towards a general theory of i .t. auditing · îaudi alteram partem ï (hear the other party) the...
TRANSCRIPT
7
International Journal of Accounting & Business Management
www.ftms.edu.my/journals/index.php/journals/ijabm
Vol. 1 (No.1), April, 2013 Page: 07-22
ISSN: 2289-4519
This work is licensed under a Creative Commons Attribution 4.0 International License.
Towards a General Theory of I.T. Auditing
Andrew D Chambers1
1EurIng Professor Andrew D Chambers, BA, PhD, CEng, FCCA, FCA, FIIA, FBCS, CITP, FRSA.
Andrew has authored several books on I.T. auditing. He was on the Council of The British Computer
Society and a member of their Technical Board. His Chartered Engineering qualification is in the field
of software engineering.
8
Abstract This is the first draft of a paper which draws together strands on the philosophy and practice of auditing which the author has written on over the years. They are offered as a basis for endeavouring to develop a general theory of I.T. auditing, though this first draft does not articulate a theory as such in a concise way. The paper touches on how auditing has developed over the centuries. It draws attention to the roots of internal auditing in external auditing from which it splintered commencing about one hundred years ago. The paper suggests that I.T. auditing has more recently splintered from internal auditing. When a general theory for I.T. auditing is developed, it will need to take on board fundamental auditing concepts and apply them to I.T. auditing. These concepts are explored in more general terms within this paper. They include:
1. The notion of three parties involved 2. The attributes of a profession 3. The prerequisites of auditor
independence and competence 4. The need for external quality
oversight of auditors 5. Hearing the other party
Today the extent of I.T. auditing is limited. Many auditors still follow a ‘black box’ approach of auditing round I.T. systems, unable to understand sufficiently the processes within those systems in order to provide audit assurance of their robustness. We live in an I.T.-dependent age where I.T. is taken too much on trust until it fails. It is
inadequate for the I.T. profession to be entrusted with its own oversight. Comments would be gratefully received by the author at [email protected]. Towards a General Theory of IT Auditing Andrew D Chambers
‘Audire’ (‘To hear’)
‘If you suspect my husbandry or falsehood call me before the exactest auditors and set me on the proof.’
Shakespeare2 ‘The great social revolutions of our history reflect the creation of new concepts which, although involving radical upheaval, take root over a considerable period of time.’ Mumford & Ward (1968).
The roots of auditing go far back. Rare audit tables occasionally appear on the antiques market. Geoffrey Chaucer, whose patron was John of Gaunt, the King’s 4th son and father to a future king Henry IV, would have sat at such a table within the audit towers of castles he visited in the 14th century to hear the arguments of those seeking to minimize their tithes. In 1849 a Select Committee of the House of Lords inquired into Audit of Railway Companies. Its report is credited with helping establish the audit profession: certainly by 1872 the Great Western Railway had an external auditor (Mr.
2 Flavius, Steward to Timon, in Timon of
Athens, by William Shakespeare.
9
Deloitte) and an audit committee (Tricker, 1978, p56):
‘Report of the Audit Committee: ‘The auditors and Mr. Deloitte attended the Committee and explained the various matters connected with the Finances and other departments of the railway, which explanations were highly satisfactory. ‘The Committee consider the Auditors have performed their arduous duties with great care and intelligence and therefore confidently recommend that they be continued in office.’ Benjamin Lancaster Chairman Paddington Station 22nd February, 1872
Internal auditing arose from external auditing It was the financial statements of entities that became the focus of audit assurance. But then a new auditing, internal auditing, was born as a splinter from the external audit of financial statements. The record indicates that the nascency of internal auditing, with its modern roots around the start of the twentieth century, was initially associated with a focus on providing assurance of the proper accounting for transactions, especially those involving handling cash. The principal means employed to arrive at that assurance were for the auditor to reperform accounting operations (Collins, 1904, 1908). Yet, even Collins at that time perceived that internal auditing was not a merely mechanical craft:
'It is only by the exercise of his powers of perception and imagination that an internal auditor can be said to be fulfilling his [sic] purpose.' (Collins, 1904, p.6). and '...it is by the continual use of his auditorial acumen that an internal auditor succeeds.'(Collins, 1904, p.6).
