International Journal of Accounting & Business Management

www.ftms.edu.my/journals/index.php/journals/ijabm

Vol. 1 (No.1), April, 2013 Page: 07-22

ISSN: 2289-4519

This work is licensed under a Creative Commons Attribution 4.0 International License.

Towards a General Theory of I.T. Auditing

Andrew D Chambers¹

1 EurIng Professor Andrew D Chambers, BA, PhD, CEng, FCCA, FCA, FIIA, FBCS, CITP, FRSA. Andrew has authored several books on I.T. auditing. He was on the Council of The British Computer Society and a member of their Technical Board. His Chartered Engineering qualification is in the field of software engineering.


Abstract

This is the first draft of a paper which draws together strands on the philosophy and practice of auditing which the author has written on over the years. They are offered as a basis for endeavouring to develop a general theory of I.T. auditing, though this first draft does not articulate a theory as such in a concise way. The paper touches on how auditing has developed over the centuries. It draws attention to the roots of internal auditing in external auditing from which it splintered commencing about one hundred years ago. The paper suggests that I.T. auditing has more recently splintered from internal auditing. When a general theory for I.T. auditing is developed, it will need to take on board fundamental auditing concepts and apply them to I.T. auditing. These concepts are explored in more general terms within this paper. They include:

1. The notion of three parties involved
2. The attributes of a profession
3. The prerequisites of auditor independence and competence
4. The need for external quality oversight of auditors
5. Hearing the other party

Today the extent of I.T. auditing is limited. Many auditors still follow a ‘black box’ approach of auditing round I.T. systems, unable to understand sufficiently the processes within those systems in order to provide audit assurance of their robustness. We live in an I.T.-dependent age where I.T. is taken too much on trust until it fails. It is inadequate for the I.T. profession to be entrusted with its own oversight.

Comments would be gratefully received by the author at [email protected].

‘Audire’ (‘To hear’)

‘If you suspect my husbandry or falsehood call me before the exactest auditors and set me on the proof.’ Shakespeare²

‘The great social revolutions of our history reflect the creation of new concepts which, although involving radical upheaval, take root over a considerable period of time.’ Mumford & Ward (1968).

The roots of auditing go far back. Rare audit tables occasionally appear on the antiques market. Geoffrey Chaucer, whose patron was John of Gaunt, the King’s 4th son and father to a future king Henry IV, would have sat at such a table within the audit towers of castles he visited in the 14th century to hear the arguments of those seeking to minimize their tithes. In 1849 a Select Committee of the House of Lords inquired into Audit of Railway Companies. Its report is credited with helping establish the audit profession: certainly by 1872 the Great Western Railway had an external auditor (Mr. Deloitte) and an audit committee (Tricker, 1978, p56):

2 Flavius, Steward to Timon, in Timon of Athens, by William Shakespeare.

‘Report of the Audit Committee:

‘The auditors and Mr. Deloitte attended the Committee and explained the various matters connected with the Finances and other departments of the railway, which explanations were highly satisfactory.

‘The Committee consider the Auditors have performed their arduous duties with great care and intelligence and therefore confidently recommend that they be continued in office.’

Benjamin Lancaster
Chairman
Paddington Station
22nd February, 1872

Internal auditing arose from external auditing

It was the financial statements of entities that became the focus of audit assurance. But then a new auditing, internal auditing, was born as a splinter from the external audit of financial statements. The record indicates that the nascency of internal auditing, with its modern roots around the start of the twentieth century, was initially associated with a focus on providing assurance of the proper accounting for transactions, especially those involving handling cash. The principal means employed to arrive at that assurance were for the auditor to reperform accounting operations (Collins, 1904, 1908). Yet, even Collins at that time perceived that internal auditing was not a merely mechanical craft:

'It is only by the exercise of his powers of perception and imagination that an internal auditor can be said to be fulfilling his [sic] purpose.' (Collins, 1904, p.6).

and

'...it is by the continual use of his auditorial acumen that an internal auditor succeeds.' (Collins, 1904, p.6).

