You are on page 1of 15

JOURNAL OF INFORMATION SYSTEMS American Accounting Association

Vol. 30, No. 1 DOI: 10.2308/isys-51315


Spring 2016
pp. 7–20

COMMENTARY

The Current State and Future Direction of IT Audit:


Challenges and Opportunities
Ann C. Dzuranin
Northern Illinois University

Irina Mălăescu
University of Central Florida
ABSTRACT: Embracing the spirit of the Pathways Commission’s focus of enhancing the value of practitioner/
educator exchanges, the inaugural Journal of Information Systems Conference (JISC) brought together 30 academic
researchers and 15 practitioners to discuss the current state and the future direction of information technology (IT)
audit research and practice. Panelists, comprised of practitioners from government, public accounting, and industry,
provided insight into current IT audit issues. The first panel discussed the role of IT auditors in helping organizations
meet compliance requirements and ensuring that information systems add value to the organization. The second
panel addressed the future of IT audit in a world of advanced analytics and emerging technologies. Although the
panels addressed separate topics, common themes emerged from the discussions. Issues facing the IT audit
profession as a result of the increasing volume of data available, coupled with changing technology and increasing
regulatory requirements, underscored much of the discussion. Big Data, compliance, and emerging technology
issues were addressed from both internal audit and external audit perspectives. This commentary provides a review
and synthesis of the information presented during panel discussions at the conference and suggests potential
research questions.
Keywords: IT audit; IT audit analytics; audit data standards; IT compliance; emerging technology.

I. INTRODUCTION

T
his commentary provides a review and synthesis of the information presented during panel discussions at the inaugural
Journal of Information Systems Conference (JISC). The conference brought together 30 academic researchers and 15
practitioners to discuss the current state and the future direction of information technology (IT) audit research and
practice. Panelists, comprised of practitioners from government, public accounting, and industry, provided insight into current
IT audit issues. The first panel addressed the role of IT auditors (both internal and external) in meeting external compliance
requirements and ensuring information systems provide value to the organization. The second panel addressed the future of IT
audit and the implications of emerging technologies on the audit process. Both panels brought to light the key issues facing the
profession and the need for relevant and rigorous research into these issues. The panelists and their affiliations are listed in
Exhibit 1.
Although the panels addressed separate topics, common themes emerged from the discussions. Issues facing the IT audit
profession as a result of the increasing volume of data available, coupled with changing technology and increasing regulatory
requirements, underscored much of the discussion. Data, compliance, and emerging technology issues were addressed from
both internal and external perspectives. Internal perspectives are those issues the organization faces regarding compliance and
performance. External perspectives are those issues facing accountants engaging in external audit and consulting activities.
The topic of data was addressed by most of the panelists. The influences of increasing volumes of data available for
analysis and audit, as well as concerns regarding data integrity, were addressed. Data availability is changing the way
businesses make decisions and is changing the way audits are conducted. At the center of this, however, are concerns about the

Editor’s note: Accepted by Diane J. Janvrin.


Submitted: June 2015
Accepted: October 2015
Published Online: October 2015
7
8 Dzuranin and Mălăescu

EXHIBIT 1
List of Presenters
Name Affiliation
Mikrish Appadu, Manager Ernst & Young
Matt Pickard, Assistant Professor The University of New Mexico
Susan Pierce, Senior Technical Manager AICPA
Joel Pinkus, Program Director KPMG
Srinivas Saraswatula, Managing Partner Accuratus
Donny Shimamoto, Founder IntrapriseTechKnowlogies LLC
Mark Shore, CEO, President Compliancy.com
Beth Wood, State Auditor State of North Carolina

data themselves. Data integrity, reliability, completeness, and security were issues that all the practitioners identified as
concerns when using data to make decisions and conduct audits. Underlying these concerns is that data in and of themselves
present risks of which the companies and their auditors need be cognizant.
Another topic addressed by panelists was the impact of compliance requirements. Worldwide there has been an increase in
regulatory reforms and businesses are struggling to keep pace with the changes. The panelists addressed issues relating to
information technology and compliance, as well as the potential for compliance to be a value-added activity.
The third common topic was emerging issues in IT audit. The emerging issues discussed included the current state of audit
data standard development, the need for new data analytic applications and ways to develop those applications, the potential for
development and use of financial information exchanges, and the potential use of avatars for audit interviews.
The remainder of the paper provides a summary of panelists’ discussions along with suggestions for future research and is
organized as follows. Section II focuses on the discussions related to data and current research in this area. Section III presents
panelists’ thoughts regarding compliance and how compliance can add value. Section IV provides a discussion on emerging
issues in IT audit. Section V presents potential research questions using the research framework suggested by Geerts, Graham,
Mauldin, McCarthy, and Richardson (2013). Section VI concludes the paper.

II. DATA
The auditing literature has explored audit quality mostly in terms of effectiveness (e.g., El-Masry and Hanson 2008; Arena
and Azzone 2009) and/or efficiency (e.g., Murthy and Kerr 2004; Bamber and Iyer 2007; Kaplan, O’Donnell, and Arel 2008;
Mălăescu and Sutton 2015; Farkas and Hirsch 2016). However, in the advent of Big Data and business analytics, companies
need to adapt and transform their decision-making processes and overall business strategies (Griffin and Wright 2015), thus
impacting the audit process (Vasarhelyi and Alles 2008; Vasarhelyi, Alles, and Williams 2010; Kuhn and Sutton 2010; Moffitt
and Vasarhelyi 2013). The effect on the IT audit function of the increasing volume of data accumulated in organizations was
evident in the presentations delivered at the JISC. Data presents both opportunities and challenges for IT audit. Specifically,
how can IT audit leverage data analytics to reduce risks, meet compliance requirements, and increase the value of the
information system? These concerns can be broken down into three areas: data analytics, data quality and access issues, and
data risks.