Audit of internal accounting control As businesses grew, the volume of transactions became larger and it became impractical to provide reliable assurance by reperformance, even on an audit sample basis. Though the volume of transactions was growing, the number of business processes being applied to those transactions remained more stable. So, around the middle of the twentieth century the audit focus shifted to providing assurance of the adequacy of the system of internal accounting control, Reperformance of accounting operations was then relegated to sample testing to confirm the auditor’s understanding of the system and that it was being applied as intended. In parallel with this shift came a graduation from an internal audit preoccupation with accounting matters to including within the scope of internal auditing a review of operations. The rationale was that entities achieve their objectives through their operations, not merely through their accounting processes, and both need effective internal control. With this new emphasis on internal control, it was not surprising that the internal control concept was to be developed further.
10
The control orientation of internal auditing might have developed sooner, and internal audit might have prospered earlier, had a widely available English translation of a seminal work by the ‘father of management theory’ (Fayol, 1916) been available sooner than 1949 (Chambers, 1981a, ch.3). Instead, Fayol’s approach to management was eclipsed by Taylor (1911), the ‘father of management science’ and a Harvard professor, with his emphasis upon specialization and departmentalization within organizations (Chambers, 1976, p.93). Risk-based approaches to auditing This analysis is borne out by McNamee and Selim (1998, p.xiii):
‘The first internal audit paradigm focused on observing and counting. In 1941, Victor Brink introduced the concept of a system of IC and changed the paradigm from a focus on reperformance to a focus on controls. We are at a crossroads – people are trying to change the rules of internal auditing. The third paradigm is based on viewing the business process through a focus on risk.’
Perversely, there is a risk associated with the decline of internal auditors reperforming accounting operations; that is, a risk associated with the risk-based approach to internal auditing. This is the risk that errors and losses may go undetected. Professor Mackenzie, an eminent economist at Manchester University, coined these words as far back as 1966 in his Foreword to a book on auditing in governments by E.L. Normanton based on the latter’s MPhil thesis which Mackenzie had supervised
(Normanton3, 1966, p.vii; Chambers, 2006):
‘Without audit, no accountability; without accountability, no control; and if there is no control, where is the seat of power? ... … great issues often come to light only because of scrupulous verification of detail.’
Now, contemporary automation of audit work can provide the means to somewhat more easily reperform very large volumes of transaction processing. This future development was predicted more than thirty years ago (Chambers, 1981d, p.396). Hearing the other party Discussion of audit assurance would be incomplete without mention that it is usually appropriate for an auditor to hear the responsible party: ‘Audi alteram partem’ (‘Hear the other party’) The legal parallel is that it is natural justice to give parties a right to be heard. Habeas corpus was an early application of this audi alteram partem principle. In auditing today a prominent example is the so-called ‘contradictory process’ which precedes the publication in The Official Journal of the European Communities of the DAS (La Déclaration d’assurance - Statement of Assurance) of the European Court of Auditors’ audit of the European Commission (Edsberg,1994). This ‘contradictory process’ provides the European Commission with the opportunity to
3 Normanton started his career in HM Treasury
before transferring to the European Court of
Auditors.
11
contest the tentative results of the audit before these results are communicated in final form to other parties. Internal auditors are excellent exemplars of ‘audi alteram partem’: draft internal audit reports are discussed with auditees whose responses are incorporated within final audit reports. In final internal audit engagement reports ‘audit recommendations’ are preferably expressed as ‘agreed action’4 usually with agreed target dates for implementation. A further example is the external auditor’s management letter which draws attention to possible opportunities to improve performance noted by the external auditor during the course of the audit. After prior discussion with management, this is then issued in draft to management before being finalised and communicated to the board’s audit committee (Chambers, 2006, pp.45-46; 2009b, ch.18). Whether for external or internal auditors, audi alteram parte serves the secondary, pragmatic purpose of allowing the auditor to test the validity of audit results before finalisation: those to whom audit results are communicated are often better informed than the auditor. The ‘three party’ relationship Assurance engagements involve three separate parties: a practitioner, a responsible party and intended users
4 That is, agreed between management and
internal audit.