Audit of internal accounting control

As businesses grew, the volume of transactions became larger and it became impractical to provide reliable assurance by reperformance, even on an audit sample basis. Though the volume of transactions was growing, the number of business processes being applied to those transactions remained more stable. So, around the middle of the twentieth century the audit focus shifted to providing assurance of the adequacy of the system of internal accounting control. Reperformance of accounting operations was then relegated to sample testing to confirm the auditor’s understanding of the system and that it was being applied as intended. In parallel with this shift came a graduation from an internal audit preoccupation with accounting matters to including within the scope of internal auditing a review of operations. The rationale was that entities achieve their objectives through their operations, not merely through their accounting processes, and both need effective internal control. With this new emphasis on internal control, it was not surprising that the internal control concept was to be developed further.


The control orientation of internal auditing might have developed sooner, and internal audit might have prospered earlier, had a widely available English translation of a seminal work by the ‘father of management theory’ (Fayol, 1916) been available sooner than 1949 (Chambers, 1981a, ch.3). Instead, Fayol’s approach to management was eclipsed by Taylor (1911), the ‘father of management science’ and a Harvard professor, with his emphasis upon specialization and departmentalization within organizations (Chambers, 1976, p.93).

Risk-based approaches to auditing

This analysis is borne out by McNamee and Selim (1998, p.xiii):

‘The first internal audit paradigm focused on observing and counting. In 1941, Victor Brink introduced the concept of a system of IC and changed the paradigm from a focus on reperformance to a focus on controls. We are at a crossroads – people are trying to change the rules of internal auditing. The third paradigm is based on viewing the business process through a focus on risk.’

Perversely, there is a risk associated with the decline of internal auditors reperforming accounting operations; that is, a risk associated with the risk-based approach to internal auditing. This is the risk that errors and losses may go undetected. Professor Mackenzie, an eminent economist at Manchester University, coined these words as far back as 1966 in his Foreword to a book on auditing in governments by E.L. Normanton based on the latter’s MPhil thesis which Mackenzie had supervised (Normanton³, 1966, p.vii; Chambers, 2006):

‘Without audit, no accountability; without accountability, no control; and if there is no control, where is the seat of power? ... great issues often come to light only because of scrupulous verification of detail.’

3 Normanton started his career in HM Treasury before transferring to the European Court of Auditors.

Now, contemporary automation of audit work can provide the means to somewhat more easily reperform very large volumes of transaction processing. This future development was predicted more than thirty years ago (Chambers, 1981d, p.396).

Hearing the other party

Discussion of audit assurance would be incomplete without mention that it is usually appropriate for an auditor to hear the responsible party:

‘Audi alteram partem’ (‘Hear the other party’)

The legal parallel is that it is natural justice to give parties a right to be heard. Habeas corpus was an early application of this audi alteram partem principle. In auditing today a prominent example is the so-called ‘contradictory process’ which precedes the publication in The Official Journal of the European Communities of the DAS (La Déclaration d’assurance - Statement of Assurance) of the European Court of Auditors’ audit of the European Commission (Edsberg, 1994). This ‘contradictory process’ provides the European Commission with the opportunity to contest the tentative results of the audit before these results are communicated in final form to other parties. Internal auditors are excellent exemplars of ‘audi alteram partem’: draft internal audit reports are discussed with auditees whose responses are incorporated within final audit reports. In final internal audit engagement reports ‘audit recommendations’ are preferably expressed as ‘agreed action’⁴ usually with agreed target dates for implementation. A further example is the external auditor’s management letter which draws attention to possible opportunities to improve performance noted by the external auditor during the course of the audit. After prior discussion with management, this is then issued in draft to management before being finalised and communicated to the board’s audit committee (Chambers, 2006, pp.45-46; 2009b, ch.18). Whether for external or internal auditors, audi alteram partem serves the secondary, pragmatic purpose of allowing the auditor to test the validity of audit results before finalisation: those to whom audit results are communicated are often better informed than the auditor.