Data Analytics
Although data analytics is not a new topic for accountants and auditors, the ever-increasing amount of data created and
stored by organizations presents new challenges (Alles 2015; Griffin and Wright 2015; Krahel and Titera 2015; Vasarhelyi,
Kogan, and Tuttle 2015; Warren, Moffitt, and Byrnes 2015; Yoon, Hoogduin, and Zhang 2015; Zhang, Yang, and Appelbaum
2015). The challenge now is how to use the vast amount of data created and stored by organizations to reduce risks and
improve the IT audit function. A recurring observation by the panelists is that auditors need to understand the business and the
data, not just the tools. As panelist Mikrish Appadu put it ‘‘For a 1,000-hour job 900 hours will be [spent] just trying to
understand the data.’’ After the data needed are identified, auditors must then develop the correct criteria in the analytics. Only
then can the analytics performed on the data be used to assess risks and evaluate performance.
The need to identify the correct criteria is not trivial. One panelist gave an example of spending over $6 million on an
analytic software tool implemented to identify fraudulent claims. At the time of the acquisition, the tool was estimated to be

Journal of Information Systems


Volume 30, Number 1, 2016
The Current State and Future Direction of IT Audit: Challenges and Opportunities 9

able to find over $50 million in fraudulent transactions, but to date has identified only $454 thousand due to not having the
correct criteria in their analytics.

Data Quality and Access Concerns


Six common quality and access concerns were identified by the panelists in their discussions regarding data: integrity,
reliability, completeness, controls, security, and storage/retrieval. All agreed that data analytics cannot be relied upon by
internal or external auditors unless these concerns are addressed. Beth Wood, North Carolina state auditor, discussed the audit
functions of her office and the specific concerns they have regarding data. She notes that financial statement, compliance, and
performance audits rely heavily on data retrieval and data manipulation. Auditors must be able to identify where the data are
stored and be able to retrieve those data and manipulate them so that they can be analyzed. They use data analytics to identify
where the largest risks are for misstatements or noncompliance. In performance audits, analytics are used to identify fraud;
however, the analysis is only valuable if data integrity, reliability, and completeness are ensured. Controls over the data and the
security of the data are also critical. Management must be able to identify what controls are in place to be sure that the data are
complete and that access to the data is limited to those employees who should have access, before incorporating these reports in
their decision-making process.
Mikrish Appadu, a manager in the EY IT risk and assurance practice, also emphasized the need for organizations to
address controls for the completeness of data. According to Appadu, ‘‘Big Data is just a new way of addressing the same risk
we always have [addressed]. It’s a new way of looking at risks and implementing controls to address these risks.’’ Appadu
noted the importance of getting the proper stakeholders involved to set the stage for a successful implementation of data
analytics in the company: people who understand how the business works, representatives from the IT departments, as well as
the compliance and security teams. Appadu stressed that the controls need to be implemented at the source, and not just in the
financial statements. It is critical that data are tagged appropriately from the beginning, which can only be achieved after
gaining a thorough understanding of the business processes and how the data are being captured within the company. Related to
these concerns the AICPA (2015) has started creating audit data standards to build a common framework for the key
information needed for audits. Audit data standards are discussed more in Section IV, ‘‘Emerging Issues in IT Audit.’’

Data Risks
As discussed above, data can be used to help identify and analyze business risks, but what if the data themselves are a risk?
Vasarhelyi et al. (2015) and Yoon et al. (2015) point out the risk of identifying false positives using Big Data in the course of a
financial statement audit. Panelist Beth Wood concurred with this in her discussion about the potential for wasted time and
effort spent following false positives.
To be able to rely on the data analytics reports, the auditors must verify the completeness and accuracy of the tagged
information that is being aggregated. To minimize the risk of incomplete or inaccurate data, additional controls must be
implemented at the source of the data. These controls should be in addition to those in place at the financial statement and
dashboard level. The panelists pointed out that Big Data tools create additional risks to both the organizations and the
consumers, because they promise quick results in identifying fraud and security breaches, and are therefore usually
implemented as is. As a result, many organizations are now asking accounting firms for help with the independent verification
and validation of these tools, to assess whether they will deliver the expected outcomes.
Retention of data is also a concern facing organizations. Companies need to be able to bring their systems back online as
part of their business continuity planning and to get access to their data for further analysis. The continually increasing amount
of data that organizations are capturing and storing makes it more vulnerable to cyber security threats. The logging of the
information and how the logs are maintained create another risk area. Panelist Appadu noted that most breaches that occur stem
from systems administrator ID vulnerabilities. He recommends having a set of controls to minimize this risk and identify ‘‘red
flags’’ for abnormal logins.
The panelists concurred that companies must look at both business and data risks first and then create controls to manage
these risks. Technology is constantly evolving and, with it, the associated risks are changing as well. As a result, many
organizations are asking accounting firms for help with their security issues. The impact to accounting advisory services is
discussed in more detail in Section IV: ‘‘Emerging Issues in IT Audit.’’

