THE IMPACT OF INFORMATION TECHNOLOGY ON THE INTERNAL AUDIT ROLE







BY
NGUYEN ANH DUONG
E0900145








Graduation Project Submitted to the Department of Business Studies,
HELP University College, in Partial Fulfillment of the Requirements for
the Degree of Bachelor of Business (Accounting) Hons



OCTOBER 2013

DECLARATION OF ORIGINALITY AND WORD COUNT

DECLARATION OF ORIGINALITY:
I hereby declare that this graduation project is based on my original work except for quotations
and citations which have been duly acknowledged. I also declare that it has not been previously or
concurrently submitted for any other courses/degrees at HELP University College or other
institutions.
WORD COUNT: 12,686 words.






_____________________
NGUYEN ANH DUONG
7 OCTOBER 2013




ACKNOWLEDGEMENT

First of all, I would like to express my sincere appreciation to my supervisor, Associate Professor PHAM
DUC HIEU who has guided me throughout this thesis. His constant guidance, insightful suggestions, and
constructive ideas are the essential inputs and encouragement for me in order to complete this thesis.
In addition, I would like to send my gratitude to Mrs. SUMATHI PARAMASIVAM, the International
School and HELP University College for giving me an opportunity to conduct my study in my favorite
area.
Furthermore, I also address my appreciation to Financial Professor CHU VAN HUNG who supported my
thesis with information related to my thesis. My thankfulness is also addressed to others who have helped
me since the beginning of my study until I can finish my thesis.
Lastly, I would also like to extend my heartfelt gratitude to my family and my friends for their continuous
support, encouragement and contribution, which have been crucial during the presentation of this report.
My thesis cannot be finished without your support.





ABSTRACT

THE IMPACT OF INFORMATION TECHNOLOGY ON THE INTERNAL
AUDIT ROLE

BY
NGUYEN ANH DUONG
OCTOBER 2013

Supervisor: Assoc. Prof. PHAM DUC HIEU
The world has been developing at such an incredible speed that never before have information technology systems, strategic investigation of information technology and the role of internal audit been so developed. However, it is a fact that the economy grows every day, so businesses, auditors and investors are always looking for the right direction, one beneficial to their investment, and for the keys to success in their business. One of the factors that make them successful is that they take advantage of services, and auditing is an indispensable activity in the operation of the market economy for improving the quality of information, which helps users decide appropriately. An economy that develops healthily, with a pipeline of capital from the stock market and banks, requires high-quality audit services. As the economy grows increasingly complex, economic information becomes extremely risky, false and unreliable. The parties interested in the financial information of enterprises include not only the State but also management, joint venture partners and employees. However, from many different angles, the common aspiration of all stakeholders is to use reliable, accurate and honest information. If all those who are interested had to inspect the financial information of enterprises themselves, the cost would be too great. So organizations need this information to be examined independently and objectively to meet the requirements of the multiple parties using it.
The study addresses the role of information technology and how it affects the internal audit process in the organization. Moreover, the study also stresses the global trend of adopting information technology systems (software/hardware) to produce a more controlled environment for delivering the auditing process. It also covers how information technology affects internal control (control environment, risk assessment, control activities, information and communication, and monitoring) and provides guidelines and best practices for evaluating the techniques available to perform auditing tasks effectively within the organization. It also addresses how information technology systems and electronic data processing have changed the way organizations conduct their business, promoting operational efficiency and aiding decision making.
It also spotlights many aspects of information technology risks and controls and highlights whether the right people are overseeing information technology risks to the degree they should. It demonstrates the impact of technology convergence on the internal control mechanism of an enterprise. It emphasizes that the auditor also has a responsibility to assure that the governance level of management, or the audit committee and board of directors, understands the risks accepted by management and the liabilities potentially transferred to board members.