(IAASB, 2005, para. 21). Where there is very significant overlap between the responsible party and the intended users, there may be less point in the assurance engagement. Thus, for instance, where management and the shareholders are largely the same, as may be so in a family or other private company, the shareholders are not in the same need of assurance about the account rendered to them by management. This is one reason why there is now audit exemption for small companies.5 Currently, the generally accepted definition of internal auditing specifies that internal auditing activities comprise assurance and consulting activities:
5 Unless the shareholders insist and in certain
other cases, s382-383 of the 2006 UK
Companies Act gives effect to EC Directive
exempting small companies from the
requirement for external audit if two out of the
following three criteria apply:
Turnover: less than £6.5m (net) or
£7.8m (gross);
Balance sheet total: less than £3.26m
(net) or £3.9m (gross);
Fewer than 50 employees
These thresholds have been adjusted upwards
from time to time.
In 2011 the Commission proposed similar audit
exemption for mid-tier companies which would
have taken a further 32,000 UK companies out
of the requirement for mandatory audit. This
was opposed by most member states (though
supported by the UK Department of Business)
and so has not been implemented. The
equivalent thresholds for mid-tier companies are
currently:
Turnover: less than £25.9m (net) or
£31.1m (gross);
Balance sheet total: less than £12.9m
(net) or £15.5m (gross);
Fewer than 250 employees
12
‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.’ (The IIA, 1999)6
6 A full trace of the evolution of The Institute of
Internal Auditors’ definition of internal auditing
is as follows:
1947: ‘Internal auditing is the independent
appraisal activity within an organization for the
review of the accounting, financial and other
operations as a basis for protective and
constructive service to management. It is a type
of control that functions by measuring and
evaluating the effectiveness of other types of
control. It deals primarily with accounting and
financial matters, but it may also properly deal
with matters of an operating nature.’
1957: ‘Internal auditing is an independent
appraisal activity within an organization for the
review of accounting, financial, and other
operations.’
1971: ‘Internal auditing is an independent
appraisal activity within an organization for the
review of operations as a service for
management. It is a managerial control which
functions by measuring and evaluating the
effectiveness of other controls.’
1978: ‘Internal auditing is an independent
appraisal function established within an
organization to examine and evaluate its
activities as a service to the organization. The
objective of internal auditing is to assist
members of the organization in the effective
discharge of their responsibilities. To this end,
internal auditing furnishes them with analyses,
appraisals, recommendations, counsel, and
information concerning the activities reviewed.’
1990: ‘Internal auditing is an independent
appraisal function established within an
organization to examine and evaluate its
activities as a service to the organization. The
objective of internal auditing is to assist
members of the organization in the effective
It has been controversial to include ‘consulting’ within the current definition and it was unfortunate that the first consulting Standards were released just as Enron collapsed and the audit pendulum was about to swing back to ‘assurance’. It is likely that a revised wording to the definition will be:
‘Internal auditing is an independent, objective assurance and advisory activity designed to help an organization accomplish objectives and improve governance, risk management and internal control.’
While the parties to an internal audit assurance engagement are (a) the auditor, (b) those audited, and (c) those to whom assurance is given, a consulting engagement has only two parties – (a) the auditor and (b) whoever consulted the auditor. However, if during a consulting engagement the auditor discovers a matter pertinent to the auditor’s assurance role, it should not be regarded discharge of their responsibilities. To this end,
internal auditing furnishes them with analyses,
appraisals, recommendations, counsel, and
information concerning the activities reviewed.
The audit objective includes promoting effective
control at reasonable cost.’
1999: ‘Internal auditing is an independent,
objective assurance and consulting activity
designed to add value and improve an
organization’s operations. It helps an
organization accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance
processes.’
2013 (anticipated): ‘Internal auditing is an
independent, objective assurance and advisory
activity designed to help an organization
accomplish objectives and improve governance,
risk management and internal control.’