4 That is, agreed between management and internal audit.

The ‘three party’ relationship

Assurance engagements involve three separate parties: a practitioner, a responsible party and intended users (IAASB, 2005, para. 21). Where there is very significant overlap between the responsible party and the intended users, there may be less point in the assurance engagement. Thus, for instance, where management and the shareholders are largely the same, as may be so in a family or other private company, the shareholders are not in the same need of assurance about the account rendered to them by management. This is one reason why there is now audit exemption for small companies.⁵ Currently, the generally accepted definition of internal auditing specifies that internal auditing activities comprise assurance and consulting activities:

5 Unless the shareholders insist and in certain other cases, s382-383 of the 2006 UK Companies Act gives effect to EC Directive exempting small companies from the requirement for external audit if two out of the following three criteria apply:

Turnover: less than £6.5m (net) or £7.8m (gross);
Balance sheet total: less than £3.26m (net) or £3.9m (gross);
Fewer than 50 employees

These thresholds have been adjusted upwards from time to time.

In 2011 the Commission proposed similar audit exemption for mid-tier companies which would have taken a further 32,000 UK companies out of the requirement for mandatory audit. This was opposed by most member states (though supported by the UK Department of Business) and so has not been implemented. The equivalent thresholds for mid-tier companies are currently:

Turnover: less than £25.9m (net) or £31.1m (gross);
Balance sheet total: less than £12.9m (net) or £15.5m (gross);
Fewer than 250 employees


‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.’ (The IIA, 1999)⁶

6 A full trace of the evolution of The Institute of Internal Auditors’ definition of internal auditing is as follows:

1947: ‘Internal auditing is the independent appraisal activity within an organization for the review of the accounting, financial and other operations as a basis for protective and constructive service to management. It is a type of control that functions by measuring and evaluating the effectiveness of other types of control. It deals primarily with accounting and financial matters, but it may also properly deal with matters of an operating nature.’

1957: ‘Internal auditing is an independent appraisal activity within an organization for the review of accounting, financial, and other operations.’

1971: ‘Internal auditing is an independent appraisal activity within an organization for the review of operations as a service for management. It is a managerial control which functions by measuring and evaluating the effectiveness of other controls.’

1978: ‘Internal auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization. The objective of internal auditing is to assist members of the organization in the effective discharge of their responsibilities. To this end, internal auditing furnishes them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed.’

1990: ‘Internal auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization. The objective of internal auditing is to assist members of the organization in the effective discharge of their responsibilities. To this end, internal auditing furnishes them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed. The audit objective includes promoting effective control at reasonable cost.’

1999: ‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.’

2013 (anticipated): ‘Internal auditing is an independent, objective assurance and advisory activity designed to help an organization accomplish objectives and improve governance, risk management and internal control.’

It has been controversial to include ‘consulting’ within the current definition and it was unfortunate that the first consulting Standards were released just as Enron collapsed and the audit pendulum was about to swing back to ‘assurance’. It is likely that a revised wording to the definition will be:

‘Internal auditing is an independent, objective assurance and advisory activity designed to help an organization accomplish objectives and improve governance, risk management and internal control.’

While the parties to an internal audit assurance engagement are (a) the auditor, (b) those audited, and (c) those to whom assurance is given, a consulting engagement has only two parties – (a) the auditor and (b) whoever consulted the auditor. However, if during a consulting engagement the auditor discovers a matter pertinent to the auditor’s assurance role, it should not be regarded as ‘privileged information’ not to be made use of in the context of the auditor’s assurance role. (Chambers, 2006, p.46; 2009b, ch.1, pps.36-7).⁷ A further distinction between the internal auditor’s consultancy and assurance roles is that consulting engagements are only undertaken when (a) the auditor and (b) management consulting the auditor, both consider it is a good use of audit time; whereas those to be audited should not be able to veto whether or not an assurance engagement takes place (Chambers, 2009b, ch.18, p.576).

7 IIA Standard (2011) 2440.C2 reads: ‘During consulting engagements, governance, risk management, and control issues may be identified. Whenever these issues are significant to the organization, they must be communicated to senior management and the board.’