TABLE OF CONTENTS

DECLARATION OF ORIGINALITY AND WORD COUNT
ACKNOWLEDGEMENT
ABSTRACT
TABLE OF CONTENTS
LIST OF TABLES AND FIGURES
LIST OF ABBREVIATIONS

CHAPTER I: INTRODUCTION
1.1 Background of the study
1.2 Problem statement
1.3 The objectives of study
1.4 Structure of the study

CHAPTER II: LITERATURE REVIEW
2.1 Definition of Auditing
2.1.1 The History and development of Auditing in the world
2.1.2 The history and development of Auditing in Vietnam
2.2 Definition of Internal Auditing
2.2.1 Concept of Internal Auditing
2.2.2 Role of Internal Audit in Vietnam
2.2.3 Objective of Internal Auditing
2.2.4 The Internal Auditor's duty
2.2.5 Relationship between Internal Control and Internal Audit
2.3 The Relationship between Internal auditor and External Auditor
2.4 Information Technology of Audit
2.4.1 The development of Information Technology of Auditing
2.4.2 The standard of Information Technology of Auditing
2.4.3 The Importance of Information Technology of Auditing
2.5 How Information Technology that affect the Internal Audit Process
2.5.1 Internal Audit in Computerized Information System Environment
2.5.2 The computerized impact on internal auditing
2.6 The Computer Assisted Audit Techniques (CAATS)
2.6.1 The oversight on IT risk
2.6.2 Information technology risks to an organization
2.7 Benefits of IT control framework
2.7.1 CICA's internal control guideline
2.7.2 COBIT-control objectives for information and related technology

CHAPTER III: METHODOLOGY
3.1 Research Problem
3.1.1 Aim of the research
3.2 The objective of research
3.3 Research Methodology
3.4 Data Sources
3.4.1 Primary data
3.4.2 Secondary data
3.5 Research Tools
3.5.1 Types of Survey
3.5.2 Questionnaires
3.6 Sampling
3.7 Limitation of the study

CHAPTER IV: ANALYSIS AND DISCUSSION
4.1 General analysis
4.1.1 Gender
4.2 Analysis responses related to software and hardware tools
4.2.1 Discussion of software and hardware tools to support the audit process
4.2.1.1 The application of CAATs
4.2.1.2 Audit electronic reporting
4.2.1.3 The use of electronic ecommerce and internet security
4.3 Analysis responses related to role of internal auditor with necessary skills
4.3.1 Discussion role of internal auditor with necessary skills
4.4 Analysis responses related audit tasks and diminish organization risks
4.4.1 Discussion audit tasks and reduce organizational risk
4.4.2 Evaluate internal controls
4.5 Analysis responses related to guidelines available for internal audit
4.5.1 Discussion guides are available for internal audit

CHAPTER V: CONCLUSION AND RECOMMENDATION
5.1 In conclusions
5.2 Recommendation
5.3 Limitations
5.4 Further Research

REFERENCES
APPENDICES






















LIST OF TABLES AND FIGURES

Table 1: table of advantages and disadvantages of secondary data
Table 2: table of characteristics of primary data and secondary data
Table 3: table of percentage of respondents rate
Table 4: table of percentage of gender
Figure 1: answers of the respondents regarding the role of the internal auditor with the necessary skills and competencies through the application of IT
Figure 2: percentage of responses regarding the role of internal audit with skills required and capabilities passed information technology application
Figure 3: answers of the respondents regarding the role of the internal auditor with the necessary skills and competencies through the application of IT
Figure 4: percentage of responses related to the role of internal audit with the necessary skills and competencies through the application of IT
Figure 5: answers of the respondents related audit tasks and reduce organizational risk through the application of IT to internal audit
Figure 6: response rate audit related tasks and reduce organizational risk through the application of IT to internal audit
Figure 7: answers related to available guidelines for internal audit best practices through the application of IT
Figure 8: percentage of responses related to available guidelines for internal audit best practices through the application of IT
