13
as ‘privileged information’ not to be made use of in the context of the auditor’s assurance role. (Chambers, 2006, p.46; 2009b, ch.1, pps.36-7).7 A further distinction between the internal auditor’s consultancy and assurance roles is that consulting engagements are only undertaken when (a) the auditor and (b) management consulting the auditor, both consider it is a good use of audit time; whereas those to be audited should not be able to veto whether or not an assurance engagement takes place (Chambers, 2009b, ch.18, p.576). Altered reporting lines for internal audit It was consistent with the changing scope of internal auditing that the positioning of internal audit within the organization would change. In Collins’ time (1904) it was seen as appropriate for internal audit to belong to the accounting function, reporting to a middle or senior level accountant; though this should have raised questions about the degree of independence of the internal auditor from what he or she was auditing. Indeed, as recently as the 1970s 95% of heads of internal audit reported to someone within the finance function (Chambers, 1976, p.41). As internal audit gravitated to the audit of operations in general, it became more appropriate for internal audit to report to general management. When internal
7 IIA Standard (2011) 2440.C2 reads:
‘During consulting engagements,
governance, risk management, and control
issues may be identified. Whenever these
issues are significant to the organization,
they must be communicated to senior
management and the board.’
audit found itself auditing high level processes it became appropriate for internal audit to report to top management, and for the chief audit executive to be a senior person. The hallmarks of a profession The nature of a profession and internal audit’s claims and needs for professional status have been discussed in depth in several places (Chambers, 1981a, chs.1 and 21; 1982; 2011a, pp.12-13; 2011b, pp.9-13; Cowton (2008, 2009)). While the attributes of professions vary between professions, and it has been argued that some occupational groups are semi-professions or emerging professions, there is wide acceptance of certain characteristics that mark out professions from other occupational groups, which can be summarized as follows: A profession makes use of a
systematic body of theory, acquired by its members in part through in-depth study of quite abstract concepts.
A profession has authority sanctioned by the community.
A profession is represented by three distinct organizational groups which interact with cross memberships: 1. The organization which renders
the actual service – often a professional practice;
2. The organization that provides group consciousness – the professional body;
3. The organization that develops knowledge and talent – for the professions this is invariably at university level.
14
Any profession’s body of theory evolves over time and tends to become more complex with the result that specialisms within the profession tend to emerge, sometimes leading to the profession splintering with certain specialisms developing the characteristics of being professions in their own right. Thus it can be argued that internal auditing failed to cherish I.T. auditing sufficiently, providing space for a distinct I.T. auditing profession to emerge. Today the evolution of the accounting profession is evidenced by the development of the concept of fair value accounting including ‘mark to market’ and ‘mark to model’, and the replacement of the ‘prudence’ concept by a ‘neutrality’ concept. There are now suggestions that the external auditing profession is in need to splinter from the accounting profession in order to enhance auditor independence (Chambers, 2012c). The accountancy profession itself was incapable of holding onto internal auditing which has become distinctive from it. UK chartered professional bodies are expected to adopt the public interest as being a guiding principle. IIA(UK) has been a chartered body since 2011 and in 2012 amended their ethical principles to set out their public interest obligation.8The trend towards
8 In April 2012 The IIA (UK) incorporated The
IIA Code of Ethics (which all parts of the
worldwide IIA are required to adopt) into a new,
expanded Code of Professional Conduct for
Chartered Institute of Internal Auditors. It
added two new principles, as follows:
‘Principle of Professionalism – acting in the
public interest
‘Acting in the public interest involves having
regard to the legitimate interests of those who
rely upon the objectivity and integrity of the
professionalization of internal auditing has been explored, with the suggestion it is only legitimate if based on the ideal of improving service quality, while acknowledging there is not universal approval of internal auditing being, or becoming, a profession - especially as management often see no advantage in separating internal auditing from management in general (Chambers, 1979, p.2 andp.6).
assurance about governance and the
management of risk, including control, that the
internal audit profession provides to support the
orderly functioning and propriety of
organizations. These include employers,
employees, investors, the business and financial
community, clients, regulators and government.
This reliance imposes a public interest
responsibility on the internal audit profession.
‘Professional internal auditors should take into
consideration the public interest and reasonable
and informed public perception in deciding the
actions to take, bearing in mind that the level
and nature of the public interest varies between
organizations depending on their role, size,
systemic importance or public prominence.
‘Therefore, a professional internal auditor’s
responsibility is not exclusively to satisfy the
needs of an individual employer or client. In
acting in the public interest a professional
internal auditor should observe and comply
with the ethical requirements of this Code.
‘Courtesy and respect
‘Professional internal auditors should treat all
people fairly without prejudice on any grounds.’