III. COMPLIANCE AS A VALUE-ADDED ACTIVITY


Although the increasing volume and availability of data raises concerns, it also provides the opportunity to more easily
evaluate compliance with regulatory requirements. The topic of compliance and the role of IT audit was extensively addressed
in the panel discussions.

Journal of Information Systems


Volume 30, Number 1, 2016
10 Dzuranin and Mălăescu

EXHIBIT 2
Benefits of Compliance Technology Automation and Related Existing Research
Benefit Existing Research
Build credibility with auditors and customers Nigrini and Johnson 2008

Reduce cost Rezaee, Sharbatoghlie, Elam, and McMickle 2002;


Pathak, Chaouch, and Sriram 2005; Pathak, Nkurunziza, and Ahmed, 2007;
Mălăescu and Sutton 2015
Reduce business impact Nigrini and Johnson 2008

Improve processes/better control Rezaee, Ford, and Elam 2000; Potla 2003

Reduce risk Rezaee et al. 2002; Potla 2003; Searcy, Ward, and Woodroof 2009
Eliminate duplicate controls

Manage multiple frameworks

Marketing and sales benefit


(compliance badge of honor)
The benefits listed above were provided by Mark Shaw during his JISC panel presentation on March 26, 2015, Raleigh, NC. The citations for existing
research are provided by the authors.

Compliance with regulatory reforms is a key concern for organizations worldwide. Privacy protection such as the
European Union’s Privacy Directive and the United States Health Insurance Portability and Accountability Act (HIPAA) are
examples of regulations that have increased the role of information technology in compliance by organizations. The Sarbanes-
Oxley Act (SOX) in the U.S. explicitly requires that all information systems used to produce financial statements must be
documented and tested for compliance with management’s IT control objectives. Clearly there are costs for noncompliance—
both monetary and reputational—but can it be said that there is value in compliance beyond avoiding penalties?
To evaluate the value of compliance, it is necessary to look beyond meeting compliance minimum standards.
Organizations need to begin with solid risk management and technology can help assess and maintain those risks. Controls
should be designed around the risks identified. With the aid of IT audit, automation can reduce risk and improve operational
efficiency. Mark Shaw, co-founder and president of Compliancy, categorized IT audit/compliance technology automation into
four levels: (1) basic; (2) workflow; (3) governance, risk, and compliance; and (4) continuous control. Spreadsheets, checklists,
email, and shared drives are considered basic tools. Workflow tools include enterprise workflow solutions that provide
enforcement and tracking of controls. The next level—governance, risk, and compliance—is fully integrated database
workflow and business intelligence tools. These tools can manage multiple control frameworks. The highest level of
automation is transaction-based continuous control. Shaw’s description of technology automation is in line with Chan and
Vasarhelyi (2011), who advocate innovation in the implementation of continuous audit.1 Furthermore, according to Shaw, all
companies should be moving toward automation if they want to both add value and meet compliance standards. Shaw
discussed the specific benefits of automation. Exhibit 2 summarizes these benefits and provides examples of existing research,
where applicable.
In addition, Shaw addressed reasons to automate, reasons for failure in automation implementation, the limitations of
automation, and how automation can aid in the management of multiple compliance frameworks. Each of these areas is
discussed below.

Why Automate?
Automation can be used to prevent employee procrastination by providing dashboards to help them better manage their
time. The workload is spread out over the year rather than being concentrated at the end of a financial cycle or during an audit.
Without automation, management does not have a clear view of risk or the status of their control environment. Automation can

1
Chan and Vasarhelyi (2011) propose a four-stage paradigm consisting of automation of audit procedures, data modeling and benchmark development,
data analytics, and reporting.

Journal of Information Systems


Volume 30, Number 1, 2016
The Current State and Future Direction of IT Audit: Challenges and Opportunities 11

address productivity decreases during audit time, as well as administrative costs for activities that otherwise need to be done
manually. Automation enables the external auditor to gain confidence in the reports generated by internal audit and ultimately
rely on their outputs (also see Mălăescu and Sutton 2015). Technology can help manage reputational costs associated with
external auditors, external stakeholders, and other people involved with the organization. Yoon et al. (2015) also discuss how
technology and Big Data may be able to provide evidence beyond a traditional audit, which may become useful in the case of a
fraud investigation.

Reasons for Failure


Technology selection is important due to the high upfront and maintenance costs. Nonetheless, even with proper care,
automation can fail. One of the most common reasons of this is an ineffective or nonexistent company risk evaluation done
before deciding on which solution to implement. Another issue is the use of insufficient or poorly matched technology.
Management needs to be involved in the implementation of the solution. Although automation is meant to help employees
perform their jobs better, it can fail when they do not recognize its benefits. Also, when the employees lack appropriate
guidance and training or do not understand the enterprise-wide risks, the chance of failure is increased. In addition, Shaw
pointed out that segregation of duties issues are mainly seen in smaller companies that fail to revisit the issue of adequate
segregation of duties when they are experiencing rapid growth. Companies need to periodically review controls to ensure they
are appropriate for the current (new) system, rather than use the same controls that were in place in the previous system.
Choosing the right technology is an important decision and an evaluation should be made as to whether there is a real
return on the investment. Shaw recommended that an established procurement process should be in place to address the level of
automation needed, the type of tools and additional services required, as well as the overall cost. Each proposed solution should
be evaluated in conjunction with the company’s current situation and independent of prior experience in other business
environments.