LIST OF ABBREVIATIONS

IT: Information Technology
CIS: Computerized Information Systems
IFAC: International Federation of Accountants
CAATs: Computer Assisted Audit Techniques
IA: Internal Auditing
COSO: Committee of Sponsoring Organizations of the Treadway Commission
COCO: Criteria of Control


CHAPTER I: INTRODUCTION
1.1. Background of the study
The aim of this thesis is to describe the specific impact of Information Technology on auditing. It is helpful first to give the general background of some terms so that the scope of this thesis is easy to follow.
Firstly, information technology (IT) is well known as an outstanding and useful means to store, retrieve, transmit and manipulate data. In brief, IT covers all the ways in which data are processed. It helps to analyse detailed and complicated reports, especially financial reports. It also creates a collective information system to control all e-documents. In particular, IT enables fast and accurate transactions, which bring definite competitive advantages, including cost savings, effectiveness and error control, to each business that applies it. There is no doubt that IT has gradually become a key factor for society in general and for auditing in particular.
The second definition is auditing: a means of evaluating the effectiveness of a company's internal controls. Promoting the system of internal controls is clearly essential to reach the company's targets, to maintain suitable financial analysis of its operations, to avert fraud and misappropriation and, finally, to decrease its costs.
For these reasons, applying IT to auditing is the sole way to carry out all its functional priorities, as IT is capable of sifting through operational data, making decisions about what is going to happen at a specific time, and then road-mapping the business influence. Because IT collects, processes and stores data, it is widely reviewed and reported on in detail in financial statements. More and more enterprises are taking advantage of IT in their business. On a daily basis, completely integrated information systems and electronic document management based on IT can also be seen. The speed and exactness of transaction processing are maintained and reinforced by IT mechanisms in order to save costs, manage operational efficiency and lessen human error.
For leaders and auditors, it is very important to know which system can fully cover the internal control of auditing, and IT is the proper answer to that question. IT has been applied in almost every industry in Vietnam, and internal control in auditing also needs to apply IT, since internal control is regarded as the method for evaluating how effectively an organization or enterprise runs. It includes collecting information for each management unit, acknowledging mistakes and faults, and classifying the system of operation to prevent or discover fraud. It might be said that all auditors need much support from IT. Through its functions, IT can improve the transparency of each organization. By applying advanced databases, IT also helps in making the right decision in difficult circumstances. The reduction of fraud is another helpful aspect that IT can cover. Moreover, IT is made use of to find the cause of each problem, and it can reinforce the effectiveness of each auditing transaction as well.
1.2. Problem statement
Recognizing the importance of IT, the thesis named "The impact of Information Technology (IT) on auditing, especially on internal control" was carried out. The application of IT affects the ways transactions are handled, such as initiating, recording, processing and reporting. The automatic procedures applied help the information database within each organization sharply replace paper documents with electronic ones. There are many types of electronic documents, including the orders, invoices, shipping documents and bookkeeping records involved. Applying information technology is the proper way to control all document systems automatically, without the manual controls of the past. However, manual controls should be used in parallel with IT controls to supervise the effectiveness of the automatic IT controls. This is a good way to keep the whole system from depending too much on IT. Manual control is performed to deal with limited exceptions. Therefore, the nature, extent and timing of audit sensitivity to design and perform further audit procedures for risk assessment.
Under the audit procedures, the auditor on duty carefully checks the consequences of risk, the consequences of material misstatement, and the features of the types of transactions, account balances or disclosures associated with them. Auditors are also supposed to evaluate the environment of the specific IT-based controls applied by their organization. Should they be on the go to check precisely their expectations of the evidence collected in each audit, the organization's controls will become less effective at preventing, detecting and correcting material misstatement.
According to ISA 401, on auditing in a computer information systems environment, the evaluation process for both internal auditors and external auditors has changed. The motivating factors for this complicated change are business globalization; advanced technology; the need for value-added audit; the organizational structure of the customers' computer information systems activities; the consequences of the division of tasks and of access to data, source documents and computer processing in a concentrated or distributed organization; and so on. Some computer files and additional evidence required by the auditors may be available only in the short term. For that reason, auditors are supposed to have sufficient knowledge of information systems in order to operate effectively in planning, directing, monitoring and reviewing performance. In addition, the auditor should consider the specialized CIS skills widely applied in the audit of a transaction.