15
Professional oversight An essential attribute of a profession is the oversight by the professional body of its members, the practitioners. When there is no mandatory requirement for many entities to have internal audit, or it is at entities’ discretion whether they staff the function with professionally qualified internal auditors, it is clearly difficult for The IIA to oversee internal audit quality (Chambers, 2006, p.44). ‘Quis custodiet ipsos custodes’ 9 (Who audits the auditor?) The approach of The IIA is that their Standards, mandatory for members and for candidates for their professional qualifications, require periodic internal and external assessments of internal quality, using the Standards themselves as the benchmark, and The IIA has set out how these assessments should be undertaken and by whom. Auditing I.T. governance Key areas where internal audit’s systematic body of theory has evolved are to do with the nature and scope of internal audit work, the consideration of risk in audit planning, and the approach to audit work. The IIA Standards now require the internal audit activity to
‘evaluate and contribute to the improvement of governance, risk
9 Juvenal (c.AD55-127) (6
th Satire): “‘Pone seram,
prohibe.’ Sedquis custodiet ipsos
Custodes?Cautaest et abillis incipit uxor’ - ‘“Put on
a lock! Keep her in confinement!” But who is to
guard the guards themselves? Your wife is as
cunning as you, and begins with them.” ‘Quis
custodiet ipsos Custodes?’ has also been loosely
used to ask ‘Who judges the judges?’ etc.
management, and control processes using a systematic and disciplined approach.’10
A suggestion that audit of governance processes should embrace a consideration of ethics and values was indirectly implied in the following:
‘A further future trend is likely to be an internal audit review of corporate attitudes, advising whether they are consistent with overall objectives and indeed understood and operated throughout the organization. Attitudes (to innovation, work, risk, resource stewardship, staff development and so on) are principal determinants of corporate success or failure – yet they are often left to chance and indeed very rarely the subject of independent review. There is evidence to indicate that most internal auditors consider these matters should come within the scope of internal audit.’(Chambers, 1979; see also 1978b).
10
Standard 2100 (2013).
16
Assurance to external stakeholders The question arises as to whether internal audit, and indeed I.T. auditing, will morph into providing more assurance to external stakeholders. Both audits must be concerned with governance processes: the question is whether they have a role in the external aspects of corporate governance (see Figure 1). Already there are obligations for internal audit to report certain matters to regulators such as the UK Financial Services Authority or the UK Higher Education Funding Council (2009b, p.601). As far back as the 1970s a report on internal audit, with an overall opinion, appeared annually in the annual report of Anglian Water, addressed to the owners and to other external stakeholders who chose to read it (Chambers, 1998; 2005a, pp.489-495; 2009b, p.600).As early as the 1970s internal auditors in Sweden had a role in providing assurance to worker representatives on the reliability of information to which workers had a statutory right (Chambers, 1979).Today, internal audit reports of UK public bodies, especially local authorities, appear on their websites. Of course, routine internal audit work may impact on the financial statements which are published. So internal audit involvement with the external aspects of corporate governance is already not inconsiderable.
Figure 1: The relationship between governance, risk management and internal control, and the component
part of governance
I.T., fraud and the auditor
‘Nemo repente fuit turpissimus’ (‘No one ever reached the climax of vice at one step’)11 IIA Standards do not require internal auditors
‘to have the expertise of a person whose primary responsibility is detecting and investigating fraud’12
nor that all internal auditors should ‘have the expertise of an internal auditor whose primary responsibility is information technology auditing’.13
Despite a promising start in the 1970s, the profession now has insufficient focus on both fraud and I.T., so ceding pole position in both to other emerging professions.14
11
Juvenal, (c.AD55-127), 2nd
Satire, quoted in
Chambers, A.D. (2006), p.42. 12
IIA Standard 1210.A2. 13
IIA Standard 1210.A3. 14
Respectively, the Association of Certified
Fraud Examiners (ACFE), and the Information
Systems Audit and Control Association
(ISACA).
17
In a paper that presented the results of research into the incidence and nature of I.T. fraud15, it was suggested that
‘the auditor who is not able to use an inquiry package is the equivalent of a blind auditor having someone read to him the manual accounting records’ (Chambers, 1978a).