Limitations of Automation
Companies need to ensure the major stakeholders are involved in the implementation of automation. In addition,
management should find the right people to be involved with control activities and make sure they are doing what they are
supposed to do, when they are supposed to do it. Evidence is collected continuously throughout the year. Therefore, it is crucial
to establish early on the correct parameters to collect the evidence and to avoid unnecessary delays and sifting through large
quantities of useless data. Moreover, management is responsible for proper administration and training for the personnel
involved with the technology.

Management of Multiple Control Frameworks


To respond to the increasing number of frameworks and regulations that companies need to comply with, businesses are
looking to use automation tools that manage multiple frameworks at the same time. Such tools would allow them to look at all
the compliance requirements globally and capture all the information required to generate each compliance report. Companies
should implement adequate risk assessment to encompass all the compliance frameworks and regulations and implement global
control activities to address their requirements.

IV. EMERGING ISSUES IN IT AUDIT


Section II discussed the importance of data in IT audit, and Section III presented the use of IT audit as a way to meet
compliance requirements and add value to the organization. The panel discussion on emerging issues in IT audit was related to
both of these topics. Specifically, panelists addressed the need for audit data standards, the development of data analytics
applications, the potential for the use of financial information exchanges, the potential use of avatars for audit interviewing, and
the challenges/risks presented by emerging technologies.

Audit Data Standards


Panelists from KPMG and the AICPA discussed the need for and development of audit data standards and data analytics
applications. Susan Pierce, senior technical manager—Information Management and Technology Assurance (IMTA) for the
AICPA, discussed the impact the digital world has on the accounting profession and the key initiatives of the AICPA IMTA
(Exhibit 3).
Although audit and tax services remain the central focus of accounting firms, advisory services offer the most growth
opportunities. Interviews conducted with six large CPA firms by the IMTA last year found that data assurance was the largest

Journal of Information Systems


Volume 30, Number 1, 2016
12 Dzuranin and Mălăescu

EXHIBIT 3
AICPA Information Management and Technology Assurance Services Key Initiatives
Integrated Financial Statement Audit
 Technology Implication for Audits
 Process Assurance and Data Standards
 Service Organization Controls 1
 CAATs Tools/Continuous Monitoring/Audit Apps

Security and Privacy


 Cyber Security
 Trust Services Principles and Criteria/Service Organization Controls (SOC) 2 and SOC 3 report engagements
 Practitioners’ Privacy

Governance, Risk, and Compliance


 Practice Management
 IT Governance and Risk

Source: Susan Pierce, JISC panel presentation, March 27, 2015, Raleigh, NC.

area of growth opportunity for each of the firms. The IMTA also interviewed 100 practitioners and found that the most
requested resource was the Service Organization Control (SOC) report practitioner guides. The future of audit lies in
information assurance. Thus, the need for auditors to be able to use the technology tools and understand the impact and risk of
using technology as it relates to the audit engagement is imperative. The AICPA established the Assurance Services Executive
Committee Emerging Assurance Technologies Task Force to aid auditors in this endeavor. The task force established the Audit
Data Standards (ADS) working group to help develop new technologies that will contribute to the effectiveness, timeliness, and
efficiency of the audit process. To date three standards have been issued: Base, General Ledger, and Accounts Receivable
Subledger. Implementing these standards will allow auditors to more easily access data and use enhanced analytics to improve
the timeliness and effectiveness of the audit process (see Zhang, Pawlicki, McQuilken, and Titera [2012] for a more detailed
discussion of the development of data standards and suggestions for key areas to be researched in the future).

Crowdsourcing to Build Tools for Data Analytics


Although data standards will certainly aid in the acquisition of data needed for analysis, developing adequate data analytics
tools is also crucial. Panelist Joel Pinkus (KPMG and Audit Data Standards working group member) discussed the need for
audit data analytics applications and the potential use of crowdsourcing to develop these applications. Crowdsourcing is the use
of an online community of people to obtain needed services, ideas, or content rather than from traditional employees (Howe
2006). Business use of crowdsourcing continues to grow, as does the research in this area (Zhao and Zhu 2014). The AICPA is
working with companies such as ACL and IDEA to look into the availability of specific routines that can work with SAP,
Oracle, etc. to collect the necessary data. In addition, the AICPA is looking for graduate students and universities to develop
some applications that can be shared within the auditing community. These applications can be in Excel or other tools for
analyzing data. Developed applications can employ a traditional or a new approach.
Figure 1 summarizes the process envisioned by the AICPA ADS working group.
Data will be tagged using audit data standards. Routines will be developed using methodologies and frameworks. Audit
applications will use the tagged data and routines to analyze the data. The AICPA is looking to provide the crowdsourced audit
applications as a resource for internal and external auditors. In addition, the AICPA is looking for help aligning the auditing
standards to the IT controls. Researchers interested in this opportunity are encouraged to reach out to the AICPA.2

Financial Information Exchange


Another possible way to more easily acquire data would be through the use of an independent financial data information
exchange. Panelist Donny Shimamoto (managing director at IntrapriseTechKnowlogies and former chair of the AICPA IMTA
executive committee) discussed the potential to develop and use a financial data information exchange. The exchange would