Rishel and Ivancevich indicated that internal auditors have the primary responsibility to resolve control issues, risks and other factors that are important during the implementation process related to IT. Moreover, auditors should pay attention to the value-added sector, where observations are often available to reduce the number of IT failures. To ensure that system documentation and training are good, auditors are involved in assessing and improving the quality of the process. This can make IT applications more successful. In addition, internal auditors can provide valuable input to ensure that the system is available in an appropriate configuration under the control of their organization during the certification, testing and implementation phases.
Over the past thirty years, according to Meredith and Akers (2003), the internal audit department has been expected to take part in the development and management of information technology. With the provision of consulting services on the application of IT and the expansion of systems, the level of internal auditing developed into the testing and assessment of the resulting internal controls. However, the involvement of internal auditors as advisers on such systems within a project is considered a factor that impairs their independence.
In addition, ISA 401 recognizes that a CIS environment does not generally change the goal and scope of an audit. However, computer applications have indeed changed the way all financial information is stored and communicated. This has greatly affected both the internal control system and the accounting system currently applied by the organization.
An understanding of both the significance and complexity of CIS operations and the ability to access data for use in the audit is recognized as necessary for internal auditors; however, CIS are quite complicated, with hidden and potential risks increasing.
The International Federation of Accountants (IFAC) suggested in 2002 that IT can bring potential benefits to an organization's internal control in terms of helpfulness and efficiency, because it creates the conditions for an organization to acquire timely, credible and precise information, to reduce risk, and much more.
Everything has two sides, advantages and disadvantages, and IT is no exception. It creates risks for an organization's internal control, such as a lack of precision in data processing, the extracted user participation, and the potential loss of data.
John Silltow, the managing director of Security Controlling and Audits Ltd, also stated that internal auditors pay more attention to the past than to IT systems. IT has an important role in the functioning of contemporary organizations. This is capable of covering all incorporation in the extent of each auditing type required to check some IT maintains.
Another point of view, from engineering Associate Professor Pathak, J., emphasizes that the combination of these applications and communication systems to expand a business system will be an important trend in the future. It will definitely have an enormous impact on the whole set of knowledge, skills, approaches, algorithms and strategies of the internal auditor. According to this view, those in the audit profession are required to develop the skills and fundamental knowledge to cope with recent changes and intangible challenges.
1.3. The objectives of study
Audit is an indispensable activity in the operation of market economies for improving the quality of communication; it helps users make the right decision. Moreover, an economy that develops healthily, with a pipeline of capital from the stock market and banks, requires high-quality audit services. As the social economy grows increasingly complex, economic information becomes more risky, false and unreliable.
The parties interested in the financial information of enterprises include not just the State but also management, joint venture counterparts and workers. From many different perspectives, however, the common aspiration of every stakeholder is to use credible, accurate and faithful information. If all interested people had to check the financial information of the business themselves, the expenditure would be too great. Therefore, organizations need independent, objective testing to meet the information requirements of the multiple audiences using the information that has been audited.
It is clear that many fields of daily life are being affected by IT, and so is internal auditing. Therefore, this thesis discusses the influence of IT on auditing in more depth. The primary objective of this study is to analyse the good impacts of IT on auditing. Even though the advantages of applying IT outweigh the disadvantages, this study also covers the latter. By the end of this analysis, the reader will better understand the impact of IT on auditing.
The second objective is to prepare auditors to adapt when applying IT, so that they perform auditing tasks well and minimize the organizational risks caused by the disadvantages of IT. It helps to identify the skills auditors require for their daily work and for applying IT at work. The final objective is to point out the crucial role of auditors who are skilful at auditing with IT.
1.4. Structure of the study
This study is divided into five chapters as follows:
Chapter I: Introduction
Chapter II: Literature Review
Chapter III: Research Methodology
Chapter IV: Result Analysis
Chapter V: Conclusion and Recommendation