The test data method and audit inquiry packages had been trailed earlier as I.T. audit methjodologies, together with the use of resident audit programs within real-time systems (Chambers, 1975a, p.101; 1975b, pp.11-12 and 154; 1981d, pp.393-5) – a harbinger of today’s intensive focus on ‘continuous auditing’ (Marks, N., 2011).
‘There seems little doubt that integrated, or embedded, audit techniques will be the future way ahead. With these methods, programmed audit routines are embedded into application software, preferably with a measure of protection from scrutiny or modification by others. The audit routines may be designed to monitor transactions while they are being processed making a note of any which are of interest to the auditor.’ (Chambers, 1981b, p.293).
Hacking was also then trailed as a likely issue to emerge as important:
‘Mathematical wizards may crack competitors’ user codes in less than twenty-four hours, so frequent amendment of the user code may be an inadequate precaution.’(Chambers, 1975b, p.8).
15
The unclear Table 1 (p196) in Chambers
(1978c), which is a summary of the data on
computer abuse, is identical to Table 16
(pp.178-9) in Chambers, A.D. (1981c).
Arguments for and against pre-event auditing, supported by empirical data, were reported (Chambers, 1978b, p.96; 1981b; 1981d, pp.390-3). A widely accepted definition of audit trail was formulated at an early stage (Chambers, 1975b, p.11).16 Filling the board’s assurance vacuum The global financial crisis that erupted in 2007 showed vividly that boards were insufficiently cognisant of the risks their companies were running. A key question that needs to be addressed is how can boards obtain the assurance they need that their policies are being implemented as intended by management; and that there are no ‘banana skins’ round the corner, known or not to management, over which the entity may slip in the future. Lenz and Sarens (2012) extensively cited Chambers (2008a) on this issue.
‘Boards are exposed to a partial assurance vacuum which urgently needs to be filled. If internal audit can make a further quantum leap, as internal audit has done in other respects in the past, then internal audit
16
‘Audit trail implies the preparation and
retention within the organization: (a) for an
adequate period, (b) in a reasonably accessible
form, and (c) in enough detail to satisfy the
auditors, of records which allow each detailed
accounting element of any transaction to be
tracked from its source4 through each
intermediate stage to its final disposition (or
dispositions) whether in detailed or summary
form or both; and vice versa (that is, the facility
to use records to trace back in detail from the
final outcome (or outcomes) through the
intermediate stages back to the initial source (or
sources) of the transaction.’ (Chambers, 1975b,
p.11)
18
may fulfil this need.’ (Chambers, 2008a, p.47).
Marks (2010) wrote:
‘Chambers makes the cogent argument that internal audit should report not only functionally, but also administratively to the board’s lead independent director, and the internal audit budget should be part of the board’s budget.’(Chambers, 2008a; 2008b; 2008c; 2009a; 2009b, ch.19).
Fuzzy auditing We would expect a continued development of what the author coined as ‘fuzzy auditing’. For instance, narrative reporting is becoming more important than it has been and we can expect progressive moves to ensure that narrative reports are audited, notwithstanding that they are more subjective and less standardised than financial statements. We would also expect ‘fuzzy auditing’ to be applied more frequently to providing assurance on matters where no statement at all, whether quantitative or narrative, is made by the audited party. One characteristic of ‘fuzzy auditing’ is likely to be a greater use by those providing assurance of long form, discursive assurance reports rather than short, boilerplate audit opinions. Those providing assurance in the future are more likely to address opportunities for continual improvement within their assurance reports (Chambers, 2006, p.53). In a context where ‘fuzzy auditing’ is likely to be more commonplace, it may seem out of place to predict that future auditing will become deeper and less
superficial. But we note disenchantment with the lack of in-depth rigor applied today by so many internal and external auditors. With internal auditors it manifests as excessive reliance on interviews and minimal use of detailed testing. With both external and internal auditors it manifests itself in certain aspects of their respective risk-based approaches (Chambers, 2006, p.53). REFERENCES
Chambers, A.D. (1975a) Audit test packs
and computer audit programs,
The Computer Journal, 18(2),
pp.98–101. [Oxford University
Press, print ISSN 0010-4620,
online ISSN 1460-2067].
Chambers, A.D. (1975b) in Chambers,
A.D. and Hanson, O. (eds.) (1975)
Keeping Computers Under Control,
London: Gee & Co Publishers,
SBN 85258 150 5, PB, 202 pps.