2
For more information visit the AICPA Audit Data Standard working group website: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/
pages/auditdatastandardworkinggroup.aspx

Journal of Information Systems


Volume 30, Number 1, 2016
The Current State and Future Direction of IT Audit: Challenges and Opportunities 13

FIGURE 1
Development Components for Audit Data Analysis

Adapted from Joel Pinkus, JISC panel presentation, March 27, 2015, Raleigh, NC.
This graphic illustrates the iterative nature of developing and using audit data analytic applications. The audit applications use organizational data to
perform analytical routines. The results of the analysis inform the auditor about the present analysis and provide feedback for future analyses.

contain the transactional level financial data and would be available for internal and external auditors to use. Figure 2 provides
an overview of the finance information exchange as proposed by Mr. Shimamoto.
Data would be provided to the exchange from the entity at the summary and transaction levels for auditors and specialists
to access. After the audit and expert analysis are performed, the financial information would be returned to the exchange at the
summary level with assurance. Entity stakeholders (e.g., investors and lenders), as well as public policy users (e.g., SEC,
regulators, legislators) and industry analysts would be able to access the summary-level financial information. This type of
exchange will bring together the flow of financial data with assurance already attached to it. According to Shimamoto, such an
exchange has been successfully deployed at a startup in Silicon Valley. The financial data information exchange provides an
exciting area for future research.

Avatar Interviewing
Panelist Matt Picard led a discussion about avatar interviewing technology and the potential uses for such technology in
accounting. In computer science, an avatar is defined as a movable image that represents a person in a virtual reality
environment or in cyberspace. The specific type of avatar suggested for interviewing is an autonomous computer interface
capable of conversing verbally and nonverbally with humanlike features and responses.3 Avatars can potentially be used to
quickly screen a large number of applicants (e.g., in job hiring/recruiting, port of entry rapid screening), as well as to gather
sensitive information that a person may be reluctant to share due to some perceived social stigma (e.g., psychiatric therapy, and
healthcare). In accounting, avatar interviewing could be used in IT audits, internal and external audits, job hiring, fraud
investigations, and testing interview questions.
Picard pointed out that substantial research shows that people reveal more to/through computers than to human
interviewers. Furthermore, people tend to treat computers as social actors. Avatars are capable of building rapport and
likeability leading to greater self-disclosure from the interviewee.
Although avatars cannot completely replace the effectiveness of a human interviewer, there are many benefits to
supplementing human interviews with avatar interviews. For example, an avatar will be unbiased and unprejudiced. The avatar
will not fatigue, get frustrated, or discouraged, thus enabling more accurate and reliable data collection (Danziger, Levav, and

3
This type of avatar is considered an Embodied Conversational Agent (ECA). See Picard, Burns, and Moffitt (2013) for a theoretical justification for
using ECAs in accounting interviews.

Journal of Information Systems


Volume 30, Number 1, 2016
14 Dzuranin and Mălăescu

FIGURE 2
Finance Information Exchange

Source: Donny Shimamoto, IntrapriseTechKnowledgies LLC, JISC panel presentation, March 27, 2015, Raleigh, NC.

Avnaim-Pesso 2011). Avatar technology allows for easily manipulated and customized interviews. Finally, avatars can be a
more cost effective method for conducting interviews.

Emerging Technologies Challenges/Risks


Few would argue that emerging technologies provide both benefits and risks to organizations. The panelists discussed the
current risks faced by organizations from various technologies, the impact of new regulatory requirements, and the implications
for IT audit. Exhibit 4 lists the most challenging emerging technologies for organizations.

Journal of Information Systems


Volume 30, Number 1, 2016
The Current State and Future Direction of IT Audit: Challenges and Opportunities 15

EXHIBIT 4
Increasing Risks from New Technology
Technology Issue Risk
Hyperconnectivity The ability to connect technology devices is increasing making security more difficult.
New payment methods Apple Pay and Google Wallet. Security issues related to new payment methods are
increasing.
Open APIs Application Programming Interface. Many companies use this interface with customers.
Open platform increases security risks.
Big Data Organizations do not know how to audit it.
BYOT (bring your own technology) The lines are getting blurred between organization’s technology and employees’ personal
technology. How do you control this? How do you audit these?
Internet of things Ability to transfer data over a network without requiring human-to-human or human-to-
computer interaction. Increased security risk.
XaaS (Everything as a Service) Platforms supported by other companies and are very difficult to audit.
Social business Uber, AirBnB, etc. are difficult to audit.
Source: Srinivas Saraswatula, JISC panel presentation, March 27, 2015, Raleigh, NC.

IT audit is going to be more and more involved within the organization as a result of these new technologies. As a result,
the need for qualified IT auditors will continue to grow.
Coupled with these risks are the increasing regulatory requirements. For example, the SEC Office of Compliance
Inspections and Examinations (OCIE) began a cybersecurity initiative in 2014 focusing on the securities industry. The program
is designed to assess cybersecurity preparedness and obtain information about recent cyber threats (SEC 2015). The first report
was issued on February 2, 2015 and details the findings from a cybersecurity examination of 57 registered broker-dealers and
49 registered investment advisors.4
In light of the regulatory requirements, as well as recent well-publicized cybersecurity breaches (e.g., Sony, Target, Home
Depot), audit committees need to have greater involvement in the governance of cybersecurity issues.