CHAPTER II: LITERATURE REVIEW
2.1. Definition of Auditing

Audit is the verification of, and expression of an opinion on, the financial situation through a system of technical auditing methods applied to documents and external documents by auditors who have the appropriate level of knowledge, based on the standards of the legal system in effect.
2.1.1. The History and development of Auditing in the world

Auditing is an indispensable activity in the operation of market economies for improving the quality of information and helping users make suitable decisions. An efficiently developing economy, with capital supplied from the stock market and banks, requires high-quality auditing services. As society develops and the economy becomes more and more complex, economic information is more likely to contain risks and errors and to be less reliable. The parties concerned with the financial information of enterprises include not only the Government but also managers, partners and employees.
Although they look at the problems from different perspectives, all the parties concerned share the aspiration of using highly reliable, accurate and honest information. If all of them had to organize their own checks of an enterprise's financial information, the expenditure would be too high. As a result, independent, objective organizations, namely auditing organizations, are necessary to meet the requirements of the variety of information users.
According to historical researchers, auditing appeared in the third century before Christ, in conjunction with the civilizations of the ancient Egyptians and Romans. At first, auditing took a simple form named Classical Audit. Its characteristic was that the person keeping the accounting records read the statistics and accounting materials aloud to an independent person, who listened and then authenticated them. Consequently, "audit" in English is derived from the Latin "audire", which means listening. Together with the growth of society and accounting came the continuous development of tools for controlling the accounts.
Wherever there are human activities, there will be testing and controlling activities, and wherever there is accounting, there will be accounting testing. Accounting auditing developed from a low to a high level: as society developed and wealth came into surplus, accounting activity expanded and grew more complex, so the testing and controlling of accounting and finance received more and more attention.
In ancient times, accounting was conducted mainly by specific symbols on ropes, stems, leaves and the like. This way was appropriate to the early stage of ancient times because society did not have surplus wealth and the demand for control was low and simple.
At the end of ancient times, production developed, property came increasingly into surplus, and the owners and controllers of assets became separate. The demand for checking assets, revenues and expenditures increased and became more complicated. The simple way of accounting did not meet the requirements of managers. As a consequence, independent auditing first arose in France, Rome and England.
In Rome, in the third century before Christ, the authorities (property owners) recruited employees with expertise and independence to audit the managers' reports on the asset situation and to give an opinion accepting these reports or requesting their modification. The auditing process was conducted by having the managers read those reports aloud to the independent auditors, who listened and gave their acceptance.
In France, King Charlemagne, who also followed the precedent of Rome, recruited senior officials responsible for monitoring the work of managers, in particular the financial transactions of local government officials, and for presenting the results to the King.
In the UK, according to documents of Parliament, King Edward I gave the barons the right to recruit auditors; the King also checked the accounts of the will of the late Queen Eleanor.
From the Middle Ages onwards, accounting gradually developed and improved; for instance, a transaction required two entries, one from each side, so comparison arose as a form of accounting test.
In particular, from the XVI century onwards, the appearance of double-entry accounting, by an Italian mathematician named Luca Pacioli, made the self-testing approach of accounting more complete, which met the demands of management and of property safety at the time.
From the XVII to the XX century, accounting methods and information technology developed to a sophisticated level and better met the requirements of managers.
By the 1930s, there were bankruptcies of financial institutions, economic crisis and financial recession; the functions of accounting testing showed their disadvantages, which required external accounting testing and auditing to be developed again.
After 1934, the Securities and Exchange Commission was established and the policy on external auditors came into effect. Simultaneously, the American Institute of Certified Public Accountants (AICPA) printed the standard form of the audit report on company accounts.
In 1941, the Institute of Internal Auditors was established, put into operation, and began
educating internal auditors. In addition, the institute constructed and issued the internal
auditing standards of the USA in 1978.
In France, independent checking by external experts was recognized and passed in the law on
commercial companies of 24/07/1966. Along with that, internal auditing in France was also
officially established in the 1960s, in subsidiaries of foreign groups.
From the history of its development, it seems that auditing appeared because of the need for
independent testing of accounting figures and of the financial situation of enterprises. In the
course of its development, auditing has not been limited to the accounting and finance area but
has expanded into the control area, evaluating the whole management system of enterprises; nor
has it been limited to business enterprises, but has expanded into public service units, with the
problem of re-evaluating the management efficiency of those units.
2.1.2 The history and development of Auditing in Vietnam