Altered reporting lines for internal audit

It was consistent with the changing scope of internal auditing that the positioning of internal audit within the organization would change. In Collins’ time (1904) it was seen as appropriate for internal audit to belong to the accounting function, reporting to a middle or senior level accountant; though this should have raised questions about the degree of independence of the internal auditor from what he or she was auditing. Indeed, as recently as the 1970s 95% of heads of internal audit reported to someone within the finance function (Chambers, 1976, p.41). As internal audit gravitated to the audit of operations in general, it became more appropriate for internal audit to report to general management. When internal audit found itself auditing high level processes it became appropriate for internal audit to report to top management, and for the chief audit executive to be a senior person.

The hallmarks of a profession

The nature of a profession and internal audit’s claims and needs for professional status have been discussed in depth in several places (Chambers, 1981a, chs.1 and 21; 1982; 2011a, pp.12-13; 2011b, pp.9-13; Cowton (2008, 2009)). While the attributes of professions vary between professions, and it has been argued that some occupational groups are semi-professions or emerging professions, there is wide acceptance of certain characteristics that mark out professions from other occupational groups, which can be summarized as follows:

A profession makes use of a systematic body of theory, acquired by its members in part through in-depth study of quite abstract concepts.

A profession has authority sanctioned by the community.

A profession is represented by three distinct organizational groups which interact with cross memberships:

1. The organization which renders the actual service – often a professional practice;

2. The organization that provides group consciousness – the professional body;

3. The organization that develops knowledge and talent – for the professions this is invariably at university level.


Any profession’s body of theory evolves over time and tends to become more complex with the result that specialisms within the profession tend to emerge, sometimes leading to the profession splintering with certain specialisms developing the characteristics of being professions in their own right. Thus it can be argued that internal auditing failed to cherish I.T. auditing sufficiently, providing space for a distinct I.T. auditing profession to emerge. Today the evolution of the accounting profession is evidenced by the development of the concept of fair value accounting including ‘mark to market’ and ‘mark to model’, and the replacement of the ‘prudence’ concept by a ‘neutrality’ concept. There are now suggestions that the external auditing profession needs to splinter from the accounting profession in order to enhance auditor independence (Chambers, 2012c). The accountancy profession itself was incapable of holding onto internal auditing which has become distinctive from it. UK chartered professional bodies are expected to adopt the public interest as being a guiding principle. IIA(UK) has been a chartered body since 2011 and in 2012 amended their ethical principles to set out their public interest obligation.⁸ The trend towards professionalization of internal auditing has been explored, with the suggestion it is only legitimate if based on the ideal of improving service quality, while acknowledging there is not universal approval of internal auditing being, or becoming, a profession - especially as management often see no advantage in separating internal auditing from management in general (Chambers, 1979, p.2 and p.6).

8 In April 2012 The IIA (UK) incorporated The IIA Code of Ethics (which all parts of the worldwide IIA are required to adopt) into a new, expanded Code of Professional Conduct for Chartered Institute of Internal Auditors. It added two new principles, as follows:

‘Principle of Professionalism – acting in the public interest

‘Acting in the public interest involves having regard to the legitimate interests of those who rely upon the objectivity and integrity of the assurance about governance and the management of risk, including control, that the internal audit profession provides to support the orderly functioning and propriety of organizations. These include employers, employees, investors, the business and financial community, clients, regulators and government. This reliance imposes a public interest responsibility on the internal audit profession.

‘Professional internal auditors should take into consideration the public interest and reasonable and informed public perception in deciding the actions to take, bearing in mind that the level and nature of the public interest varies between organizations depending on their role, size, systemic importance or public prominence.

‘Therefore, a professional internal auditor’s responsibility is not exclusively to satisfy the needs of an individual employer or client. In acting in the public interest a professional internal auditor should observe and comply with the ethical requirements of this Code.

‘Courtesy and respect

‘Professional internal auditors should treat all people fairly without prejudice on any grounds.’


Professional oversight

An essential attribute of a profession is the oversight by the professional body of its members, the practitioners. When there is no mandatory requirement for many entities to have internal audit, or it is at entities’ discretion whether they staff the function with professionally qualified internal auditors, it is clearly difficult for The IIA to oversee internal audit quality (Chambers, 2006, p.44).