V. POTENTIAL RESEARCH OPPORTUNITIES


The combination of the panelist presentations, audience participation, and the papers presented at the conference provided
fertile ground for research ideas. In the preceding sections we have provided a summary of the topics discussed. In this section
we present ideas for future research based on those discussions.
The need for alignment between academic research and practical relevance has been addressed in recent literature (Kaplan
2011; Basu 2012; McCarthy 2012; Geerts et al. 2013). Geerts et al. (2013) provide a research framework to aid in the
integration of information technology accounting research and practice. The framework is comprised of three cycles:
Relevance, Design, and Rigor. Research should begin with identifying business needs and the accounting information system
artifact to address that need (Relevance Cycle). Research should then be designed that either aids in the development of the
accounting artifact, builds theory to explain how or why an artifact works, evaluates how well the artifact works, or justifies
why and how the artifact works (Design Cycle). The research results should address the practical application, as well as add to
the research knowledge base (Rigor Cycle). Figure 3 illustrates the framework.
The business needs addressed in the panel discussions can be included in the relevance cycle of the research framework.
With this framework in mind, we provide some potential research ideas derived from the panel discussions. Exhibit 5 presents a
list of suggested research questions in the order in which we discussed the topics in previous sections.
The topic of data and IT audit provides many potential research questions. We use one of those topics to illustrate the
application of the Geerts et al. (2013) research framework. As discussed above, it is important to start with a research question
that is relevant to practice. Per the panelist discussions, one of the most pressing problems is being able to identify appropriate
criteria in the analytics program so that the audit is efficient and effective. Fraud detection analytical procedures that did not

4
For the detailed report see: https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf

Journal of Information Systems


Volume 30, Number 1, 2016
16 Dzuranin and Mălăescu

FIGURE 3
Research Frameworka

a
Source: Geerts et al. (2013).

meet expectations were one of the examples provided by the panelists. Figure 4 illustrates how this business need can be
addressed by research.
As depicted in Figure 4, the research process begins with the business need. That need can be addressed via development
of the fraud criteria to be used in an application (Develop). After identifying the criteria, research can be designed to test the
efficacy of the criteria (Evaluate) or to explain why and how it works (Justify). Researchers should leverage the existing
knowledge base to help develop, evaluate, or justify the accounting information system artifact.

VI. CONCLUSION
The purpose of this commentary is to provide insight into the current issues facing IT audit, as seen by the variety of
practitioners that participated in two panel discussions at the 2015 JISC. Kaplan (2011, 368) stresses that academic
scholars should contribute to ‘‘advancing the profession’s body of knowledge, especially when innovation is high and
major changes are occurring in the practice environment of the profession.’’ Clearly, the IT audit area is in a state of
constant innovation driven both by technology and stakeholder demands. These innovations, along with regulatory
compliance requirements, are changing the practice environment. Section II highlights the influence of the increased
volume and availability of data on both internal and external audit functions. Research has already begun in the area of
‘‘Big Data,’’ but more is needed to address the current IT audit practice environment (Alles 2015; Griffin and Wright 2015;
Krahel and Titera 2015; Vasarhelyi et al. 2015; Warren et al. 2015; Yoon et al. 2015; Zhang et al. 2015).5 Wang and

5
See Section II for specific references to these papers.

Journal of Information Systems


Volume 30, Number 1, 2016
The Current State and Future Direction of IT Audit: Challenges and Opportunities 17

EXHIBIT 5
Potential Research Questions
Topic Area Possible Research Questions
I. Data
Data Analytics  Is the failure to identify the appropriate criteria the reason audit data analytics do not
produce the results anticipated?
 How do companies ensure their data analytics systems are using the appropriate criteria?
 Can data analytics help audit firms improve audit quality?
 What changes should be implemented in accounting education as a response to the spread
of data analytics?
Data Quality and Access Concerns  How can companies efficiently and reliably combine data from both new and legacy
systems?
 What changes need to be implemented in the audit process as a response to data concerns
in companies that rely heavily on analytics?
Data Risks  What are the effects of more controls over data in supply chain relations?
 How do companies in different industries address data risks? Are some more vulnerable
than others?
 How are data risks incorporated in enterprise risk management? What is management’s
response to these risks?
II. Compliance
Automation and  Is there a benefit to compliance beyond meeting regulatory requirements? How can this
Value benefit be quantified?
 Is compliance the floor or the ceiling? What lessons can be learned from each management
approach?
 How can compliance be streamlined using automation? Can compliance audits be simplified
as a result of automation?
 What is the impact of following the letter of the law vs. the spirit of the law on different
stakeholders (employees, investors, community, etc.)?
III. Emerging Issues
Audit Data Standards  How will data standards improve audit analytics?
 How can data standards be aligned with IT control frameworks?
 What efficiencies will be gained by companies adopting the AICPA data standards?
 What are the characteristics of companies adopting the AICPA data standards?
Audit Data Analytics  Is crowdsourcing the development of audit data analytics feasible and, if so, how will the
quality of the analytics be assessed?
 What are some of the measures auditors take to ensure a crowdsourced audit application
uses criteria that are not known by the entity audited?
Avatar Interviewing  Will the use of an avatar elicit as much information as human interviews?
 Under what circumstances will avatar interviewing provide better information than human
interviews?
Financial Information Exchanges  Is a financial information exchange a viable option for improving the efficiency and
effectiveness of internal and external audit? Will it improve audit quality?
 Will auditors (both internal and external) rely on the information exchange? What are some
necessary changes to the audit process?
 Who will provide assurance over an information exchange? What is the appropriate audit
methodology for an exchange?
 How will an information exchange affect B2B relations?
Emerging Technologies  What are the specific audit issues related to emerging technologies?
 How do investors value new technologies?
 To what extent can/should auditors examine risks related to data collected via sensors?

