INFORMATION TECHNOLOGY (IT) RELATED AUDITING
IN MALAYSIAN PUBLIC SECTOR:
An Empirical Study of National Audit Department of Malaysia
Farida Binti Veerankutty
Bachelor of Accountancy (Hons)
University Pertanian Malaysia, Malaysia
1996
Submitted to the Graduate School of Business
Faculty of Business and Accountancy
University of Malaya, in partial fulfilment
of the requirement for the Degree of
Master of Business Administration
June 2009
ABSTRACT
Advances in information technology (IT) continuously render control procedures
obsolete. Audit methodology must therefore evolve to keep abreast of changes in
technology. This study investigates the adoption and usage of IT control evaluation
and examines IT evaluation based on IT audit objectives, organisational
characteristics, competency of auditors and usage of CAATTs. Self-administered mail
questionnaires were sent to 400 public sector auditors (providing a usable sample
size of 73). The instrument was developed based on the 36 specific tests outlined in
IFAC (1995). The results show that application processing control and data
integrity, privacy and security control were the evaluations most frequently
performed by public sector auditors. It was observed that auditors in different
divisions performed evaluations of system development and acquisition control, as
well as system maintenance and program change control, differently. IT audit
objectives related to compliance with policies, procedures and regulations are given
higher consideration and are performed differently in different divisions. CAATTs
have been used most frequently as a problem-solving aid. Only application processing
controls are associated with the percentage of new systems. Several appealing
patterns emerged from the regression models. The audit objective related to fairness
of financial statements and accuracy of accounting records appears to have the
greatest association with IT controls. The usage of CAATTs appears to have the
strongest association with IT evaluations. The existence of new systems may play a
role in evaluations. The results will enable management and auditors to better
understand the control evaluations of their CIS and to pay more attention to
evaluations that have been overlooked by auditors, as well as to improve IT
evaluation procedures. The reviews show that this is the first research done in the
Malaysian public sector. By virtue of this, this study is conducted with the aim of
filling the gap.
ACKNOWLEDGEMENT
Firstly I would like to express my deepest gratitude to Allah s.w.t. for His blessing to
allow me to complete this thesis.
I would like to thank my dearest husband, Mohammad Kamarul Shah and my darling
children Nuraqila Yusrah, Suziyanah Natasyah, Aamar Razziq, Aiman Firdaus and
Haffiz Rafi, for their endless support and love throughout the thesis. Many times the
thesis took on a life of its own requiring my family, in particular my husband, to make
many personal sacrifices to enable me to achieve my goal. I would also like to thank
my dearest mom for her incessant support and help during the preparation of this
thesis. I dedicate this thesis to my late father for his encouragement.
In particular, I would like to extend a special thank you to my supervisor,
Dr. Nurmazilah Binti Dato’ Mahzan, who always went the extra mile serving as
a constant source of expertise, encouragement and steadfast guidance.
I also would like to express my greatest gratitude to my best friend
Sarimah Binti Umor, who helped me in every way during my study.
TABLE OF CONTENTS
ABSTRACT
CHAPTER I: INTRODUCTION
1.1 Background
1.2 Problem Statement
1.3 Significance & Contributions of the study
1.4 Research Questions
1.5 Research Objectives
1.6 Scope of the Study
1.7 Research Model
1.8 Organisation of Study
CHAPTER II: LITERATURE REVIEW
2.1 Introduction
2.2 The Impact of IT in Malaysian Public Sector
2.3 Public Sector Auditing
2.4 IT Related Auditing in Malaysian Public Sector
2.5 The Impact of IT on Auditing
2.5.1 IT Control Evaluation Activities
2.5.2 IT Audit Objectives
2.6 Usage of CAATTs
2.7 Auditors Competencies
2.8 Organisational Characteristics
2.8.1 Type of Auditor
2.8.2 Size of Organisation
2.8.3 Structure of Computerised Information System
2.8.4 New Computer System
2.9 Summary
CHAPTER III: RESEARCH METHODOLOGY
3.1 Introduction
3.2 Development of Hypotheses
3.2.1 IT Control Evaluation Activities (ITC1-8)
3.2.2 IT Audit Objectives (X1-4)
3.2.3 Usage of Computer Assisted Auditing Tools and Techniques (X5)
3.2.4 Auditors Competencies (X6)
3.2.5 Organisation Characteristics (X7-10)
3.3 Selection of Measures
3.4 Sampling Design
3.5 Data Collection Procedures
3.6 Data Analysis Techniques
3.7 Summary
CHAPTER IV: FINDINGS AND DISCUSSION
4.1 Introduction
4.2 Demographic Analysis
4.3 Descriptive Analysis
4.3.1 Hypothesis 1: Performance of IT Control Evaluation Activities
4.3.2 Hypothesis 2: Performance of IT Audit Objectives
4.3.3 Hypothesis 3: Performance of Various Usage of CAATTs
4.3.4 Hypothesis 4: Relationship between IT Control Evaluations and Auditors Competencies
4.3.5 Hypothesis 5: Organisation Characteristics and IT Control Evaluations
4.4 Multiple Regression Analysis
4.4.1 Hypothesis 6: Factors Contributed in the Evaluations of IT Control
4.5 Summary
CHAPTER V: CONCLUSION AND RECOMMENDATIONS
5.1 Introduction
5.2 Summary and Conclusion
5.3 Limitation of the Study
5.4 Recommendations and Suggestions for Future Research
5.5 Implications
6 REFERENCES
APPENDIX 1
APPENDIX 2
APPENDIX 3
APPENDIX 4
APPENDIX 5
APPENDIX 6
APPENDIX 7
APPENDIX 8
APPENDIX 9
APPENDIX 10
APPENDIX 11
APPENDIX 12
APPENDIX 13
LIST OF TABLES
Table 4.1 Demographic Profile of Respondent (N=73)
Table 4.2 Descriptive Statistics on Types of IT Control Evaluation (N=73)
Table 4.3 Descriptive Statistics on IT Audit Objectives (N=73)
Table 4.4 Descriptive Statistics on Usage of CAATTs (N=73)
Table 4.5 Correlations Coefficient between IT Control Evaluation Activities and Auditors Competency (N=73)
Table 4.6 Comparison of Kruskal Wallis Test on IT Control Evaluation Activities by Organisation Characteristics (N=73)
Table 4.7 Summary of Multiple Regression Analysis - Correlation Coefficient and Significant value of each Independent Variables (N=73)
LIST OF FIGURES
Figure 2.1 National Audit Department Organisation Structure as at 31 December 2008
LIST OF SYMBOLS AND ABBREVIATION
ACL One Type Of Generalised Audit Software
AICPA American Institute Of Certified Public Accountant
AIS Accounting Information System
CAATTs Computer Assisted Audit Tools And Techniques
CIS Computerised Information System
COBIT Control Objectives For Information And Related Technology
COSO Committee Of Sponsoring Organization
EDI Electronic Data Interchange
EDP Electronic Data Processing
ERP Enterprise Resource Planning
GAS Generalised Audit Software
IFAC International Federation Of Accountant
IIA Institute of Internal Auditor
INTOSAI International Organisation Of Supreme Audit Institutions
IS Information Systems
ISACA Information Systems Audit And Control Association
IT / ICT Information Technologies / Information And Communication Technologies Are Used Interchangeably In This Study
MIS Management Information System
MTCP Malaysian Technical Cooperation Program
NAD National Audit Department Of Malaysia – An Organisation That Is Responsible For Conducting Auditing In The Public Sector
OLS Ordinary Least Square Regression
PCAOB Public Company Accounting Oversight Board
CHAPTER I: INTRODUCTION
1.1 Background
The impact of information technology (IT) in business has grown exponentially in
recent years; it has changed the audit process and has resulted in opportunities
and challenges for auditors. The audit profession is rapidly advancing in response to
changes in its environment. It is also argued that auditors are struggling to maintain
their identity and purpose as the organisations they audit undergo radical changes
(Solomon and Trotman, 2003). Advances in IT continuously render control
procedures obsolete, and the “value” of the traditional audit has come to be seriously
questioned (Tongren and Warigon, 1997). As IT changes occur more quickly,
auditors must keep pace with emerging technological changes and their impact on
their organisation’s data processing system, as well as their own audit procedures
(Rezaee and Reinstein, 1998). As the usage of IT in organisations becomes
increasingly complex, auditors must embrace technology, understand it, and be
able to audit the processes effectively and use it as an audit tool. While the
complexity of IT makes auditing more challenging, it also provides an opportunity to
streamline internal audit activities by designing and utilising continuous IT controls.
Training internal audit staff in computer skills would ensure IT knowledge as
an alternative to traditional manual audit techniques (Hass, Abdolmohammadi and
Burnaby, 2006).
IT is an increasingly powerful tool for improving the delivery of government services.
IT and the internet in particular have opened new possibilities for the government
and the governed, just as they have for businesses and their customers (Hazman and
Maniam, 2004; Moon, 2002). Over the past decade many governments, including the
Malaysian government, have planned and implemented programmes intended to
start the government on its way into the digital world. The highly complex
bureaucracies that grew to regulate the economy and society through highly
differentiated but usually poorly integrated machinery (Marche & McNiven, 2003;
Davison, Wagner & Ma, 2005) can eventually be reconstructed through IT.
Governments of both developed and developing countries have embraced IT to improve
the quality of public services, increase public access to information and energise
more participation in public affairs (Becker, 1998; Moon, 2002). As computer
technology has become sophisticated, government organisations have become
progressively more reliant on computerised information systems (CIS) to perform
their operations and to process, maintain, and report essential information.
Besides, the size and intricacy of government tasks and the demand for timely and
accurate information necessitate the use of IT in public services.
Although the overall objective and scope of an audit do not change in a computerised
environment, the use of IT has tremendously changed the mode and speed of
processing, and the storage media of financial data and records (Yang and Guan, 2004).
These changes have significantly inflated the organisation and the procedures of the
client's accounting and internal control systems. Consequently, the reliability of
computerised data and of the systems that process, maintain and report these data
is a major concern to audit. Auditors evaluate the reliability of computer-generated
data supporting financial statements and analyse specific programs and their
outcomes. In addition, auditors examine the adequacy of controls in information
systems and related operations to ensure system effectiveness. IT auditing is the
process of collecting and evaluating evidence to determine whether a computer
system has been designed to maintain data integrity, safeguard assets, allow
organisational goals to be achieved effectively, and use resources efficiently.
Auditors must know the characteristics of users of the information system and the
decision-making environment in the client organisation while evaluating the
effectiveness of any system[i].
Public sector audit and accounting practices in Malaysia are experiencing major
reform aimed at increasing transparency, streamlining accountability and improving
overall financial management in line with international standards and practices.
Improvements in IT have also provided the spur to adopt more cost-effective tools for
overseeing government accounts and supplying information to government decision
makers for effective and efficient financial management. The IT developments in
government have opened new challenges for the auditing profession, as auditors
now have to audit accounts prepared on CIS. In order to meet these
challenges, the Malaysian public sector audit has widely used ACL, which was one of
the most common generalised audit software packages during the 1980s, in conducting
compliance audits. An enormous shift to IT related auditing in the public sector began
in 1998 when the National Audit Department of Malaysia (NAD) sent its officers to pursue
studies on Information System Audit at University Technology Malaysia.
Furthermore, some officers were sent to India to gain knowledge of IT related
auditing. In 2002, NAD issued its first IT Audit Guidelines to assist its officers in
conducting IT audits. In addition, a comprehensive IT plan for strategic top-down
control of audit has been put in place.
[i] Retrieved January 28, 2009 from http://www.intosaiitaudit.org/India_GeneralPrinciples.pdf
1.2 Problem Statement
The migration of e-business tools and practices into government organisations is
changing the way citizens and governments interact. Malaysian governments are
transforming themselves as they increasingly move to delivering information and
services electronically. Public sector auditors have a significant interest in these
developments, especially in issues related to prudence and integrity, value for
money, the stewardship of public assets and the quality of information used for
decision making. CIS and IT have become the backbone of almost every
organisation. As a result, IT audits are needed to provide assurance that systems are
adequately controlled, secured and functioning as intended (Petterson, 2005).
Different industries face different risks and therefore require different
control frameworks (Hunton, Benford & Arnold, 2000). Traditional control
frameworks, applicable to legacy environments, may not be applicable to the current
environment and may in fact subvert (Nearon, 2000). New audit strategies must be
developed for evaluating organisation functions that have begun to utilise e-business
(Attaway, 2000). An auditor may now decide that it is not practical or possible to limit
detection risk to an acceptable level by performing only substantive tests when most
of the business information is in electronic form. In such cases, the auditor should gather
evidence about the effectiveness of both the design and operation of controls
intended to reduce the assessed level of control risk (Tucker, 2001). The necessary
assurance could be achieved only when IT controls are selected and implemented
properly based on the risks they are designed to manage (Le Grand, 2005). In an
effort to reduce the number of IT failures, auditors should also provide value-added
services in areas that are often overlooked. An auditor’s involvement in evaluating
and improving the quality of the processes which are used to validate and document the
systems, as well as to train the personnel, could contribute to achieving a successful IT
implementation (Rishel and Ivancevich, 2003). As information systems are so
pervasive and fundamental to organisation performance, evaluation of IT risks and
controls is crucial to organisation performance (Hermanson, Hill & Ivancevich, 2000).
1.3 Significance & Contributions of the study
This study gives an insight into, and assesses, the IT control evaluation activities
performed by Malaysian public sector auditors, which are often the important risk
element of the overall organisation risk. The intention of this research is to help
public sector auditors in Malaysia to evaluate the extent to which auditors
have adopted and used IT control evaluation in public sector organisations, as well as to
analyse areas where IT control evaluations are not currently used and the factors
that contribute to IT control evaluation activities.
Although considerable research exists on IT control and on internal auditing, there are
limited studies that address IT control evaluation activities in public sector
auditing. As such, the findings from this research would generate new conclusions to
enrich the existing literature on IT related auditing. Besides, this is the first study in
Malaysia that looks into IT audit in the public sector. The contribution of this research is
to provide an understanding of the IT control evaluations performed by Malaysian public
sector auditors. The results will enable auditors to better understand the internal control
evaluation activities of their CIS and to pay more attention to evaluation activities
which have been overlooked by auditors. The findings may also improve the IT
evaluation activities in Malaysian public sector organisations by considering the
important factors that may affect the evaluations.
1.4 Research Questions
The current study explores and investigates the following research questions:
RQ 1: What is the frequency of performance of the eight IT control evaluation
activities suggested by the IFAC in Malaysian public sector organisations?
RQ 2: What is the frequency of performance of the four IT audit objectives in
Malaysian public sector organisations?
RQ 3: What is the frequency of usage of CAATTs by public sector auditors in
performing IT evaluation activities within Malaysian public sector organisations?
RQ 4: Is there any significant correlation between IT control evaluation activities
and the competency of auditors in IT?
RQ 5: Are there any significant differences between the IT control evaluation
activities performed by public sector auditors and different organisation
characteristics?
RQ 6: Are the IT control evaluations suggested by the IFAC and performed by
public sector auditors explained differently by (a) audit objectives; (b)
organisational characteristics; (c) competency of auditors and (d) usage of
CAATTs?
1.5 Research Objectives
The general objective of the current research is to enhance the awareness of IT
control evaluations and related activities in Malaysian public sector auditing. This
study is intended to explore the following specific research objectives:
• To investigate the IT control evaluation activities performed by public sector
auditors across the public sector organisations.
• To explore the IT audit objectives performed by public sector auditors across
the public sector organisations.
• To study the various usage of CAATTs by public sector auditors in the public
sector organisations.
• To explore whether IT control evaluation activities are associated with
auditors' competencies in IT.
• To examine whether the IT control evaluation activities performed by
Malaysian public sector auditors vary based on organisational
characteristics.
• To investigate whether audit objectives, organisational characteristics, usage
of CAATTs and competencies of auditors make different contributions to the IT
evaluations performed by public sector auditors.
1.6 Scope of the Study
Since this paper focuses on IT related auditing in the Malaysian public sector,
and specifically in the National Audit Department of Malaysia, the scope of the study
is the organisations that are involved in IT related auditing, represented by
the National Audit Department of Malaysia and the internal audit departments of
ministries. Local authorities are excluded from the sample because these
organisations are not under the scrutiny of NAD and have the least involvement in IT
related auditing.
1.7 Research Model
Auditors are faced with the challenge of understanding the client’s IT processing and
control environment. Further complicating the situation are various guidelines and
standards whose application depends on the nature of the entity: a publicly traded
company, a privately held company, or a government agency. Different
standards-setting bodies regulate auditing and assurance services for entities in different
situations, and understanding these different requirements in the context of
information systems processing and controls is critical.
The critical nature of IT control evaluation activities is evidenced by the recent
focus placed on the topic by a variety of professional organisations. These
organisations have placed emphasis on the importance of IT processes and controls
in assessing the client's control environment and encourage auditors to adopt IT
in their auditing. These organisations are mainly the Information System Auditing
Control Association (ISACA), the Internal Auditor Research Foundation (IIA), the
Committee of Sponsoring Organisation (COSO), the American Institute of Certified
Public Accountant (AICPA), the Public Company Accounting Oversight Board
(PCAOB), and the International Federation of Accountant (IFAC) (Colbert and
Bowen, 1996; O'Donnell and Rechtman, 2005). Each of these organisations has
published a standard to assist with the definition of control objectives and the
evaluation of internal control related to IT within an organisation. Colbert and Bowen
(1996) compared some of the documents with respect to audience, control
objectives and focus. They found that the audience and focus for internal control
evaluation vary but the internal control objectives are similar across the 5
documents as per Appendix 1. However, auditing researchers and practitioners still
have little guidance available on what IT control evaluation activities have been or
should be adopted (Janvrin, 2008).
This study has chosen to use the objectives, evaluations and tests delineated by the
IFAC in the statement of Information Technology in the Accounting Curriculum (IFAC
1995), which is in line with the studies of Hermanson et al. (2000) and Abu Musa
(2008). The IFAC terminology was used because (1) the AICPA has supported and
indicated that the group of IT control evaluations used in IFAC is “universally
applicable”; and (2) the IFAC documents provide details of specific evaluations and the
tests within each evaluation. Besides, these IFAC documents were found to be comparable
with the IT Audit Manual of the National Audit Department of Malaysia.
1.8 Organisation of Study
The study is organised into five chapters. The second chapter reviews pertinent
literature related to IT control evaluation activities; IT audit objectives; usage of
CAATTs in public sector auditing; the influence of auditors' competency in evaluating
IT controls; and related organisational characteristics such as size, new system,
structure of data processing and type of auditor. The third chapter details the
research methodology, which consists of hypothesis development, selection of
measures, sampling design, data collection procedures and data analysis, including
justification for the selected analytical techniques. Chapter four then presents
the demographic profile of the respondents and the results of descriptive statistics,
correlation and regression analysis on the six hypotheses developed earlier. This
chapter also briefly discusses some findings which differ from past
research and relates the findings to the unique characteristics of Malaysian public
sector IT auditing. Finally, chapter five summarises the research results,
highlights the limitations of the study, suggests some recommendations and provides
some implications for future research.
CHAPTER II: LITERATURE REVIEW
2.1 Introduction
The previous section provided the background of the problems and the objectives of this
paper. The present section provides an overview of the development of IT related
auditing in the Malaysian public sector and presents an insight into and assessment of
the IT control activities performed by auditors and the usage of CAATTs in IT related
auditing, as well as the literature on audit objectives, organisational characteristics and
competencies of auditors.
2.2 The Impact of IT in Malaysian Public Sector
The Malaysian government has recognised that IT serves as a foundation condition
that would transform Malaysia from a P-based economy to a K-based
economy. From the 6th Malaysian Plan (RMKe-6; 1991-1995) to the 9th Malaysian
Plan (2005-2010), IT development is seen as an important strategic driver for
positioning Malaysia in the global market. In summary, all past and present national
plans were to provide a sound platform for Malaysia to transform into a
knowledge-based society and value-driven economy (Hazman, Jalil, Maniam & Naqiyuddin,
2004). In 1997, the Malaysian Government launched the Electronic Government
initiative, generally known as e-Government, to reinvent itself to lead the country into
the Information Age. The implementation of e-Government in Malaysia heralds the
beginning of a journey of reinventing the government by transforming the way it
operates, and modernising and enhancing its public service delivery. In order to
streamline its IT initiatives, the Government of Malaysia launched the Public Sector
Information and Communications Technology (ICT) Strategic Plan (2003), which is a
blueprint that defines the vision, strategic direction and framework for the usage of
IT; the objectives and strategic thrust areas of IT development; as well as the
implementation strategies and action plans to be taken to realise the objectives of
the plan[ii].
2.3 Public Sector Auditing
The establishment of the National Audit Institution of Malaysia since British colonisation
in the early 20th century was an effort to strengthen the financial management of
public sector administration and to ensure that all government rules and procedures have
been implemented and complied with. A more organised National Audit Institution in
respect of structure and audit scope can be traced back to 1906, when W.J.P
Hume was appointed as Director of Audit Malaya for the Federated Malay States. When
the Federation of Malaya attained its independence in 1957, the post of Director of
Audit Malaya was changed to Auditor General. The appointment as well as the
responsibilities of the Auditor General are spelt out under Article 105 of the Federal
Constitution and the Audit Act 1957[iii]. These laws require the Auditor General to audit
the accounts and activities of the federal government, state governments, federal
and state statutory bodies, local councils, Islamic religious councils and
government-owned companies. Subsequently the name of the institution changed to National
Audit Department (NAD).
[ii] Malaysian Administrative Modernisation and Manpower Planning Unit. (2003). Standards, Policies and Guidelines – Malaysian Public Sector ICT Strategic Plan Guideline, version 1.0, August 2003.
[iii] Retrieved January 27, 2009 from http://www.audit.gov.my/eng/index.php?T2RFCC33=ZQ0bSZ2cCC33&S2gNSxqOCC33=ZQH80QqnTxfFCC33
Within a period of 100 years, NAD has progressed excellently in response to the
current changes. The obvious developments of the NAD are the changing role,
responsibilities, scope, approach, technique and methodology in conducting the
audits. These developments contribute to the excellence of auditing in enhancing
accountability in public sector financial management. Public sector auditing has
expanded rapidly in line with the development in the administrative and management
system. The audits carried out earlier were of two types: financial statement audit
and attestation/compliance audit. The shift to the new Programme and Performance
Budgeting System (PPBS) of government accounting in the 1970s resulted
in an amendment of the Audit Act in 1978, which gave power to the department to carry out
performance audits[iv]. In 2000, the public sector accounting system underwent a
tremendous transformation, which resulted in changes to the accounting systems of the
federal government, state governments and statutory bodies. These transformations
of the accounting system had a major impact on public sector auditing practices. In
line with these changes, NAD restructured its organisation in 2008 to guide the
department towards more efficient operations, to focus on the core activities of
the department and to undertake more specialised audits. A new division was
created to conduct specialised audits on water management, environment and IT[v].
Figure 2.1 shows the organization structure of NAD as at 31 December 2008.
[iv] Retrieved January 29, 2009 from http://www.audit.gov.my/xboer/upload/kertas01.pdf
[v] Retrieved January 29, 2009 from http://www.audit.gov.my/xboer/upload/kertas02.pdf
Besides, NAD has been lobbying for the last three decades for the establishment of
effective internal audits in ministries and departments to ensure that independent
appraisal functions exist within each organisation to assist controlling officers
discharge their duties effectively as well as to ensure compliance with administrative
and statutory procedures. To date, the majority of ministries and departments have
established internal audit units and performed various types of audit. Internal audit
reports are made directly to the controlling officers and also made available for
scrutiny by the NAD.
[Figure 2.1 Organisation Structure of National Audit Department of Malaysia as at 31 December 2008. Chart boxes: Auditor General; Deputy Auditor General (Federal Government); Deputy Auditor General (13 States Governments); Corporate & Communication; Statutory Body (Federal); Information Technology/Research/Special Audit. Legend: Division which performed IT related auditing.]
2.4 IT Related Auditing in Malaysian Public Sector
IT related auditing within the NAD encompasses the General ICT Audit; System
Development Audit; Performance Audit in ICT environment; and lastly usage of
CAATTs in auditing. The audit methodology adopted by the NAD requires the
auditors to evaluate the auditors CIS to determine whether the systems produce
timely, complete, reliable information in conformity with their management goals and
objectives. IT related auditing includes the techniques used for auditing around the
computer, auditing through the computer and auditing with the computer[vi].
The majority of the auditors who are involved in financial and attestation audits
perform the General IT Audit as stipulated in the IT Audit Manual of the National Audit
Department, which relates to the general controls and application controls of the
accounting systems of the public sector organizations in the federal government division,
state government division, statutory bodies division and internal audit departments of
ministries. Besides, each division (federal, state, statutory bodies, ICT) and each internal
audit department of a ministry has its own IT audit team to perform auditing related to
IT projects and system development; these teams mainly focus on the System
Development Audit and the Performance Audit on IT projects.
Consequent to the current environmental changes in the audit profession, the National
Audit Academy, the training wing of NAD, has conducted many internal trainings related
to IT such as ICT Awareness, ICT Controls, CAATTs & Data Downloading, Auditing
System Development Life Cycle, ICT Security, ICT Performance Audit, ICT For
managers, MSC-EG Updates, Multimedia and Desktop Publishing and Application
for End Users.
[vi] National Audit Department of Malaysia. (2002). ICT Audit Manual.
In 2003, NAD of Malaysia presented a paper on ‘Involvement in Systems
Development: Opportunities and Risks’ in the 18th Commonwealth Auditors General
Conference which stated that Malaysia needs to take a more proactive approach in
the audit of IT projects. This gives the NAD an opportunity to add value to the audit
process and provide quality assurance for various phases of the project. NAD
believes that involvement in the audit of system development can only be carried out
if sufficiently trained staff are available. Therefore, auditors need to upgrade their
knowledge and skills and reengineer their auditing methodology in view of the
changing IT environment[vii].
Beginning in 2007, the National Audit Academy has been accredited as the course
provider under the Malaysian Technical Cooperation Program (MTCP) in IT Audit.
The program provides various forms of technical cooperation in the areas where
Malaysia has the experience and expertise. The program aims to provide short-term
courses for international communities among developing countries. The first IT audit
course under the MTCP was held in November, 2007 and the second was held in
November 2008. The course not only introduced the fundamental principles,
concepts and methods of reviewing IT controls but also more importantly promoted
the sharing of knowledge and experience and established professional networking
among the participants[viii].
[vii] Retrieved January 31, 2009 from http://www.intosaijournal.org/congressesandconferences/congresscommonwealthb.html
[viii] Retrieved March 30, 2009 from http://www.akademi.audit.gov.my/website/index.php?q=en/MTCP_Course
2.5 The Impact of IT on Auditing
The auditing profession in both the private and public sectors needs to adapt both its
techniques as well as its topics of concern as the world of the clients changes
(Nikoloyuk, Marche & McNiven, 2005). In the public sector, new models of
governance and the privatisation of government services have created an explosive
growth in the use of audit as a mechanism for control (Pentland, 2000). Remarkably,
auditors are in a unique position to examine risks and their effects on the internal
control of CIS (Pathak and Roberts, 2007).
Accounting professionals refer to the rules, policies and procedures for managing an
organisation's risk as the “system of internal control.” The way accountants view
internal control changed in the early 1990s as a result of the landmark study, Internal
Control-Integrated Framework by the Committee of Sponsoring Organisations of the
Treadway Commission (COSO). According to the COSO framework, internal control
is defined as being “designed to provide reasonable assurance regarding the
achievement of objectives on the effectiveness and efficiency of operation; reliability
of financial reporting and compliance with applicable law and regulations”; and control
activities are the actual actions taken to minimise the risks (Pathak, 2003).
IT often fundamentally changes the initiating, recording, processing and reporting of
transactions. Similarly, the organisation's procedures change from paper-based
documents to electronic records, and the internal control of the organisation has a
combination of both automated and manual controls (Ratcliffe and Munter, 2002; Tucker,
2001). Manual controls may function independently of the IT system or use
information produced by the IT system to monitor the automated controls. The
appropriate mix of manual and automated controls varies with the nature and
complexity of the IT system. IT controls can provide only reasonable assurance
regarding the achievement of an entity’s control objectives (Ratcliffe and Munter,
2002). All internal control systems, regardless of their design, face certain inherent
limitations that make absolute assurance impossible. In an IT system, errors can
occur in designing, maintaining, or monitoring automated controls. Moreover, IT
effectively extends the organisation, requiring the auditor to consider risks, controls
and processes in a larger context (Helms, 2002).
Organisations today may apply IT to a particular business unit, or IT may be a complex and
highly integrated system which shares data and supports all the activities of the financial
reporting, operating and compliance objectives of organisations (Tucker, 2001).
Therefore, prior to any installation of or shift over to a CIS business environment,
organisations need to ascertain the level of risk exposure based on the number of people
involved and the value of the transactions (Pathak, 2004). As a rule, the more
parties involved, the greater the risk. Similarly, a higher value transaction will generate
greater risk. Streamlining approvals through electronic processes (Louis et al., 2002)
may remove existing internal controls and potentially increase the risk further.
An organisation’s auditors are in a unique position to ensure that changes, whether
they are new business models and processes or new systems, support the
organisation’s mission and objectives; and that adequate control procedures are an
integral component from the beginning of the system development process. In many
organisations, to mitigate the risk associated with the CIS, the auditors are assigned
the responsibility of implementing a system of internal control. Owing to additional risks
associated with CIS, management appreciates the significance of having auditors
participate in the system development process. Thus, internal auditors must be aware
of the organisation's objectives and must weigh the cost of implementing a control
against the potential benefit of that control. Maximising organisational benefits
through judicious use of controls in CIS can enhance control over the systems and
reduce the cost of implementation (Pathak, 2004).
Auditors should check the automated controls implemented in the IT business
environment to minimise the risk of unauthorised, invalid, incomplete, or inaccurate
data and transactions, as well as to ensure timely processing. Controls should focus
on information integrity at the point of entry. The auditor should have sufficient
knowledge of the CIS to plan, direct, supervise and review the work performed (Burr,
Gandara & Robinson, 2002). Auditors should also be involved at all stages of the e-
business system development life cycle so as to ensure successful control
implementation. The higher the degree of the auditors' participation in system
development, the more likely they will understand the system of internal control that
should be in place (Pathak, 2003).
2.5.1 IT Control Evaluation Activities
IT control evaluation activities are defined as controls in a computerised information
system which reflect the policies, procedures, practices and organisational structures
designed to provide reasonable assurance that IT audit objectives will be
achieved. The controls in a computer system ensure effectiveness and efficiency of
operations, reliability of financial reporting and compliance with the rules and
regulations. IT controls are broadly classified into two categories: general
controls and application controls[ix]. General controls include the procedures and
processes that support the overall processing of business applications of an
organisation. These controls include areas such as access to programs and data,
data center operations, program development, program changes, IT disaster
recovery plans, and the proper segregation of duties of information systems
department personnel. The general controls are important because they support
application processing. Computerised application controls include the controls
involving the processing and storing of business transactions. They ensure the
completeness, accuracy, authorisation, and validity of processed transactions.
Application controls include application security, input controls, rejected-transaction
controls, transaction-processing controls, and output controls (O'Donnell and
Rechtman, 2005). Both general and application controls are needed to help ensure
accurate information processing and the integrity of the resulting information needed
to manage, govern and report on the organisation.
[ix] Retrieved January 28, 2009 from http://www.intosaiitaudit.org/India_GeneralPrinciples.pdf
A study in 1962 by Brown highlighted that evaluation of internal control
effectiveness is destined to become the most important part of the auditor's program
for evaluating the fairness of financial statements. Auditing in the future will place a
greater emphasis on the system control techniques designed to ensure reasonable
accuracy and less emphasis on what has happened in the past. The modern audit
has shifted from a review of past operations to a review of the system of internal
control. He indicates that the first and foremost audit objective will remain the
determination of the fairness of financial statement representation and the reliability
of internal control. The audit will be primarily a system of audit procedures and there
will be acceptance to perform other tests to meet the audit objectives.
The internal auditor's role has evolved over the last decade due to the impact of IT, which has
required auditors to provide value-added services such as developing improved,
standardised processes and showing management how to perform control self
assessments; performing financial function reviews and risk assessments; accessing
more information with less disruption to users; and rendering improved ways to
gather and analyse data to make “better” decisions (Glover and Romney, 1997). The
scope of internal audit has expanded from measuring and evaluating the
effectiveness of internal controls to providing consulting services related to IT and
systems developments (Meredith and Akers, 2003).
Many studies in the area of IT control evaluation have mainly emphasised
the internal auditor’s role. Hermanson et al. (2000) performed exploratory research
on how IT control activities are specific to internal audit’s evaluation efforts. A
questionnaire based on IT control evaluation criteria established by IFAC (1995) was
mailed to 379 internal audit directors in the Southeastern U.S. with a 27 percent
response rate. They found that internal auditors consider the more traditional IT control
evaluation activities, such as application processing, ensuring data integrity, privacy
and security, and safeguarding IT assets, as most important, with system
maintenance and program changes next in the list. However, disaster recovery
planning has been considered vital by IT-dependent organisations. System
development and acquisition, one of the non-traditional IT control areas, was
given least attention. In terms of specific organisational characteristics, some
evidence indicates that larger internal audit departments, along with computer
auditors and new systems, are associated with the internal auditor’s IT control
evaluations.
Abu Musa (2008), who replicated the study of Hermanson et al. (2000) in the Saudi
Arabian context, also found results consistent with Hermanson et al. (2000):
internal auditors devoted more attention to traditional IT risks and controls
evaluation activities. He also observed that internal auditors in Saudi organisations
devoted the least attention to system implementation and systems development and
acquisition.
Burr et al. (2002) pointed out that when businesses began adopting IT,
applications were developed and deployed at a rapid pace, sometimes at the
expense of adequate security measures. Unfortunately, many firms did not
appreciate the value of addressing security issues up front and spent considerable
time and money trying to compensate after implementation. It might be a dangerous
trap if managers look at short-term profitability as the ultimate driving force and
ignore information system security, audit and control. Organisations making short-
term gains do so at the cost of long-term sustainability (Pathak,
2004).
All companies are vulnerable to sabotage and espionage from inside and
outside, a risk heightened but not created by the internet. Unfortunately, organisations
probably cannot easily prevent a disgruntled employee from damaging their business.
Not everyone always has a genuine desire to conduct business; some intrude into
organisational systems with specific intent or out of sheer curiosity (Pathak, 2004).
The intrusion may be facilitated either by malicious hacking techniques or by sheer
chance (Birermann, Cloete and Venter, 2001; Gengler, 2002). Thus, any CIS
business environment is a sitting duck with regard to the illicit and illegal objectives of
a malicious hacker or intruder who may wreak havoc on the system resources and
data. The CIS business environment is risk-based due to the technologies involved
(Sutton and Hampton, 2003), which may expose data privacy and system privacy
and cause loss of data integrity.
The role of an internal auditor is important in identifying the amount of risk and
assessing the impact of these risks on the overall IT related activities. An audit
review program on e-business will be a critical tool for internal auditors (Pathak,
2000) and the audit review process will provide the closed-loop cycle of continuous
improvement that is imperative in today’s e-business world. Organisations can make
it more difficult for a saboteur by implementing internal controls from a legal, physical and
technical point of view. Protective measures are also advisable if someone leaves on
amicable terms. Auditors must understand that the solution is not a quick fix and will build
over time with the awareness of all employees and the support of management
(Pathak, 2004). Knowledge of IT controls, IT auditing techniques, and the current
trends in IT enhance understanding and efficient utilisation of internal audit
resources (Hass et al., 2006). Now, the heart of auditing and assurance involves the
less-structured decisions and analysis that include much uncertainty, caused by risks
and lack of information (Baldwin, Brown, & Trinkle, 2006).
A study found that IT controls do improve operating performance, and some IT
controls improve performance more than others do. The study indicated that just
three controls that relate to data integrity, security and privacy were able to predict 45
percent of the performance difference across the organisations that have fewer
controls in place, and that tend to be smaller organisations. Smaller organisations
typically rely less on documented processes and procedures and they may be more
likely to use tacit knowledge and organisational learning than standardised operating
practices (Phelps and Milne, 2008).
Technology is pervasive in every organisation and few processes are not supported
by information systems. Therefore, it is essential that all auditors understand the
inherent risks of overlooking supporting systems for processes under review and
enhance the audit knowledge base and audit programs to pay close attention to IT. A
greater understanding of general IT controls and application control concepts by all
internal auditors could bridge the knowledge gap and provide a seamless,
appropriately staffed "blended audit" of the business processes that ensures that
significant process risks are identified and addressed (Chaney and Kim, 2007).
2.5.2 IT Audit Objectives
An IT audit objective is “a statement of the desired result or purpose to be achieved by
implementing control procedures in a particular IT activity” (ISACA, 1998).
Fundamental audit objectives do not change because of the computerised accounting
system. However, additional computer related considerations need to be
incorporated into overall audit planning.
Today, organisations have increased their reliance on the use of computer
systems to perform business activities such as financial systems, inventory systems
and customer and supplier database systems. Thus, computer audit has increased in
importance because companies need to ensure that their computers and network
systems, which are carriers of critical information such as financial transactions and
customer data, are secured. Additionally, the convergence of computing and
telecommunication also has introduced new risks and threats. Consequently, the
impacts on audit objectives and approaches should be reviewed. New methods of
audit and control must be developed to achieve audit objectives. Computers are
viewed as tools to help in achieving audit objectives in the computerised business
environment. Trends in computer audit theory and techniques are more
sophisticated in order to perform an effective and efficient audit in complex computer
processing environments. However, the advent of new technologies has caused
changes in audit approaches and in some cases it may cause change in the audit
objectives (Cooper and Vatanasakdakul, 2002).
2.6 Usage of CAATTs
With the expanding role of e-business in the economy, much of the traditional audit
trail is disappearing. The issuance of some standards and guidelines related to the
impact of IT on internal control signals the diminished likelihood that a traditional ‘audit
around the computer’ approach will be appropriate. As a result, auditors must begin to
incorporate state-of-the-art auditing software applications in the auditing process. This will
not only enable the auditor to perform traditional examinations in an increasingly
paperless environment, but also enable the audit process to be more effective because
the scope of transactions being analysed can be increased at a minimal marginal cost
(Braun and Davis, 2003).
CAATTs can be portrayed as the tools and techniques used to examine directly the
internal logic of an application as well as the tools and techniques used to draw
inferences indirectly about application logic by examining the data processed by the
application (Hall, 2000). Of the five CAATTs that have been advanced in popular audit
literature, three (test data, integrated test facility and parallel simulation) directly
examine the internal logic of the application. The remaining two CAATTs,
embedded audit module and generalised audit software, examine the application’s
logic indirectly (Braun and Davis, 2003). Generalised audit software (GAS)
enables auditors to access live account data stored in various file formats that are
machine-readable only. GAS also can disclose useful information on client master
files that are not included in reports produced by the client. Integrated test facility
(Helms, 2002), parallel simulation, and other ex-post CAATTs can be used to
validate the correctness of the EDP software module (Weber, 2004).
Concurrent CAATTs such as embedded audit modules and system control audit
review file (SCARF) can be installed to examine transaction flows and to detect
exceptions online, such as suspicious transactions (Wells, 2001).
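The Python sketch below is an added illustration, not code from this thesis or from any audit package it cites. It runs two of the CAATTs described above over a constructed voucher ledger: parallel simulation (the auditor independently recomputes the application's tax figure for the entire population and compares) and a SCARF-style embedded module that records exceptions as transactions pass through. The 6% rate, the review threshold, the exception rules and all field names are assumptions made for the example.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# Assumptions for this example only: a flat 6% tax rule and a review threshold.
TAX_RATE = Decimal("0.06")
REVIEW_THRESHOLD = Decimal("10000.00")


@dataclass(frozen=True)
class Voucher:
    voucher_id: str
    amount: Decimal
    tax: Decimal          # value computed and stored by the application under audit
    prepared_by: str
    approved_by: str


def _v(vid, amount, tax, prepared_by, approved_by):
    return Voucher(vid, Decimal(amount), Decimal(tax), prepared_by, approved_by)


# Constructed sample records (not real data), as the audited application stored them.
LEDGER = [
    _v("V001", "1200.00", "72.00", "aminah", "lee"),
    _v("V002", "9800.00", "588.00", "aminah", "lee"),
    _v("V003", "450.50", "27.03", "ravi", "lee"),
    _v("V004", "15000.00", "900.00", "ravi", "ravi"),   # self-approved, large
    _v("V005", "300.00", "81.00", "aminah", "lee"),     # tax digits transposed
    _v("V002", "9800.00", "588.00", "aminah", "lee"),   # voucher number reused
]


def simulate_tax(amount):
    """Auditor's independent re-implementation of the application's tax rule."""
    return (amount * TAX_RATE).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def parallel_simulation(vouchers):
    """Recompute every record and return (id, recorded, expected) where they differ."""
    differences = []
    for v in vouchers:
        expected = simulate_tax(v.amount)
        if v.tax != expected:
            differences.append((v.voucher_id, v.tax, expected))
    return differences


class AuditReviewFile:
    """SCARF-style collector: inspects each transaction as it flows through."""

    def __init__(self):
        self.exceptions = []
        self._seen_ids = set()

    def observe(self, v):
        if v.voucher_id in self._seen_ids:
            self.exceptions.append((v.voucher_id, "duplicate voucher number"))
        self._seen_ids.add(v.voucher_id)
        if v.prepared_by == v.approved_by:
            # Segregation of duties: preparer and approver should differ.
            self.exceptions.append((v.voucher_id, "preparer approved own voucher"))
        if v.amount > REVIEW_THRESHOLD:
            self.exceptions.append((v.voucher_id, "amount above review threshold"))


def run_embedded_module(vouchers):
    """Feed the transaction stream through the collector and return its exceptions."""
    review_file = AuditReviewFile()
    for v in vouchers:
        review_file.observe(v)
    return review_file.exceptions


if __name__ == "__main__":
    for vid, recorded, expected in parallel_simulation(LEDGER):
        print(f"parallel simulation: {vid} recorded {recorded}, expected {expected}")
    for vid, reason in run_embedded_module(LEDGER):
        print(f"audit review file: {vid} {reason}")
```

Parallel simulation only finds processing errors (V005), while the embedded module finds control exceptions in records whose arithmetic is correct (V004 and the reused V002), which is why the two techniques complement each other.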
However, some surveys show that accountants do not frequently and systematically
use these CAATTs in practice (Kalaba, 2002). For example, GAS is not on the list of
the “common software use” according to the survey series conducted by Heffley and
Meunier in 2004. Other surveys (1998-2001) indicate that both ex-post and
concurrent CAATTs are used primarily in internal audit settings by proprietary
implementation. Nevertheless, a survey by Robert and Davis in 2003 indicated that
the most commonly used CAATT is generalised audit software. The key reasons for
the widespread use of generalised audit software include its relative simplicity of use,
requiring little specialised information systems knowledge, and its adaptability to
a variety of environments and users.
IT allows auditors to attain a new level of testing assurance: electronic
spreadsheets serve as an aid in record keeping and automated working papers
remove some of the drudgery from documentation. Through IT, auditors can now test
the entire population of transactions and processes, and the latest software
enables them to acquire data from different repositories within the network and validate
whether internal controls are operating effectively. In the modern audit environment,
information technologies are no longer a luxury but a necessity, as they promote
continuous monitoring of risk in a cost-effective fashion (Hespenheide, 2006).
2.7 Auditors Competencies
Techniques for testing automated controls may differ from those for manual controls.
Specialised computer tools and skills may be needed to design and perform the IT
control evaluation activities (Ratcliffe and Munter, 2002). With specialised
knowledge, auditors will be equipped to assist organisations in eliminating control
weaknesses and strengthening internal controls over information systems (Pathak
and Roberts, 2007). The higher the level of skill, experience and attitudes towards e-
business initiatives, the more likely auditors can and will participate in e-business
systems development (Pathak, 2003). Buckstein (2001) states “. . . public sector
auditors, similar to their counterparts in the private sector, will have to undergo new
skills training to ensure they are able to test systems to provide assurance that
electronic processes are secure”.
A study by Viator and Curts in 1998 suggests that in some cases, there appears to be
an association between IT auditors’ background and their evaluation of automated
control procedures. There were several instances where higher weights were
assigned to completely automated control procedures by computer auditors with
Management Information System/Computer Science academic education and MIS
work experience.
Although much auditing software is considered reliable, auditing personnel find
difficulty in using the systems because of their insufficient knowledge concerning IT
(Chang, Wu & Chang, 2008). Auditor competencies in areas related to IT auditing
(change control, system operations, security and continuity) have been ranked as low
competency. One reason for this lower overall competency rank may be that audit
positions focused on IT tend to be held by specialised IT auditors. With this in mind,
financial and operationally focused auditors may not see it as a priority to develop
these highly specific audit skills (Marshall and Magliozzi, 2009).
As technological developments continue, auditors will need to expand their
accounting information system (AIS) knowledge and skills in order to perform
effective and efficient audits. When assigning staff to an audit engagement, it may be
prudent to consider the staff members' levels of AIS expertise (with respect to the
client's AIS), in addition to their general audit experience levels. The results of the
study clearly point to the advantages of sufficiently training both auditors and IT
auditors so that they are equipped with the requisite expertise, given the complexity
of their clients' IT. From an educational standpoint, the study points to an increasing
need to improve the system-related educational experiences of accounting students
who will be the IT and financial statement auditors of the future (Brazel, 2008).
2.8 Organisational Characteristics
2.8.1 Type of Auditor
In 1999, the role of IT audit in the big five was to largely just add support to the
financial audit. However, in time, the position of the IT auditor gradually takes over
the role of the financial auditor (Zhao, Yen & Chang, 2004). In the future, the
services that big five auditors offer will include real-time assurance, continuous
auditing, security outsourcing, privacy and security assurance, and business
continuity assurance. Besides that, according to a survey done by Bagranoff and
Vendrzyk (2000), many auditors suggested that academic accounting and MIS
departments must merge in order to be able to produce the job candidate they want
to hire. Developing educational programs that will adjust to the changes that will be
occurring in the field of auditing is very important. It is vital for students and faculty to
understand the change in assurance services taking place within the big five.
It is now time to knock down the traditional walls that separate general internal
auditors from their IT auditors. No one in the audit team should be tagged
with responsibility for IT assignments. Everyone in the audit team should have
sufficient depth of IT knowledge to help them audit the IT related systems in
their organisation. Technology is such an integral part of business life that it is
virtually impossible to think of a process or activity that does not involve some level
of IT. All business is, to some extent, exposed to IT risk and in fact, there is a danger
if ordinary risk and IT risk are seen as separate issues. Both risks have to be part
and parcel of the same thing. There is some element of risk when general auditors
look only at the business process and accounting whereas IT people focus on the
system. There should be a closer relationship between the two tasks, and general
auditors need to understand IT; up to a point, someone needs to help in auditing areas
related to networks, communication protocols and data security. Some experts recognise
IT audit specialists but they stress that technical knowledge has to be combined with
business sense. Therefore, blending the specialist technical skills into the work of the
wider audit shop will be a more subtle way to face IT risks. It is also a good way
to make IT experts work along with the general auditors to gain knowledge and to
make sure the assignment and report do not become too technical. As noted, system
development projects often go wrong because people get tied up in technical jargon,
rather than thinking about the user needs (Baker, 2007).
2.8.2 Size of Organisation
A study found that the size of the IT audit function, placement of the IT audit function
in the organisation, the extent of formal policies and procedures, and management
concern for IT audit and control are all positively related to the IT audit involvement
in system development. Firms with smaller IT audit staffs were less likely to involve
IT audit in systems development (Morris and Pushkin, 1995). In smaller
organisations, various IT professionals may have informal channels of
communication, which allows them to communicate ongoing activities without
formalised processes. As a result, smaller organisations may have fewer formal IT
operating procedures in place than larger organisations. Another finding showed that a
set of nine controls was able to predict 60 percent of the performance variation of
organisations with a greater number of controls in place, and that tend to be larger
organisations. The nine controls are related to system implementation, system
maintenance and change management, data integrity, security and privacy,
operating system and procedures and application processing. Larger IT
organisations tend to be more geographically dispersed, and have more IT functions,
both of which require greater reliance on IT process and procedures and may also
have a culture that naturally supports greater process consistency (Phelps and
Milne, 2008).
2.8.3 Structure of Computerised Information System
EDI systems involve the exchange of electronic business data in a standard and
structured format between trading partners' computer systems via a telecommunication
network (Chan et al., 1993). A reliable internal control structure is the primary means
of providing assurance of the information integrity of the system (Hardy and Reeve,
2000). EDI systems introduce additional complexities in initiating, recording and
executing transactions over a network (Hansen and Hill, 1989). The consequences of
unreliable records and information are more far-reaching in an EDI system due to the
high speed of data interchange between partners (distributed system) and the low level
of human intervention in the conduct of on-line business (Chan, 1992). Therefore,
control over EDI systems is essential to reduce the risks, to ensure the integrity of
information and to achieve maximum benefit from the technology (Power and
Carner, 1990; Weiner, 1995). Further, management and auditors are compelled to
review computer-based controls more closely due to the heavy reliance placed on
these controls with the elimination of the traditional paper audit trail (Jamieson, 1994;
Ryrie, 1994).
The traditional and proven security control mechanisms used in the mainframe
environments were not applicable to distributed systems, and as a result, a number
of inherent risks were identified with the new technologies. Because of the critical
nature of the information assets of organisations, appropriate control policies should
be in place. Changing technology has rendered centralised mainframe security
solutions ineffective in providing controls on distributed network systems.
Corporate governance guidelines and risk management strategies were required to
protect information assets of an organization (Ward and Smith, 2002).
2.8.4 New Computer System
An ERP is an integrated information systems program that serves all departments in
an organization. The first sign of IT failure may manifest itself in the actions and
behaviors of the end users who are working with the new solution. In others, it may
arise through gaps resulting from new systems security requirements. Or, for some,
it may be the data quality itself that is called into question. The key for any
organization is to recognize the symptoms early, and to accurately diagnose what is
happening and why. As such, the auditor/risk manager has an important role to play
in systems changes, by assessing the proposed implementation plan and identifying
the associated risks and related controls. Organizations that are contemplating
implementation of an ERP system, salvaging a previous effort or upgrading an
existing system should assess current and future business and
technical requirements, concentrate on specific change management efforts, identify
organizational impacts, and document and track the results (Harris, 2003).
2.9 Summary
Considerable research has been conducted in areas related to IT
auditing. The present chapter reviews the literature on the impact of IT on Malaysian
public sector IT auditing, IT control evaluation activities, audit objectives, usage of
CAATTs, auditors' competencies and organisation characteristics. The review shows
that most of the research has been conducted in developed countries and few related
studies have been done in Malaysia.
Accordingly, this study is conducted with the aim of filling that gap. In the next
chapter, the author presents the research methodology that has been used
to assemble the vital data for the topic at hand.
CHAPTER III: RESEARCH METHODOLOGY
3.1 Introduction
The previous section reviewed the salient literature on areas related to IT auditing.
This section describes the research methodology that has been carried out in
order to conduct the study effectively. The first part focuses on the development of
the hypotheses to be tested. The second part provides the
selection of measures, followed by the third part on sampling design, which explains
the target population of the study and the selected sample size. The fourth part
explains the data collection procedures that the author followed.
Lastly, the part on data analysis techniques briefly explains the method of analysis as well
as the specific tests conducted in the course of this study.
3.2 Development of Hypotheses
3.2.1 IT Control Evaluation Activities (ITC1-8)
This study applies the 36 specific tests outlined by IFAC, which are categorised into eight
types of IT control evaluation: System development and acquisition (ITC1); System
implementation (ITC2); System maintenance and program changes (ITC3); IT asset
safeguarding (ITC4); Data integrity, privacy, and security (ITC5);
Continuity of processing/disaster-recovery planning (ITC6); Operating
system/network-processing activities (ITC7); and Application processing (ITC8). Each
evaluation category is discussed below.
The first three IT evaluation categories, System development and acquisition (ITC1),
System implementation (ITC2), and System maintenance and program changes
(ITC3), address systems under development or revision. The internal auditor's role in
system development is to ensure that controls are adequate, to ensure that the
system being developed is auditable, and to help identify design weaknesses in the
system (Morris and Pushkin 1995). Internal auditors’ review of proposed system
changes can enhance organisational goals by ensuring that the system meets the
organisation's needs, thereby eliminating the need to retrofit after the changes have
been made. In addition, in a study of two large financial institutions, Wu (1992) found
that greater involvement by computer auditors in the information system
development stage significantly reduced subsequent software maintenance costs.
Wu (1992) concluded that audit involvement at the early development stage
(definition phase) yielded the greatest subsequent cost savings.
ITC1 is concerned with new systems development and acquisition. The internal
auditor evaluates the acquisition standards and methods that are used, whether the
standards and methods are being used correctly, and whether system development
technologies are being used correctly (Hermanson, et al., 2000).
ITC2 examines systems under development to evaluate the quality of the testing, the
accuracy of the data conversion, and the effectiveness of the post-implementation
evaluations (Hermanson, et al., 2000).
ITC3 considers revision to existing systems and evaluates the program-change
controls, methods, and procedures, and whether these are operating properly
(Hermanson et al., 2000).
ITC4 considers IT assets and facilities management. Ensuring IT assets are
safeguarded is an important task for the auditor. The evaluation in this area also may
include inspections of the actual computer locations and assessments of staffing
practices, data center access, and data libraries (Warren, Edelson, Parker & Thrun,
1998).
ITC5 encompasses data integrity, privacy, and security. As open systems, electronic
data interchange (EDI), and internet communications become more prevalent, this
evaluation will become even more important (Hermanson et al., 2000). Uncontrolled
or loosely controlled networks increase business risk by enhancing the possibility of
problems such as data tampering, destruction of data through infection with viruses,
business interruption through loss of network communications, and legal liability
through theft of personally confidential or firm confidential data (Warren et al., 1998).
ITC6 is concerned with continuity of processing/disaster-recovery planning. ITC6
allows organisations to resume their systems operations as quickly as possible
following a disaster (Ivancevich, Hermanson & Smith, 1998). Many organisations
simply cannot conduct business if their information systems are not functioning. This
evaluation considers management support, risk management, backup procedures,
alternative processing arrangements, and how well the disaster-recovery plans are
implemented (Hermanson et al., 2000).
ITC7 considers control over operating systems and networks. Some of the tests
considered in ITC7 include evaluation of the cost effectiveness of the IT, evaluation of
the procedures to manage the operating system and network, evaluation of the
network reliability, evaluation of the sufficiency of the performance measures, and
evaluation of compliance with the standards and procedures set for the operating
system and network (Hermanson et al., 2000).
Finally, ITC8 deals with the traditional application-processing flows and controls. This
evaluation includes determining whether the data for the application are processed
correctly, preventing errors and omissions, ensuring the reliability of the data-
processing outputs, and ensuring that only properly authorised transactions are
processed (Hermanson et al., 2000).
Thus, the first hypothesis is to address the frequency of performance of the various
IT control evaluations suggested as important by the IFAC. The purpose of this
hypothesis is to gather baseline information regarding the current state of IT
evaluations by public sector auditors in their respective organisations.
H1 (RQ1): Malaysian public sector auditors set different levels of importance
on each of the IT control evaluation activities suggested by the IFAC and the
evaluation varies across the public sector organisations.
Since IT control evaluation activities are closely related to the IT audit objectives, the
following section discusses audit objectives.
3.2.2 IT Audit Objectives (X1-4)
An IT control objective is “a statement of the desired result or purpose to be
achieved by implementing control procedures in a particular IT activity” (ISACA,
1998). Based on IFAC (1995), the audit objectives related to IT are:
• evaluation of efficiency/effectiveness/economy of IT use (X1)
• evaluation of compliance with policies, procedures, and regulations (X2)
• evaluation of internal control in computer-based systems (X3)
• evaluation of fairness of financial statement representations and the accuracy
and completeness of computerised accounting records (X4)
The objectives of internal control are the same in both a manual system and an IT
system. Audit objectives determine the types of evaluations that should be used in
the auditing procedures (Messier, 1997). However, the procedures required to
accomplish these objectives may be influenced by the method of data processing
used. Therefore, the procedures used by an auditor in the evaluation of control to
determine the nature, timing and extent of audit procedures may be affected (Yang
and Guan, 2004).
For example, ITC3, which pertains to system maintenance and program changes,
may be more likely to be performed if the audit objective is to evaluate the internal
control in computer-based systems (X3) as compared to the audit objective that
seeks to determine the efficiency and effectiveness of IT usage. Therefore the
performance of other evaluations is also expected to vary based on audit objectives
(Hermanson et al., 2000).
This study requested respondents to specify which of the four IT audit objectives
stated in the questionnaire are performed by the organisations. This hypothesis is to
address the frequency of performance of the different audit objectives suggested as
important by the IFAC. The purpose of this hypothesis is to gather baseline
information regarding the current state of audit objectives chosen by Malaysian
public sector auditors when performing IT controls evaluation activities in their
respective organisations.
H2 (RQ2): Malaysian public sector auditors place different importance on IT
audit objectives when evaluating IT control and the performance varies across
the public sector organisations.
IT has also impacted the way auditors perform their control evaluation activities.
The next section discusses the new set of tools and techniques used by
auditors in examining IT related activities.
3.2.3 Usage of Computer Assisted Auditing Tools and Techniques (X5)
During the IT control evaluation activities, auditors have to reevaluate the
effectiveness of traditional audit procedures, and to explore the possibilities and
opportunities by using IT and data analysis software (Abu-Musa, 2004). Computer
technology gives auditors a new set of audit techniques for examining the automated
business environment. One of the most dynamic areas of audit processing is the use
of Computer Assisted Auditing Tools and Techniques (CAATTs) (Gorham and
Lamont, 1998). CAATTs are techniques or tools that help auditors to perform an
audit in a more effective, efficient and timely manner in the IT business environment
(Head, 2002).
As early as 1982, CAATTs were a powerful audit tool for detecting financial errors. In
recent years, analytical techniques have become not only more powerful but also
more widely used by auditors. It is only in the last 10 years that the use of CAATTs has
become standard practice. Audit software permits auditors to obtain a quick overview
of the business operations and drill down into the details of specific areas of interest.
The audit program can also be extended to perform a 100% verification of certain
transactions and a recalculation of important ratios and figures (Coderre, 1999).
Therefore, the third hypothesis addresses the various usages of CAATTs by
Malaysian public sector auditors in different organisations. The purpose of this
hypothesis is to collect essential information regarding the current state of CAATTs
usage in Malaysian public sector organisations.
H3 (RQ3): Malaysian public sector auditors place different importance on the
various usages of CAATTs across the organisations.
In addition to the new set of procedures used in performing IT related auditing, the
current changes have required auditors to gain new IT skills in order to
determine the effect of IT on the audit, to understand IT controls or to design and
perform tests of IT controls and substantive tests (Tucker, 2001). Therefore, the next
section discusses the new skills required by auditors in performing IT related
auditing.
3.2.4 Auditors Competencies (X6)
The scope of internal audit activities is clearly growing and the skill set and attributes
that internal auditors need are expanding. These changes are needed to respond to
the complex external and internal environment of the contemporary organisation,
due to the impact of regulation, technology, and other factors. Although the Institute of
Internal Auditors (IIA) has responded to the changing organisational environment by
updating the professional practices framework in 2004, more work needs to be
done to prepare the internal auditors for the expanded set of skills and knowledge
required to perform audits of the future (Hass et al., 2006).
A survey in 2003 by Braun and Davis of governmental auditors, which inquired about
their perception of a specific type of CAATTs (generalised audit software, proxied by
the use of ACL), shows that auditors seemed to perceive the potential benefits
associated with CAATTs; however, they displayed a lower confidence in their technical
abilities in using the application. In addition, the auditors surveyed expressed a
desire to increase their skills through increased ACL training. Taken together, these
results give audit decision makers evidence that additional technical training is
needed and desired by auditors. Moreover, the higher the level of skills, experiences
and attitudes toward e-business initiatives, the more likely the auditors can and will
participate in the e-business system developments (Pathak, 2003).
Training represents the biggest obstacle an audit department faces when any
information system is implemented. Moving into new technology requires a shift in
thinking from the traditional to the most efficient. Adequate training is a necessary
component of the overall evaluation of IT control; without it the entire investment is at
risk (Dave, 2000). Training also improves system acceptance (Bedard, Ettredge,
Jackson & Johnstone, 2003). Completing a training program or reading to acquire a
skill is only the first step in preparing the auditor to perform audit tasks appropriate to his
or her skill level. Experience in using the skill is essential (Webb, 1979). Professional
skills are a composite of several factors that contribute to the overall skill levels of IT
auditors. These factors are formal training, work experience, continuous professional
development and professional judgment. The appropriate blending of these factors
results in an auditor’s particular skill level. Higher-level skills in the e-business
audit context are related to expertise/knowledge of organisational security
vulnerabilities, intrusion protection management, system and network change
management (Pathak and Baldwin, 2009).
Thus the fourth hypothesis identifies whether there is any significant correlation
between the competencies of public sector auditors and IT control evaluation activities.
H4 (RQ4): Evaluation of IT control activities is associated with Malaysian
public sector auditors' competencies in IT.
Besides, IT has called for auditors to have new specialised skills so that they are able
to perform their assignments effectively and efficiently. The existing literature also
supports the view that auditors’ techniques and methodologies in conducting the audit, the
evaluation of systems and the related internal control are affected by the
characteristics of the computerised environment of the organisations.
3.2.5 Organisation Characteristics (X7-10)
Four organisational characteristics are examined; these characteristics were
selected from a review of previous literature (e.g., Janvrin, 2008; Warren et al.,
1998; Ivancevich et al., 1998; Morris and Pushkin, 1995; Brazel and Agoglia, 2005;
Hermanson et al., 2000; Hunton, Wright & Wright, 2004; Curtis and Cobham, 2002).
• Type of Auditor (X7)
The first organisational characteristic is the type of auditor who performs IT related
auditing. IT Auditor/specialists are individuals within an audit firm who have detailed
knowledge in computer auditing (Janvrin, 2008; Warren et al., 1998) whereas
general auditors are those who have basic knowledge on computer auditing. Audit
standards encourage the use of IT specialists when (1) the client's business has
complex systems and IT controls, (2) the client replaces or makes significant
changes to its IT systems, (3) the client shares data extensively between systems,
(4) the client participates in electronic commerce, (5) the client uses emerging
technology, or (6) significant audit evidence is only available electronically. The
presence of the IT specialist allows for more complex evaluations of technology, and
the following are among typical IT specialist tasks: reviews of systems under
development, data center reviews, application systems reviews, and support to non-
IT auditors (Hermanson et al., 2000).
IT auditors recognise more types of security risks related to IT control evaluation
activities than financial auditors (general auditor), yet financial auditors appear to be
overconfident in their ability to recognise risks in IT systems and often do not see a
need to consult with IT specialists when facing clients with ERP systems (Hunton,
Wright & Wright, 2004). Auditors did not use IT specialists frequently in a typical
audit and the extent of IT specialist use was also fairly low (Janvrin, 2008). Some
findings echo concern that auditors are reluctant to consult IT specialists because of
audit efficiency considerations (Carmichael, 2004). Such overconfidence may be a
significant issue, as controls are increasingly embedded in IT systems. In the CIS
setting, auditors' reliance on IT specialists increases as the specialists' competence
increases, and the accuracy of auditors' inherent and control risk assessments is
affected more by IT expertise than by general audit experience (Brazel and Agoglia,
2005). Traditional auditors who possessed a fundamental understanding of IT
systems can successfully work in e-business environments as they can gain
necessary support through collaboration with specialist auditors (Price, 2001). As
organisations' reliance on technology increases, the differences in the role of IT
auditor and general auditors / internal auditors are becoming less distinct (Pathak,
2003).
This study asked respondents to indicate the types of auditors involved in IT
related auditing. It is anticipated that the types of auditors would vary by IT control
evaluation activities.
• Size of Organisation (X8)
Size is the second organisational characteristic, represented by the number of
auditors in the organisation who perform IT related auditing. The availability of
resources plays a part in determining the auditors’ participation in e-business
initiatives (Pathak, 2003). In larger audit departments, as opposed to small ones,
there is a greater tendency to participate in the e-business system development process.
As e-business systems become increasingly complex, auditors are becoming
involved at the inception stage of development. Further, a larger number of internal
auditors may signal greater commitment to control, as well as greater resources
available for IT auditing (Hermanson et al., 2000). Larger companies generally have
larger internal audit staffs, and prior research has documented a positive relation
between company size and control strength (Brans and Waterhouse 1975;
Ivancevich et al., 1998; Karnes, King & Welker, 1992; Snell, 1992). This study
requested respondents to select one of three ranges given in the questionnaire
which represent the size of their organisations. It is expected that the size of
organisations would vary by IT control evaluation activities.
• Structure of Computerised Information Systems (X9)
The third organisational characteristic is whether the organisation's computerised
information systems are centralised or decentralised. Centralised systems consist of
a central computer in one location that processes and stores all of the company's data.
Decentralised systems (also known as distributed systems) allow for more localised
entry, processing, and storage of data (Hermanson et al., 2000). Decentralised
systems present audit concerns regarding the completeness, integrity, and security of
the distributed data (Warren et al., 1998). For example, procedures such as data
backups that are routine in a centralised environment may not receive consistent
attention in a distributed environment. Further, distributed system components may
be obtained from different vendors and may have different security capabilities. The
weaknesses of one vendor may compromise the entire distributed network (Warren
et al., 1998). This study requires respondents to indicate the structure of the CIS of
their client’s organisations. It is forecasted that the structure of CIS would influence
the variation of IT control evaluation activities. The significant increase in the number
of distributed systems environments, with nearly every employee having access to
systems, has made the security issue more critical (Zwass, 1997).
• New Computer System (X10)
The fourth organisational characteristic is the percentage of new computer systems
in the client organisation. New systems are defined as those installed within the last
three years. New systems can increase the level of risk in an organisation
(Hermanson et al., 2000). New systems are not implemented in a vacuum and many
authors agree that the first step in developing a business continuation plan is to carry
out a risk assessment (Maguire, 2002). The majority of writers in the area of information
systems view risk as something to be addressed once the system is up and running,
i.e. fire, fraud, computer failure and unauthorised access (Hussain and Hussain,
1997; Laudon and Laudon, 1998). Risk assessment should be used at the start of a
project, and at least before system design, to determine the level of risk and identify
the related controls to formulate plans for reducing that risk (Bocu et al., 1999; Curtis
and Cobham, 2002). The first three evaluations in particular (ITC1-ITC3) may be
related to the percentage of new systems, since they are concerned with new
systems development and acquisition, system implementation and program change
(Hermanson, et al., 2000). This study asked respondents to select one of the three
ranges given in the questionnaire which represent their client’s organisations. It is
predicted that the percentage of new computer system would vary by IT control
evaluation activities.
Therefore the fifth hypothesis is to investigate whether there are any significant
differences between IT control evaluation activities in terms of organisation
characteristics.
H5 (RQ5): IT control evaluations performed by Malaysian public sector
auditors vary due to different organisational characteristics.
In summary, the discussion above leads to the sixth hypothesis, which addresses
whether the performance of IT control evaluation activities by Malaysian public
sector auditors is associated with the following factors:
X1, X2, X3, X4 - Relates to IT audit objectives described in 3.2.2
X5 - Relates to various usage of CAATTs described in 3.2.3
X6 - Relates to auditors' competencies in IT described in 3.2.4
X7, X8, X9, X10 - Relates to organisational characteristics described in 3.2.5
H6 (RQ6): Audit objectives, organisational characteristics, usage of CAATTs
and auditors' competency have contributed differently to the evaluation of IT
control activities by Malaysian public sector auditors.
3.3 Selection of Measures
The development of the questions and scales of the questionnaire pertaining to
each individual variable in this study was done through replication and adaptation of
the research done by Hermanson et al. (2000) and Abu-Musa (2008). It was revised
to take into consideration the comments and suggestions raised by Burton (2000) and
Jackson (2000), mainly on the aspects of training of auditors and size of the
organisation. Hermanson et al. (2000) developed the original questionnaire based on
the elements of IT as grouped by IFAC in the statement of IT in Accounting
Curriculum (IFAC, 1995). The questionnaire was further adapted to suit the public
sector auditing environment and geographical region of Malaysia.
The questionnaire in Appendix 2 consists of 3 pages with 54 items and contains five main
parts, which are (a) Objectives of the audit evaluation of CIS (4 items); (b)
Information on the specific tests of IT control evaluation outlined by IFAC (36 items);
(c) Information related to the usage of CAATTs (5 items); (d) Organisation
characteristics (4 items) and respondent profile (3 items); and (e) Auditor competencies (2
items). A Likert scale of 1 to 5 is used, representing the following: 1-rarely done; 2-
occasionally done; 3-frequently done; 4-often done and 5-always done. The above
scales are used as measurement of the IT evaluation, IT objectives and usage of
CAATTs. The organisational characteristics and respondent profile were measured
by using ordinal and nominal scale.
3.4 Sampling Design
Public sector auditing is performed by the National Audit Department of Malaysia
(NAD). As at 31 December 2008, NAD had 2,110 staff in various
positions, of whom about 858 are directly involved in auditing. IT related audits
are conducted in 5 main divisions (federal government, state government, statutory
body, ICT and the internal unit departments of ministries) and it is estimated that 400
staff across the divisions are proficient in doing IT related auditing. 400 mail self-
administered questionnaires were sent to NAD, which later distributed them to its
staff. A cluster sampling technique was applied in the selection of the
auditors involved in IT related auditing in different public sector organisations.
3.5 Data Collection Procedures
Primary data are simply data compiled from first-hand sources. The primary data
were collected through mail self-administered questionnaires. Respondents to the
questionnaires are limited to auditors from the internal audit departments of
ministries and auditors from the National Audit Department who are involved in IT related
auditing. A few interviews were also conducted with the division managers and
auditors to discuss some aspects concerning the IT control evaluation activities in
the Malaysian public sector. The questionnaires were mailed in January 2009 to NAD
and the responses were received within a limited period. After excluding the incomplete and
invalid questionnaires from 79 respondents, the research ended with 73 usable
questionnaires, which represents a response rate of 18.25 percent. The literature
documents that responses to mail questionnaires are generally poor, and it is a common
phenomenon to see return percentages as low as 15% to 20% (Saunders, Lewis &
Thornhill, 1997, p. 131). Therefore, it is important to undertake an examination of
non-response bias in order to identify the reliability and validity of the data.
Based on the received date recorded on each questionnaire, the first 10
questionnaires received from respondents were classified as ‘early’ and the last 10
questionnaires as ‘late’. The early and late responses were matched with the aim of
examining whether significant differences between the two groups exist. The Mann-
Whitney test was used as a statistical tool to examine the differences. No significant
differences were detected between the 10 early and 10 late responses as per
Appendix 3. Thus, the results provide an indication that the respondents who failed
to return the questionnaires would have the same perceptions as those who
responded.
Before and during the preparation of the study, the author engaged in an extensive
literature search and review to aid in the identification of the exact research problem.
The main materials used are journals, published and unpublished research,
guidelines and reports. Most of the literature was acquired from online databases such
as ProQuest, Emerald and EBSCOhost.
3.6 Data Analysis Techniques
A reliability test was carried out on the collected data using the Cronbach Alpha
model, to explore the internal consistency of the questionnaire, based on the
average inter-item correlation as per Appendix 4. IT evaluation control, audit
objectives and usage of CAATTs show reliability alpha levels of 0.974, 0.834
and 0.777 respectively. The result of the overall reliability test shows that the
questionnaire design is highly reliable, and the collected data are highly reliable and
consistent (α = 0.966). This research utilises the descriptive statistics and multiple
regression analysis.
The collected data were processed using SPSS version 17. Descriptive statistics of
the collected data were analysed to understand the main characteristics of the
research variables and to answer H1 – H5 on the frequency of internal control
evaluation activities, audit objectives, organisation characteristics and the usage of
CAATTs across Malaysian public sector organisations. The Kruskal-Wallis test
analyses the group differences on the organisation structure. The correlation matrix
was used to examine the relationship between IT evaluation control activities and
auditors' competency.
The hypothesis (H6) related to the factors (IT audit objectives, organisational
characteristics, usage of CAATTs and competency of auditors) that are associated with
the different performance of IT control evaluation activities by public sector auditors
was addressed through eight regression models (one for each ITC):
$$ITC_i = \beta_0 + \sum_{j=1}^{10} \beta_j X_j + \varepsilon$$
where: ITCi = IT evaluation control activities No. i, i = 1, 2, …, 8 (index of dependent
variable); j = 1, 2, …, 10 (index of independent variables); β0 - constant (y-intercept); βj -
regression coefficient; ε - regression error. ITC1 - system development and
acquisitions; ITC2 - system implementation; ITC3 - system maintenance and program
changes; ITC4 - IT asset safeguarding; ITC5 - data integrity, privacy and security;
ITC6 - data recovery plan; ITC7 -operating system; ITC8 – application processing; X1 -
evaluation of efficiency, effectiveness and economy of IT use; X2 - evaluation of
compliance with policies, procedures and regulation; X3 - evaluation of internal
control computerised information system (CIS); X4 - evaluation of fairness of financial
statement; X5 - usage of CAATTs; and X6 - competencies of auditors. X7 - types of
auditor in performing IT related audit; X8 - size of the department; X9 - structure of
CIS in data processing; X10 - percentage of new system in the department. The
model was run using the collected data. The dependent variable, ITCi, is measured
as the average of the ratings on a five-point Likert scale (1 - rarely, 5 - always
done) for the individual tests suggested for use by the IFAC within that evaluation
category. For example, ITC2 is computed as the average score of: evaluation of user
acceptance testing methodology, evaluation of system conversion methodologies
and evaluation of post-implementation review practices. The independent variables
for the IT audit objectives (X1 to X4) are measured using a five-point Likert scale
where 1 - rarely and 5 - always done. The remaining independent variables, which
measure organisational characteristics, usage of CAATTs and auditors'
competencies, were measured as explained in the methodology section 3.3. Eight
regression runs were done, one for each dependent variable. In addition, an average
score for the eight evaluation models (one for each ITC) was computed and labelled
as “ITC_Overall”. In the overall evaluation model, the dependent variable
“ITC_Overall” was regressed on the ten independent variables, using the regression
equation:
$ITC_i = \beta_0 + \beta_1 X_1 + \beta_2 X_2 + \beta_3 X_3 + \beta_4 X_4 + \beta_5 X_5 + \beta_6 X_6 + \beta_7 X_7 + \beta_8 X_8 + \beta_9 X_9 + \beta_{10} X_{10} + \varepsilon$
3.7 Summary
The current chapter presents, reviews and defends the methodology employed to
examine the research questions. A questionnaire consisting of five sections was
distributed to the sample of this study to obtain primary data, and secondary data,
especially journal articles, were used to supplement the primary data. The author then
tabulated the data and arranged them for the following chapter, which explains the analysis and
discussion of the results obtained.
CHAPTER IV: FINDINGS AND DISCUSSION
4.1 Introduction
The previous chapter presented the background of the hypotheses development and
the related methodology applied in the analysis. This chapter presents the demographic
profile of respondents, descriptive statistics, correlation analysis and regression model
results. The demographic profile of respondents covers public sector organisation
structure, types of auditors, structure of CIS in data processing system and style of
auditing. Descriptive measures are used for percentage of new system, size of
organisation, training and experience of auditors. Descriptive statistics are also
used to analyse hypotheses. Results are organised by hypothesis.
4.2 Demographic Analysis
The collected data showed that 31 respondents were from the federal government
division, 20 were from internal audit units of ministries and departments and 14
respondents were from the ICT division, representing 42.5, 27.4 and 19.2 percent
respectively (Table 4.1). Only 6 respondents belong to the state government division and
2 to the statutory body division. The statistics in Table 4.1 reveal that 59 percent of
the respondents are IT auditors while the remainder are general auditors. It
is also observed that approximately one-half of respondents perform audits with
the computer using software, while 37 percent conduct the audit through the
computer and 11 percent around the computer. Almost 58 percent of respondents
perform audits in decentralised data processing systems.
Table 4.1 Demographic Profile of Respondent (N=73)

| Organisations Characteristics | Category | Frequency | Percent (%) |
|---|---|---|---|
| Structure of Organisations | Federal Government Division | 31 | 42.47 |
| | Internal Audit Department of Ministries | 20 | 27.40 |
| | ICT Audit Division | 14 | 19.18 |
| | State Government Division | 6 | 8.22 |
| | Statutory Bodies Division | 2 | 2.74 |
| Types of Auditors | General Auditor | 30 | 41.1 |
| | IT Auditor | 43 | 58.9 |
| Style of Auditing | Around the Computer | 8 | 11.0 |
| | Through the Computer | 27 | 37.0 |
| | With the Computer | 38 | 52.1 |
| Structure of CIS in Data Processing | Centralised | 31 | 42.5 |
| | Decentralised | 42 | 57.5 |

| | Mean | Median | Std. Deviation |
|---|---|---|---|
| Total number of auditor in the organisation | 2.27 | 2.00 | 0.786 |
| Percentage of new computer in the organisation for past 3 years | 2.38 | 2.00 | 0.637 |
| Auditors experience in IT related auditing | 1.73 | 2.00 | 0.672 |
| Average number of IT related training in past 3 year | 1.60 | 1.00 | 0.740 |
The responding auditors' organisations have a mean of 2.27 for number of auditors
and a median of two, indicating that the majority of the respondent organisations have 10
to 29 staff. The results also indicate that 70 percent of respondents' clients have
installed a new CIS system in their organisation, which is represented by a mean of 2.38 and
a median of two. On average, the respondents have experience in IT related auditing
of between 4 and 9 years (mean of 1.73 and median of two) and they have attended IT
related training fewer than three times a year in the past 3 years (mean of 1.60 and
median of 1).
4.3 Descriptive Analysis
4.3.1 Hypothesis 1: Performance of IT Control Evaluation Activities
The first hypothesis deals with the frequency of performance of the various IT control
evaluations suggested as important by the IFAC and the variation of the evaluation
across the public sector organisations. The purpose of this hypothesis is to gather
baseline information regarding the current state of IT evaluations by public sector
auditors and its variation across the organisations.
H1 (RQ1): Malaysian public sector auditors set different levels of importance
on each of the IT control evaluation activities suggested by the IFAC and the
evaluation varies across the public sector organisations.
Table 4.2 shows the mean rating within each IT control evaluation category. From
these mean ratings (and tests of difference in means), the auditors in public sector
place the greatest weight on application processing control (ITC8) as well as data
integrity, privacy and security control (ITC5). The results are consistent with
Hermanson et al. (2000) and Abu Musa (2008). The results show that moderate
attention has been given to IT asset safeguarding control (ITC4), operating system
processing activity control (ITC7) and system development and acquisition control
(ITC1). They also show that public sector auditors place the least interest in data
recovery plan (ITC6), system maintenance and program changes control (ITC3) and
system implementation control (ITC2). Detailed descriptive statistics on the specific
IT control evaluation for each category are listed in Appendix 5.
Table 4.2 Descriptive Statistics on Types of IT Control Evaluation (N=73)

| | Types of IT Control Evaluation | Mean | Std. Deviation | No of Test | K_W Government (Sig. value) |
|---|---|---|---|---|---|
| ITC8 | Application Processing Control | 4.054795 | 0.89583 | 4 | 0.046 |
| ITC5 | Data Integrity, Privacy & Security Control | 4.002283 | 0.903736 | 6 | 0.426 |
| ITC4 | IT Asset Safeguarding Control | 3.794521 | 1.105025 | 1 | 0.005* |
| ITC7 | Operating System Processing Activity Control | 3.786693 | 0.818966 | 7 | 0.037 |
| ITC1 | System Development & Acquisition Control | 3.462329 | 1.182681 | 4 | 0.006* |
| ITC6 | DRP | 3.307241 | 1.168286 | 7 | 0.290 |
| ITC3 | System Maintenance & Program Changes Control | 3.263699 | 1.174003 | 4 | 0.005* |
| ITC2 | System Implementation Control | 3.246575 | 1.130426 | 3 | 0.060 |

*Significant With Bonferroni Correction for Multiple Comparisons, p05=0.00625
Several interviews were conducted to get more in-depth information on the results.
The respondents highlighted that application processing control and data integrity,
privacy and security control were given the highest priority because of the current
transformation of the Malaysian government into e-business. Internal control is
one of the most important elements in ensuring the reliability of government financial
statements and protecting the confidentiality of government information, which may have led
public sector auditors to give more attention to application processing control.
Besides, billions in public funds are transacted through e-business, so properly
authorised transactions are very important. Moreover, Brown (1962) indicates that
modern audit has shifted from a review of past operations to a review of the internal
control system to ensure the reasonable accuracy of financial information. The notion
of trust and security has become significant in e-business (Slyph and Bennett, 1998;
Burr et al., 2002), which requires auditors to place more concern on these
controls.
According to the results of the Kruskal-Wallis test in Appendix 6 and its summary in
Table 4.2, it appears that IT control evaluation activities do not vary across the
different organisation structures explained in section 2.1, apart from system
development & acquisition control (ITC1), system maintenance & program changes
control (ITC3) and IT asset safeguarding control (ITC4) at the significance level
p=0.00625. Auditors in internal audit units of ministries place the highest concern on
ITC3 and ITC4. Further analysis from the interviews shows that the internal audit
departments of ministries have more IT auditors than other divisions. It was argued
in the literature that IT people place greater emphasis on the system whereas
general auditors/financial auditors are more concerned with business process and
accounting (Baker, 2007).
4.3.2 Hypothesis 2: Performance of IT Audit Objectives
This study requested respondents to specify which of the four IT audit objectives
stated in the questionnaire are performed by the auditors. This hypothesis addresses
the frequency of performance of the different audit objectives suggested as important
by the IFAC and identifies any variation of performance across the public sector
organisations. The purpose of the hypothesis is to gather baseline information regarding
the current state of the audit objectives which are given attention by the auditor when
performing the IT control evaluation activities and their variation across the
organisations.
H2 (RQ2): Malaysian public sector auditors give different importance on IT
audit objectives when evaluating IT control and the performance varies across
the organisations.
Table 4.3 Descriptive Statistics on IT Audit Objectives (N=73)

| | IT Audit Objectives | Mean | Std. Deviation | K-W Government (Sig. value) |
|---|---|---|---|---|
| X2 | Evaluation of compliance with policies, procedures & regulations | 4.37 | .993 | 0.004* |
| X3 | Evaluation of internal control in CIS | 4.16 | .913 | 0.423 |
| X1 | Evaluation of efficiency, effectiveness, and economy of IT usage | 3.95 | 1.189 | 0.373 |
| X4 | Evaluation of fairness of financial statement & the accuracy & completeness of record | 3.60 | 1.115 | 0.156 |

*Significant With Bonferroni Correction for Multiple Comparisons, p05=0.0125
The statistical results in Table 4.3 show that evaluation of compliance with policies,
procedures and regulations is the most common IT audit objective when evaluating
CIS (X2, 4.37), followed by evaluation of internal control in CIS (X3, 4.16).
Evaluating efficiency, effectiveness and economy of IT usage is given moderate
attention by public sector auditors (X1, 3.95). The least attention is given to evaluating
the fairness of financial statements as well as the accuracy and completeness of
records (X4, 3.6). The audit objective related to the evaluation of compliance with
policies, procedures and regulations is given high weightage because all Malaysian
public sector organisations are strictly subject to the government circulars and
procedures on financial management of government funds. Each and every
procedure related to internal control of financial management is documented and
all government organisations have to adhere firmly to it. The results of the
Kruskal-Wallis tests in Appendix 7 and their summary in Table 4.3 disclose no
significant differences among the different divisions in the government regarding the
evaluation objectives, except for evaluation of compliance with policies, procedures
and regulations (X2) at significance level p=0.0125.
4.3.3 Hypothesis 3: Performance of Various Usage of CAATTs
The third hypothesis attends to the various usages of CAATTs by public sector
auditors. The purpose of this hypothesis is to gather basic information regarding the
current state of CAATTs usage in public sector auditing.
H3 (RQ3): Malaysian public sector auditors place different importance on the
various usages of CAATTs across the organizations.
Table 4.4 shows that public sector auditors mostly use CAATTs as a problem
solving aid (3.51) and secondly in data integrity tests (3.38). Usage of CAATTs
in system analysis and documentation is moderate (3.19). The least attention is given
to CAATTs as a program or system testing tool (3.05) and as an administrative tool (2.92).
The results of the Kruskal-Wallis tests in Appendix 8 and their summary in Table 4.4 reveal
that the usage of CAATTs did not vary across the government audit structure at
significance level p=0.01.
Table 4.4 Descriptive Statistics of Usage of CAATTs (N=73)

| Usage of CAATTs | Mean | Std. Deviation | K-W Government (Sig. value) |
|---|---|---|---|
| CAATTs as problem solving aids | 3.5068 | 1.27064 | 0.128 |
| CAATTs in data integrity testing | 3.3836 | 1.32948 | 0.482 |
| CAATTs use in system analysis and documentation | 3.1918 | 1.37090 | 0.610 |
| CAATTs use in system or program testing | 3.0548 | 1.34258 | 0.758 |
| CAATTs an administrative tool | 2.9178 | 1.26659 | 0.480 |

*Significant With Bonferroni Correction for Multiple Comparisons, p05=0.01
The result for the third hypothesis shows that CAATTs have been used most frequently as
a problem solving aid and in data integrity testing. CAATTs are a wide range of
techniques and tools to automate test procedures on internal control, evidence
gathering and data analysis. The most widely used CAATT in Malaysian public
sector auditing is ACL, one of the generalised audit software utilities. From the
interviews, the respondents indicate that ACL has been heavily used in data integrity
testing to verify the data, to prove completeness and reconciliation, to detect
duplicates, to find gaps and to re-perform calculations. ACL has also been used
for problem solving in sampling, planning tools and file interrogation tools. Braun and
Davis (2003) added that the most commonly used CAATT is ACL (generalised audit
software) because of its widespread usage, its simplicity, which requires little
specialised information knowledge, and its adaptability to a variety of environments.
The usage of CAATTs for data integrity testing is also consistent with the earlier results
on the most frequent IT control evaluation activities (i.e. application processing
control and data integrity, privacy and security control). Besides, the finding shows
that all the public sector organisations (federal government division, state
government division, statutory bodies division, ICT division and internal audit
department of ministries) pay equal attention to the usage of CAATTs in their IT
related auditing. This may be due to the expanding role of e-business in the
Malaysian government, such that auditors begin to incorporate state-of-the-art auditing
software applications in the auditing process (Braun and Davis, 2003).
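The data integrity tests the respondents describe (completeness and reconciliation, duplicate detection, gap detection and re-performed calculation) can be illustrated with a short script. This is an added example in Python, not ACL script and not material from the study; the payment records, field names and ledger control total are all constructed.

```python
"""Data integrity tests of the kind run with generalised audit software.

Added illustration: every record, field name and total below is constructed.
"""
import csv
import io
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

# Constructed extract of a payment file (hypothetical layout).
SAMPLE_CSV = """voucher_no,payee,invoice_ref,qty,unit_price,amount
1001,Alpha Supplies,INV-77,10,12.50,125.00
1002,Beta Services,INV-12,1,900.00,900.00
1003,Alpha Supplies,INV-78,4,30.00,120.00
1005,Gamma Works,INV-03,2,250.00,500.00
1006,beta services ,INV-12,1,900.00,900.00
1007,Delta Trading,INV-41,3,19.99,69.97
"""

# Constructed control total, standing in for the general ledger figure.
LEDGER_CONTROL_TOTAL = Decimal("2604.97")


def load_records(text):
    """Parse the extract; Decimal avoids float rounding on currency."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "voucher_no": int(row["voucher_no"]),
            "payee": row["payee"].strip(),
            "invoice_ref": row["invoice_ref"].strip(),
            "qty": Decimal(row["qty"]),
            "unit_price": Decimal(row["unit_price"]),
            "amount": Decimal(row["amount"]),
        })
    return records


def reconcile(records, control_total):
    """Completeness: record count and file total against the control total."""
    file_total = sum((r["amount"] for r in records), Decimal("0"))
    return {
        "records": len(records),
        "file_total": file_total,
        "control_total": control_total,
        "difference": file_total - control_total,
    }


def find_gaps(records):
    """Voucher numbers missing from the pre-numbered sequence."""
    seen = {r["voucher_no"] for r in records}
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def find_duplicates(records):
    """Vouchers sharing payee, invoice reference and amount."""
    groups = defaultdict(list)
    for r in records:
        # Normalise case so trivially different spellings still match.
        key = (r["payee"].lower(), r["invoice_ref"].upper(), r["amount"])
        groups[key].append(r["voucher_no"])
    return sorted(sorted(v) for v in groups.values() if len(v) > 1)


def reperform_amounts(records):
    """Recompute qty * unit_price and list vouchers whose amount differs."""
    exceptions = []
    for r in records:
        expected = (r["qty"] * r["unit_price"]).quantize(
            Decimal("0.01"), rounding=ROUND_HALF_UP)
        if expected != r["amount"]:
            exceptions.append((r["voucher_no"], r["amount"], expected))
    return exceptions


def run_all(text=SAMPLE_CSV, control_total=LEDGER_CONTROL_TOTAL):
    """Run the four tests and return the exceptions for follow-up."""
    records = load_records(text)
    return {
        "reconciliation": reconcile(records, control_total),
        "gaps": find_gaps(records),
        "duplicates": find_duplicates(records),
        "recalculation_exceptions": reperform_amounts(records),
    }


if __name__ == "__main__":
    for test_name, result in run_all().items():
        print(test_name, result)
```

Each test yields exceptions for the auditor to follow up rather than conclusions: a gap or a duplicate may have a legitimate explanation that only the source documents can confirm.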
4.3.4 Hypothesis 4: Relationship between IT Control Evaluations and Auditors Competencies
The fourth hypothesis identifies whether there is any significant correlation between
competencies of auditors and the IT control activities performed. The rationale of this
hypothesis is to investigate whether the performance of the IT control evaluation by
public sector auditors varies with the auditors' competencies.
H4 (RQ4): Evaluation of IT control activities is associated with Malaysian
public sector auditors' competencies in IT.
Table 4.5 Correlations Coefficient between IT Control Evaluation
Activities and Auditors Competency (N=73)

| | | Auditors Competencies: Correlation Coefficient | Auditors Competencies: Sig.(2-tailed) |
|---|---|---|---|
| ITC1 | System Development & Acquisition Control | -.001 | .994 |
| ITC2 | System Implementation Control | .058 | .625 |
| ITC3 | System Maintenance & Program Changes Control | .143 | .228 |
| ITC4 | IT Asset Safeguarding Control | .020 | .867 |
| ITC5 | Data Integrity, Privacy & Security Control | .073 | .539 |
| ITC6 | Disaster Recovery Plan (DRP) Control | .100 | .401 |
| ITC7 | Operating System Processing Control | .042 | .727 |
| ITC8 | Application Processing Control | .181 | .125 |

* Significant at the 0.05 level (2-tailed).
The result in Table 4.5 shows that there is no significant correlation between
auditor competencies and the IT control evaluation activities. However, this result
contradicts much of the literature, which
found that competencies are associated with IT control evaluations (Ratcliffe and
Munter, 2002; Pathak and Roberts, 2007; Viator and Curts, 1998). A recent study
indicated that auditors' competencies in areas related to IT auditing, especially
change control, system operations, security and continuity, ranked as low
competency, and one reason for this lower rank may be that audit positions focused
on IT in the organisation tend to be held by specialised IT auditors. With this in mind,
financial and operationally focused auditors may not see it as a priority to develop
these highly specific audit skills (Marshall and Magliozzi, 2009). As the sample for
this study consists of IT auditors who are trained to be IT specialists and general
auditors who have basic IT knowledge, there is a possibility that auditors do not
see the necessity to develop comprehensive IT skills. As technological
developments continue, auditors will need to expand their IT knowledge and skills in
order to perform effective and efficient audits. When assigning staff to an audit
engagement, it may be prudent to consider the staff members' levels of IT expertise
(with respect to the client's IT environment), in addition to their general audit
experience levels (Brazel, 2008).
4.3.5 Hypothesis 5: Organisation Characteristics and IT Control Evaluations
According to many studies, IT control evaluation activities along with their related
internal controls are also affected by the characteristics of organisations. This
hypothesis is to identify the impact of different organisational characteristics on the IT
control evaluations.
H5 (RQ5): IT control evaluations performed by Malaysian public sector
auditors vary due to different organisational characteristics.
Table 4.6 Comparison of Kruskal Wallis Tests on IT Control Evaluation Activities by
Organisation Characteristics (N=73)

| | | Type of Auditors* (Sig. value) | Size** (Sig. value) | Structure Of CIS* (Sig. value) | New System** (Sig. value) |
|---|---|---|---|---|---|
| ITC1 | System Development & Acquisition Control | .181 | .505 | .645 | .249 |
| ITC2 | System Implementation Control | .126 | .386 | .923 | .556 |
| ITC3 | System Maintenance & Program Changes Control | .098 | .097 | .114 | .722 |
| ITC4 | IT Asset Safeguarding Control | .451 | .143 | .907 | .061 |
| ITC5 | Data Integrity, Privacy & Security Control | .281 | .257 | .210 | .221 |
| ITC6 | DRP Control | .065 | .093 | .234 | .390 |
| ITC7 | Operating System Processing Control | .385 | .066 | .151 | .339 |
| ITC8 | Application Processing Control | .636 | .451 | .488 | .007* |

Significant With Bonferroni Correction for Multiple Comparisons: *p.05=0.025 ; **p.05=0.0167
The Kruskal-Wallis tests in Appendix 9 and their summary in Table 4.6 indicate that
both general auditors and IT auditors gave equal importance to all the IT control
evaluation activities at significance level p=0.025. This may be due to the organisations'
heavy emphasis on IT related auditing as a result of the e-government
implementation. Besides, the accounting records and audit evidence which are in
electronic form need to be verified and validated by all auditors. The results also
show that public sector auditors give equal attention when evaluating IT
control irrespective of the size (p=0.0167), structure of CIS in data processing
(p=0.025) and the implementation of new systems in the clients' organisations
(p=0.0167), apart from evaluation of application processing (ITC8), which indicates
that auditors place different emphasis when clients' organisations have implemented a new
system. This may be due to auditors' concern about the correctness and validity of the new
transaction flow and the need to ensure all the general and application controls are tested
accordingly.
In summary, the above results show that only application processing controls, which
score the highest in the first hypothesis, are associated with the percentage of
new systems in the organisation. From the interviews, the respondents point out that
the recent change to e-government and the implementation of the new government
accounting system have led public sector auditors to place more emphasis on
application processing control when conducting IT evaluation. Besides, some
public sector auditors were selected to become members of the steering committee of
the new system. This result is consistent with Morris and Pushkin (1995), who
stated that auditors should be involved in the development of new and complex
systems in order to ensure adequate internal control measures are in the system.
4.4 Multiple Regression Analysis
4.4.1 Hypothesis 6: Factors Contributed in the Evaluations of IT Control
Finally, hypothesis H6 is examined using the following OLS regression model.
H6 (RQ6): Audit objectives, organisational characteristics, usage of CAATTs
and auditors competencies have contributed differently in the evaluation of IT
control activities of Malaysian public sector auditors.
Before conducting the regression analysis, the variables are analysed for their
distribution. The purpose of the normality test is to determine the correct type of
statistical analysis to be employed in further examining the relationship of the
variables. Detailed results on descriptive statistics, histograms, box plots and
M-estimator tests are listed in Appendix 10. The normal plot of regression
standardised residuals for the dependent variables of the nine models indicates a
relatively normal distribution, and the scatterplots of residuals against predicted values
(Appendix 11) for all nine models show that there is no clear relationship
between the residuals and the predicted values, which is consistent with the assumption
of linearity. The correlation matrix for the nine models in Appendix 12 confirms that
there is no multicollinearity among variables since none of the variables correlates
above 0.8. In addition, there are no predictor variables that produce variance inflation
factor (VIF) greater than 10, confirming that multicollinearity is not a problem in this
study.
OLS regression models are used to address H6 for the purpose of investigating
the relationship between IT control evaluation activities (dependent variable) and the
independent variables of IT audit objectives, organisational characteristics (types of
auditors, size of organisation, structure of CIS, new system in the organisation),
usage of CAATTs and auditors' competencies. The following regression equation is
used:
$ITC_i = \beta_0 + \beta_1 X_1 + \beta_2 X_2 + \beta_3 X_3 + \beta_4 X_4 + \beta_5 X_5 + \beta_6 X_6 + \beta_7 X_7 + \beta_8 X_8 + \beta_9 X_9 + \beta_{10} X_{10} + \varepsilon$
The results of the eight models (one for each ITC) give insight into the factors
associated with differential performance of IT control evaluation activities by
Malaysian public sector auditors. The statistical results show that across the eight
individual OLS regression models, the adjusted R² varied from 16 to 53 percent,
and all eight models (one for each ITC) are significant at p=0.016. The results
suggest that the regression models appear to have important explanatory power
and support the hypothesis that the evaluations of IT control activities performed by
public sector auditors are connected to the IT audit objectives, organisational
characteristics, usage of CAATTs and the competency of auditors. The OLS
regression model summaries are listed in Appendix 13, and the summary
of correlation coefficients and their significance values is shown in Table 4.7.
Table 4.7 Summary of Multiple Regression Analysis –
Correlation Coefficient and Significant value of each Independent Variables (N=73)

| Dependent Variables | Adj. R² | Model Sig. Value | | β0 | X1 Efficiency, Effective Economy | X2 Compliance | X3 Internal Control | X4 Financial Statement | X5 CAATTs | X6 Competency | X7 Types of Auditors | X8 Size | X9 Structure of CIS | X10 New System |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ITC1 Sys. Development & Acquisition | 0.350 | 0.000 | bj | -.182 | .020 | 1.909 | 1.615 | -2.053 | .238 | -.227 | .808 | .538 | -.928 | .909 |
| | | | Sig. | .964 | .975 | .052* | .074 | .000* | .021* | .0561 | .428 | .441 | .390 | .280 |
| ITC2 Sys. Implementation | 0.166 | 0.016 | bj | .769 | .175 | .878 | .732 | -.871 | .242 | .021 | 1.138 | -.177 | -.209 | -.208 |
| | | | Sig. | .815 | .737 | .266 | .315 | .038* | .004* | .947 | .171 | .755 | .812 | .760 |
| ITC3 Sys. Maintenance & Program Change | 0.281 | 0.000 | bj | .444 | .942 | .654 | 1.469 | -2.192 | .195 | .442 | 1.591 | .610 | .023 | -.312 |
| | | | Sig. | .916 | .163 | .518 | .119 | .000* | .067 | .0278 | .137 | .403 | .984 | .721 |
| ITC4 IT Safeguarding | 0.201 | 0.006 | bj | 1.477 | .200 | -.292 | .616 | -.314 | .067 | -.005 | .641 | -.375 | .241 | -.095 |
| | | | Sig. | .163 | .231 | .246 | .010* | .020* | .013* | .958 | .017* | .041* | .390 | .663 |
| ITC5 Data integrity, privacy, security | 0.318 | 0.000 | bj | 2.597 | .947 | .799 | 1.459 | -.521 | .423 | .022 | 2.324 | .994 | 1.246 | -2.011 |
| | | | Sig. | .586 | .211 | .483 | .167 | .385 | .001* | .962 | .055 | .227 | .326 | .044* |
| ITC6 Disaster Recovery Plan | 0.344 | 0.000 | bj | 1.109 | .661 | 1.737 | 2.688 | -2.580 | .703 | .222 | 3.695 | .169 | -3.557 | -1.149 |
| | | | Sig. | .875 | .554 | .304 | .087 | .005* | .000* | .742 | .040* | .889 | .061 | .431 |
| ITC7 Operating system | 0.342 | 0.000 | bj | 5.264 | 1.702 | .900 | 1.052 | -.464 | .392 | -.137 | 1.022 | 1.816 | .723 | -2.030 |
| | | | Sig. | .289 | .033* | .447 | .336 | .456 | .002* | .773 | .411 | .036* | .583 | .051* |
| ITC8 Application processing | 0.533 | 0.000 | bj | 5.143 | .350 | .809 | 1.794 | -.619 | .261 | .298 | .451 | .389 | -.554 | -2.092 |
| | | | Sig. | .052 | .397 | .196 | .003* | .062 | .000* | .236 | .490 | .385 | .424 | .000* |
| ITC Overall (Overall ITC Evaluation) | 0.415 | 0.000 | bj | 16.621 | 4.997 | 7.394 | 11.424 | -9.613 | 2.521 | .636 | 11.669 | 3.965 | -3.016 | -6.986 |
| | | | Sig. | .507 | .209 | .218 | .041* | .003* | .000* | .791 | .066 | .357 | .650 | .179 |

*Significant at the 0.05 level (2-tailed).
ITC1 - System Development and Acquisition
The results of the study show that a number of factors are correlated, with differing
degrees of emphasis, with system development and acquisition control (ITC1). ITC1 is
positively and significantly correlated with the audit objective related to compliance
with policies, procedures and regulations (X2) and negatively and significantly
associated with the evaluation of the fairness of financial statements and the
accuracy and completeness of records (X4), at significance level p = 0.05 (Table
4.7). ITC1 is positively and significantly correlated with the usage of CAATTs (X5) in
performing the IT control evaluations. The results show that none of the
organisational characteristics (X7, X8, X9 and X10) has any association with the
system development and acquisition process.
The results are consistent with the previous finding which indicated that more auditors
are involved in evaluating the ITC1 process and that auditors also give high priority to
X3 when performing IT control evaluation activities (Hermanson et al., 2000). The
results also show that IT control evaluations related to X4 are given significantly low
attention by public sector auditors. This may also be due to the structure of public
sector organisations, which separate financial and attestation auditing from IT
related auditing in different units performed by different personnel.
Perhaps auditors only consider X4 when the evaluation is requested by
management. In addition, it may be that auditors who perform IT related
auditing are primarily concerned with the functionality of the software and that fairness
of financial statement issues are considered only after the system is up and running.
The results also indicate that auditors place more attention on using CAATTs when
performing system development and acquisition control evaluations. This might
be explained by the usage of CAATTs as system development tools. The Systematic Test and
Evaluation Process (STEP) approach could enhance auditors' participation in the
development of application systems and provide a base for ongoing system
validation (Durant, 1991).
ITC2 - System Implementation
ITC2 relates to the conversion, testing and review aspects of CIS in the organisation.
The results show a negatively significant (p=0.05) association between
system implementation control and the IT audit objective on the evaluation of fairness of
financial statements as well as accuracy and completeness of records (X4). It seems
reasonable that X4 is related to ITC2, since correctness of data conversion would
have a significant impact on the fairness of the financial statements and accuracy of
accounting records. A potential reason for the above result could be that public
sector auditors place little emphasis on this audit objective because they
only play a minimal role, as members of the steering committee
of IT projects. The results also show that usage of CAATTs (X5) has a significant
positive (p=0.05) association with system implementation controls. CAATTs have
been used heavily by public sector auditors in evaluating system implementation
controls, which may be due to the characteristics of the implementation process, which requires
auditors to verify and validate the processes. As such, the integrated test facility
(Helms, 2002) and parallel simulations can be used to validate the correctness of the
system software module (Weber, 2004).
ITC3 - System Maintenance and Program Changes
IT control evaluation activities which test system maintenance and program
change (ITC3) provide evidence that a negative significant relation exists with fairness of
financial statements as well as the accuracy of accounting records (X4) in Malaysian
public sector auditing at significance level p=0.05. However, the result is not
consistent with Abu Musa (2008), which showed a positive association between
ITC3 and X4. The usage of CAATTs (X5) has a positive significant (p=0.05)
relationship with ITC3. The above result between ITC3 and X4 could be explained by
public sector auditors placing little emphasis on X4 because the majority of system
maintenance and program changes are usually done by the IT specialists in the
clients' organisations. Further, the few public sector auditors
interviewed on their involvement in ITC3 made clear that the potential reasons for the
above result could be the lack of resources, lack of technical sophistication of
internal audit management or lack of technical strength of individual auditors.
Furthermore, the lack of qualified audit staff and the small size of many audit
departments have led to reliance on outsourcing of such services to
external professional experts (Abu Musa, 2008).
ITC4 - IT Asset Safeguarding
Asset safeguarding is fundamental to internal control, and testing in the area of IT
asset safeguarding is positively associated with X3 (internal control in CIS). In
addition, the fairness of financial statement audit objective (X4) shows a significant
negative (p=0.05) correlation with ITC4. This result supports the contention that
safeguarding electronic documents and accounting records is crucial in expressing an
opinion on the fairness of the financial statement. However, auditors pay little
attention to this objective, and this may be due to the structure of the organization, which
separates financial auditing from IT related auditing. The results also show that
types of auditors and size are significantly (p=0.05) and positively correlated with
ITC4. The Kruskal Wallis tests in Appendix 9 indicate that both general auditors and IT
auditors gave equal importance to ITC4, which may be due to the implementation of
e-government. ITC4 does not vary across the size of organization, and this result
contradicts the finding of Abu Musa (2008). Usage of CAATTs shows a positive
significant (p=0.05) association with ITC4, and this result may be due to the availability of
audit tools to verify and validate the authentication of physical access in the
organisation.
ITC5 - Data integrity, privacy and security
Although data integrity, privacy and security is the most important control that restricts
the access to computer systems, confidentiality and effectiveness of security
controls, the statistical result does not show any significant association of that
variable with any of the four IT audit objectives. However, the result reveals a
significant positive correlation between ITC5 and new systems and usage of CAATTs
at significance level p=0.05. Auditors pay equal attention to each new system in
the organisation when they perform ITC5, and this may be due to the initial testing of
new systems to ensure that valid and reliable data is produced by the system as well as
to certify that the data is protected from intruders and hackers. The availability of
CAATTs such as integrated test facility and generalised audit software in the market
to evaluate the integrity and security of data has led auditors to give more
emphasis to the usage of CAATTs when evaluating ITC5.
ITC6 - Disaster Recovery Plan (DRP) Control
DRP is a significant part of the internal control environment (Ivancevich et al., 1998);
therefore, an organisation may not be able to resume business if the CIS is not working. The
statistical results show that evaluation of the fairness of financial statement and the
accuracy as well as completeness of accounting record (X4) is significantly and
negatively associated with ITC6 at significance level p=0.05. DRP control is also
associated with types of auditor and the usage of CAATTs at p=0.05. Public sector
auditors place equal attention when performing ITC5 because the organization
cannot conduct business if the CIS is not functioning (Ivancevich et al., 1998).
CAATTs have also been given emphasis when evaluating DRP control because these
audit tools enable the auditors to analyse and find any invalid and incomplete
accounting records due to business interruptions.
ITC7 - Operating System
Operating system control evaluation activities are significantly and positively associated
with the IT audit objective on the evaluation of efficiency, effectiveness and economy of
IT usage (X1) at significance level p=0.05. This result is surprisingly in conflict with the
finding by Hermanson et al. (2000), which indicated ITC7 is the weakest model (R2 =
25 percent) and not related to any of the audit objectives. However, it is in line with the
study of Abu Musa (2008), which found X1 is significantly related to ITC7. With
respect to organisational characteristics, this study shows there is a significant
positive relationship between ITC7 and the size of organisation, new system and the
usage of CAATTs at p=0.05. However, public sector auditors place equal attention
when performing IT evaluation irrespective of the organization characteristic. These
results appear reasonable in light of the more technical nature of this area
(Hermanson et al., 2000).
ITC8 - Application Processing
The model for ITC8 has the most explanatory power (Adjusted R2 = 53.3 percent)
and ITC8 is positively and significantly associated with the audit objective on internal
control (X3) at the significance level p=0.05. These results are perhaps due to the efforts
to ensure all application risks related to reliability and integrity of information are
mitigated effectively. It is also observed that new system has a significant and positive
relation with ITC8 and auditors place different consideration on the evaluation when
the client organization has implemented a new system. This result may be due to greater
concern about the reliability of the new system. ITC8 is also significantly and positively
related to the usage of CAATTs in performing the evaluation activities. Concurrent
CAATTs such as embedded audit modules and system control review file (SCARF)
may be used to examine transaction flows and to identify unauthorized and invalid
transactions (Wells, 2001).
ITC Overall – Overall Model
As an extension of the study by Hermanson et al. (2000), this study further analyses the
overall model of IT control evaluation activities. This model is aimed at determining
which predictors give the most significant contribution to the IT control evaluation
activities performed by public sector auditors. The overall regression model appears
to have substantial explanatory power (Adjusted R2 = 41.5 percent) and the model is
significant at p=0.000. The statistical results provide strong evidence that the overall
regression model (ITC_Overall) is significantly (p=0.05) and positively related to
the internal control audit objective (X3). In contrast, the results reveal a negative
significant association between ITC_Overall and the audit objective on fairness of
financial statement (X4) at the significance level p=0.05. The results also reveal that
the overall control evaluation is not associated with any of the organisational
characteristics (X7, X8, X9, and X10) and that ITC_Overall is positively associated with
usage of CAATTs. The findings indicate that public sector auditors pay least
attention to the audit objectives of financial statement when performing the
evaluation. This may be explained by the structure of the public sector audit
organisation, which segregates the IT related audit from financial and attestation audit.
This particular finding was further probed by conducting interviews, and the results
indicate that public sector auditors who conduct IT related auditing are also
involved in the financial and attestation audit upon instruction from the
management. Audit objectives related to internal control and financial statement have
the most contribution in the IT control evaluations in public sector organisations, and this
may be due to the emphasis given by the management to managing public funds
efficiently and to ensuring that the information given to the public is accurate and
reliable. The usage of CAATTs has also made a significant contribution to IT evaluations.
This result is in line with the early and heavy usage of ACL since 1980 by public sector
auditors in performing the audit and its simplicity as well as various usage of CAATTs
(Braun and Davis, 2003).
4.5 Summary
The current chapter presents the results of analyses that were done by the auditors
in order to fulfil the objectives of the study. The first objective, to investigate the IT
control evaluation activities performed by the public sector auditors across
organizations, is achieved. Public sector auditors performed differently on IT control
evaluations and three IT controls vary across the organizations. The second objective, to
explore the IT audit objectives performed by public sector auditors across the
organization, is met. Audit objectives related to IT controls are given different
consideration and only one audit objective is performed differently across the
organisations. The third objective, to study the various usages of CAATTs by public
sector auditors, is reached. Public sector auditors gave different consideration to the
various usages of CAATTs and the usages do not vary across the organisations.
The fourth objective, to explore whether IT control evaluations are associated with auditors'
competencies in IT, is attained. IT controls are not associated with auditors'
competencies. The fifth objective, to examine whether the IT control evaluations
performed by public sector auditors vary based on organisational characteristics, is
accomplished. Most of the IT control evaluations do not vary across the
organizations' characteristics and only one IT control varies according to percentage of
new system. Finally, the sixth objective, to investigate whether audit objectives,
organisational characteristics, usage of CAATTs and competencies of auditors have
different contribution to the IT evaluations performed by public sector auditors, is
achieved. Different factors contribute differently to IT control evaluation
activities performed by public sector auditors.
CHAPTER V: CONCLUSION AND RECOMMENDATIONS
5.1 Introduction
This final chapter has been written by the author with the main objective of providing
some implications of this study to the readers. However, before commencing on the
implications, a summary and conclusion of the research findings are presented to
clarify and integrate the main findings yielded in the previous chapter. The
summary section briefly details the salient points that are deemed important for the
understanding of the topic of study. Finally, the implications have been developed
based on the results obtained from the analysis.
5.2 Summary and Conclusion
In summary, the current exploratory research signifies an initial move in addressing
the main IT control evaluation activities performed by the Malaysian public sector
auditors. This study provides evidence on the current performance of IT control
evaluation activities, audit objectives and usage of CAATTs. It also presents an
indication of the relation between IT control evaluation and audit objectives,
organisational characteristics, usage of CAATTs and competencies of auditors. It
appears that the most frequently performed IT control evaluations are application
processing control and data integrity, privacy and security control. System
maintenance and program change control and system implementation control are
given least attention. It is observed that public sector auditors in different divisions
performed evaluation differently on system development and acquisition control as
well as system maintenance and program change control and IT asset safeguarding.
The IT audit objective related to compliance with policies, procedures and regulation is
given higher consideration while the objective related to fairness of financial statement
and accuracy of accounting record is given lower consideration during the IT control
evaluations. Public sector auditors in different divisions performed differently when
evaluating the audit objective related to compliance. Malaysian public sector auditors
frequently used CAATTs as problem solving aids and infrequently used CAATTs as an
administrative tool. Furthermore, the usage of CAATTs did not vary across the
divisions. The study also points out that IT control evaluations are not associated with
public sector auditors' competencies. IT control evaluations performed by public
sector auditors are not affected by organisation characteristics except for application
processing control, which varies according to the new system in the client organisation.
Several appealing patterns emerge from the eight regression models (one for each
ITC). First, audit objectives related to fairness of financial statements and accuracy
of accounting records appear to have the greatest association with the area of
evaluation identified by IFAC. Public sector auditors with fairness of financial
statement objectives are more likely to perform evaluation in five out of the eight
control evaluations. Second, the usage of CAATTs appears to have the strongest
association with the IT control evaluation activities. Public sector auditors mostly
used CAATTs in evaluating seven out of eight IT control evaluations. Third, the
existence of new systems may play a role in public sector auditors' evaluations.
There is some evidence in three out of eight IT control evaluations that testing is more
extensive when new computerised systems are involved. Fourth, auditors'
competencies and structure of CIS do not have any association with the IT control
evaluation. Finally, audit objectives related to compliance, efficiency, effectiveness
and economy of IT use, internal control as well as types of auditors and size of the
organisation only have minimal impact on the IT control evaluations. These factors
only appear to significantly affect one or two out of eight IT evaluation activities.
5.3 Limitation of the Study
The responses from the respective samples were relatively small, while obtaining the
mail feedback within the limited time frame delayed the statistical process. The
respondents' resource allocation duly depends on the divisions and structure of the
organizations. As such, the comparability and generalisability may differ from the
overall perceptions.
5.4 Recommendations and Suggestions for Future Research
The study revealed that public sector auditors are currently concentrating on application
processing and data integrity control when evaluating IT controls. This may be due to
the small number of IT specialists in the public sector organizations and because the
majority of the auditors are trained to be IT auditors. As such, auditors did not have the
detailed knowledge to perform system related controls. Thus, the public sector
auditors tend to concentrate more on the traditional evaluation in respect of the
internal control and the process flow of the transactions. The role of IT audit in the
public sector organizations was largely just to add support to the financial and
performance audit. Therefore, it is suggested that public sector organisations should
emphasize and expand the IT audit teams. Besides, public sector organizations
should recruit more audit personnel with IT background in order to perform more
evaluations on system related controls. Various usages of CAATTs have played an
important role in IT control evaluation. Public sector auditors need to acquire IT
auditing tools and techniques which may enhance the understanding and efficient
utilisation of audit resources.
It is suggested that further studies should be undertaken on Malaysian private sector
auditors to investigate the current pattern of the IT control evaluation activities.
Besides, future researchers should also further investigate why public sector auditors
seem to be performing less work relating to system implementation control, system
maintenance & program changes control, and IT asset safeguarding. It is also
recommended to investigate whether usages of CAATTs and auditor competency
have acted as mediator or moderator in IT control evaluation activities.
5.5 Implications
This study contributes an understanding of the IT control evaluation activities of the
Malaysian public sector auditors. This study enables auditors to better understand
the internal control evaluation activities of their CIS, to give more attention to
evaluation activities which have been overlooked by the auditors, and to improve
the IT evaluation procedures. Besides, the results of the study will enable policy
makers to incorporate the role of IT auditors (specialists) in the implementation of
IT projects to ensure all related controls and risks are given adequate attention. It
may be prudent for organisations to consider the combined capabilities of IT auditors
and general auditors when assigning them to engagements with complex CIS
environments. In addition, this study contributes to the literature by exploring the
factors of audit objectives, organisation characteristics, usage of CAATTs and
auditors' competency on the IT control evaluation activities.
Finally, IT has become a critical component of an organisation. As society
demands continued improvement in business processes, largely to enhance future
business capacity, IT will continue to be thoroughly scrutinised. As such, all
auditors will potentially incur increased responsibilities, and auditors must continually
develop, maintain and evaluate all appropriate IT controls.
6 REFERENCES
Abu-Musa, A.A. (2008). Information technology and its implications for internal auditing: An empirical study of Saudi Organisation. Managerial Auditing Journal, 23 (5), 438-466.
Attaway, M.C. Sr (2000). What every auditor needs to know about e-business. The Internal Auditor, 57(3), 56-60.
Bagranoff, N. and Vendrzyk, V. (2000). The changing role of IS audit among the big five accounting firms. Information Systems Control Journal, 5, 33-7.
Baldwin, A. A., Brown, C.E. and Trinkle, B.S. (2006). XBRL: An impacts framework and research challenge. Journal of Emerging Technologies in Accounting (3): 97-116.
Becker T. (1998). Governance and electronic innovation: A clash of paradigms. Information, Communication & Society Journal, 1(3), 339-343.
Bedard, J. C., and Biggs S. (1991). Pattern recognition, hypotheses generation, and auditor performance in an analytical task. The Accounting Review, 66 (3), 622-642.
Bedard, J., Ettredge M., Jackson C. and Johnstone K. (2003). The effect of training on auditors' acceptance of an electronic work system. International Journal of Accounting Information Systems, 4, 227-250.
Biermann, E., Cloete, E. and Venter, L.M. (2001). A comparison of intrusion detection system. Computers and Security, 20(8), 676-83.
Bocu, P., Chaffey, D., Greasley, A. and Hickie, S. (1999), Business Information Systems, Technology, Development and Management. Financial Times Pitman, London.
Braun, R.L. and Davis, H.E. (2003). Computer-assisted audit tools and techniques: analysis and perspectives. Managerial Auditing Journal, 18 (9), 725-731.
Brazel, J. F., and Agoglia, C.P. (2005). An examination of auditor planning judgments in a complex AIS environment: The moderating role of auditor AIS expertise. Working paper, North Carolina State University.
Brazel, J.F. (Nov, 2008). How do financial statement auditors and IT auditors work together? The CPA Journal, 78(11), 38-42.
Brown, R.G.(1962). Changing audit objectives and techniques. The Accounting Review, 37 (4): 696-703.
Buckstein, J. (2001). The impact of e-business and electronic service delivery on Canada’s federal government. CGA Discussion Paper, Ottawa, retrieved from www.cga-canada.org/eng/news/_Product/ca_rep_2001-10_e-business.pdf
Burr, T., Gandara M., and Robinson K. (October, 2002). E-business: Auditing the rage. The Internal Auditor, 59(5), 49-55.
Burton, R.N. (2000). Discussion of information technology-related activities of internal auditors. Journal of Information Systems,14(1), 57-60, Supplement.
Carmichael, D.R. (2004). The PCAOB and the social responsibility of independent auditor. Accounting Horizons, 18, 12-133.
Chan, S. (1992). Establishing reliability in EDI environment. The EDP Auditor Journal, II, 47-51.
Chan, S., Govindan, M., Picard, J.Y. and Leschiutta, E. (1993). EDI for managers and auditors, 2nd ed. The Canadian Institute of Chartered Accountant, Canada.
Chaney, C. and Kim, G. (August, 2007). The Integrated Auditor. The Internal Auditor, 64 (4), 46-52.
Chang, S-I., Wu, C-C. and Chang, I-C. (2008). The development of computer auditing system sufficient for Sarbanes-Oxley section 404 – A study on the purchasing and expenditure cycle of the ERP system. Information System Management, 25(3), 211-229.
Coderre, G.D. (1999). Fraud Detection: Using Data Analysis Techniques to Detect Fraud. Vancouver: Global Audit Publications (GAP).
Colbert, J., and Bowen, P. (1996). A comparison of internal controls: COBIT, SAC, COSO and SAS 55/78. IS Audit & Control Journal, 4, 26-35.
Curtis, G. and Cobham, D. (2002), Business Information Systems: Analysis, Design, and Practice. Financial Times/Prentice-Hall, Hemel Hempstead.
Davison, R.M., Wagner, C. and Ma, L.C.K. (2005). From government to e-government: a transition model. Information Technology & People, 18, (3), 280-299.
Durant, J. E. (February, 1991). Applying systematic testing to application development audits. The Internal Auditor, 38-44. Retrieved March 14, 2009 from http://findarticles.com/p/articles/mi_m4153/is_n1_v48/ai_10380967
Ellison, A. (2003). 18th commonwealth auditors general conference. International Journal of Government Auditing. Retrieved January 31, 2009 from http://www.intosaijournal.org/congressesandconferences/congresscommonwealthb.html
Gengler, B. (2002). Intrusion detection system new to market. Computers Fraud and Security, 5, 4.
Glover, S. and Romney, M. (August, 1997). Software – 20 hot trends. The Internal Auditor, 54, 28-35.
Hall, J. (2000). Information Systems Auditing and Assurance (1 ed.). South-Western College Publishing, Mason, OH.
Hansen, J. and Hill, N.C. (1989). Control and audit of electronic data interchange. MIS Quarterly, 13, 403-413.
Hass, S., Abdolmohammadi, M.J. and Burnaby, P. (2006). The Americas literature review on internal auditing. Managerial Auditing Journal, 21(8), 835-844.
Hazman S. A. and Maniam K. (2004). Development of E-government in Malaysia: The role of leadership and organisational efficacy. Unpublished research report, Institute of Research, Development and Commercialisation, Universiti Teknologi MARA, Malaysia.
Hazman S.A., Jalil A., Maniam K. and Naqiyuddin A. (2004). E-government in evolution: An evaluative survey of government websites in Malaysia. Unpublished research report, Institute of Research, Development and Commercialisation, Universiti Teknologi MARA, Malaysia.
Head, K. (2002). Implementing data analysis and extraction tools such as ACL. University of South Florida. Retrieved August 30, 2008 from http://tampabayiia.org/Worddocs/Implementing_data_analysis_tools.doc
Heffley, J. and Meunier, P. (2004). Proceeding of the 37th Hawaii International Conference on System Sciences, HICSS, Hawaii.
Helms, G.L. (April, 2002). Traditional and emerging methods of electronic commerce. The CPA Journal, 72(11), 26-30.
Hermanson, D.R., Hill, M., and Ivancevich, D.M. (2000). Information technology-related activities of internal auditor. Journal of Information Systems, 14(1), 39. Retrieved July 20, 2008, from Business Source Premier database.
Hespenheide, E. (Feb/Mac, 2006). Optimising the role of internal audit in the Sarbanes-Oxley era. Corporate Finance Review,10(4). Retrieved November 23, 2008 from ABI/INFORM Global database.
Hunton, J. E., Wright, A.M. and Wright, S. (2004). Are financial auditors overconfident in their ability to assess risks associated with enterprise resource planning systems? Journal of Information Systems, 18 (2), 7–28.
Hunton, J.E., Benford, T., Arnold, V. and Sutton, S. (2000). The impact of electronic commerce assurance on financial analysts’ earnings forecasts and stock price estimates. Auditing: A Journal of Practice & Theory, 19, 5-23.
Hussain, K.M. and Hussain, D. (1997), Information Technology Management. Butterworth Heinemann, Oxford.
INTOSAI Working Group on IT Audit. Information Technology Audit: General Principles(IT audit monograph series 1). Retrieved on January 28, 2008 from http://www.intosaiitaudit.org/India_GeneralPrinciples.pdf.
ISACA, (1998). Review Technical Information Manual. USA: Information Systems and Control Association.
Ivancevich, D. M., Hermanson, D. R., and Smith, L. M. (1998). The association of perceived disaster recovery plan strength with organisational characteristics. Journal of Information Systems, 12(1), 31-40.
Jackson, C. (2000). Discussion of information technology-related activities of internal auditors. Journal of Information Systems 14(1), 55-6, Supplement.
Jamieson, R. (1994). EDI – an Audit Approach. Monograph Series, The EDP Auditors Foundation Inc. USA.
Janvrin, D., Bierstaker, J. and Lowe, D.J. (Mar, 2008). An examination of audit information technology use and perceived importance. Accounting Horizons, Sarasota, 22 (1), 1-21.
Kalaba, L.A. (2002). The benefits of CAAT. IT Audit, 5.
Karnes, A., King, J. and Welker, R. (April, 1992). GASS and the small business audit: Ten years later. The CPA Journal 34-40.
Laudon, K.C. and Laudon, J.P. (1998), Management Information Systems. PrenticeHall, Englewood Cliffs, NJ.
Le Grand, C.H. (2005). Information Technology Controls. Altamonte Springs FL: The Institute of Internal Auditors Research Foundation.
Louis, S., Carvalho, L., Jeffrey, R., D’Ambra, J. and Becker-Kornstaedt, U. (2002). Understanding the use of an electronic process guide. Information and Software Technology, 44(10), 601.
Maguire, S. (2002). Identifying risks during information system development: Managing the process. Information Management & Computer Security, 10(2/3), 126. Retrieved June 4, 2009, from ABI/INFORM Global database.
Malaysian Administrative Modernisation and Manpower Planning Unit (2003). Malaysian Public Sector ICT Strategic Plan. Retrieved November 27, 2008 from http://www.mampu.gov.my/mampu/pdf/ISPlan/ispdoc/ICT%20Strategic%20Plan%20(ISP)%20Guidelines.pdf
Marche, S. and McNiven, J.D., (2003). E-government and governance: the future isn’t what is used to be. Canadian Journal of Administrative Science, 20(1), 74-86.
Marshall, R. and Magliozzi, R. (Feb/March, 2009). The changing landscape for internal auditors in financial institutions. Bank Accounting and Finance.
Meredith, M. and Akers, M.D. (Jan/Feb, 2003). Internal audit’s role in systems development: the CEO’s perspective. Internal Auditing, 18 (1), 35-39.
Messier, W.F. (1997). Auditing: A Systematic Approach. New York: McGraw-Hill.
Moon, M.J. (2002). The evolution of e-Government among municipalities: rhetoric or reality? Public Administration Review, 62(4), 424-433.
Morris, B., and Pushkin, A. (1995). Determinants of information systems audit involvement in EDI systems development. Journal of Information Systems, 9(2), 111-128.
National Audit Academy of Malaysia. Training Program. Retrieved March 30, 2009 from http://www.akademi.audit.gov.my/website/index.php?q=en/MTCP_Course
National Audit Department of Malaysia (2007). Emerging issues and global challenges in the public sector audit in the 21st century - Malaysian perspective. Proceeding of the Seminar on Public Sector Audit, Jakarta, Indonesia. Retrieved January 29, 2009 from http://www.audit.gov.my/xboer/upload/kertas02.pdf
National Audit Department of Malaysia (2008). Performance management of National Audit Department of Malaysia. Proceeding of the 20th Commonwealth Auditors General Conference, Hamilton, Bermuda. Retrieved January 29, 2009 from http://www.audit.gov.my/xboer/upload/kertas01.pdf
National Audit Department of Malaysia. (2002). ICT Audit Manual.
Nearon, B.H. (December, 2000). Auditing e-business. The CPA Journal, 70(11), 22-7.
Neil Baker (August, 2007). Internal auditing & business risk. Internal Auditor.
Nikoloyuk, G.M., Marche, S. and McNiven, J. (2005). E-commerce impact on Canadian public sector audit practice. International Journal of Public Sector Management, 18(1), 83-95.
O'Donnell, J.B., and Rechtman, Y. (Jul, 2005). Navigating the standards for information technology controls. The CPA Journal, 75(7), 64.
Pathak, J. (Jan, 2004). Internal audit and corporate governance: A program for information security. EDPACS, 3(7), 1-7.
Pathak, J. (Mar/April, 2003). Internal audit and e-commerce controls. Internal Auditing, 18 (2), 30-4.
Pathak, J. and Baldwin, A.A. (2009). Audit resource planning success in B2B E-commerce: Development and testing of a measurement scale. Information Systems Management, 25: 230–243.
Pathak, J. and Roberts, T. (May/Jun, 2007). E-commerce information system auditing and control issues. Internal Auditing, 22(3). Retrieved from ABI/INFORM Global.
Pentland, B.T. (2000). Will auditors take over the world? Program, technique and the verification of everything. Accounting, Organisations and Society, 25(3), 307-12.
Petterson, M. (2005). The key to effective IT auditing. The Journal of Corporate Accounting & Finance,16(5), 41-47.
Phelps, D. and Milne, K. (2008). Leveraging IT Control To Improve Organisational Performance. Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation.
Power, W.J. and Carner, T. (1990). EDI: Control and audit issue. The EDP Auditor Journal, I, 25-30.
Ratcliffe, T.A. and Munter, P. (April, 2002). Information technology, internal control, and financial statement audits. The CPA Journal, 72(4), 40. Retrieved from ABI/INFORM Global.
Rezaee, Z., and Reinstein (1998). The impact of emerging information technology on auditing. Managerial Auditing Journal, 13(8), 465–471.
Rishel, T.D. and Ivancevich, S.H. (2003). Additional opportunities for internal auditors in IT implementations. Internal Auditing, 18(2), 35-9.
Ryrie, T. (1994). Paper Less. Charter, February, 28-29.
Saunders, M., Lewis, P. and Thornhill, A. (1997). Research Methods for Business Students. London: Pitman Publishing.
Slyph, J. and Bennett, C. (1998). The trust business: assurance services and e-commerce. Australian Accountant, 68(2), 43-4.
Snell, S., (1992). Control theory in strategic human resource management: The mediating effect of administrative information. Academy of Management Journal, 35, 292-327.
Solomon, I., and Trotman, K. (2003). Experimental judgment and decision research in auditing: The first 25 years of AOS. Accounting, Organisations and Society, 28, 395-412.
Sutton, S. and Hampton, C. (2003). Risk assessment in an extended enterprise environment: redefining the audit model. International Journal of Accounting Information Systems, 4(1), 37-73.
Tongren J., Warigon, S. (1997). A preliminary survey of COBIT Use. EDP Audit, Control and Security Newsletter.
Tucker, G.H. (2001). IT and the audit. Journal of Accountancy, 192(3), 41. Retrieved from ABI/INFORM Global database.
Vatanasakdakul, S. and Cooper, J. (2002). The implications of e-business on control assurance services. Proceeding from the 7th Collaborative Electronic Commerce Technology and Research (CollECTeR) Conference on Electronic Commerce, Melbourne, Australia. Retrieved January 28, 2008 from http://www.collecter.org/archives/2002_December/06.pdf
Viator, R.E., and Curtis, M.B. (1998). Computer auditor reliance on automated and non-automated controls as a function of training and experience. Journal of Information System, Spring, 19-30.
Ward, P. and Smith, C.L. (2002). The development of access control policies for information technology systems. Computers & Security, 21 (4), 356-71.
Warren, J., Edelson, L., Parker, X. and Thrun, R. (1998). Handbook of IT Auditing. New York, NY: Warren, Gorham & Lamont.
Webb, R.D. (1979). Audit planning - EDP consideration. Journal of Accountancy (pre-1986), 65. Retrieved from ABI/INFORM Global.
Weber, R. (2004). Information Systems Control and Audit. Englewood Cliffs, NJ: Prentice-Hall.
Weiner, S. (1995). Business risk, internal control, audit implications of EDI. The CPA Journal, 65, 56-61.
Wells, J.T. (2001). And nothing but the truth, uncovering fraudulent disclosures. Journal of Accountancy, 192(7), 47-52.
Wu, R. C. (1992). The information systems auditor's review of the systems development process and its impact on software maintenance costs. Journal of Information Systems, 6(1), 1-13.
Wyle, Dave. (December, 2000). Paperless engagement systems give your firm big five efficiency. The Free Library. Retrieved July 15, 2008 from http://www.thefreelibrary.com/Paperless Engagement Systems Give Your Firm Big Five Efficiency-a067886962.
Yang, D.C. and Guan, L. (2004). The evolution of IT auditing and internal control standards in financial statement audits :The case of the United States. Managerial Auditing Journal, 19(4), 544-555.
Zhao, N., Yen, D.C. and Chang, I-C. (2004). Auditing in the e-commerce era. Information Management & Computer Security, 12(5), 389-399.
Zwass, V. (1997), Foundations of Information Systems. Irwin McGraw-Hill, Middleton, WI.
APPENDICES
APPENDIX 1
A Comparison of Recent IT Control Related Documents
APPENDIX 2
COVER LETTER FROM AUDITOR GENERAL OF MALAYSIA
Dear Sir,
I am examining the usage and assessment of IT Control Evaluation Activities by Malaysian
public sector auditors as a part of my MBA programme thesis requirement at University
Malaya Kuala Lumpur.
This study is designed:
• to provide audit directors with an overview of departments' approaches to auditing
Computerized Information System;
• to provide information on the extent to which auditors have adopted and have used IT
control evaluation activities, and to analyze areas where IT control evaluations are not
currently used;
• to examine whether the IT control evaluation activities performed by auditors vary
based on audit objectives or organizational characteristics, training; and
• to grant an overview on the usage of CAATTs in audit department
Please take approximately 15 minutes to complete the enclosed questionnaire. You have our
personal and professional assurance that all responses will remain anonymous. No results will
be attributed to any particular organization.
I would very much appreciate your kind assistance with this research. Your response is very
important to the study, and I thank you in advance for your participation.
Sincerely,
Farida Binti Veerankutty
UNIVERSITY OF MALAYA
Graduate School of Business
Master of Business Administration
Section A – Evaluation Objectives
As your audit department evaluates computerized information system, what are the primary (most common) objectives of your evaluation? Please rate the four possible objectives below.
No. | Evaluation Objectives | Rarely Done (1) | Occasionally Done (2) | Frequently Done (3) | Often Done (4) | Always Done (5)
1. Evaluation of efficiency / effectiveness / economy of IT usage
2. Evaluation of compliance with policies, procedures, and regulations
3. Evaluation of internal control in computer based system
4. Evaluation of fairness of financial statement representations and the accuracy and completeness of computerized accounting record
Section B – Types of IT Control Evaluation Activities
Evaluation of computerized information system (CIS) can involve a number of specific tests. Please rate based on the frequency in performing the following evaluation and test.
No. | Types of IT Control Evaluation Activities | Rarely Done (1) | Occasionally Done (2) | Frequently Done (3) | Often Done (4) | Always Done (5)
1. System Development and Acquisition
a. I evaluate the acquisition/development standards and method
b. I test the compliance of development method to standards
c. I evaluate the acquisition / development control
d. I evaluate technology related to system development
2. System Implementation
a. I evaluate the user acceptance testing methodologies
b. I evaluate the system conversion methodologies
c. I evaluate post implementation review practices
3. System Maintenance and Program Changes
a. I evaluate standards related to system maintenance and program change
b. I evaluate the control of system maintenance and program change
c. I test the control of system maintenance and program change
d. I test the production library security and its control
4. IT Asset Safeguarding
I evaluate the activities related to facilities management and IT asset safeguarding
5. Data Integrity, Privacy and Security
a. I try to understand data protection legislation, if applicable
b. I give consideration to personnel issues and confidentiality
c. I evaluate the applicable security standards and procedures
d. I evaluate the physical and logical access controls and security
e. I test the compliance to security standards and policies
f. I test the effectiveness of the control
6. Disaster Recovery Planning
a. I evaluate the threat and risk management method
b. I evaluate software and data backup techniques
c. I evaluate the alternate processing facility arrangements
d. I evaluate the disaster recovery plan, testing and documentation
e. I evaluate the integration of IS plan with user department plans
f. I test the compliance of recovery procedures to standards
7. Operating System Processing Activities
a. I evaluate the operating activities
b. I evaluate the performance monitoring activities
c. I evaluate the control over productivity and service quality
d. I evaluate the technologies used to automate Information System operation
e. I test the compliance to operational policies
f. I test the effectiveness of general controls
g. I test performance achievement
8. Application Processing
a. I identify the transaction flow
b. I evaluate the strength and weaknesses of the application
c. I test the controls within the application
d. I integrate the evaluation of application control and general controls
Section C – Usage of Computer-Assisted Audit Tools & Technique
CAATTs are a wide range of techniques and tools to automate the test procedures for evaluating control, obtaining evidence and data analysis. Examples of CAATTs are audit software such as Audit Command Language (ACL), Interactive Data Extraction Analysis (IDEA), Structured Query Language (SQL) and electronic working paper (eSPP).
Please rate the extent to which you use the following techniques.
No. | Usage of Computer-Assisted Audit Tools & Technique (CAATTs) | Rarely Done (1) | Occasionally Done (2) | Frequently Done (3) | Often Done (4) | Always Done (5)
1. I use CAATTs in system analysis and documentation
- e.g. flowcharting packages, review of program logic
2. I use CAATTs in system/program testing
- e.g. test data, integrated test facility, parallel simulation
3. I use CAATTs in data integrity testing
- e.g. generalized audit software utilities
4. I use CAATTs as problem-solving aids
- e.g. spreadsheet, database, on-line databases
5. I use CAATTs as administrative aids
- e.g. word processing, audit program generator, automated working paper
Section D – Organisation Background
Please tick the box that best describes your audit department.
1. Is the evaluation of computerized information system usually performed:
Only by IT auditors / computer audit specialist
By general / internal auditor
2. Is your organization's typical style to audit primarily:
Around the computer
Through the computer
With the computer
3. Department Demographic
a. Types of Government Organisation
Federal Division
State Division
ICT Division
Statutory Body Division
Others : Specify
b. Size of Department /Number of Auditor :
More than 30
Between 29 to 10
Less than 10
4. Structure of Computerized Information System
a. What type of data processing does your client department have?
Centralized
Decentralized
b. What is the percentage of new computer system in your client's department for the past 3 years?
More than 70%
Between 69% to 30%
Less than 30%
c. What is the percentage of computer system in the department which is outdated?
More than 70%
Between 69% to 30%
Less than 30%
Section E – Training and Education
Please tick the box that best describes your audit department.
1. Auditor’s experience in IT related auditing:
More than 10 years
Between 9 to 4 years
Less than 4 years
2. Average number of IT related training in past 3 years :
More than 6 times a year
Between 5 to 3 times a year
Less than 3 times a year
THANK YOU VERY MUCH FOR PARTICIPATING IN THIS STUDY:
Please return the questionnaire in the reply envelope or email it to:
Farida Binti Veerankutty Email: [email protected] Contact Number : 017-2565055
No.10, Jalan Suadamai 11/4, Bandar Tun Hussien Onn 43200 Cheras, Selangor
APPENDIX 3
Comparing Early and Late Response of Sample of Study: Mann-Whitney Test
Ranks
Variable | Early_late | N | Mean Rank | Sum of Ranks
Usage of Computer Assisted Audit Tools & Techniques | early | 10 | 9.85 | 98.50
 | late | 10 | 11.15 | 111.50
Application Processing Control | early | 10 | 12.80 | 128.00
 | late | 10 | 8.20 | 82.00
Operating System Processing Activity Control | early | 10 | 12.45 | 124.50
 | late | 10 | 8.55 | 85.50
DRP | early | 10 | 11.90 | 119.00
 | late | 10 | 9.10 | 91.00
Data Integrity, Privacy & Security Control | early | 10 | 11.40 | 114.00
 | late | 10 | 9.60 | 96.00
IT Asset Safeguarding Control | early | 10 | 13.75 | 137.50
 | late | 10 | 7.25 | 72.50
System Maintenance & Program Changes Control | early | 10 | 12.25 | 122.50
 | late | 10 | 8.75 | 87.50
System Implementation Control | early | 10 | 11.55 | 115.50
 | late | 10 | 9.45 | 94.50
System Development & Acquisition Control | early | 10 | 11.25 | 112.50
 | late | 10 | 9.75 | 97.50
Auditors Competency | early | 10 | 11.95 | 119.50
 | late | 10 | 9.05 | 90.50
Evaluation of efficiency, effectiveness, and economy of IT usage | early | 10 | 10.20 | 102.00
 | late | 10 | 10.80 | 108.00
Evaluation of compliance with policies, procedures & regulations | early | 10 | 10.00 | 100.00
 | late | 10 | 11.00 | 110.00
Evaluation of internal control in CIS | early | 10 | 11.00 | 110.00
 | late | 10 | 10.00 | 100.00
Evaluation of fairness of financial statement & the accuracy & completeness of record | early | 10 | 9.50 | 95.00
Test Statistics (b)
Variable | Mann-Whitney U | Wilcoxon W | Z | Asymp. Sig. (2-tailed) | Exact Sig. [2*(1-tailed Sig.)]
Usage of Computer Assisted Audit Tools & Techniques | 43.500 | 98.500 | -.495 | .620 | .631(a)
Application Processing Control | 27.000 | 82.000 | -1.760 | .078 | .089(a)
Operating System Processing Activity Control | 30.500 | 85.500 | -1.495 | .135 | .143(a)
DRP | 36.000 | 91.000 | -1.068 | .285 | .315(a)
Data Integrity, Privacy & Security Control | 41.000 | 96.000 | -.684 | .494 | .529(a)
IT Asset Safeguarding Control | 17.500 | 72.500 | -2.619 | .009 | .011(a)
System Maintenance & Program Changes Control | 32.500 | 87.500 | -1.344 | .179 | .190(a)
System Implementation Control | 39.500 | 94.500 | -.807 | .420 | .436(a)
System Development & Acquisition Control | 42.500 | 97.500 | -.573 | .567 | .579(a)
Training_Exper | 35.500 | 90.500 | -1.145 | .252 | .280(a)
Evaluation of efficiency, effectiveness, and economy of IT usage | 47.000 | 102.000 | -.236 | .814 | .853(a)
Evaluation of compliance with policies, procedures & regulations | 45.000 | 100.000 | -.401 | .688 | .739(a)
Evaluation of internal control in CIS | 45.000 | 100.000 | -.401 | .688 | .739(a)
Evaluation of fairness of financial statement & the accuracy & completeness of record | 40.000 | 95.000 | -.795 | .426 | .481(a)
a. Not corrected for ties.
b. Grouping Variable: Early_late
APPENDIX 4
Detailed Reliability Test Of The Variables
Dependent Variable : IT Control Evaluation Activities
Reliability Statistics
Cronbach's Alpha N of Items
.974 36
Item-Total Statistics
Item | Scale Mean if Item Deleted | Scale Variance if Item Deleted | Corrected Item-Total Correlation | Cronbach's Alpha if Item Deleted
ITC1_Sys_Dev_Acq_a 126.8082 894.657 .636 .974
ITC1_Sys_Dev_Acq_b 126.9178 901.243 .594 .974
ITC1_Sys_Dev_Acq_c 126.7534 882.994 .737 .973
ITC1_Sys_Dev_Acq_d 126.9863 881.403 .727 .973
ITC2_Sys_Imp_a 126.7808 886.924 .727 .973
ITC2_Sys_Imp_b 127.1507 893.102 .715 .973
ITC2_Sys_Imp_c 127.3151 888.497 .723 .973
ITC3_Sys_Main_PrgChange_a 126.9178 882.910 .789 .973
ITC3_Sys_Main_PrgChange_b 126.7945 875.554 .794 .973
ITC3_Sys_Main_PrgChange_c 127.2055 886.499 .753 .973
ITC_Sys_Main_PrgChange_d 127.3425 889.284 .718 .973
ITC4_IT_Asset_Safeguarding 126.5342 901.058 .644 .973
ITC5_Data_Integrity_Privacy_Security_a 126.4658 884.030 .814 .973
ITC5_Data_Integrity_Privacy_Security_b 126.2740 899.313 .672 .973
ITC5_Data_Integrity_Privacy_Security_c 126.1781 896.843 .759 .973
ITC5_Data_Integrity_Privacy_Security_d 126.3014 905.575 .669 .973
ITC5_Data_Integrity_Privacy_Security_e 126.4384 907.805 .614 .974
ITC5_Data_Integrity_Privacy_Security_f 126.3014 897.102 .723 .973
ITC6_DRP_a 127.0000 879.611 .811 .973
ITC6_DRP_b 126.7260 882.785 .854 .973
ITC6_DRP_c 127.1507 874.713 .815 .973
ITC6_DRP_d 126.8767 876.443 .832 .973
ITC6_DRP_e 127.0274 878.805 .831 .973
ITC6_DRP_f 127.2055 888.277 .750 .973
ITC6_DRP_g 127.1644 884.723 .763 .973
ITC7_Operating_Sys_Process_a 126.2192 902.118 .673 .973
ITC7_Operating_Sys_Process_b 126.3973 910.521 .619 .974
ITC7_Operating_Sys_Process_c 126.6301 901.764 .669 .973
ITC7_Operating_Sys_Process_d 126.9452 888.914 .766 .973
ITC7_Operating_Sys_Process_e 126.4247 906.859 .561 .974
ITC7_Operating_Sysy_Process_f 126.4658 918.002 .455 .974
ITC7_Operating_Sys_Process_g 126.7123 911.902 .512 .974
ITC8_Applctin_Process_a 126.0411 906.707 .688 .973
ITC8_Applctin_Process_b 126.3014 909.797 .594 .974
ITC8_Applctin_Process_c 126.3288 909.224 .624 .974
ITC8_Applctin_Process_d 126.4247 895.248 .685 .973
Independent Variable : IT Audit Objectives
Reliability Statistics
Cronbach's Alpha N of Items
.843 4
Item-Total Statistics
Item | Scale Mean if Item Deleted | Scale Variance if Item Deleted | Corrected Item-Total Correlation | Cronbach's Alpha if Item Deleted
OB1_3C 12.16 6.111 .745 .772
OB2_Compliance 11.74 6.973 .763 .768
OB3_Eval_ITC 11.95 7.580 .703 .797
OB4_FinStat 12.52 7.281 .545 .862
Independent Variable : Usage Of CAATTs
Reliability Statistics
Cronbach's Alpha N of Items
.777 5
Item-Total Statistics
Item | Scale Mean if Item Deleted | Scale Variance if Item Deleted | Corrected Item-Total Correlation | Cronbach's Alpha if Item Deleted
CAATTS_a 12.8630 14.314 .648 .701
CAATTS_b 13.0000 14.472 .650 .701
CAATTS_c 12.6712 15.279 .564 .731
CAATTS_d 12.5479 16.390 .477 .760
CAATTS_e 13.1370 16.953 .418 .778
Reliability Test For Variables : IT Audit Objectives, IT Control Evaluations, Auditors And Usage Of CAATTs
Reliability Statistics
Cronbach's Alpha N of Items
.966 45
Item-Total Statistics
Item | Scale Mean if Item Deleted | Scale Variance if Item Deleted | Corrected Item-Total Correlation | Cronbach's Alpha if Item Deleted
Evaluation of efficiency, effectiveness, and economy of IT usage | 158.5205 | 1120.975 | .364 | .967
Evaluation of compliance with policies, procedures & regulations | 158.0959 | 1120.005 | .457 | .966
Evaluation of internal control in CIS | 158.3014 | 1126.269 | .396 | .966
Evaluation of fairness of financial statement & the accuracy & completeness of record | 158.8630 | 1147.731 | .032 | .968
Evaluate the acquisition/develp standards & method | 158.9452 | 1096.775 | .624 | .966
Test the compliance of development & method | 159.0548 | 1103.053 | .595 | .966
Evaluate the acquisition/developmnt control | 158.8904 | 1085.877 | .703 | .965
Evaluate technology related to system development | 159.1233 | 1083.582 | .701 | .965
Evaluate User acceptance test methodology | 158.9178 | 1089.354 | .702 | .965
Evaluate system conversion methodologies | 159.2877 | 1094.402 | .711 | .965
Evaluate post implementation review practices | 159.4521 | 1089.612 | .715 | .965
Evaluate std related to sys maintenance & prgm change | 159.0548 | 1086.219 | .747 | .965
Evaluate the control system of maintenance and prgm change | 158.9315 | 1078.954 | .747 | .965
Evaluate the test system of maintenance and prgm change | 159.3425 | 1089.951 | .714 | .965
Test the production library security and its control | 159.4795 | 1092.003 | .692 | .965
Evaluate activities related to facilities management and IT asset safeguarding | 158.6712 | 1104.529 | .621 | .966
Try to understand data protection legislation | 158.6027 | 1084.576 | .807 | .965
Give consideration to personnel issue and confidentiality | 158.4110 | 1100.801 | .674 | .966
Evaluate the applicable security std and procedures | 158.3151 | 1097.969 | .762 | .965
Evaluate the physical & logical access control | 158.4384 | 1108.389 | .660 | .966
Test compliance to security | 158.5753 | 1109.414 | .628 | .966
Test the effectiveness of control | 158.4384 | 1097.527 | .737 | .965
Evaluate threat and risk management method | 159.1370 | 1079.842 | .802 | .965
Evaluate software & data backup technique | 158.8630 | 1084.564 | .828 | .965
Evaluate alternatives processing facility arrangement | 159.2877 | 1074.097 | .810 | .965
Evaluate the Disaster Recovery Plan (DRP), testing and documentation | 159.0137 | 1076.903 | .817 | .965
Evaluate the integration of IS Plan with user department plan | 159.1644 | 1079.139 | .820 | .965
Test the compliance of recovery procedures to standard | 159.3425 | 1087.589 | .764 | .965
Test the effectiveness of recovery procedures to standard | 159.3014 | 1085.575 | .754 | .965
Evaluate operating system | 158.3562 | 1102.427 | .697 | .965
Evaluate performance monitoring system | 158.5342 | 1112.419 | .634 | .966
Evaluate control over productivity & service quality | 158.7671 | 1105.070 | .648 | .966
Evaluate technology used to automate the CIS operation | 159.0822 | 1090.215 | .755 | .965
Test the compliance to operational policies | 158.5616 | 1107.555 | .585 | .966
Test performance achievement | 158.8493 | 1113.880 | .527 | .966
Identify transaction flow | 158.1781 | 1107.065 | .722 | .965
Evaluate the strength & weakness of application | 158.4384 | 1111.194 | .616 | .966
Test the control within the application | 158.4658 | 1111.752 | .627 | .966
Integrate the evaluation of application and general control | 158.5616 | 1095.777 | .694 | .965
CAATTs use in system analysis and documentation | 159.2740 | 1125.368 | .262 | .967
CAATTs use in system or prgm testing | 159.4110 | 1124.190 | .282 | .967
CAATTs is data integrity testing | 159.0822 | 1117.438 | .362 | .967
CAATTs as problem solving aids | 158.9589 | 1113.207 | .431 | .967
CAATTs an administrative tool | 159.5479 | 1140.584 | .108 | .968
APPENDIX 5
Descriptive Statistic for Each IT Evaluation Control Activities
Item | Mean | Median | Std. Deviation
System Development and Acquisition (ITC1)
Evaluate the acquisition/development standards & method 3.52 4.00 1.281
Test the compliance of development & method 3.41 4.00 1.188
Evaluate the acquisition/development control 3.58 4.00 1.374
Evaluate technology related to system development 3.34 4.00 1.426
System Implementation (ITC2)
Evaluate User acceptance test methodology 3.55 4.00 1.302
Evaluate system conversion methodologies 3.18 4.00 1.183
Evaluate post implementation review practices 3.01 3.00 1.275
System Maintenance and Program Changes (ITC3)
Evaluate std related to sys maintenance & program change 3.41 4.00 1.289
Evaluate the control system of maintenance and program change 3.53 4.00 1.435
Evaluate the test system of maintenance and program change 3.12 3.00 1.269
Test the production library security and its control 2.99 3.00 1.264
IT Asset Safeguarding (ITC4)
Evaluate activities related to facilities mgnt & IT asset safeguarding 3.79 4.00 1.105
Data Integrity, Privacy and Security (ITC5)
Try to understand data protection legislation 3.86 4.00 1.228
Give consideration to personnel issue and confidentiality 4.05 4.00 1.104
Evaluate the applicable security std and procedures 4.15 4.00 1.036
Evaluate the physical & logical access control 4.03 4.00 .957
Test compliance to security 3.89 4.00 .980
Test the effectiveness of control 4.03 4.00 1.080
Disaster Recovery Plan (ITC6)
Evaluate threat and risk management method 3.33 4.00 1.323
Evaluate software &data backup technique 3.60 4.00 1.199
Evaluate alternatives processing facility arrangement 3.18 3.00 1.418
Evaluate the Disaster Recovery Plan (DRP), testing and documentation 3.45 4.00 1.354
Evaluate the integration of IS Plan with user department plan 3.30 4.00 1.309
Test the compliance of recovery procedures to standard 3.12 3.00 1.235
Test the effectiveness of recovery procedures to standard 3.16 3.00 1.291
Operating System Processing (ITC6)
Evaluate operating system 4.11 4.00 1.035
Evaluate performance monitoring system 3.93 4.00 .903
Evaluate control over productivity & service quality 3.70 4.00 1.050
Evaluate technology used to automate the CIS operation 3.38 4.00 1.198
Test the compliance to operational policies 3.90 4.00 1.095
Test the effectiveness of general control 3.86 4.00 .947
Test performance achievement 3.62 4.00 1.036
Application Processing (ITC8)
Identify transaction flow 4.29 5.00 .905
Evaluate the strength & weakness of application 4.03 4.00 .957
Test the control within the application 4.00 4.00 .928
Integrate the evaluation of application and general control 3.90 4.00 1.180
Scale is from 1 = Rarely Done to 5 = Always Done
Descriptive Statistics for IT Control Evaluation Activities
Statistics
Variable | N Valid | N Missing | Mean | Mode | Std. Deviation
System Development & Acquisition Control | 73 | 0 | 13.8493 | 18.00 | 4.73072
System Implementation Control | 73 | 0 | 9.7397 | 12.00 | 3.39128
System Maintenance & Program Changes Control | 73 | 0 | 13.0548 | 17.00 | 4.69601
IT Asset Safeguarding Control | 73 | 0 | 3.7945 | 4.00 | 1.10503
Data Integrity, Privacy & Security Control | 73 | 0 | 24.0137 | 28.00 | 5.42242
DRP Control | 73 | 0 | 23.1507 | 28.00 | 8.17800
Operating System Processing Activity Control | 73 | 0 | 26.5068 | 30.00 | 5.73276
Application Processing Control | 73 | 0 | 16.2192 | 20.00 | 3.58332
APPENDIX 6
H1 (RQ 1) : Comparison of Kruskal Wallis on IT Control Evaluation by Government Structure
Ranks and Test Statistics (a, b)
IT Control Evaluation | Organisation Structure | N | Mean Rank | Chi-Square | df | Asymp. Sig.
System Development & Acquisition Control | Federal | 31 | 32.29 | 14.472 | 4 | .006
 | State | 6 | 18.42 | | |
 | Statutory Body | 2 | 23.25 | | |
 | Internal Audit Department | 20 | 49.70 | | |
 | ICT Audit | 14 | 39.21 | | |
System Implementation Control | Federal | 31 | 33.58 | 9.029 | 4 | .060
 | State | 6 | 26.17 | | |
 | Statutory Body | 2 | 33.00 | | |
 | Internal Audit Department | 20 | 48.53 | | |
 | ICT Audit | 14 | 33.32 | | |
System Maintenance & Program Changes Control | Federal | 31 | 35.02 | 15.067 | 4 | .005
 | State | 6 | 20.75 | | |
 | Statutory Body | 2 | 21.75 | | |
 | Internal Audit Department | 20 | 51.00 | | |
 | ICT Audit | 14 | 30.54 | | |
IT Asset Safeguarding Control | Federal | 31 | 31.97 | 9.246 | 4 | .005
 | State | 6 | 50.50 | | |
 | Statutory Body | 2 | 11.75 | | |
 | Internal Audit Department | 20 | 42.48 | | |
 | ICT Audit | 14 | 38.14 | | |
Data Integrity, Privacy & Security Control | Federal | 31 | 34.15 | 3.852 | 4 | .426
 | State | 6 | 35.33 | | |
 | Statutory Body | 2 | 36.00 | | |
 | Internal Audit Department | 20 | 44.80 | | |
 | ICT Audit | 14 | 33.04 | | |
DRP | Federal | 31 | 33.90 | 10.812 | 4 | 0.29
 | State | 6 | 28.42 | | |
 | Statutory Body | 2 | 32.25 | | |
 | Internal Audit Department | 20 | 49.85 | | |
 | ICT Audit | 14 | 29.86 | | |
Operating System Processing Activity Control | Federal | 31 | 32.03 | 10.206 | 4 | .037
 | State | 6 | 33.00 | | |
 | Statutory Body | 2 | 33.00 | | |
 | Internal Audit Department | 20 | 49.83 | | |
 | ICT Audit | 14 | 31.96 | | |
Application Processing Control | Federal | 31 | 30.42 | 9.687 | 4 | .046
 | State | 6 | 32.50 | | |
 | Statutory Body | 2 | 63.00 | | |
 | Internal Audit Department | 20 | 45.30 | | |
 | ICT Audit | 14 | 37.93 | | |
a. Kruskal Wallis Test
b. Grouping Variable: Government Audit Structure
APPENDIX 7
H2 (RQ 2) : Comparison of Kruskal Wallis on IT Audit Objectives by Government Structure
Ranks and Test Statistics (a, b)
IT Audit Objective | Organisation Structure | N | Mean Rank | Chi-Square | df | Asymp. Sig.
Evaluation of efficiency, effectiveness, and economy of IT usage | Federal | 31 | 33.08 | 4.255 | 4 | .373
 | State | 6 | 28.92 | | |
 | Statutory Body | 2 | 44.75 | | |
 | Internal Audit Department | 20 | 42.20 | | |
 | ICT Audit | 14 | 40.61 | | |
Evaluation of compliance with policies, procedures & regulations | Federal | 31 | 31.56 | 15.163 | 4 | .004
 | State | 6 | 22.58 | | |
 | Statutory Body | 2 | 49.00 | | |
 | Internal Audit Department | 20 | 47.60 | | |
 | ICT Audit | 14 | 38.36 | | |
Evaluation of internal control in CIS | Federal | 31 | 33.77 | 3.879 | 4 | .423
 | State | 6 | 32.75 | | |
 | Statutory Body | 2 | 57.50 | | |
 | Internal Audit Department | 20 | 38.65 | | |
 | ICT Audit | 14 | 40.68 | | |
Evaluation of fairness of financial statement & the accuracy & completeness of record | Federal | 31 | 40.34 | 6.651 | 4 | .156
 | State | 6 | 41.25 | | |
 | Statutory Body | 2 | 62.50 | | |
 | Internal Audit Department | 20 | 31.65 | | |
 | ICT Audit | 14 | 31.79 | | |
Descriptive Statistics on IT Audit Objectives
Statistics
Variable | N Valid | N Missing | Mean | Mode | Std. Deviation
Evaluation of efficiency, effectiveness, and economy of IT usage | 73 | 0 | 3.95 | 5 | 1.189
Evaluation of compliance with policies, procedures & regulations | 73 | 0 | 4.37 | 5 | .993
Evaluation of internal control in CIS | 73 | 0 | 4.16 | 5 | .913
Evaluation of fairness of financial statement & the accuracy & completeness of record | 73 | 0 | 3.60 | 3 | 1.115
APPENDIX 8
H3 (RQ 3) : Comparison of Kruskal Wallis on Usage of CAATTs by Government Structure
Ranks and Test Statistics (a, b)
Usage of CAATTs | Organisation Structure | N | Mean Rank | Chi-Square | df | Asymp. Sig.
CAATTs use in system analysis and documentation | Federal | 31 | 38.95 | 2.695 | 4 | .610
 | State | 6 | 30.50 | | |
 | Statutory Body | 2 | 39.75 | | |
 | Internal Audit Department | 20 | 40.13 | | |
 | ICT Audit | 14 | 30.61 | | |
CAATTs use in system or prgm testing | Federal | 31 | 38.08 | 1.880 | 4 | .758
 | State | 6 | 33.00 | | |
 | Statutory Body | 2 | 22.00 | | |
 | Internal Audit Department | 20 | 35.58 | | |
 | ICT Audit | 14 | 40.50 | | |
CAATTs is data integrity testing | Federal | 31 | 37.90 | 3.473 | 4 | .482
 | State | 6 | 33.83 | | |
 | Statutory Body | 2 | 46.50 | | |
 | Internal Audit Department | 20 | 31.30 | | |
 | ICT Audit | 14 | 43.14 | | |
CAATTs as problem solving aids | Federal | 31 | 35.60 | 7.145 | 4 | .128
 | State | 6 | 33.75 | | |
 | Statutory Body | 2 | 43.00 | | |
 | Internal Audit Department | 20 | 45.98 | | |
 | ICT Audit | 14 | 27.82 | | |
CAATTs an administrative tool | Federal | 31 | 37.19 | 3.487 | 4 | .480
 | State | 6 | 34.33 | | |
 | Statutory Body | 2 | 31.00 | | |
 | Internal Audit Department | 20 | 42.90 | | |
 | ICT Audit | 14 | 30.14 | | |
Descriptive Statistics for Usage of CAATTs
Statistics
Variable | N Valid | N Missing | Mean | Mode | Std. Deviation
CAATTs use in system analysis and documentation | 73 | 0 | 3.1918 | 4.00 | 1.37090
CAATTs use in system or prgm testing | 73 | 0 | 3.0548 | 3.00 | 1.34258
CAATTs is data integrity testing | 73 | 0 | 3.3836 | 3.00 | 1.32948
CAATTs as problem solving aids | 73 | 0 | 3.5068 | 4.00 | 1.27064
CAATTs an administrative tool | 73 | 0 | 2.9178 | 3.00 | 1.26659
APPENDIX 9
H5 (RQ 5): Comparison of IT Evaluation Control Activities by Organization Characteristics
Type of Auditor (X5)
Ranks and Test Statistics (a, b)
IT Control Evaluation | Type of Auditor | N | Mean Rank | Chi-Square | df | Asymp. Sig.
System Development & Acquisition Control | General Auditor | 30 | 33.05 | 1.788 | 1 | .181
 | IT Auditor | 43 | 39.76 | | |
System Implementation Control | General Auditor | 30 | 32.52 | 2.343 | 1 | .126
 | IT Auditor | 43 | 40.13 | | |
System Maintenance & Program Changes Control | General Auditor | 30 | 32.12 | 2.741 | 1 | .098
 | IT Auditor | 43 | 40.41 | | |
IT Asset Safeguarding Control | General Auditor | 30 | 34.87 | .568 | 1 | .451
 | IT Auditor | 43 | 38.49 | | |
Data Integrity, Privacy & Security Control | General Auditor | 30 | 33.82 | 1.164 | 1 | .281
 | IT Auditor | 43 | 39.22 | | |
DRP | General Auditor | 30 | 31.55 | 3.407 | 1 | .065
 | IT Auditor | 43 | 40.80 | | |
Operating System Processing Activity Control | General Auditor | 30 | 34.43 | .755 | 1 | .385
 | IT Auditor | 43 | 38.79 | | |
Application Processing Control | General Auditor | 30 | 38.38 | .224 | 1 | .636
 | IT Auditor | 43 | 36.03 | | |
a. Kruskal Wallis Test
b. Grouping Variable: Types of Auditor
Size of Department (X6)
Ranks and Test Statistics (a, b)
IT Control Evaluation | Size of department | N | Mean Rank | Chi-Square | df | Asymp. Sig.
System Development & Acquisition Control | More than 30 | 15 | 33.67 | 1.368 | 2 | .505
 | Between 29 to 10 | 23 | 34.63 | | |
 | 9 and less | 35 | 39.99 | | |
System Implementation Control | More than 30 | 15 | 40.10 | 1.906 | 2 | .386
 | Between 29 to 10 | 23 | 32.07 | | |
 | 9 and less | 35 | 38.91 | | |
System Maintenance & Program Changes Control | More than 30 | 15 | 30.87 | 4.676 | 2 | .097
 | Between 29 to 10 | 23 | 32.61 | | |
 | 9 and less | 35 | 42.51 | | |
IT Asset Safeguarding Control | More than 30 | 15 | 46.17 | 3.893 | 2 | .143
 | Between 29 to 10 | 23 | 34.83 | | |
 | 9 and less | 35 | 34.50 | | |
Data Integrity, Privacy & Security Control | More than 30 | 15 | 33.40 | 2.716 | 2 | .257
 | Between 29 to 10 | 23 | 32.91 | | |
 | 9 and less | 35 | 41.23 | | |
DRP | More than 30 | 15 | 40.33 | 4.740 | 2 | .093
 | Between 29 to 10 | 23 | 29.09 | | |
 | 9 and less | 35 | 40.77 | | |
Operating System Processing Activity Control | More than 30 | 15 | 32.17 | 5.444 | 2 | .066
 | Between 29 to 10 | 23 | 31.04 | | |
 | 9 and less | 35 | 42.99 | | |
Application Processing Control | More than 30 | 15 | 42.93 | 1.592 | 2 | .451
 | Between 29 to 10 | 23 | 34.63 | | |
 | 9 and less | 35 | 36.01 | | |
a. Kruskal Wallis Test
b. Grouping Variable: Total number of auditor in the department
Structure of CIS (X7)
Ranks and Test Statistics (a, b)
IT Control Evaluation | Structure of CIS | N | Mean Rank | Chi-Square | df | Asymp. Sig.
System Development & Acquisition Control | Centralized | 31 | 35.68 | .212 | 1 | .645
 | Decentralized | 42 | 37.98 | | |
System Implementation Control | Centralized | 31 | 37.27 | .009 | 1 | .923
 | Decentralized | 42 | 36.80 | | |
System Maintenance & Program Changes Control | Centralized | 31 | 32.47 | 2.498 | 1 | .114
 | Decentralized | 42 | 40.35 | | |
IT Asset Safeguarding Control | Centralized | 31 | 36.68 | .014 | 1 | .907
 | Decentralized | 42 | 37.24 | | |
Data Integrity, Privacy & Security Control | Centralized | 31 | 33.40 | 1.572 | 1 | .210
 | Decentralized | 42 | 39.65 | | |
DRP | Centralized | 31 | 40.42 | 1.419 | 1 | .234
 | Decentralized | 42 | 34.48 | | |
Operating System Processing Activity Control | Centralized | 31 | 32.87 | 2.066 | 1 | .151
 | Decentralized | 42 | 40.05 | | |
Application Processing Control | Centralized | 31 | 38.97 | .481 | 1 | .488
 | Decentralized | 42 | 35.55 | | |
a. Kruskal Wallis Test
b. Grouping Variable: Structure of CIS in data processing
Percentage of New Computer in the Department (X8)
Ranks and Test Statistics (a, b)
IT Control Evaluation | Percentage of New Computer | N | Mean Rank | Chi-Square | df | Asymp. Sig.
System Development & Acquisition Control | Less than 30% | 6 | 23.75 | 2.783 | 2 | .249
 | Between 69 to 30% | 33 | 37.02 | | |
 | More than 70% | 34 | 39.32 | | |
System Implementation Control | Less than 30% | 6 | 29.58 | 1.173 | 2 | .556
 | Between 69 to 30% | 33 | 39.20 | | |
 | More than 70% | 34 | 36.18 | | |
System Maintenance & Program Changes Control | Less than 30% | 6 | 33.42 | .652 | 2 | .722
 | Between 69 to 30% | 33 | 35.55 | | |
 | More than 70% | 34 | 39.04 | | |
IT Asset Safeguarding Control | Less than 30% | 6 | 32.67 | 5.596 | 2 | .061
 | Between 69 to 30% | 33 | 43.15 | | |
 | More than 70% | 34 | 31.79 | | |
Data Integrity, Privacy & Security Control | Less than 30% | 6 | 28.00 | 3.019 | 2 | .221
 | Between 69 to 30% | 33 | 41.33 | | |
 | More than 70% | 34 | 34.38 | | |
DRP | Less than 30% | 6 | 27.75 | 1.885 | 2 | .390
 | Between 69 to 30% | 33 | 39.89 | | |
 | More than 70% | 34 | 35.82 | | |
Operating System Processing Activity Control | Less than 30% | 6 | 25.17 | 2.164 | 2 | .339
 | Between 69 to 30% | 33 | 38.91 | | |
 | More than 70% | 34 | 37.24 | | |
Application Processing Control | Less than 30% | 6 | 33.42 | 9.992 | 2 | .007
 | Between 69 to 30% | 33 | 45.41 | | |
 | More than 70% | 34 | 29.47 | | |
a. Kruskal Wallis Test
b. Grouping Variable: Percentage of New Computer in the department for past 3 years
APPENDIX 10
Descriptive Statistics, Histogram, Box-plot and M-estimators of Dependent and Independent variables
DESCRIPTIVE STATISTICS: INDEPENDENT VARIABLES
Statistics
X1 = Evaluation of efficiency, effectiveness, and economy of IT usage
X2 = Evaluation of compliance with policies, procedures & regulations
X3 = Evaluation of internal control in CIS
X4 = Evaluation of fairness of financial statement & the accuracy & completeness of record
X5 = Usage of Computer Assisted Audit Tools & Techniques
X6 = Auditors Competency
X7 = Types of Auditors
X8 = Size of Organisation
X9 = Structure of CIS in data processing
X10 = Percentage of New Computer in the department for past 3 years
Statistic X1 X2 X3 X4 X5 X6 X7 X8 X9 X10
N Valid 73 73 73 73 73 73 73 73 73 73
N Missing 0 0 0 0 0 0 0 0 0 0
Mean 3.95 4.37 4.16 3.6 16.0548 3.3288 1.59 2.27 1.58 2.38
Median 4 5 4 3 16 3 2 2 2 2
Mode 5 5 5 3 15.00a 2 2 3 2 3
Std. Deviation 1.189 0.993 0.913 1.115 4.78682 1.21398 0.495 0.786 0.498 0.637
Variance 1.414 0.986 0.834 1.243 22.914 1.474 0.245 0.618 0.248 0.406
Skewness -0.911 -1.246 -0.899 -0.142 -0.281 0.581 -0.37 -0.531 -0.311 -0.54
Std. Error of Skewness 0.281 0.281 0.281 0.281 0.281 0.281 0.281 0.281 0.281 0.281
Kurtosis -0.193 0.096 -0.008 -0.856 -0.054 -0.483 -1.917 -1.18 -1.958 -0.605
Std. Error of Kurtosis 0.555 0.555 0.555 0.555 0.555 0.555 0.555 0.555 0.555 0.555
Minimum 1 2 2 1 5 2 1 1 1 1
Maximum 5 5 5 5 25 6 2 3 2 3
a. Multiple modes exist. The smallest value is shown
HISTOGRAM FOR INDEPENDENT VARIABLES
NORMALITY TEST - M-ESTIMATORS : INDEPENDENT VARIABLES
M-Estimators (e)
Variable | Huber's M-Estimator(a) | Tukey's Biweight(a) | Hampel's M-Estimator(a) | Andrews' Wave(a)
Evaluation of efficiency, effectiveness, and economy of IT usage | 4.10 | 4.10 | 4.04 | 4.10
Evaluation of compliance with policies, procedures & regulations | . | . | . | .
Evaluation of internal control in CIS | 4.22 | 4.23 | 4.20 | 4.23
Evaluation of fairness of financial statement & the accuracy & completeness of record | 3.68 | 3.62 | 3.63 | 3.62
Usage of Computer Assisted Audit Tools & Techniques | 16.1446 | 16.3298 | 16.1865 | 16.3425
Auditors Competency | 3.1875 | 3.2160 | 3.2528 | 3.2170
Total number of auditor in the department | 2.27 | 2.30 | 2.27 | 2.30
Percentage of New Computer in the department for past 3 years | 2.39 | 2.40 | 2.38 | 2.40
a. The weighting constant is 1.339.
b. The weighting constant is 4.685.
c. The weighting constants are 1.700, 3.400, and 8.500
d. The weighting constant is 1.340*pi.
e. Some M-Estimators cannot be computed because of the highly centralized distribution around the median.
DESCRIPTIVE STATISTICS: DEPENDENT VARIABLES
Statistics
ITC1 = System Development & Acquisition Control
ITC2 = System Implementation Control
ITC3 = System Maintenance & Program Changes Control
ITC4 = IT Asset Safeguarding Control
ITC5 = Data Integrity, Privacy & Security Control
ITC6 = DRP
ITC7 = Operating System Processing Activity Control
ITC8 = Application Processing Control
ITCoverall = ITC_overall
Statistic ITC1 ITC2 ITC3 ITC4 ITC5 ITC6 ITC7 ITC8 ITCoverall
N Valid 73 73 73 73 73 73 73 73 73
N Missing 0 0 0 0 0 0 0 0 0
Mean 13.8493 9.7397 13.0548 3.7945 24.0137 23.1507 26.5068 16.2192 130.3288
Median 15.0000 10.0000 14.0000 4.0000 26.0000 26.0000 28.0000 17.0000 139.0000
Mode 18.00 12.00 17.00 4.00 28.00 28.00 30.00 20.00 154.00
Std. Deviation 4.73072 3.39128 4.69601 1.10503 5.42242 8.17800 5.73276 3.58332 30.74133
Variance 22.380 11.501 22.053 1.221 29.403 66.880 32.865 12.840 945.029
Skewness -.472 -.407 -.567 -.912 -.725 -.619 -.771 -.787 -.563
Std. Error of Skewness .281 .281 .281 .281 .281 .281 .281 .281 .281
Kurtosis -.973 -.882 -.835 .372 -.623 -.619 .252 -.305 -.857
Std. Error of Kurtosis .555 .555 .555 .555 .555 .555 .555 .555 .555
Minimum 4.00 3.00 4.00 1.00 11.00 7.00 10.00 8.00 63.00
Maximum 20.00 15.00 20.00 5.00 30.00 35.00 35.00 20.00 178.00
APPENDIX 10
HISTOGRAM FOR DEPENDENT VARIABLES
APPENDIX 10
NORMALITY TEST - M-ESTIMATORS : DEPENDENT VARIABLES
M-Estimators

Variable key: ITC1 = System Development & Acquisition Control; ITC2 = System Implementation Control; ITC3 = System Maintenance & Program Changes Control; ITC4 = IT Asset Safeguarding Control; ITC5 = Data Integrity, Privacy & Security Control; ITC6 = DRP; ITC7 = Operating System Processing Activity Control; ITC8 = Application Processing Control; ITCoverall = ITC_overall.

| Estimator | ITC1 | ITC2 | ITC3 | ITC4 | ITC5 | ITC6 | ITC7 | ITC8 | ITCoverall |
|---|---|---|---|---|---|---|---|---|---|
| Huber's M-Estimator (a) | 14.2296 | 10.2218 | 13.8176 | 3.9215 | 25.2852 | 24.4792 | 27.3449 | 16.6876 | 135.0424 |
| Tukey's Biweight (a) | 14.2083 | 10.3245 | 13.9774 | 3.9182 | 25.7644 | 25.0701 | 27.9364 | 16.6692 | 136.0663 |
| Hampel's M-Estimator (a) | 14.0521 | 10.0366 | 13.5743 | 3.8715 | 25.0137 | 24.2001 | 27.2837 | 16.4594 | 133.6666 |
| Andrews' Wave (a) | 14.2069 | 10.3246 | 13.9745 | 3.9175 | 25.7727 | 25.0788 | 27.9377 | 16.6670 | 136.0621 |

a. The weighting constant is 1.339.
APPENDIX 10
BOX PLOT FOR DEPENDENT VARIABLES
APPENDIX 11
Scatter Plot And P-P Normal Plot Of Regression Models
MODEL : ITC 1
MODEL : ITC 2
MODEL : ITC 3
MODEL : ITC 4
MODEL : ITC 5
MODEL : ITC 6
MODEL : ITC 7
MODEL : ITC 8
MODEL : ITC _OVERALL
APPENDIX 12
Coefficient Correlation of Dependent Variables
Each cell gives the Pearson correlation with Sig. (2-tailed) in parentheses. N = 73 for every pair.

| | Total number of auditor | Structure of CIS in data processing | Percentage of New Computer | Evaluation of efficiency, effectiveness, and economy of IT usage | Evaluation of compliance with policies, procedures | Evaluation of internal control in CIS | Evaluation of fairness of financial statement | Auditor's Competency | Usage of CAATTs |
|---|---|---|---|---|---|---|---|---|---|
| Type of Auditors | .257* (.028) | .015 (.902) | .242* (.039) | -.039 (.745) | .031 (.795) | -.186 (.114) | -.149 (.209) | -.096 (.421) | .103 (.384) |
| Total number of auditor | | .337** (.004) | .397** (.001) | -.117 (.322) | .011 (.928) | -.141 (.234) | -.128 (.282) | .093 (.432) | .166 (.161) |
| Structure of CIS in data processing | | | .083 (.486) | -.134 (.259) | .154 (.195) | .003 (.980) | -.208 (.077) | .004 (.970) | -.089 (.453) |
| Percentage of New Computer | | | | .193 (.102) | .168 (.156) | -.062 (.602) | .120 (.313) | .032 (.787) | .107 (.368) |
| Evaluation of efficiency, effectiveness, and economy of IT usage | | | | | .735** (.000) | .610** (.000) | .549** (.000) | -.035 (.766) | -.014 (.906) |
| Evaluation of compliance with policies, procedures | | | | | | .774** (.000) | .436** (.000) | -.010 (.932) | -.066 (.581) |
| Evaluation of internal control in CIS | | | | | | | .447** (.000) | .063 (.594) | -.145 (.221) |
| Evaluation of fairness of financial statement | | | | | | | | .026 (.827) | .038 (.750) |
| Auditor's Competency | | | | | | | | | .210 (.075) |
APPENDIX 12
TEST OF MULTICOLLINEARITY
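Coefficients (a)
Model: ITC1

| Statistic | X1 | X2 | X3 | X4 | X5 | X6 | X7 | X8 | X9 | X10 |
|---|---|---|---|---|---|---|---|---|---|---|
| Correlations: Zero-order | .245 | .429 | .334 | -.148 | .184 | .000 | .192 | .183 | .085 | .185 |
| Correlations: Partial | .004 | .244 | .225 | -.457 | .289 | -.074 | .101 | .098 | -.109 | .137 |
| Correlations: Part | .003 | .188 | .172 | -.385 | .226 | -.056 | .076 | .074 | -.082 | .103 |
| Collinearity Statistics: Tolerance | .350 | .220 | .306 | .633 | .877 | .912 | .803 | .679 | .709 | .714 |
| Collinearity Statistics: VIF | 2.856 | 4.538 | 3.265 | 1.581 | 1.140 | 1.096 | 1.245 | 1.473 | 1.410 | 1.401 |
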
a. Dependent Variable: System Development & Acquisition Control
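Coefficients (a)
Model: ITC2

| Statistic | X1 | X2 | X3 | X4 | X5 | X6 | X7 | X8 | X9 | X10 |
|---|---|---|---|---|---|---|---|---|---|---|
| Correlations: Zero-order | .203 | .301 | .234 | -.057 | .294 | .058 | .192 | .038 | .016 | .028 |
| Correlations: Partial | .043 | .141 | .128 | -.260 | .353 | .008 | .173 | -.040 | -.030 | -.039 |
| Correlations: Part | .036 | .121 | .109 | -.228 | .319 | .007 | .149 | -.034 | -.026 | -.033 |
| Collinearity Statistics: Tolerance | .350 | .220 | .306 | .633 | .877 | .912 | .803 | .679 | .709 | .714 |
| Collinearity Statistics: VIF | 2.856 | 4.538 | 3.265 | 1.581 | 1.140 | 1.096 | 1.245 | 1.473 | 1.410 | 1.401 |
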
a. Dependent Variable: System Implementation Control
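Coefficients (a)
Model: ITC3

| Statistic | X1 | X2 | X3 | X4 | X5 | X6 | X7 | X8 | X9 | X10 |
|---|---|---|---|---|---|---|---|---|---|---|
| Correlations: Zero-order | .195 | .293 | .241 | -.235 | .179 | .143 | .213 | .173 | .117 | .053 |
| Correlations: Partial | .177 | .082 | .197 | -.466 | .231 | .138 | .188 | .106 | .003 | -.045 |
| Correlations: Part | .141 | .065 | .158 | -.414 | .187 | .109 | .150 | .084 | .002 | -.036 |
| Collinearity Statistics: Tolerance | .350 | .220 | .306 | .633 | .877 | .912 | .803 | .679 | .709 | .714 |
| Collinearity Statistics: VIF | 2.856 | 4.538 | 3.265 | 1.581 | 1.140 | 1.096 | 1.245 | 1.473 | 1.410 | 1.401 |
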
a. Dependent Variable: System Maintenance & Program Changes Control
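Coefficients (a)
Model: ITC4

| Statistic | X1 | X2 | X3 | X4 | X5 | X6 | X7 | X8 | X9 | X10 |
|---|---|---|---|---|---|---|---|---|---|---|
| Correlations: Zero-order | .150 | .146 | .240 | -.112 | .186 | .020 | .173 | -.190 | -.009 | -.123 |
| Correlations: Partial | .152 | -.147 | .321 | -.290 | .310 | -.007 | .297 | -.256 | .109 | -.055 |
| Correlations: Part | .128 | -.123 | .281 | -.252 | .270 | -.006 | .258 | -.220 | .091 | -.046 |
| Collinearity Statistics: Tolerance | .350 | .220 | .306 | .633 | .877 | .912 | .803 | .679 | .709 | .714 |
| Collinearity Statistics: VIF | 2.856 | 4.538 | 3.265 | 1.581 | 1.140 | 1.096 | 1.245 | 1.473 | 1.410 | 1.401 |
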
a. Dependent Variable: IT Asset Safeguarding Control
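Coefficients (a)
Model: ITC6

| Statistic | X1 | X2 | X3 | X4 | X5 | X6 | X7 | X8 | X9 | X10 |
|---|---|---|---|---|---|---|---|---|---|---|
| Correlations: Zero-order | .235 | .292 | .268 | -.057 | .382 | .100 | .242 | .030 | -.158 | -.009 |
| Correlations: Partial | .075 | .131 | .216 | -.349 | .456 | .042 | .258 | .018 | -.236 | -.100 |
| Correlations: Part | .057 | .099 | .166 | -.280 | .385 | .032 | .201 | .013 | -.182 | -.076 |
| Collinearity Statistics: Tolerance | .350 | .220 | .306 | .633 | .877 | .912 | .803 | .679 | .709 | .714 |
| Collinearity Statistics: VIF | 2.856 | 4.538 | 3.265 | 1.581 | 1.140 | 1.096 | 1.245 | 1.473 | 1.410 | 1.401 |
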
a. Dependent Variable: DRP
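Coefficients (a)
Model: ITC7

| Statistic | X1 | X2 | X3 | X4 | X5 | X6 | X7 | X8 | X9 | X10 |
|---|---|---|---|---|---|---|---|---|---|---|
| Correlations: Zero-order | .432 | .462 | .377 | .173 | .299 | .042 | .109 | .203 | .096 | .007 |
| Correlations: Partial | .267 | .097 | .122 | -.095 | .377 | -.037 | .105 | .263 | .070 | -.245 |
| Correlations: Part | .209 | .073 | .093 | -.072 | .306 | -.028 | .079 | .205 | .053 | -.191 |
| Collinearity Statistics: Tolerance | .350 | .220 | .306 | .633 | .877 | .912 | .803 | .679 | .709 | .714 |
| Collinearity Statistics: VIF | 2.856 | 4.538 | 3.265 | 1.581 | 1.140 | 1.096 | 1.245 | 1.473 | 1.410 | 1.401 |
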
a. Dependent Variable: Operating System Processing Activity Control
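Coefficients (a)
Model: ITC8

| Statistic | X1 | X2 | X3 | X4 | X5 | X6 | X7 | X8 | X9 | X10 |
|---|---|---|---|---|---|---|---|---|---|---|
| Correlations: Zero-order | .371 | .484 | .570 | .140 | .267 | .181 | -.035 | -.056 | -.048 | -.281 |
| Correlations: Partial | .108 | .164 | .370 | -.235 | .458 | .150 | .088 | .110 | -.102 | -.444 |
| Correlations: Part | .069 | .105 | .253 | -.153 | .326 | .096 | .056 | .070 | -.065 | -.314 |
| Collinearity Statistics: Tolerance | .350 | .220 | .306 | .633 | .877 | .912 | .803 | .679 | .709 | .714 |
| Collinearity Statistics: VIF | 2.856 | 4.538 | 3.265 | 1.581 | 1.140 | 1.096 | 1.245 | 1.473 | 1.410 | 1.401 |
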
Dependent Variable: Application Processing Control
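Coefficients (a)
Model: ITC5

| Statistic | X1 | X2 | X3 | X4 | X5 | X6 | X7 | X8 | X9 | X10 |
|---|---|---|---|---|---|---|---|---|---|---|
| Correlations: Zero-order | .315 | .404 | .339 | .093 | .333 | .073 | .199 | .162 | .131 | -.042 |
| Correlations: Partial | .158 | .089 | .175 | -.110 | .415 | .006 | .241 | .153 | .125 | -.252 |
| Correlations: Part | .123 | .069 | .136 | -.085 | .350 | .005 | .190 | .119 | .096 | -.200 |
| Collinearity Statistics: Tolerance | .350 | .220 | .306 | .633 | .877 | .912 | .803 | .679 | .709 | .714 |
| Collinearity Statistics: VIF | 2.856 | 4.538 | 3.265 | 1.581 | 1.140 | 1.096 | 1.245 | 1.473 | 1.410 | 1.401 |
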
a. Dependent Variable: Data Integrity, Privacy & Security Control
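Coefficients (a)
Model: ITC Overall

| Statistic | X1 | X2 | X3 | X4 | X5 | X6 | X7 | X8 | X9 | X10 |
|---|---|---|---|---|---|---|---|---|---|---|
| Correlations: Zero-order | .337 | .441 | .390 | -.019 | .342 | .097 | .205 | .120 | .026 | -.006 |
| Correlations: Partial | .159 | .156 | .256 | -.364 | .460 | .034 | .231 | .117 | -.058 | -.170 |
| Correlations: Part | .114 | .112 | .188 | -.277 | .368 | .024 | .169 | .084 | -.041 | -.122 |
| Collinearity Statistics: Tolerance | .350 | .220 | .306 | .633 | .877 | .912 | .803 | .679 | .709 | .714 |
| Collinearity Statistics: VIF | 2.856 | 4.538 | 3.265 | 1.581 | 1.140 | 1.096 | 1.245 | 1.473 | 1.410 | 1.401 |
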
a. Dependent Variable: ITC_overall
APPENDIX 13
Model Summaries and ANOVA Table of Regression Models
MODEL: ITC1 : Dependent Variable: System Development & Acquisition Control
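Model Summary (b)

| Model | R | R Square | Adjusted R Square | Std. Error of the Estimate | R Square Change | F Change | df1 | df2 | Sig. F Change | Durbin-Watson |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | .664 (a) | .441 | .350 | 3.81325 | .441 | 4.881 | 10 | 62 | .000 | 2.202 |

Change Statistics: R Square Change, F Change, df1, df2, Sig. F Change.
a. Predictors: (Constant), X1-X10
b. Dependent Variable: System Development & Acquisition Control

ANOVA (b)

| Model | | Sum of Squares | df | Mean Square | F | Sig. |
|---|---|---|---|---|---|---|
| 1 | Regression | 709.810 | 10 | 70.981 | 4.881 | .000 (a) |
| 1 | Residual | 901.533 | 62 | 14.541 | | |
| 1 | Total | 1611.342 | 72 | | | |

b. Dependent Variable: System Development & Acquisition Control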
MODEL: ITC2 : Dependent Variable: System Implementation Control
Model Summary (b)

| Model | R | R Square | Adjusted R Square | Std. Error of the Estimate | R Square Change | F Change | df1 | df2 | Sig. F Change | Durbin-Watson |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | .531 (a) | .282 | .166 | 3.09684 | .282 | 2.434 | 10 | 62 | .016 | 1.997 |

Change Statistics: R Square Change, F Change, df1, df2, Sig. F Change.
a. Predictors: (Constant), X1-X10
b. Dependent Variable: System Implementation Control

ANOVA (b)

| Model | | Sum of Squares | df | Mean Square | F | Sig. |
|---|---|---|---|---|---|---|
| 1 | Regression | 233.450 | 10 | 23.345 | 2.434 | .016 (a) |
| 1 | Residual | 594.605 | 62 | 9.590 | | |
| 1 | Total | 828.055 | 72 | | | |

a. Predictors: (Constant), X1-X10
b. Dependent Variable: System Implementation Control
MODEL: ITC3 : Dependent Variable: System Maintenance & Program Changes Control
Model Summary (b)

| Model | R | R Square | Adjusted R Square | Std. Error of the Estimate | R Square Change | F Change | df1 | df2 | Sig. F Change | Durbin-Watson |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | .617 (a) | .381 | .281 | 3.98071 | .381 | 3.820 | 10 | 62 | .000 | 1.809 |

Change Statistics: R Square Change, F Change, df1, df2, Sig. F Change.
a. Predictors: (Constant), X1-X10
b. Dependent Variable: System Maintenance & Program Changes Control

ANOVA (b)

| Model | | Sum of Squares | df | Mean Square | F | Sig. |
|---|---|---|---|---|---|---|
| 1 | Regression | 605.324 | 10 | 60.532 | 3.820 | .000 (a) |
| 1 | Residual | 982.457 | 62 | 15.846 | | |
| 1 | Total | 1587.781 | 72 | | | |

a. Predictors: (Constant), X1-X10
b. Dependent Variable: System Maintenance & Program Changes Control
MODEL: ITC4 : Dependent Variable: IT Asset Safeguarding Control
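Model Summary (b)

| Model | R | R Square | Adjusted R Square | Std. Error of the Estimate | R Square Change | F Change | df1 | df2 | Sig. F Change | Durbin-Watson |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | .558 (a) | .312 | .201 | .98805 | .312 | 2.806 | 10 | 62 | .006 | 1.990 |

Change Statistics: R Square Change, F Change, df1, df2, Sig. F Change.
a. Predictors: (Constant), X1-X10
b. Dependent Variable: IT Asset Safeguarding Control

ANOVA (b)

| Model | | Sum of Squares | df | Mean Square | F | Sig. |
|---|---|---|---|---|---|---|
| 1 | Regression | 27.390 | 10 | 2.739 | 2.806 | .006 (a) |
| 1 | Residual | 60.528 | 62 | .976 | | |
| 1 | Total | 87.918 | 72 | | | |

a. Predictors: (Constant), X1-X10
b. Dependent Variable: IT Asset Safeguarding Control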
MODEL: ITC5: Dependent Variable: Data Integrity, Privacy & Security Control
Model Summary (b)

| Model | R | R Square | Adjusted R Square | Std. Error of the Estimate | R Square Change | F Change | df1 | df2 | Sig. F Change | Durbin-Watson |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | .643 (a) | .413 | .318 | 4.47766 | .413 | 4.359 | 10 | 62 | .000 | 1.796 |

Change Statistics: R Square Change, F Change, df1, df2, Sig. F Change.
a. Predictors: (Constant), X1-X10
b. Dependent Variable: Data Integrity, Privacy & Security Control

ANOVA (b)

| Model | | Sum of Squares | df | Mean Square | F | Sig. |
|---|---|---|---|---|---|---|
| 1 | Regression | 873.923 | 10 | 87.392 | 4.359 | .000 (a) |
| 1 | Residual | 1243.063 | 62 | 20.049 | | |
| 1 | Total | 2116.986 | 72 | | | |

a. Predictors: (Constant), X1-X10
b. Dependent Variable: Data Integrity, Privacy & Security Control
MODEL: ITC6: Dependent Variable: Disaster Recovery Plan
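Model Summary (b)

| Model | R | R Square | Adjusted R Square | Std. Error of the Estimate | R Square Change | F Change | df1 | df2 | Sig. F Change | Durbin-Watson |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | .660 (a) | .435 | .344 | 6.62454 | .435 | 4.773 | 10 | 62 | .000 | 1.637 |

Change Statistics: R Square Change, F Change, df1, df2, Sig. F Change.
a. Predictors: (Constant), X1-X10
b. Dependent Variable: DRP

ANOVA (b)

| Model | | Sum of Squares | df | Mean Square | F | Sig. |
|---|---|---|---|---|---|---|
| 1 | Regression | 2094.498 | 10 | 209.450 | 4.773 | .000 (a) |
| 1 | Residual | 2720.845 | 62 | 43.885 | | |
| 1 | Total | 4815.342 | 72 | | | |

a. Predictors: (Constant), X1-X10
b. Dependent Variable: DRP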
MODEL: ITC7: Dependent Variable: Operating System Processing Control
Model Summary (b)

| Model | R | R Square | Adjusted R Square | Std. Error of the Estimate | R Square Change | F Change | df1 | df2 | Sig. F Change | Durbin-Watson |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | .658 (a) | .433 | .342 | 4.65177 | .433 | 4.735 | 10 | 62 | .000 | 1.856 |

Change Statistics: R Square Change, F Change, df1, df2, Sig. F Change.
a. Predictors: (Constant), X1-X10
b. Dependent Variable: Operating System Processing Activity Control

ANOVA (b)

| Model | | Sum of Squares | df | Mean Square | F | Sig. |
|---|---|---|---|---|---|---|
| 1 | Regression | 1024.631 | 10 | 102.463 | 4.735 | .000 (a) |
| 1 | Residual | 1341.616 | 62 | 21.639 | | |
| 1 | Total | 2366.247 | 72 | | | |

a. Predictors: (Constant), X1-X10
b. Dependent Variable: Operating System Processing Activity Control
MODEL: ITC8: Dependent Variable: Application Processing Control
Model Summary (b)

| Model | R | R Square | Adjusted R Square | Std. Error of the Estimate | R Square Change | F Change | df1 | df2 | Sig. F Change | Durbin-Watson |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | .773 (a) | .598 | .533 | 2.44855 | .598 | 9.220 | 10 | 62 | .000 | 1.821 |

Change Statistics: R Square Change, F Change, df1, df2, Sig. F Change.
a. Predictors: (Constant), X1-X10
b. Dependent Variable: Application Processing Control

ANOVA (b)

| Model | | Sum of Squares | df | Mean Square | F | Sig. |
|---|---|---|---|---|---|---|
| 1 | Regression | 552.779 | 10 | 55.278 | 9.220 | .000 (a) |
| 1 | Residual | 371.714 | 62 | 5.995 | | |
| 1 | Total | 924.493 | 72 | | | |

a. Predictors: (Constant), X1-X10
b. Dependent Variable: Application Processing Control
MODEL: ITC overall : Dependent Variable: Overall ITC
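Model Summary (b)

| Model | R | R Square | Adjusted R Square | Std. Error of the Estimate | R Square Change | F Change | df1 | df2 | Sig. F Change | Durbin-Watson |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | .705 (a) | .497 | .415 | 23.50343 | .497 | 6.117 | 10 | 62 | .000 | 1.764 |

Change Statistics: R Square Change, F Change, df1, df2, Sig. F Change.
a. Predictors: (Constant), X1-X10
b. Dependent Variable: ITC_overall

ANOVA (b)

| Model | | Sum of Squares | df | Mean Square | F | Sig. |
|---|---|---|---|---|---|---|
| 1 | Regression | 33792.612 | 10 | 3379.261 | 6.117 | .000 (a) |
| 1 | Residual | 34249.497 | 62 | 552.411 | | |
| 1 | Total | 68042.110 | 72 | | | |

a. Predictors: (Constant), X1-X10
b. Dependent Variable: ITC_overall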