‘Quis custodiet ipsos custodes’⁹ (Who audits the auditor?)

The approach of The IIA is that their Standards, mandatory for members and for candidates for their professional qualifications, require periodic internal and external assessments of internal quality, using the Standards themselves as the benchmark, and The IIA has set out how these assessments should be undertaken and by whom.

9 Juvenal (c.AD55-127) (6th Satire): ‘“Pone seram, prohibe.” Sed quis custodiet ipsos Custodes? Cauta est et ab illis incipit uxor’ - ‘“Put on a lock! Keep her in confinement!” But who is to guard the guards themselves? Your wife is as cunning as you, and begins with them.’ ‘Quis custodiet ipsos Custodes?’ has also been loosely used to ask ‘Who judges the judges?’ etc.

Auditing I.T. governance

Key areas where internal audit’s systematic body of theory has evolved are to do with the nature and scope of internal audit work, the consideration of risk in audit planning, and the approach to audit work. The IIA Standards now require the internal audit activity to

‘evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.’¹⁰

A suggestion that audit of governance processes should embrace a consideration of ethics and values was indirectly implied in the following:

‘A further future trend is likely to be an internal audit review of corporate attitudes, advising whether they are consistent with overall objectives and indeed understood and operated throughout the organization. Attitudes (to innovation, work, risk, resource stewardship, staff development and so on) are principal determinants of corporate success or failure – yet they are often left to chance and indeed very rarely the subject of independent review. There is evidence to indicate that most internal auditors consider these matters should come within the scope of internal audit.’ (Chambers, 1979; see also 1978b).

10 Standard 2100 (2013).


Assurance to external stakeholders

The question arises as to whether internal audit, and indeed I.T. auditing, will morph into providing more assurance to external stakeholders. Both audits must be concerned with governance processes: the question is whether they have a role in the external aspects of corporate governance (see Figure 1). Already there are obligations for internal audit to report certain matters to regulators such as the UK Financial Services Authority or the UK Higher Education Funding Council (2009b, p.601). As far back as the 1970s a report on internal audit, with an overall opinion, appeared annually in the annual report of Anglian Water, addressed to the owners and to other external stakeholders who chose to read it (Chambers, 1998; 2005a, pp.489-495; 2009b, p.600). As early as the 1970s internal auditors in Sweden had a role in providing assurance to worker representatives on the reliability of information to which workers had a statutory right (Chambers, 1979). Today, internal audit reports of UK public bodies, especially local authorities, appear on their websites. Of course, routine internal audit work may impact on the financial statements which are published. So internal audit involvement with the external aspects of corporate governance is already not inconsiderable.

Figure 1: The relationship between governance, risk management and internal control, and the component part of governance

I.T., fraud and the auditor

‘Nemo repente fuit turpissimus’ (‘No one ever reached the climax of vice at one step’)¹¹

IIA Standards do not require internal auditors

‘to have the expertise of a person whose primary responsibility is detecting and investigating fraud’¹²

nor that all internal auditors should ‘have the expertise of an internal auditor whose primary responsibility is information technology auditing’.¹³

Despite a promising start in the 1970s, the profession now has insufficient focus on both fraud and I.T., so ceding pole position in both to other emerging professions.¹⁴

11 Juvenal, (c.AD55-127), 2nd Satire, quoted in Chambers, A.D. (2006), p.42.

12 IIA Standard 1210.A2.

13 IIA Standard 1210.A3.

14 Respectively, the Association of Certified Fraud Examiners (ACFE), and the Information Systems Audit and Control Association (ISACA).


In a paper that presented the results of research into the incidence and nature of I.T. fraud¹⁵, it was suggested that

‘the auditor who is not able to use an inquiry package is the equivalent of a blind auditor having someone read to him the manual accounting records’ (Chambers, 1978a).