Cuthbertson (2015), for example, discuss eight issues on data analytics where research is needed, and these coincide with
the panelists’ discussions. In addition, Schneider, Dai, Janvrin, Ajayi, and Raschke (2015) identify emerging management
and regulatory challenges related to data analytics and suggest new research opportunities. Section III discusses the issue
of compliance and raises the question of whether there is value beyond simply meeting compliance standards. Specifically,
how can the automation of audit procedures improve not only the audit process but also add value to the organization?

Journal of Information Systems


Volume 30, Number 1, 2016
18 Dzuranin and Mălăescu

FIGURE 4
Application of Geerts et al.’s (2013) Framework

Section IV provides a summary of the panelists’ views on emerging issues related to audit data standards, audit analytics
applications, financial data exchanges, the use of avatar interviewing, and other emerging technologies. Each of these
areas provides a variety of research opportunities. In Section V we outline a list of potential research questions based on
the panel discussions. Identifying the business needs in the current IT audit environment and using those needs as a basis
for research questions enhances the relevance of academic research. We have also included an example of how the Geerts
et al. (2013) framework can be applied to one of the identified research questions.
Although we hope our commentary on the panel discussions will help provide ideas for future research, we do not contend
that it is inclusive of all current issues facing IT audit. Care was taken to include as much of the discussions as possible;
however, it is possible we may have missed or omitted information.
This paper contributes to the literature by providing insights into emerging professional challenges and opportunities. The
suggested research questions, along will an illustration of incorporating those questions into a research framework, will help
inspire ideas to develop research that is relevant to both practice and academia. Overall, our hope is that researchers will use the
information presented in this paper and the context of a research framework (e.g., Geerts et al. 2013) to develop rigorous
research in emerging areas that are relevant to practice.

Journal of Information Systems


Volume 30, Number 1, 2016
The Current State and Future Direction of IT Audit: Challenges and Opportunities 19

REFERENCES
Alles, M. G. 2015. Drivers of the use and facilitators and obstacles of the evolution of Big Data by the audit profession. Accounting
Horizons 29 (2): 439–449.
American Institute of Certified Public Accountants (AICPA). 2015. Audit Data Standard Working Group. Available at: http://www.aicpa.
org/interestareas/frc/assuranceadvisoryservices/pages/auditdatastandardworkinggroup.aspx
Arena, M., and G. Azzone. 2009. Identifying organizational drivers of internal audit effectiveness. International Journal of Auditing 13
(1): 43–60.
Bamber, E. M., and V. M. Iyer. 2007. Auditor’s identification with their clients and its effect on auditors’ objectivity. Auditing: A Journal
of Practice & Theory 26 (2): 1–24.
Basu, S. 2012. How can accounting researchers become more innovative? Accounting Horizons 26 (4): 851–870.
Cao, M., R. Chychyla, and T. Stewart. 2015. Big Data analytics in financial statement audits. Accounting Horizons 29 (2): 423–429.
Chan, D. Y., and M. A. Vasarhelyi. 2011. Innovation and practice of continuous auditing. International Journal of Accounting
Information Systems 12 (2): 152–160.
Danziger, S., J. Levav, and L. Avnaim-Pesso. 2011. Extraneous factors in judicial decisions. Proceedings of the National Academy of
Sciences 108 (17): 6889–6892.
El-Masry, E., and K. A. Hanson. 2008. Factors affecting auditors’ utilization of evidential cues: Taxonomy and future research directions.
Managerial Auditing Journal 23 (1): 26–50.
Farkas, M. J., and R. M. Hirsch. 2016. The effect of frequency and automation of internal control testing on external auditor reliance on
the internal audit function. Journal of Information Systems (forthcoming).
Geerts, G. L., L. E. Graham, E. G. Mauldin, W. E. McCarthy, and V. J. Richardson. 2013. Integrating information technology into
accounting and practice. Accounting Horizons 27 (4): 815–840.
Griffin, P. A., and A. M. Wright. 2015. Commentaries on Big Data’s importance for accounting and auditing. Accounting Horizons 29
(2): 377–379.
Howe, J. 2006. The rise of crowdsourcing. Wired Magazine 14 (6): 1–4.
Issa, H., and A. Kogan. 2014. A predictive ordered logistic regression model as a tool for quality review of control risk assessments.
Journal of Information Systems 28 (2): 209–229.
Kaplan, R. S. 2011. Accounting scholarship that advances professional knowledge and practice. The Accounting Review 86 (2): 367–383.
Kaplan, S. E., E. F. O’Donnell, and B. M. Arel. 2008. The influence of auditor experience on the persuasiveness of information provided
by management. Auditing: A Journal of Practice & Theory 27 (1): 67–83.
Koskivaara, E. 2000. Artificial neural network models for predicting patterns in auditing monthly balances. Journal of the Operational
Research Society 51: 1060–1069.
Koskivaara, E. 2004. Artificial neural networks in analytical review procedures. Managerial Auditing Journal 19 (2): 191–223.
Koskivaara, E. 2007. Integrating analytical procedures into continuous audit environment. Journal of Information Systems and
Technology Management 3 (3): 331–346.
Krahel, J. P., and W. R. Titera. 2015. Consequences of Big Data and formalization on accounting and auditing standards. Accounting
Horizons 29 (2): 409–422.
Kuhn, J. R., Jr., and S. G. Sutton. 2010. Continuous auditing in ERP system environments: The current state and future directions. Journal
of Information Systems 24 (1): 91–112.
Mălăescu, I., and S. G. Sutton. 2015. The reliance of external auditors on internal audit’s use of continuous audit. Journal of Information
Systems 29 (1): 95–114.
McCarthy, W. E. 2012. Accounting craftspeople versus accounting seers: Exploring the relevance and innovation gaps in academic
accounting research. Accounting Horizons 26 (4): 833–843.
Moffitt, K., and M. A. Vasarhelyi. 2013. AIS in an age of Big Data. Journal of Information Systems 27 (2): 1–19.
Murthy, U. S., and D. S. Kerr. 2004. Comparing audit team effectiveness via alternative modes of computer-mediated communication.
Auditing: A Journal of Practice & Theory 23 (1): 141–52.
Nigrini, M. J., and A. J. Johnson. 2008. Using key performance indicators and risk measures in continuous monitoring. Journal of
Emerging Technologies in Accounting 5 (1): 65–80.
Pathak, J., B. Chaouch, and R. S. Sriram. 2005. Minimizing cost of continuous audit: Counting and time dependent strategies. Journal of
Accounting and Public Policy 24 (1): 61–75.
Pathak, J., S. Nkurunziza, and S. E. Ahmed. 2007. General theory of cost minimization strategies of continuous audit of databases.
Journal of Accounting and Public Policy 26 (5): 621–633.
Perols, J. L., and U. S. Murthy. 2012. Information fusion in continuous assurance. Journal of Information Systems 26 (2): 35–52.
Picard, M. D., M. B. Burns, and K. C. Moffitt. 2013. A theoretical justification for using embodied conversational agents (ECAs) to
augment accounting-related interviews. Journal of Information Systems 27 (2): 159–176.
Potla, L. 2003. Detecting accounts payable abuse through continuous auditing. IT Audit 6.
Rezaee, Z., W. Ford, and R. Elam. 2000. Real-time accounting systems. Internal Auditor 57 (2): 62.
Rezaee, Z., A. Sharbatoghlie, R. Elam, and P. L. McMickle. 2002. Continuous auditing: Building automated auditing capability.
Auditing: A Journal of Practice & Theory 21 (1): 147–163.

