics in this area. Based on this you can decide whether it is necessary to pay attention to these topics and how they can impact the business of your organization. The internal audit director added that, as a pro-active internal audit function, you should always keep in touch with contacts within the business and IT in order to know what developments they see within the business and IT and how they think these will impact the day-to-day activities of the company. By doing this, the internal audit director and IT audit manager of Ahold are aware that the topic ‘bring your own device’ is becoming increasingly important to focus on, as it will be used by the organization to a greater extent during the coming years. It is therefore important for the internal audit function to realize that this will also bring new security threats to the organization that need to be sufficiently controlled in order to reduce or mitigate the risks related to the use of mobile devices. This triggers the internal audit function of Ahold to facilitate training and technical courses on this topic for its current internal audit staff.
On the question whether people from the business, specifically those working for the IT function of Ahold, will be trained to become IT auditors, the interviewees responded that this is certainly something they would consider, given that those persons possess great knowledge of the information technology used by the organization. The internal audit director, however, emphasized that these persons must also have, or be able to obtain, the required professional audit skills.

4.2 Case study 2 - Achmea

The second organization selected for the case study is Achmea. Again, the following subparagraphs
provide a description of the organization and the internal audit function of Achmea. Further, the answers
gained during the interviews that are related to the research questions central to this study are described.

Interviewees:
Senior internal audit manager (RA) Ad Smits
Senior internal audit manager (RE) Corné Mulders

4.2.1 Organization description

The second internal audit function used for the case study is the one from Achmea. Achmea is an insurance company based in the Netherlands. The company is not listed on the stock exchange. Worldwide, Achmea employs 21,000 people (of which 17,000 work in the Netherlands) and has gross premium revenue close to €20 billion. Within the Netherlands Achmea is the largest insurer, and in other parts of Europe Achmea also holds, in some cases, significant positions. For instance, the organization holds strong

positions in Russia, Turkey, Greece, Ireland, Bulgaria, Romania, and Slovakia. Achmea distinguishes itself from its competitors as the company has a cooperative background. A cooperative is: “a legal entity owned and democratically controlled by its members. Members often have a close association with the enterprise as producers or consumers of its products or services, or as its employees.” 13 Achmea has retained its cooperative identity throughout its 200-year history, guided by the idea that the organization forms an integral part of the communities it serves 14. The primary goal of the organization is to be innovative and to develop products and services that meet the needs of its customers. Customers of Achmea include private individuals, companies and other organizations. Within the Netherlands and Europe, Achmea focuses on its core competences, which are applied in Achmea’s core segments: Income protection, Health, Non-life, term insurance and standard pension products. In the Netherlands Achmea also offers the full range of insurance and related financial products. Achmea is active under several brands, of which the six largest are Interpolis, Zilveren Kruis Achmea, Agis Zorgverzekeringen, FBTO, Centraal Beheer Achmea, and Avéro Achmea. The company uses different distribution channels through which it provides its products and services to its customers. The insurance products are mainly provided to customers via the direct channel (internet or telephone) of Achmea or via the local banks (Rabobank - Interpolis). The brand Avéro Achmea is used to provide a great diversity of insurance products to customers via brokers and intermediaries. Achmea has an organizational structure consisting of distribution and product divisions. The distribution divisions are fully focused on the customer, whereas the product divisions are aimed at developing and maintaining accessible, understandable, and affordable products and services, which are offered to the market via the distribution divisions. Within the division ‘Zorg & Gezondheid’ (Healthcare), known from brands such as Zilveren Kruis Achmea and Agis, distribution and product development are bundled. The following picture provides an overview of the organizational structure of Achmea, including all of its divisions (source: http://www.achmea.nl/over-achmea/organisatie/Paginas/Organogram-groot.aspx):

13 http://en.wikipedia.org/wiki/Cooperative
14 http://www.achmea.nl/financieel/jaarverslagen/Documents/ACHMEA_Jaarverslag_2011.pdf

4.2.2 The internal audit function of Achmea

Managing risks is a daily activity for insurance companies such as Achmea. It is a fundamental part of its business. With well-organized risk management, which is underpinned by the risk appetite of Achmea and the integrated risk management framework, Achmea is able to identify, assess, mitigate and control all the risk categories that apply to its business. Having implemented a strong three lines of defence model, Achmea strives to obtain as much assurance as possible on achieving its organizational objectives. The management of the Achmea Group, the divisions and the operating companies together make up the first line of defence. This first line of defence refers to the risk management as it is embedded within the business itself. The second line of defence comprises the Risk & Compliance, actuarial and compliance departments in the divisions and operating companies. The third line of defence is focused on providing additional assurance on governance, risk management, and internal controls. This third line is composed of the internal audit function of Achmea. The picture below provides an overview of the three lines of defence model implemented by Achmea (source: http://www.achmea.com/corporate-governance/risk-management):

The internal audit function of Achmea, which is the third line of defence (see picture above), consists of 82 FTEs within the Netherlands. Outside the Netherlands another 28 FTEs work for the internal audit function. Compared to other organizations, the internal audit function of Achmea can be rated as a mature function, which is reflected by its size and its years of existence and experience (approximately 30 years). Within

the overall group of internal auditors there are approximately 25 auditors with IT audit knowledge and skills. Of these 25, 11 IT auditors are part of the central IT audit team, which focuses on information management and information technology within Achmea. Besides the central team, the internal audit function also provides specific audit teams for the different divisions of the company, and within those audit teams there are IT auditors who are responsible for auditing the specific applications used by the divisions. The internal audit function of Achmea does not have a separate IT audit department, which is also not preferred by the management of the function. Instead, the function works with integrated audit teams consisting of compliance, financial, operational, and IT auditors. With the integrated approach, audit teams are always composed by looking at the technical expertise needed to perform the audit, but also at the required knowledge of the organization.

The audit approach of the internal audit function of Achmea is mainly based on the COSO framework for internal control. This is reflected in the function’s focus on achieving objectives in the following categories: reliability of financial reporting, compliance with applicable laws and regulations, and the effectiveness and efficiency of operations. For identifying the relevant control environments related to the information technology used by the organization, the internal audit function uses the CobiT framework as a reference. However, the IT audits are not based on all the objectives and controls stated by CobiT; instead, the framework is only used as a tool to identify possible control activities. The relevant areas to audit within the organization are identified based on a risk-based approach. This means that the function and the business identify the critical risks facing the organization and the related processes in which the identified risks are present. Based on this identification process, the internal audit function determines which controls need to be in place and tested in order to mitigate the risks.

The interviewees indicated that the internal audit function does not make use of in-sourcing/co-sourcing services for performing the audits. Only in case of capacity issues will the function consider hiring external parties to assist during the audits. But, as the current formation consists of more than enough auditors, including IT auditors, it will not often be necessary to hire external parties.

4.2.3 Impact of emerging IT on the roles & responsibilities of the internal audit function

The processes of Achmea have changed over the years and the reliance on IT has increased, which is reflected by the increasing automation throughout the supply chain. In the past, orders were received via mailings or phone calls from customers. These orders were then typed into the computer systems by the back office of Achmea. Today, the automation of the process already starts at the beginning, with customers being able to communicate about products and services with Achmea via the internet. If the IT fails, this brings much more risk than in the past, as Achmea will then not be able to fulfill its commitments to its customers. Even though the reliance on information technology is increasing, the interviewees do not expect

that this will have a significant impact on the roles and responsibilities of the current internal audit staff. The current internal audit staff includes a great number of IT auditors who possess the required knowledge and skills to execute the audits on the controls related to the IT risks identified within the organization’s business processes. The roles and responsibilities they have will therefore not change. The interviewees both hold a view on the impact of emerging IT on their internal audit function that differs from the expectation that IT complexity will keep increasing. At the moment, the IT environment and the automation of processes are very complex, because Achmea is a company formed through mergers and still holds a great number of legacy systems that are all interconnected. However, instead of making the IT environment more complex in the coming years by increasing the automation of current processes, the senior managers indicated that the organization is now fully focused on making the use of IT and the whole IT environment less complex. By doing that, Achmea is attempting to make its products and services easier for its clients. If Achmea succeeds in standardizing the complex business processes and the related information technology, this will have a direct impact on the need for IT audit resources, as fewer will be needed compared to the current situation. The interviewees added that making the current use of IT more complex by constantly incorporating new emerging technologies whenever available would make the company less competitive in the markets in which it operates, because the business processes can become less efficient due to non-standardized procedures and technologies; the same holds for the internal audit function. On the other hand, going through such a transformation of course makes for interesting times for the IT employees as well as the IT auditors. Moving from an old to a new situation means that migrations have to be performed between complex IT environments. Obtaining assurance on these migration processes is required in order to prevent the risk of losing valuable data.
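The kind of completeness and accuracy check an IT auditor would run on such a migration, added here as an illustration; it is not part of the thesis and not Achmea’s own tooling. The record layout, the business key `policy_id`, the numeric control field `premium` and the sample records are all constructed for the example. It compares a source and a target extract on three levels (record count, control total, per-record fingerprint), because the first two can agree while individual records have still been dropped, added or silently altered, which is exactly the data-loss risk the migration assurance is meant to address.

```python
"""Migration reconciliation check (added example, not from the thesis or Achmea).

Compares a source and a target record set the way an IT auditor tests a data
migration for completeness and accuracy: record counts, a control total over a
numeric field, and a per-record fingerprint so that dropped, added and silently
altered records are each reported separately. All data is constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field

KEY = "policy_id"          # assumed business key of a record
CONTROL_FIELD = "premium"  # assumed numeric field used for the control total


def fingerprint(record: dict) -> str:
    """SHA-256 over the record with keys sorted and no whitespace, so a
    different field order in the target export does not show as a change."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class Reconciliation:
    source_count: int
    target_count: int
    source_total: float
    target_total: float
    missing: list = field(default_factory=list)   # key in source, not in target
    extra: list = field(default_factory=list)     # key in target, not in source
    altered: list = field(default_factory=list)   # same key, different content
    duplicate_keys: list = field(default_factory=list)  # (side, key) pairs

    @property
    def clean(self) -> bool:
        """True only when every level of the check agrees."""
        return (self.source_count == self.target_count
                and abs(self.source_total - self.target_total) < 0.005
                and not (self.missing or self.extra
                         or self.altered or self.duplicate_keys))


def index_by_key(records, side, dupes):
    """Map business key -> record; a repeated key is recorded as a finding
    because it would hide a lost record behind a matching count."""
    index = {}
    for record in records:
        key = record[KEY]
        if key in index:
            dupes.append((side, key))
        index[key] = record
    return index


def reconcile(source, target) -> Reconciliation:
    dupes = []
    src = index_by_key(source, "source", dupes)
    tgt = index_by_key(target, "target", dupes)
    result = Reconciliation(
        source_count=len(source),
        target_count=len(target),
        source_total=round(sum(r[CONTROL_FIELD] for r in source), 2),
        target_total=round(sum(r[CONTROL_FIELD] for r in target), 2),
        duplicate_keys=dupes,
    )
    result.missing = sorted(src.keys() - tgt.keys())
    result.extra = sorted(tgt.keys() - src.keys())
    result.altered = sorted(k for k in src.keys() & tgt.keys()
                            if fingerprint(src[k]) != fingerprint(tgt[k]))
    return result


# Constructed sample: three legacy policies "migrated" to a new system.
# Count and control total match, yet one record was lost, one unknown record
# appeared, and one holder name was altered: only the per-key comparison sees it.
SOURCE = [
    {"policy_id": "P-1001", "holder": "A. Jansen", "premium": 120.50},
    {"policy_id": "P-1002", "holder": "B. de Vries", "premium": 89.00},
    {"policy_id": "P-1003", "holder": "C. Bakker", "premium": 240.25},
]
TARGET = [
    {"policy_id": "P-1001", "holder": "A. Janssen", "premium": 120.50},
    {"policy_id": "P-1002", "holder": "B. de Vries", "premium": 89.00},
    {"policy_id": "P-1004", "holder": "D. Visser", "premium": 240.25},
]

if __name__ == "__main__":
    outcome = reconcile(SOURCE, TARGET)
    print("counts", outcome.source_count, outcome.target_count)
    print("totals", outcome.source_total, outcome.target_total)
    print("missing", outcome.missing, "extra", outcome.extra,
          "altered", outcome.altered, "clean", outcome.clean)
```

In practice the two extracts would be pulled independently from the legacy and the new system by the auditor, not supplied by the migration team, and the fingerprint comparison would be run over the full population rather than a sample, since a count and a control total are exactly what a faulty migration can reproduce by accident.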

The objective of the internal audit function of Achmea is to increase the collaboration between persons with different backgrounds and competences to jointly perform the audits that need to be executed. An example was provided about the introduction of the KKV (Keurmerk Klantgericht Verzekeren, the Dutch quality mark for customer-oriented insurance) 15. As the requirements of the KKV are very complex and difficult to understand, the internal audit function should have an expert on this subject to answer the related questions. But in order to realize the KKV, the organization must also implement it correctly within the IT systems used. Therefore, audit teams must be created that include auditors from multiple disciplines in order to adequately respond to the issues at hand. The interviewees acknowledged that all internal auditors should possess some basic IT knowledge. However, their opinion is that for specific technical IT related questions you must have a specialized IT auditor who is able to perform the job. This means that it is not realistic to think that training the financial, compliance, and/or operational auditors in some basic IT knowledge will be sufficient for the internal audit function to be able to perform specific technical IT audits throughout the organization. This implies that the roles and responsibilities of the current internal audit staff will not be impacted by the use of emerging technologies by the organization.

15 http://www.keurmerkverzekeraars.nl/

4.2.4 The development of the (IT) internal audit function

To the question of how the internal audit function of Achmea should develop in order to be able to adequately audit the increasing complexity of IT within the organization, the interviewees responded that instead of increasing the complexity of IT, Achmea is focusing on standardizing the IT environment. By doing this, the organization is trying to make the use of IT more efficient and easier to use for the organization as well as the customers. This development should eventually lead to an IT environment that is easier to understand and to manage, which, in turn, will also decrease the number of IT auditors needed if the goal of standardizing the IT is achieved.

Next to the development described above, the interviewees also indicated that the complete IT infrastructure of Achmea has been outsourced for 5 years now. Comparing the current situation with the situation of 10 years ago therefore also shows a difference in how, and which, IT risks need to be audited by the internal audit function of Achmea. 10 years ago, when all IT was still managed in-house, the internal audit function was aimed at mitigating risks such as the reliability of information processing through the systems and the continuity of the IT infrastructure. These IT risks are still present; however, they are now managed by the outsourcing party that manages and hosts the IT infrastructure of Achmea. As a result, the internal audit function of Achmea had to change the way in which the organization obtains assurance on the IT risks controlled by the outsourcing parties. For assurance on the risks related to these environments, Achmea now relies on third party assurance reports (e.g. ISAE 3402, ISAE 3000, and SSAE 16) 16 from its service providers. Having outsourced the complete IT infrastructure also had an impact on the need for IT audit resources in the internal audit function of Achmea. These developments should eventually lead to less need for IT audit resources.

The interviewees expect that the IT risks currently present within the organization will change due to changes within the business and the way in which the business is performed. It is, however, not expected that the number of IT risks relative to the number of (manual) business risks will increase; only that they will change due to the developments within the market (e.g. Cloud Computing, internet services, and the use of mobile devices). The senior managers indicated that, as the internal audit function of the organization, they should know and understand how the developments within IT can impact the internal control environment when the organization chooses to implement and use them. The internal audit function needs to know what the strategy of the organization is and will be, so it can prepare the internal audit staff for the changes the new strategy will bring to the control environment of the organization and, with that, for the knowledge and skills required to be able to provide assurance.

16 http://www.ifac.org/sites/default/files/downloads/b014-2010-iaasb-handbook-isae-3402.pdf

4.2.5 Strategies to address the needs for IT audit knowledge and skills

The internal audit function of Achmea assesses yearly whether the resources required to answer the audit questions are available. This is done not only for IT, but also for the financial, compliance, and operational auditors. Three times a year all the developments within the market and their potential impact on the internal audit function are discussed. Furthermore, the internal audit function prepares a business plan each year which also includes a paragraph ‘Employee’. Within this paragraph it is described how the business plan will impact the internal auditors’ task activities. The interviewees do not expect trouble obtaining the required IT audit knowledge and skills. By having multiple assessments of the internal audit function and its capacity and available knowledge, the management of the function is able to anticipate potential shortages in a timely manner. These shortages are, however, not expected. One explanation for this is that Achmea is not a frontrunner in the area and use of IT. Achmea will always follow the developments in IT, which means that new risks due to the use of emerging IT will not play a role within the organization immediately. This gives the internal audit function of Achmea enough time to anticipate the changes emerging IT will bring to the internal control environment. Next to this, the interviewees stipulated that, due to its size and brand, Achmea is an attractive employer to work for. This also helps with attracting educated and knowledgeable internal (IT) auditors. The question of how to address the needs for IT audit knowledge and skills therefore becomes less relevant for the internal audit function of Achmea.

A possible strategy to follow when needed is to hire external experts who can assist the internal audit function in developing the audit plan and/or performing the audits. This was explained with the example of the use of SharePoint by the organization for the automation of business processes. SharePoint is developing fast, and expertise related to the new developments will not be available at the moment new releases are introduced. In order to have the expertise needed, the internal audit function will therefore hire the expert knowledge from outside the company. When it is expected that the knowledge needs to be embedded within the internal audit function itself, it will be decided which persons will have to follow the specific training courses related to the topic. These trainings can be facilitated within the company or at the training schools specialized in the topics relevant to the organization. The interviewees emphasized that great attention is paid to the continuous development of the internal auditors. All the auditors have to maintain their knowledge and keep up to date with the developments occurring within their area of interest. This is realized by committing to the permanent education (PE) that the auditors need to follow to ensure they maintain their auditor title (e.g. RE, RO, RA, RC). Additionally, the internal audit function has also set up the Business School IA in 2011. Based on the developments within the business, the management of the internal audit function selects the subjects that are relevant to include within the training courses of the Business School IA. For example, in the area of IT Achmea is currently involved in the implementation of Identity Management 17. When having such an implementation it is important to train the IT auditors on

17 http://en.wikipedia.org/wiki/Identity_management

this subject so that they fully understand what it means. This is done through the Business School IA of Achmea, which is aimed at the continuous development of the internal audit staff.

Another strategy sometimes followed by the internal audit function of Achmea to address the need for IT knowledge of the organization’s IT environment is to attract people from the business and retrain them to become auditors of the company. One clear advantage of this is that people from the business have a good understanding of how the IT works and how the controls designed around the use of IT are performed. A requirement of the internal audit function is that these persons follow the relevant basic audit courses, as they will be required to possess the fundamental audit skills needed to perform audits. A point to watch with this strategy is objectivity: the IIA Standards (1130.A1) presume an internal auditor’s objectivity to be impaired when providing assurance on an activity for which the auditor had responsibility within the previous year, so retrained staff should initially be kept off audits of the systems they used to operate.

As the world changes, an organization needs to change with it. Especially when working within the audit profession, you should be willing to constantly develop yourself, as the profession never stands still. The management of the internal audit function of Achmea is confident that they have the proper measures in place to be able to anticipate what is happening within the business and to attract educated persons. Furthermore, the internal audit function has made good arrangements with persons who hold specific expertise in areas that need to be controlled by the internal audit function and for which no in-house knowledge is available. It certainly helps when the internal audit staff is eager to learn and wants to constantly develop itself.

5. Analysis and Conclusions

This chapter provides an analysis of the results obtained from the different case studies. The results of
the two case studies are compared with each other and with the literature provided in order to formulate final
answers to the research questions central to this study. The case study results are analyzed and discussed
regarding each sub question (1 – 3, see chapter 1) in paragraph 5.1. Based on the analysis and discussion a
concluding answer is provided to the research question of this study (see paragraph 5.2).

5.1 Comparison of case study results

5.1.1 Impact of emerging IT on the roles and responsibilities of the internal audit function

A great number of scientific studies, as discussed in the literature review (see Chapter 3), point out that it is becoming significantly more important for auditors to obtain IT audit knowledge and skills, as developments in IT will have a great impact on their day-to-day audit activities. This sounds logical and is also true to a certain degree. However, what is missing in the scientific articles on this topic used for this study is the distinction between different business models (e.g., outsourcing of IT) and structures of internal audit functions (only generalist auditors vs. a fully integrated IT audit team). This should be considered when drawing general conclusions on the impact of emerging IT on the roles and responsibilities of the internal auditor, as indicated by the results of both case studies examined for this research. Both cases indicated that emerging IT will not have a significant impact on the roles and responsibilities of the internal audit function. The internal audit function of Achmea already includes a great number of IT auditors who possess the knowledge and skills required to execute the audits related to IT. This can be explained by the intense reliance on information technology of organizations in the financial services industry. On the other hand, there are far fewer IT auditors within the internal audit function of Ahold. However, the results indicated that emerging IT will not impact the roles and responsibilities of the current internal audit staff. This is in contrast with the results of the study performed by PricewaterhouseCoopers (2007), which revealed that Chief Audit Executives (CAEs) expect the lines separating IT and non-IT audits to continue to disappear in the coming years. This means that the activities performed by the internal auditors are also impacted, as they are required to take technology risks into account when establishing the audit plan. This is consistent with the view provided by International Standard on Auditing 401 (2002; since withdrawn and superseded by ISA 315 and ISA 330) that the use of information technology within an organization can affect the procedures followed by auditors in order to obtain a sufficient understanding of the accounting and internal control systems implemented within the organization. Further, the use of information technology can also affect the design and execution of tests of controls by the internal auditor, and it clearly affects the risk assessment performed to identify the relevant risks for an organization. The reason that emerging IT will not have a significant impact on the existing roles and responsibilities of the current internal audit staff of the internal audit functions examined is that these functions employ experienced IT auditors who have the knowledge and skills needed to anticipate

Page | 53
W.A. Honselaar 2012 – Thesis Postgraduate IT Auditing
the changes in IT within their organization. Based on the results from the case studies, risk assessments
will be impacted by the use of new technologies, as completely new risks need to be considered by the
organization. This has been illustrated with new technologies such as ‘bring your own device’ and Cloud
Computing, which entail new risks that need to be well understood by the organization in order to control
them. The risk assessment can be performed adequately because the knowledge required for this appears to
be available in-house at mature internal audit functions such as those of Ahold and Achmea. A note that
needs to be made here is that having a pool of experienced IT (audit) personnel does not guarantee that the
use of emerging technology by an organization will be successfully controlled. A good example of an
organization that has a mature internal audit function and nevertheless failed in implementing a new ERP
system is the Dutch Ministry of Defense. The project, called ‘Speer’, is considered one of the biggest SAP
implementation projects within The Netherlands and even within Europe.18 Having a pool of 60 IT auditors
did not, however, prevent the project from failing. The person ultimately responsible for the project, Walter
van der Garde, acknowledged that the internal IT auditor was not given the right role and responsibility for
providing assurance over the different parts of the project. This implies that the roles and responsibilities of
IT auditors should be well defined when they are asked to provide assurance over the IT environment of the
organizations they work for.

The results of both case studies show that the impact of emerging IT on the roles and responsibilities of
the internal auditors is moderated when the IT is outsourced to an IT service provider. Both Ahold and
Achmea have outsourced most of their IT environment to IT service providers. The use of such business
models is consistent with the update of the COSO framework (COSO, 2011), which emphasizes that
business models change as many organizations use third parties for providing products and services. It is
remarkable that the scientific literature examining the impact of information technology on the task
activities of the (internal) auditor does not investigate this impact for different business models. When the
IT is outsourced, the implementation of new IT solutions will not have a direct impact on the audit
activities of the current internal audit staff. However, Ray and Ramaswamy (2007) emphasize that it is
critical for internal auditors to evaluate the effectiveness of the risk and controls framework of the service
provider in order to mitigate internal control risks throughout the lifespan of the outsourcing agreement.
Further, Ray and Ramaswamy state that the internal auditor faces another challenge when the organization
has outsourced its IT environment: one of the key issues that comes with outsourcing the IT environment is
the internal auditor’s role in ensuring adherence to the various compliance and security standards. Besides
that, the internal auditors must assess the extent to which they can rely on the work performed by
independent service auditors and other specialists. This has also been stressed by the case study
participants, who indicated that they hire experts in the area of assurance on activities performed by service
providers to assess whether the assurance provided by these outsourcing vendors is sufficient.

18 http://www.norea.nl/ReadFile.aspx?ContentID=37495&FileID=23048&Type=2

An interesting finding obtained from the case studies is that Achmea indicated that it is focusing on
making its IT environment less complex. This is in contrast to most of the studies used in the literature
review, which emphasize the increasing complexity of IT within organizations (see, for example, Stoel &
Muhanna, 2011; Curtis et al., 2009; Hermanson, Hill, and Ivancevic, 2000) and the impact it will have on
the information technology related activities of internal auditors. By making the IT environment less
complex there will also be less need for IT audit resources, and this therefore will not impact the existing
roles and responsibilities of the current staff. The intention of Achmea to make the IT environment less
complex will be crucial for most organizations if they want to compete within the markets in which they
operate. Therefore, based on the case study results of the current study, it can be argued that the increasing
complexity of IT within organizations also impacts the role and responsibility of the internal IT auditor, as
it requires the IT auditor to support the organization not only by providing assurance on the IT environment
but also by advising the organization on making the IT environment less complex. By assisting the
organization in making the IT environment less complex, the use of IT by the organization will become
more efficient and effective. This can lead to a stronger position relative to its competitors and eventually
even to better financial performance. The case study results therefore indicate that the increasing
complexity of IT within organizations has an impact on the consulting role of the internal IT auditor, as
explained in paragraph 3.2.2 of this paper. By performing the consulting role the internal IT auditor will
add value to the business as outlined above. However, as the internal IT auditor is then required to play both
the role of monitor and that of advisor, it will be difficult for the auditor to remain objective in his or her
judgments. So, when asking the internal IT auditor to advise on how to enhance the efficiency and
effectiveness of the IT used, internal audit executives should clearly define the segregation between
advising auditors and monitoring auditors. Here it is important that the IT auditor who performs the role of
consultant does not also perform the eventual audit on the implementation of his or her advice, as this
would conflict with the independence and objectivity the IT auditor should have. Therefore, when giving
the internal IT auditors the role of consultant, internal audit executives should consider whether they have
enough IT audit resources available to maintain this segregation between advising and monitoring. If the
pool of current internal IT auditors is not sufficient, it should be considered to hire external IT auditors
specialized in performing the tasks required, either as advisor or as auditor.

Looking at the maturity level of the internal audit functions used for the case studies, it can be argued
that emerging IT will not have a significant impact on the existing roles and responsibilities of the internal
auditors because these functions are well equipped to respond to the risks that arise from the use of new
technologies by their organizations. It can be expected that this will be somewhat different for internal
audit functions that have a low level of maturity and few auditors with sufficient knowledge of IT. The
reasoning for this is based on the assumption that immature and/or small-sized internal audit functions
mainly employ financial and/or operational auditors. If the organizations of which these types of internal
audit functions are part choose to make extensive use of information technologies, this also means that the

organization will be exposed to numerous IT risks that need to be well understood in order to mitigate
them. This will therefore have an impact on the existing roles and responsibilities of the current internal
audit staff consisting of financial and/or operational auditors. As their knowledge will probably not be
sufficient to identify the new IT risks, or at least not all of them, internal audit executives should consider
either developing the knowledge of the current staff in the area of IT audit (e.g., by following a
postgraduate IT audit course) or hiring external expertise in order to obtain the required assurance on the
newly implemented IT environment. The assumption that generalist auditors (financial/operational) will
probably not have sufficient knowledge to identify all the relevant risks that come with the use of emerging
IT (e.g., the implementation of a new ERP system) is supported by the study performed by Curtis et al.
(2009), which provides empirical results showing that the control risks presented by more complex ERP
systems are more difficult for generalist auditors to understand than for IS auditors. In addition, the study of
Brazel & Agoglia (2007) provides empirical evidence that auditors with greater IS proficiency are better at
identifying ERP risks than generalist auditors. Besides the impact on the existing roles and responsibilities
of the internal auditors, it also becomes the responsibility of the internal auditor to assist management and
the Audit Committee (if present) in assessing the IT skill set of the organization and to promote greater IT
risk involvement. This is important given the finding of Stoel and Muhanna (2011) that not properly
attending to IT risks and IT internal controls can result in deficiencies that become a liability (competitive
disadvantage) to the firm. Additionally, whenever the organization is going to make extensive use of
information technology, low-maturity internal audit functions should encourage the organization to explore
enterprise risk management (ERM) techniques and tools in order to address IT risks at an enterprise level
(Moorthy et al., 2011). The organizations of the internal audit functions selected for the case studies already
have a professional enterprise risk management system implemented. This makes these organizations strong
in addressing IT and other risks and in responding to new risks whenever they occur.

5.1.2 The development of the (IT) internal audit function

The results obtained through the case studies show that internal audit functions need to mirror their
activities and risk focus to those of the business. The development of the internal audit function of Ahold is
largely dependent on the business activities performed by the organization. Likewise, the case study on
Achmea shows that the internal audit function of Achmea continuously focuses on the strategy of the
organization, and on what the strategy will become, in order to prepare the internal audit staff for the
changes the new strategy will bring to the current control environment. When the business activities and/or
strategy change, this can have an impact on the knowledge and skills the internal audit staff needs to
provide assurance. The results of both case studies also show that there is no strong need for the internal
audit functions to develop within the area of IT. This can be explained by the outsourcing of IT by both
organizations. Due to the outsourcing of IT, the audits previously performed by the internal audit function
on the IT environments of their organizations are now being performed by the independent auditors of the

service providers. This eventually leads to less need for IT auditors and with that less need for development
of the function within the field of information technology. These results show that the impact of emerging
IT on the task activities of internal auditors is dependent on the type of business model pursued by the
organization. It can therefore not be stated that the increasing complexity of IT within organizations
impacts the internal audit activity without considering the business model of the organization under
investigation. Both organizations examined in the current study have outsourced their IT function to IT
service providers. By having outsourced the IT function, the internal audit function is not directly impacted
by emerging IT, as this is managed by the IT service provider. Instead, it can be argued that this will impact
the external (IT) auditors who perform the third-party assurance audits (e.g., ISAE 3402 and ISAE 3000)
on behalf of the organization that has outsourced its IT environment or parts of it. They are required to
possess the knowledge and expertise needed to provide reasonable assurance on the audit object, which in
this study can be defined as the IT environments of Ahold and Achmea. For the internal auditor this shifts
the work towards evaluating such reports: checking that the scope and reporting period of the service
auditor’s report actually cover the outsourced systems and processes the organization relies on, that the
complementary user entity controls the report assumes are in place and operating at the organization itself,
and that any exceptions reported have been followed up. Besides outsourcing, the case study results also
provide insight into other reasons for not needing development within the area of IT. According to the
results of the Ahold case study, there can be less need for IT audit resources when the business itself is
more involved and already performs many of the controls itself. The other reason, provided by Achmea, is
that the organization is focusing on making its IT more standardized and thereby less complex. In contrast
to much previous research, in which it is stated that IT is becoming more complex within organizations,
Achmea aims at making its IT less complex and more efficient. As already discussed in paragraph 5.1.1
this is a very logical development, because organizations have to compete with their competitors to stay
profitable in the short and long term. One aspect that becomes increasingly important for organizations in
order to compete is the efficiency and effectiveness of the information technologies used. Having more
efficient and effective information technologies than competitors also means lower costs than competitors.
As organizations are becoming increasingly reliant on IT, making the use of IT more efficient and effective
will only increase in importance for the profitability of organizations in the future. Eventually this can lead
to a decrease in the need for IT audit resources, which is why the internal audit function of Achmea is not
specifically aimed at further developing the function in the area of IT. However, it should be stressed that
reducing the complexity of the IT environment to make the use of IT more efficient may lead to a need for
IT auditors in the role of consultant. Although fewer IT audit resources are required once the environment
has been standardized and made less complex, achieving such a state requires a lot of expert knowledge in
the area of IT. This role can be fulfilled by IT auditors, as they possess knowledge of both IT and business
processes and are also able to identify the risks within the new situation and the controls that can be
implemented to mitigate the identified risks. Internal audit executives should therefore consider utilizing
the full potential of their IT audit resources by also making them business advisors and letting them assist
the organization in achieving the goal of making the use of IT more efficient and effective. The finding that
Achmea expects a decrease in the need for IT audit resources is somewhat unexpected and is also not very
consistent with the scientific literature reviewed in this research. For example, Curtis et

al. (2009) have stated that, due to the ever increasing complexity of systems and the need for automated
controls, there will be an increased need for auditors to gain knowledge in the area of information
systems/technology and related controls. Although this sounds logical, the current study shows that this is
not necessarily true for all auditors. Auditors within internal audit functions that have dedicated IT auditors
focusing on IT and related controls, as is the case for Ahold and Achmea, do not need to gain much
knowledge in the area of IT as this is addressed by their IT audit colleagues. The findings of Curtis et al.
(2009) are expected to hold more for small-sized internal audit functions whose internal audit staff is
required to audit all business processes, including those in which information technology is used. These
auditors should consider developing their IT audit knowledge and skills whenever the use of IT is increased
by their organizations. Another way for these types of internal audit functions to address the need for IT
audit resources is to hire expert knowledge from third parties such as the big accountancy firms or other IT
consulting/audit firms. Further, it can be argued that the development of IT audit knowledge and skills is
more important in developing countries, as the use of IT by organizations in those countries is still in its
initial phase. This is supported by the study of Abu-Musa (2008), which states that there is a lack of
efficient and effective professional standards in Saudi Arabia in the area of IT and internal auditing
compared with highly developed countries such as the USA. In such countries many standards have been
issued, for example by the American Institute of Certified Public Accountants (AICPA),19 that relate to IT
and its impact on the auditor’s consideration and evaluation of internal controls, such as SAS No. 3, SAS
No. 48, and SAS No. 94.

Following the statements of Moorthy et al. (2011), it is important for auditors to continually acquire new
knowledge of IT due to the rapid changes in IT and in the use of IT within organizations. These rapid
changes also cause auditors to worry about new auditing risks. This is acknowledged by the respondents of
the case studies, who indicated that they constantly follow the changes within the organization and
determine what the impact of those changes will be on the internal audit function. For an internal audit
function to be able to respond to the changes in IT and to address the new auditing risks, it is a must to have
talented professionals with IT skills (PWC, 2007). The internal audit functions of Ahold and Achmea do
have such professionals, holding relevant certifications (e.g. RE, CISA, CISSP, and CISM), and are
therefore able to respond to the changes in IT and to new IT risks. This is also a reason why these internal
audit functions do not need to develop further within the area of IT audit. The management of these
functions, which already employ talented professionals, does need to ensure that these auditors, besides
having sufficient knowledge, also have a strong fascination for technology, as they will have to
continuously learn and update their knowledge in the field of IT auditing. As already stressed in the
conclusion of the literature review, this can mean that internal audit executives should consider refreshing
their current IT audit staff with new and young IT auditors who are fully focused on a career in IT audit.
These newly trained young IT auditors are flexible and can easily adapt their knowledge to the changes in
IT that will rapidly occur within their

19 http://www.aicpa.org/Pages/Default.aspx

organizations. Again, it can be argued that small-sized internal audit functions do need to develop, as they
will probably not have professionals with the required IT audit skills available. Therefore, when the
organization adopts emerging IT, these functions should consider developing basic IT audit knowledge
within the current internal audit staff. To obtain the required knowledge, these internal audit functions
should encourage their staff to obtain one or more of the recognized audit certifications related to IT, such
as the RE, CISA, CISM, and CISSP certifications. On the other hand, it can also be decided to hire the
required IT audit knowledge from expert third parties when needed. This will be the better option when, for
example, the current internal audit staff is not eager to learn the knowledge and skills needed to perform IT
audits and identify all the relevant risks that come with the use of emerging IT by their organizations.

5.1.3 Strategies to address the needs for IT audit knowledge and skills

The results of both case studies show that the management of the internal audit functions yearly prepares
the audit plan, which includes the audits that need to be performed in order to obtain the required assurance
on the organization’s business processes. In preparing the yearly audit plan, the required capacity of the
internal audit staff is determined. When doing this it is important to take the developments within the
business and the market into account and to assess how these developments can or will impact the task
activities of the internal auditors. The internal audit function of Achmea does this by including a specific
paragraph in the yearly business plan on the impact of the business plan on the task description of the
employees. Both case studies revealed that the management of the internal audit functions is concerned
with constantly updating and enhancing the knowledge of its current internal audit staff. For the internal
auditors this is a necessity, as information technology changes rapidly, meaning that the risks and controls
also need to be adapted to these changes. The internal audit function of Achmea has set up the Business
School IA, through which training is provided to the internal audit staff on relevant and current topics. This
is also being done, in a less formal manner, by the internal audit function of Ahold. So, based on the case
study results it is clearly shown that the internal audit functions are focused on maintaining and increasing
the knowledge and skills of their current internal audit staff. This is consistent with the findings of the study
performed by PricewaterhouseCoopers (2007), of which the results clearly indicated that Chief Audit
Executives mostly consider following the strategy of increasing the core skill level of the internal audit
staff to understand and be able to audit technology risks. According to Saharia et al. (2008) the best way to
achieve this is to provide in-house training and seminars through which relevant topics are explained and
discussed. This is consistent with the results of the case studies, which show the importance of attending
seminars and facilitating training for the internal audit staff.

Both case studies also point out the value of hiring expert knowledge to address specific risks. These
results are consistent with the study performed by Flemming (2003), in which it is stated that internal audit

functions increasingly obtain the required audit capacity and competency through in-sourcing or
co-sourcing agreements. This can be a very efficient strategy, as the required knowledge is not always
available in-house. When choosing co-sourcing arrangements with external parties, the company can enjoy
incremental benefits such as knowledge sharing and access to technical expertise (Desai, Gerard, and
Tripathy, 2008). To gain such benefits from co-sourcing arrangements, the internal auditors should shadow
the hired experts while they perform the audits. By doing so the internal audit staff will be trained in the
specialist areas, ensuring that the knowledge is retained within the organization after the contract with the
experts ends.

The respondents of both case studies indicated that they are also considering attracting people from the
business and retraining them to become (IT) auditors for the organization. This can, however, be difficult,
as the persons from the business also need to obtain the basic knowledge needed to become a valuable
auditor. It can take some time before the required knowledge is obtained, which may also be the reason that
only a few of the Chief Audit Executives (37%) within the study by PricewaterhouseCoopers (2007)
intended to follow such a strategy to address the need for IT audit knowledge and skills.

It is interesting that the respondents of both case studies did not mention the strategy of acquiring more
sophisticated technology tools in order to address technology risks. This strategy is ranked number 2 within
the study performed by PricewaterhouseCoopers (2007), with 68% of the CAEs indicating that they intend
to follow this strategy.

5.2 Conclusions

Having analyzed and discussed the results of this research, both from the literature and from the case
studies, conclusions can be drawn regarding the sub questions and subsequently the research question
central to the current study. To recap, the purpose of this study was to explore the impact of emerging IT on
the task description of the internal audit function and to explore which developments internal audit has to
undertake in order to be able to adequately audit the increasing complexity of IT within their organizations.
This has led to the following research question:

“What is the impact of emerging IT on the task description of the internal audit function and which
development processes has internal audit to undertake in order to be able to adequately audit the increasing
complexity of IT within their organizations?”

To answer this research question the following sub questions have been formulated:

1. What is the impact of emerging IT within organizations on the roles and responsibilities of the internal
audit function?
2. How does the internal audit function of Dutch organizations need to develop in order to be able to
adequately audit the increasing complexity of IT?
3. Which strategies can be followed by the internal audit function in order to realize the further
development of the function in the area of IT?

The following sub-paragraphs provide concluding answers to these questions based on the study results.

5.2.1 Answer to sub question 1

What is the impact of emerging IT within organizations on the roles and responsibilities of the internal audit
function?

Based on the study results it can be concluded that the existing roles and responsibilities of internal
auditors are affected by the use of emerging IT within their organizations. Emerging IT confronts internal
auditors with the challenge of monitoring the IT processes and controls and providing assurance over the IT
environment of their organizations. The impact, however, is low for mature internal audit functions, as they
employ specialized IT auditors who have the knowledge and skills to address the new risks and controls
that come with emerging IT. This means that the existing roles and responsibilities of the other internal
auditors (financial, compliance, operational) are not affected, because they do not have to focus on the IT
risks and controls as these are addressed by their IT audit colleagues. It has been argued that this will
probably be different for small-sized internal audit functions, as they probably only employ generalist auditors

(financial/operational) and no specialized IT auditors. The use of emerging IT can therefore impact the
existing roles and responsibilities of the whole internal audit staff, as they are required to address the new
IT risks. Without a pool of IT auditors, this means that the current auditors should consider obtaining the
knowledge required to address the technology risks. If this is not feasible, the organization should consider
hiring the IT audit knowledge required to obtain reasonable assurance on its IT environment.
The results of this study also show that the increasing complexity of IT within organizations has a
counter effect, as organizations will try to make their use of IT less complex and more efficient, thereby
becoming stronger competitors in the markets in which they operate. This will have an impact on the
consulting role of the internal IT auditor, as IT auditors can assist the organization in achieving this goal by
using their expert knowledge of the IT systems used and the business processes in place. When asking the
internal IT auditors to perform the role of business advisor, internal audit executives should clearly define
the segregation between advising auditors and monitoring auditors so that the independence and objectivity
of the internal auditors are not jeopardized.
Further, it can be concluded that with the increasing reliance on IT within organizations it is the
responsibility of the internal auditor to assist management and the Audit Committee in assessing the IT
skill set of the organization and to promote greater IT risk involvement. This conclusion is particularly
relevant for internal auditors working for organizations that are at the start of enhancing their use of
information technologies for conducting their business and have not yet implemented professional
enterprise risk management processes to address IT and other risks.
Finally, it can be concluded that the impact of emerging IT on the roles and responsibilities of internal
auditors is moderated when the organization has outsourced its IT function or parts of it. This conclusion
shows that when examining the impact of emerging IT on the existing roles and responsibilities of internal
auditors, a distinction should be made between different business models. When the IT environment has
been outsourced, emerging IT will not have a direct impact on the task activities of the internal auditor.
Instead, internal auditors face the challenge of obtaining sufficient assurance from the service providers.
Here it is not the internal auditor who is impacted, but the external auditor who has to provide reasonable
assurance on the services provided by the outsourcing party. A good example is the upcoming use of Cloud
Computing services, which clearly impacts the knowledge and skills required of external auditors in order
to provide assurance on these services.

5.2.2 Answer to sub question 2

How does the internal audit function of Dutch organizations need to develop in order to be able to
adequately audit the increasing complexity of IT?

Due to emerging IT and the increasing complexity of IT within organizations, internal audit functions
need to focus on development within the area of IT audit. This is, however, not true for all internal audit
functions. To be able to respond to the changes in IT and to address the new auditing risks, the internal audit

Page | 62
W.A. Honselaar 2012 – Thesis Postgraduate IT Auditing
function should have talented professionals with IT skills. Mature internal audit functions of Dutch
multinationals do have such professionals, who also hold the relevant certifications (e.g. RE, CISA, CISSP,
and CISM), and are therefore able to respond to the changes in IT and to new IT risks. It can therefore be
concluded that these types of internal audit functions do not have to develop their function in the area of IT
audit, as they are already sufficiently equipped to audit the increasing complexity of IT within their
organizations. It has been argued that small-sized internal audit functions do need to develop the function in
the area of IT audit, as they will probably not have access to professionals with the required IT
audit skills. When these small-sized internal audit functions are required to develop in the area of IT audit
because of an increasing reliance on IT by their organizations, the management of the function should
consider encouraging its internal audit staff to obtain one or more of the recognized audit certifications related
to IT, such as the RE, CISA, CISM, and CISSP certifications. Another way for these types of internal audit
functions to address the need for IT audit resources is to hire expert knowledge from third parties, such as the large
accountancy firms or other IT consulting/audit firms. Further, it has been argued that the development of IT audit
knowledge and skills is more important in developing countries, as the use of IT by organizations in those
countries is still in its initial phase.
Based on the study results it can be concluded that auditors should continuously develop their (IT) audit
knowledge and skills in order to be able to perform their tasks efficiently and effectively. This is required because
businesses are witnessing rapid changes in the use of IT, which in turn requires continuous re-assessment
of the risks present for the organization and adjustments to the implemented controls to mitigate the new risks
identified. In order to be able to perform these tasks, the internal auditor must therefore be constantly up to
date with the developments in IT that are (potentially) affecting the organization. This can mean that internal
audit executives should consider refreshing their current IT audit staff with new and young IT auditors who
are fully focused on a career in IT audit. These newly trained young IT auditors are flexible and can easily
adapt their knowledge to the changes in IT that will occur rapidly within their organizations.

5.2.3 Answer to sub question 3

Which strategies can be followed by the internal audit function in order to realize the further development of
the function in the area of IT?

The study results show that internal audit executives can follow several strategies to address the needs
for IT audit knowledge and skills. Internal audit executives can determine the knowledge and skill needs
by preparing a yearly audit plan and assessing what the impact of the audit plan will be on the task
description of the employees. If it turns out that the use of information technology by the organization is
impacting the audit plan, internal audit executives can follow several strategies to be able to address the IT
risks and controls. This research has identified the most preferable strategies for internal audit
executives to follow in order to realize the further development of the internal audit function in the area of IT:

1. Increase the core skill level of the current internal audit staff for understanding and auditing IT
risks.
2. Increase the use of sophisticated technology tools with which technology risks within the
organization can be addressed (e.g. CAATs).
3. Make use of third-party experts to address specific technology risks for which the required
knowledge is not available among the current internal audit staff.

5.2.4 Answer to the central research question

What is the impact of emerging IT on the task description of the internal audit function, and which
development processes does the internal audit function have to undertake in order to be able to adequately audit the
increasing complexity of IT within their organizations?

Based on the answers provided to the sub questions central to this research, a well-founded answer can be
given to the central research question of this study. Emerging IT and the increasing complexity of IT within
organizations do not have an impact on the task description of mature internal audit functions. The task
description is defined in the current study as the existing roles and responsibilities of the internal auditors
working for the internal audit function. This study has shown that the use of emerging IT or the increasing
complexity of IT within organizations does not have an impact on the existing roles and responsibilities of
internal auditors of mature internal audit functions of Dutch multinationals. This is explained by the fact that
mature internal audit functions, such as the cases examined in this study, have a pool of specialized internal IT
auditors who possess the knowledge required to provide assurance on the IT environment of the organization.
As these mature internal audit functions of Dutch multinationals are well prepared in the area of IT, there is
no specific need for further development, as they already have professionals employed who possess the
required knowledge and skills to adequately audit the increasing complexity of IT. Furthermore, based on the
results of this study it can be concluded that the impact of emerging IT on the task activities of internal
auditors is dependent on the type of business model pursued by the organization. By having outsourced the
IT function, the internal audit function is not directly impacted by emerging IT, as this will be managed by the
IT service provider. As opposed to the general conclusion reached by previous research that the complexity
of IT within organizations will increase in the coming years, the results of this study show that organizations are
also working on making their IT environment less complex and the use of IT more efficient. From a strategic
perspective this is becoming increasingly important, given the fact that organizations are becoming more and
more reliant on IT. Making the use of IT more efficient will therefore help organizations compete
in the coming years, as this will have a positive effect on their operating costs. This will not
have an impact on the traditional roles of the internal auditor. However, it is in these situations that the
internal IT auditor should take up the role of consultant. As a trusted business advisor, the internal IT auditor
can assist the organization in achieving the goal of making the IT environment less complex and the use of IT
more efficient. For internal audit functions that do not have professionals specialized in the area of IT, the

impact of emerging IT and the increasing complexity of IT within organizations will be great on the existing
roles and responsibilities of the current internal audit staff (mainly consisting of financial/operational
auditors), as they need to address the risks related to the use of IT and the controls to mitigate such risks. This
study indicated that these types of auditors (generalists) do not possess the required IT audit knowledge to
fully address all the relevant IT risks that come with the use of emerging IT or the increasing complexity of
IT within organizations. Internal audit functions that do not have the IT audit resources available to provide
reasonable assurance on the IT environment of their organizations can pursue different strategies to address
the human resources and organizational needs in IT audit. This study showed that these strategies can range
from increasing the knowledge and core skills of the current internal audit staff to increasing the use of
sophisticated technology tools and third-party experts. Besides this, it also becomes the responsibility of
these internal auditors to assess the IT skill level of the organization and to promote greater IT risk
involvement by the management of the firm. Regardless of the maturity level of an internal audit function, it
has clearly been shown that all auditors who need to address IT risks and design proper controls should
constantly develop their knowledge around the use of information technologies, as changes in IT occur
rapidly. Within this study it is therefore argued that internal audit executives should consider refreshing their
current IT audit staff with new and young IT auditors who are fully focused on a career in IT audit. These
newly trained young IT auditors are flexible and can easily adapt their knowledge to the changes in IT that
will occur rapidly within their organizations. Without the required resources, internal audit functions
will not be able to adequately audit the increasing complexity of IT within their organizations. Therefore,
given the results of this study, small-sized and/or immature internal audit functions that do not have
specialized IT audit resources available, and whose organizations are starting to become increasingly
reliant on IT, need to be aware that this will impact the task description of the current internal audit staff and
need to take timely action in order to prevent their organizations from being exposed to the numerous IT risks that
come with the use of emerging IT.

6. Personal reflection and future research suggestions
This chapter is a personal reflection on the outcomes of this research. With this reflection I focus on the
observations that stood out from this study and any open questions that remain. It further describes the
research limitations that should be considered when making assumptions and conclusions based on the study
results. Based on this reflection future research suggestions are provided that can be performed to obtain
more empirical evidence on the impact of emerging IT on the task description of the internal auditor.

After my switch to the internal audit team of Deloitte Risk Services I was motivated to find a research
subject that would match the requirements of the Postgraduate IT audit course and, on the other hand, would
also be valuable to the knowledge of the internal audit team of which I am part. With this motivation in
mind I started to read scientific articles on the impact of information technology on the internal audit activity.
Soon I discovered that the general conclusion reached by these scientific studies is that the rapid changes and
developments in IT are significantly impacting the auditing field. This motivated me to examine what the
impact of emerging IT will be on the existing roles and responsibilities of the internal auditor and which
developments the internal audit function has to undertake in order to be able to adequately audit the
increasing complexity of IT within their organizations. With this subject my goal of writing a thesis that is
relevant for the IT audit profession as well as for the internal audit team of which I am part is achieved.

While there are numerous scientific articles that conclude that emerging IT significantly impacts the
existing roles and responsibilities of all auditors, this research shows that the impact is rather low
on the existing roles and responsibilities of internal auditors working for mature internal audit functions. The
reasoning behind this is that these types of internal audit functions have specialized IT auditors employed
who focus on the IT risks and controls within the organization, leaving the other auditors
(financial/operational) of the internal audit function unaffected by the developments in IT. Another
observation that was shown to lower the impact of emerging IT on the existing roles and responsibilities of
internal auditors is the type of business model pursued by the organization. Whenever the IT environment has
been outsourced, the use of emerging IT will not have a direct impact on the internal audit function. These
findings demonstrate that before drawing conclusions regarding the impact of emerging IT on the required
knowledge and skills of auditors, different situations should be examined in order to obtain an accurate and
valid conclusion regarding this relationship. As the scientific literature used for this research does not make
this distinction in its conclusions, I chose not to make this distinction up front either
when selecting the case study participants. This choice has led me to the conclusion outlined above. The
number of case studies selected is limited due to the time constraints for conducting the study. Therefore,
generalizing the conclusions of this study to all internal audit functions becomes rather difficult. I
considered the option of developing a questionnaire based on the information gathered from the scientific
literature and sending this out to numerous internal audit executives. However, as my goal was to provide a
complete description of the situation as it is at the internal audit functions selected for this research, I decided

not to use a questionnaire, as this would not have provided me with the detailed information required to reach
my conclusions on the research subject. Although this research demonstrates that the impact of emerging IT
is rather low on the existing roles and responsibilities of internal auditors working for mature internal audit
functions, the question remains whether this conclusion stays valid in the coming 5 to 10 years. The
automation of business processes continues to accelerate at a high pace. This is evident, for example, in the
banking and insurance industry, where Straight Through Processing is a frequently used term, meaning that an
order is processed without any human intervention. Given these developments, it remains relevant to
question whether generalist auditors (financial/operational) need to expand their skills and knowledge in
the area of IT audit to cope with these future challenges. Based on this I suggest the following research
question for future research:

1) “What is the impact of the increasing automation of business processes on the skill set and knowledge
required for financial/operational/compliance auditors to be able to perform their audit activities?”

Based on this research I argue that the impact of emerging IT on the task description of the internal
auditors working for small-sized and/or immature internal audit functions will be greater than for the mature
internal audit functions, such as the ones selected for this study. The reasoning behind this is that the
small-sized/immature internal audit functions probably do not have specialized IT auditors employed, but only
traditional financial and/or operational auditors. The fact that no such internal audit functions were selected for
this research represents a limitation of this study. It would therefore be interesting to investigate whether the
conclusion reached through this research, that the impact of emerging IT on internal auditors is low within
highly mature and large internal audit functions, will be different for the small-sized and less mature internal
audit functions within small and medium-sized enterprises (SMEs) that are at the start of becoming
increasingly reliant on information technologies. How relevant does the question of focusing on IT risks and
controls become for these types of organizations, and how do these organizations anticipate the risks they
will face due to the increasing reliance on IT? Based on this I suggest the following research question for
future research:

2) “What is the impact of becoming more reliant on IT on the perception of entrepreneurs of SMEs towards
the importance of IT risk management within their organizations and how can the IT auditor assist these
entrepreneurs in obtaining reasonable assurance on their IT environment?”

Finally, the literature review shows that a great number of scientific articles write about the
ever increasing complexity of IT within organizations and the impact of this development on the internal
audit profession. This research demonstrates that, due to this development, organizations are, on the other
hand, putting effort into standardizing their IT environment and thereby making it less complex and
more efficient. This is a logical reaction to the conclusions reached in previous research that the complexity

of IT is increasing within organizations. In order for organizations to remain strong or even become stronger
competitors in the markets they operate in, they can benefit from increasing the efficiency and effectiveness of
their use of IT. This will lower the operating costs of the business operations and can therefore lead to better
financial performance. The results of the case study imply that this can lead to less need for IT audit
resources, as the scope and the complexity of the audit object will decrease. On the other hand, however, I see
this as an opportunity for the internal IT auditor, as they can assist their organizations in achieving the goal of
standardizing the IT environment and thereby increasing the efficiency of its use of IT. It is the internal IT
auditor who has the expert knowledge of the IT systems and business processes of the organization required
to advise the business in achieving its goal. This is also in line with the evolving role of the internal auditor
into the consulting arena. Utilizing the internal IT auditor as a trusted business advisor can in these
situations therefore add value to the organization in achieving its strategic objectives. Based on this I suggest
the following research questions for future research:

3) “What is the role of the IT auditor in assisting organizations achieving the goal of standardizing the IT
environment and thereby increasing the efficiency of its use of IT and what is the added value of the IT
auditor in performing this role?”

4) “What is the difference between an IT consultant and an IT auditor and which aspects of these two
professions are the most important in assisting organizations achieving the goal of standardizing the IT
environment and thereby increasing the efficiency of its use of IT?”

With this personal reflection on the current research I have pointed out what stood out from this study,
the open questions that remain, the research limitations, and my suggestions for future research. I
encourage future researchers in the area of IT audit to consider the future research suggestions provided in
this chapter. Based on a review of the existing IT audit literature I have noted that these topics have not yet
been explored in depth. This makes it relevant for them to be investigated through further research.