The test data method and audit inquiry packages had been trailed earlier as I.T. audit methodologies, together with the use of resident audit programs within real-time systems (Chambers, 1975a, p.101; 1975b, pp.11-12 and 154; 1981d, pp.393-5) – a harbinger of today’s intensive focus on ‘continuous auditing’ (Marks, N., 2011).

‘There seems little doubt that integrated, or embedded, audit techniques will be the future way ahead. With these methods, programmed audit routines are embedded into application software, preferably with a measure of protection from scrutiny or modification by others. The audit routines may be designed to monitor transactions while they are being processed making a note of any which are of interest to the auditor.’ (Chambers, 1981b, p.293).

Hacking was also then trailed as a likely issue to emerge as important:

‘Mathematical wizards may crack competitors’ user codes in less than twenty-four hours, so frequent amendment of the user code may be an inadequate precaution.’ (Chambers, 1975b, p.8).

15 The unclear Table 1 (p196) in Chambers (1978c), which is a summary of the data on computer abuse, is identical to Table 16 (pp.178-9) in Chambers, A.D. (1981c).

Arguments for and against pre-event auditing, supported by empirical data, were reported (Chambers, 1978b, p.96; 1981b; 1981d, pp.390-3). A widely accepted definition of audit trail was formulated at an early stage (Chambers, 1975b, p.11).¹⁶

16 ‘Audit trail implies the preparation and retention within the organization: (a) for an adequate period, (b) in a reasonably accessible form, and (c) in enough detail to satisfy the auditors, of records which allow each detailed accounting element of any transaction to be tracked from its source4 through each intermediate stage to its final disposition (or dispositions) whether in detailed or summary form or both; and vice versa (that is, the facility to use records to trace back in detail from the final outcome (or outcomes) through the intermediate stages back to the initial source (or sources) of the transaction).’ (Chambers, 1975b, p.11)

Filling the board’s assurance vacuum

The global financial crisis that erupted in 2007 showed vividly that boards were insufficiently cognisant of the risks their companies were running. A key question that needs to be addressed is how can boards obtain the assurance they need that their policies are being implemented as intended by management; and that there are no ‘banana skins’ round the corner, known or not to management, over which the entity may slip in the future. Lenz and Sarens (2012) extensively cited Chambers (2008a) on this issue.

‘Boards are exposed to a partial assurance vacuum which urgently needs to be filled. If internal audit can make a further quantum leap, as internal audit has done in other respects in the past, then internal audit may fulfil this need.’ (Chambers, 2008a, p.47).

Marks (2010) wrote:

‘Chambers makes the cogent argument that internal audit should report not only functionally, but also administratively to the board’s lead independent director, and the internal audit budget should be part of the board’s budget.’ (Chambers, 2008a; 2008b; 2008c; 2009a; 2009b, ch.19).

Fuzzy auditing

We would expect a continued development of what the author coined as ‘fuzzy auditing’. For instance, narrative reporting is becoming more important than it has been and we can expect progressive moves to ensure that narrative reports are audited, notwithstanding that they are more subjective and less standardised than financial statements. We would also expect ‘fuzzy auditing’ to be applied more frequently to providing assurance on matters where no statement at all, whether quantitative or narrative, is made by the audited party. One characteristic of ‘fuzzy auditing’ is likely to be a greater use by those providing assurance of long form, discursive assurance reports rather than short, boilerplate audit opinions. Those providing assurance in the future are more likely to address opportunities for continual improvement within their assurance reports (Chambers, 2006, p.53). In a context where ‘fuzzy auditing’ is likely to be more commonplace, it may seem out of place to predict that future auditing will become deeper and less superficial. But we note disenchantment with the lack of in-depth rigor applied today by so many internal and external auditors. With internal auditors it manifests as excessive reliance on interviews and minimal use of detailed testing. With both external and internal auditors it manifests itself in certain aspects of their respective risk-based approaches (Chambers, 2006, p.53).

REFERENCES

Chambers, A.D. (1975a) Audit test packs and computer audit programs, The Computer Journal, 18(2), pp.98–101. [Oxford University Press, print ISSN 0010-4620, online ISSN 1460-2067].