Chambers, A.D. (1976) Internal auditing
as a university pursuit, in:
Proceedings of the 1st Conference
on Recent Developments in
Internal Auditing, London, The
Graduate Business Centre of City
University, February, pp.93-128.
Chambers, A.D. (1978a) Computer fraud
and abuse’, The Computer Journal,
21(3), pp.194-198 [Oxford
University Press, print ISSN
0010-4620, online ISSN 1460-
2067].
Chambers, A.D. (1978b) The internal
audit of research and
19
development, R&D Management,
February, 8(2), pp.95-99. [Wiley-
Blackwell, ISSN 1467 9310].
Chambers, A.D. (1979) The future of
internal auditing, Accountancy en
Bedrijfskunde (Journal edited by
Prof. R. Paeleliere and academic
board, 4(2), pp.5-32. [c/o CED-
SAMSON, Philippe de
Champagnestraat 7, 1000
Brussel].
Chambers, A.D. (1981a, reprinted 1984)
Internal Auditing, 1st ed. London:
Pitman Publishing, HB, ISBN 0-
273-01632-6, 368 pps.
Chambers, A.D. (1981b) Current
strategies for computer auditing
within an organization, The
Computer Journal, 24(4), Oxford
University Press, print ISSN
0010-4620, online ISSN 1460-
2067, pp.290-294.
Chambers, A.D. (1981c) Computer
Auditing, 1st ed. London: Pitman
Publishing, ISBN 0 273 01633 4,
237 pps. [Also Australia: CCH
and New Zealand: CCH (Library
of Congress Catalog Card Number
81-65899). Japanese translation
(1986), Japan: Doyukan, ISBN 4-
496-01300-2].
Chambers, A.D. (1981d) The state of the
art of computer auditing within
organizations, Tijdschrift Voor
Economie en Management,
Autumn, No. 3 [Journal of the
Faculteit de Economische en
Toesepaste Economische
Wetenschappen, Katholieke
Universiteit, Leuven, Belgium].
Chambers, A.D. (1982) Research in
internal auditing: issues and
possibilities, in Bromwich, M.,
Hopwood, A.G. and Shaw, J. (eds.)
Auditing Research: Issues and
Opportunities, London: Pitman,
ISBN 0 273 01852 3, pp.99-128.
Chambers, A.D. (2006) Assurance of
performance, Measuring Business
Excellence - The Journal of
Business Performance
Management, 10(3), pp.41-55.
[Emerald, ISSN 1368-3047].
Chambers, A.D. (2008a) The board’s
black hole – filling their
assurance vacuum: can internal
audit rise to the
challenge?’,Measuring Business
Excellence - The Journal of
Business Performance
Management, 12(1), Emerald,
ISSN 1368-3047, pp.47-63.
Chambers, A.D. (2008b) The board’s
black hole: filling their assurance
vacuum – can internal audit rise
to the challenge? Internal Audit e-
Bulletin, ACCA UK, December,
issue 5. [Online]. Available at:
http://newsweaver.co.uk/accaia
bulletin/e_article001278734.cfm
?x=b11,0,w. [Accessed 4
September 2011].
20
Chambers, A.D. (2008c) Bring on the
super auditors, Internal Auditing,
The Institute of Internal
Auditors-UK, ISSN 1757-0999,
32(12), December, pp.18-21.
Chambers, A.D. (2009a) The black hole of
assurance, The Internal Auditor,
The Institute of Internal Auditors
Inc., ISSN0020-5745, April, 66(2),
pp.28-29.
Chambers, A.D. (2009b) Tolley’s Internal
Auditing Handbook. 2nd ed.
London: LexisNexis Butterworths
Tolley, ISBN 978140573674, 724
pps.
Chambers, A.D. (2011a) Audit Market
Concentration: Implications and
Solutions – a Personal Perspective
(on the House of Lords’ Inquiry
Report on Audit Market
Concentration), Online for BAFA
Auditing SiG On-line Newsletter;
placed by SiG on their website at
http://static.aston.ac.uk/asig/Ho
use%20of%20Lords%20Inquiry_
Binder.pdf, accessed 6 May
2012].