Journal of Information Systems


Volume 30, Number 1, 2016
20 Dzuranin and Mălăescu

Searcy, D. L., T. J. Ward, and J. B. Woodroof. 2009. Continuous reporting benefits in the private debt capital market. International
Journal of Accounting Information Systems 10 (3): 137–151.
Securities and Exchange Commission (SEC). 2015. Cybersecurity Examination Sweep Summary. Available at: http://www.sec.gov/about/
offices/ocie/cybersecurity-examination-sweep-summary.pdf
Schneider, G., J. Dai, D. Janvrin, K. Ajayi, and R. L. Raschke. 2015. Infer, predict, and assure: Accounting opportunities in data analytics.
Accounting Horizons 29 (3): 719–742. doi: dx.doi.org/10.2308/acch-51140
Vasarhelyi, M. A., and M. G. Alles. 2008. The ‘‘now’’ economy and the traditional accounting reporting model: Opportunities and
challenges for AIS research. International Journal of Accounting Information Systems 9 (4): 227–239.
Vasarhelyi, M. A., M. G. Alles, and K. Williams. 2010. Continuous Assurance for the Now Economy. Available at: http://raw.rutgers.edu/
Continuous_Assurance_for_the_Now_Economy_-_2nd_draft%20mav.pdf
Vasarhelyi, M. A., A. Kogan, and B. Tuttle. 2015. Big Data in accounting: An overview. Accounting Horizons 29 (2): 381–396.
Wang, T., and R. Cuthbertson. 2015. Eight issues on audit data analytics we would like researched. Journal of Information Systems 29
(1): 155–162.
Warren, J. D., Jr., K. C. Moffitt, and P. Byrnes. 2015. How Big Data will change accounting. Accounting Horizons 29 (2): 397–407.
Yoon, K., L. A. Hoogduin, and L. Zhang. 2015. Big Data as complementary audit evidence. Accounting Horizons 29 (2): 431–438.
Zhang, J., X. Yang, and D. Appelbaum. 2015. Toward effective Big Data analysis in continuous auditing. Accounting Horizons 29 (2):
469–476.
Zhang, L., A. R. Pawlicki, D. McQuilken, and W. R. Titera. 2012. The AICPA assurance services executive committee emerging
assurance technologies task force: The audit data standards (ADS) initiative. Journal of Information Systems 26 (1): 199–205.
Zhao, Y., and Q. Zhu. 2014. Evaluation on crowdsourcing research: Current status and future direction. Information Systems Frontier 16:
417–434.

Journal of Information Systems


Volume 30, Number 1, 2016
Copyright of Journal of Information Systems is the property of American Accounting
Association and its content may not be copied or emailed to multiple sites or posted to a
listserv without the copyright holder's express written permission. However, users may print,
download, or email articles for individual use.