Chambers, A.D. (1975b) in Chambers, A.D. and Hanson, O. (eds.) (1975) Keeping Computers Under Control, London: Gee & Co Publishers, SBN 85258 150 5, PB, 202 pps.

Chambers, A.D. (1976) Internal auditing as a university pursuit, in: Proceedings of the 1st Conference on Recent Developments in Internal Auditing, London, The Graduate Business Centre of City University, February, pp.93-128.

Chambers, A.D. (1978a) Computer fraud and abuse, The Computer Journal, 21(3), pp.194-198 [Oxford University Press, print ISSN 0010-4620, online ISSN 1460-2067].

Chambers, A.D. (1978b) The internal audit of research and development, R&D Management, February, 8(2), pp.95-99. [Wiley-Blackwell, ISSN 1467 9310].

Chambers, A.D. (1979) The future of internal auditing, Accountancy en Bedrijfskunde (Journal edited by Prof. R. Paeleliere and academic board), 4(2), pp.5-32. [c/o CED-SAMSON, Philippe de Champagnestraat 7, 1000 Brussel].

Chambers, A.D. (1981a, reprinted 1984) Internal Auditing, 1st ed. London: Pitman Publishing, HB, ISBN 0-273-01632-6, 368 pps.

Chambers, A.D. (1981b) Current strategies for computer auditing within an organization, The Computer Journal, 24(4), Oxford University Press, print ISSN 0010-4620, online ISSN 1460-2067, pp.290-294.

Chambers, A.D. (1981c) Computer Auditing, 1st ed. London: Pitman Publishing, ISBN 0 273 01633 4, 237 pps. [Also Australia: CCH and New Zealand: CCH (Library of Congress Catalog Card Number 81-65899). Japanese translation (1986), Japan: Doyukan, ISBN 4-496-01300-2].

Chambers, A.D. (1981d) The state of the art of computer auditing within organizations, Tijdschrift Voor Economie en Management, Autumn, No. 3 [Journal of the Faculteit de Economische en Toesepaste Economische Wetenschappen, Katholieke Universiteit, Leuven, Belgium].

Chambers, A.D. (1982) Research in internal auditing: issues and possibilities, in Bromwich, M., Hopwood, A.G. and Shaw, J. (eds.) Auditing Research: Issues and Opportunities, London: Pitman, ISBN 0 273 01852 3, pp.99-128.

Chambers, A.D. (2006) Assurance of performance, Measuring Business Excellence - The Journal of Business Performance Management, 10(3), pp.41-55. [Emerald, ISSN 1368-3047].

Chambers, A.D. (2008a) The board’s black hole – filling their assurance vacuum: can internal audit rise to the challenge?, Measuring Business Excellence - The Journal of Business Performance Management, 12(1), Emerald, ISSN 1368-3047, pp.47-63.

Chambers, A.D. (2008b) The board’s black hole: filling their assurance vacuum – can internal audit rise to the challenge? Internal Audit e-Bulletin, ACCA UK, December, issue 5. [Online]. Available at: http://newsweaver.co.uk/accaiabulletin/e_article001278734.cfm?x=b11,0,w. [Accessed 4 September 2011].

Chambers, A.D. (2008c) Bring on the super auditors, Internal Auditing, The Institute of Internal Auditors-UK, ISSN 1757-0999, 32(12), December, pp.18-21.

Chambers, A.D. (2009a) The black hole of assurance, The Internal Auditor, The Institute of Internal Auditors Inc., ISSN 0020-5745, April, 66(2), pp.28-29.

Chambers, A.D. (2009b) Tolley’s Internal Auditing Handbook. 2nd ed. London: LexisNexis Butterworths Tolley, ISBN 978140573674, 724 pps.

Chambers, A.D. (2011a) Audit Market Concentration: Implications and Solutions – a Personal Perspective (on the House of Lords’ Inquiry Report on Audit Market Concentration), Online for BAFA Auditing SiG On-line Newsletter [placed by SiG on their website at http://static.aston.ac.uk/asig/House%20of%20Lords%20Inquiry_Binder.pdf, accessed 6 May 2012].