Chambers, A.D. (2011b) Audit Market
Concentration: Implications and
Solutions - A Personal
Perspective, International Journal
of Governance, ISSN 2224-5359,
1(3), 12 May
[www.ijgmagzine.com, available
at
http://www.ijgmagzine.com/ind
ex.php/ijg/issue/view/5/showT
oc: accessed 8 December 2011].
Chambers, A.D. (2012c) Is Audit Failing
the Global Capital
Markets?,International Journal of
Disclosure and Governance,
Palgrave,Macmillan Publishers
Ltd, ISSN: 1741-3591, EISSN:
1746-6539. [Advance online
publication, 11 October 2012;
doi:10.1057/jdg.2012.18;
www.palgrave-
journals.com/jdg/. To appear in
hard copy of JDG in 2013. Paper
first presented at the 10th
International Conference on
“Corporate Governance:
“Corporate Governance and
Universal Acceptance: Taking
Stock of Progress and Indicators of
Future Trends”, Centre for
Corporate Governance Research,
Birmingham University, chaired
by Sir Adrian Cadbury, 25th June].
Collins, A. (1904) A Municipal Internal
Audit, London, Gee & Co., HB, 142
pps. [later revised editions in
1913, 1922, 1931 and 1934].
Collins, A. (1908) The Organization and
Audit of Local Authorities,
London, Gee &Co..
Cowton, C.J. (2008) Governing the
corporate citizen: reflections on
the role of professionals, in Conill,
J., Luetge, C. and Schönwälder-
Küntze, T. (eds), Corporate
Citizenship, Contractarianism and
21
Ethical Theory: On Philosophical
Foundations of Business Ethics,
Aldershot: Ashgate), pp. 29-47.
Edsberg, J. (1994) The European
Community’s budget: budget
discipline and budget accounting,
Financial Accountability and
Management in Governments,
Public Services and Charities,
Blackwell, ISSN 0267-4424,
10(1), February.
Fayol, Henri (1916) (in French),
Administration Industrielle et
Générale; Prévoyance,
Organization, Commandement,
Coordination, Controle, Paris, H.
Dunod et E. Pinat.
IAASB (The International Auditing and
Assurance Standards Board)
(2005) International Framework
for Assurance Engagements.
Lenz, R. and Sarens, G. (2012) Reflections
on the internal auditing
profession: what might have gone
wrong? Managerial Auditing
Journal, 27(6).
Marks, N. (2011) Continuous auditing:
putting theory into practice, Best-
Practice Approaches to Internal
Auditing, Bloomsbury, ISBN-10:
1-84930-023-0, pp.15-22. [see
also (all accessed on 07May12):
http://normanmarks.wordpress.com/20
11/11/18/continuous-auditing-
that-should-not-be-performed-
by-internal-audit/;
http://www.theiia.org/blogs/ma
rks/index.cfm/post/Reflections
%20on%20Continuous%20Audit
ing;
http://www.scribd.com/doc/868
92335/Continuous-Auditing-
Putting-Theory-Into-Practice;
http://www.bloomsburyprofessi
onal.com/1399/Bloomsbury-
Professional-Best-Practice-
Approaches-to-Internal-Auditing-
.html)
Marks, N. and Taylor, J.R. (2009) The
current state of internal auditing:
a personal perspective and
assessment, EDPACS, (39)4, April.
Marks, N. (2009) A Look Into the Future:
the Next Evolution of Internal
Audit – Continuous Risk and
Control Assurance, SAP.
Marks, N. (2010) Continuous auditing
reexamined, ISACA Journal, Vol.
1.]
McNamee, D. and Selim, G. (1998) Risk
Management: Changing the
Internal Auditor’s Paradigm,
Florida, The Institute of Internal
Auditors Research Foundation,
ISBN 0-89413-421-3.
Mumford, E. and Ward, T.B. (1968)
Computers: Planning for People,
Batsford.
Normanton, E.L. (1966) The
Accountability and Audit of
Governments, Manchester
University Press and Frederick A.
22
Prager, New York. [quotation
from foreword by Professor
W.J.M. Mackenzie]
Taylor, F. (1911) Principles of Scientific
Management, New York and
London, Harper & Brothers.
Tricker, R.I. (1978) The Independent
Director – A Study of the Non-
executive Director and the Audit
Committee, Tolley Publishing.