Determining appropriate controls in internal audit to minimise IT risk

Abstract

Purpose: As yet, there is insufficient research on the ever-growing impact that IT risks have on organisations. Therefore, this study sets out to discover ways in which internal audit may properly understand these risks, as well reduce them to as low a level as is feasible. The study also recommends improvements that may be made in this area. Design: In order to achieve these objectives, semi-structured interviews were carried out with internal auditors working at different organisations, namely internal auditors working at audit firms, banks, hotels, etc. Findings: The findings revealed that internal auditors attend many training events to keep themselves up-to-date. However, there is not enough expertise in Malta. Also, the attitude towards IT risk varies across organisations. Some organisations are out some form of continuous auditing. However, the majority still persist with periodic auditing. This study also found that the communication levels between the internal audit functions and information technology departments is on the low side. Conclusions: Information technology provides internal auditors with a plethora of benefits that can be used to increase the effectiveness and efficiency of their audits. In spite of this, internal auditors do not take full advantage of technology. The main reasons for this are the lack of expertise in the internal audit functions, and the lack of knowledge. Value: The results of this study confirm that there are several areas in need of improvement which can be introduced or developed in order to mitigate IT risks. To this effect, recommendations include providing more training to internal auditors and senior management about the constant developments of IT, as well implementing continuous auditing at a low level, at least. The adoption of such measures should result in a more robust system of internal controls.