Chambers, A.D. (2011b) Audit Market Concentration: Implications and Solutions - A Personal Perspective, International Journal of Governance, ISSN 2224-5359, 1(3), 12 May [www.ijgmagzine.com, available at http://www.ijgmagzine.com/index.php/ijg/issue/view/5/showToc: accessed 8 December 2011].

Chambers, A.D. (2012c) Is Audit Failing the Global Capital Markets?, International Journal of Disclosure and Governance, Palgrave Macmillan Publishers Ltd, ISSN: 1741-3591, EISSN: 1746-6539. [Advance online publication, 11 October 2012; doi:10.1057/jdg.2012.18; www.palgrave-journals.com/jdg/. To appear in hard copy of JDG in 2013. Paper first presented at the 10th International Conference on “Corporate Governance: “Corporate Governance and Universal Acceptance: Taking Stock of Progress and Indicators of Future Trends”, Centre for Corporate Governance Research, Birmingham University, chaired by Sir Adrian Cadbury, 25th June].

Collins, A. (1904) A Municipal Internal Audit, London, Gee & Co., HB, 142 pps. [later revised editions in 1913, 1922, 1931 and 1934].

Collins, A. (1908) The Organization and Audit of Local Authorities, London, Gee & Co.

Cowton, C.J. (2008) Governing the corporate citizen: reflections on the role of professionals, in Conill, J., Luetge, C. and Schönwälder-Küntze, T. (eds), Corporate Citizenship, Contractarianism and Ethical Theory: On Philosophical Foundations of Business Ethics, Aldershot: Ashgate, pp. 29-47.

Edsberg, J. (1994) The European Community’s budget: budget discipline and budget accounting, Financial Accountability and Management in Governments, Public Services and Charities, Blackwell, ISSN 0267-4424, 10(1), February.

Fayol, Henri (1916) (in French), Administration Industrielle et Générale; Prévoyance, Organization, Commandement, Coordination, Controle, Paris, H. Dunod et E. Pinat.

IAASB (The International Auditing and Assurance Standards Board) (2005) International Framework for Assurance Engagements.

Lenz, R. and Sarens, G. (2012) Reflections on the internal auditing profession: what might have gone wrong? Managerial Auditing Journal, 27(6).

Marks, N. (2011) Continuous auditing: putting theory into practice, Best-Practice Approaches to Internal Auditing, Bloomsbury, ISBN-10: 1-84930-023-0, pp.15-22. [see also (all accessed on 07May12): http://normanmarks.wordpress.com/2011/11/18/continuous-auditing-that-should-not-be-performed-by-internal-audit/; http://www.theiia.org/blogs/marks/index.cfm/post/Reflections%20on%20Continuous%20Auditing; http://www.scribd.com/doc/86892335/Continuous-Auditing-Putting-Theory-Into-Practice; http://www.bloomsburyprofessional.com/1399/Bloomsbury-Professional-Best-Practice-Approaches-to-Internal-Auditing-.html]

Marks, N. and Taylor, J.R. (2009) The current state of internal auditing: a personal perspective and assessment, EDPACS, (39)4, April.

Marks, N. (2009) A Look Into the Future: the Next Evolution of Internal Audit – Continuous Risk and Control Assurance, SAP.

Marks, N. (2010) Continuous auditing reexamined, ISACA Journal, Vol. 1.

McNamee, D. and Selim, G. (1998) Risk Management: Changing the Internal Auditor’s Paradigm, Florida, The Institute of Internal Auditors Research Foundation, ISBN 0-89413-421-3.

Mumford, E. and Ward, T.B. (1968) Computers: Planning for People, Batsford.

Normanton, E.L. (1966) The Accountability and Audit of Governments, Manchester University Press and Frederick A. Prager, New York. [quotation from foreword by Professor W.J.M. Mackenzie]

Taylor, F. (1911) Principles of Scientific Management, New York and London, Harper & Brothers.

Tricker, R.I. (1978) The Independent Director – A Study of the Non-executive Director and the Audit Committee, Tolley Publishing.