In Vietnam, auditing in general, and accounting testing specifically, has been a concern since the
early stage of building the country. Before 1975, in South Vietnam, there were auditing activities
by independent auditing enterprises under the Republic of Vietnam, when Ngo Dinh Diem was
president.
After Vietnam changed its management system (1986) from central planning to a socialist-oriented
market, on 13/05/1991 the Ministry of Finance issued two decisions establishing the first two
auditing companies: the Vietnam Auditing Company (VACO), with 13 employees, and the Accounting
Services Company of Vietnam (ASC), whose name was later changed to Accounting and Auditing
Financial Consultancy Company Limited (AASC) (Decision No 639-TC/QD/TCCB of 14/09/1993). The
number of auditing companies has increased considerably and the types of company have become more
varied: by 10/2006 there were 81 auditing companies in Vietnam, including 75 companies that had
registered their activities with the Ministry of Finance, including three state-owned companies
(VACO, AASC, AISC), 4 FDI enterprises (P&C, KPMG, E&Y, Grant Thornton), 1 joint venture, 5
partnerships and 123 public companies and limited companies.
Together with the growth of independent auditing, the State Audit Office of Vietnam was founded
under Decree 70/CP of 11/07/1994 of the government, which on 13/08/2003 was replaced by Decree
93/2003/NĐ-CP. On 14/06/2005, the Law on the State Audit Office of Vietnam was issued by the
Congress, and it came into effect on 01/01/2006. At present, the State Audit Office of Vietnam has
9 sector audit units: Sector 1 (Hanoi); Sector 2 (Vinh); Sector 3 (Danang); Sector 4 (Hochiminh
City); Sector 5 (Can Tho); Sector 6 (Halong); Sector 7 (Yen Bai); Sector 8 (KhanhHoa) and Sector 9
(TienGiang). Simultaneously, internal audit offices were established in large corporations such as
Vietnam Airlines Corporation, Vietnam Post and Telecommunication Group, Petro Vietnam and
Electronic Vietnam.
2.2 Definition of Internal Auditing

2.2.1 Concept of Internal Auditing

Internal Auditing (IA) is well known as an independent, practical and consulting activity that
aims both to add value and to improve the running of the organization. The organization can come
closer to its targets because IA provides a well-ordered approach to evaluating and improving the
effectiveness of risk management, control, and governance processes. It can be considered an
advanced driver for improving organization management and risk control, offering both a
comprehensive view and clear guidance through its analyses and assessments of data and business
processes.
Within an organization, IA covers all of the organization's issues broadly and in depth. Good
examples of its coverage in organization management and risk control are the effective operation
of asset protection, the credibility of financial and management statements, and compliance with
laws and other provisions. In addition, it takes an active part in fraud audits by identifying
fraudulent acts that are likely to occur, by joining fraud investigations under the direction of
fraud investigation professionals, and by running post-fraud investigations, which help to analyse
control breakdowns and establish the reasons that led to financial loss. It is clear that the aim
of IA is to help the employees of the audited organization perform their responsibilities more
efficiently.
In the early period, IA focused mainly on financial and accounting issues. Nowadays its function
has been growing to cover proactive risk management and organizational governance. Not only does
it concentrate on actual transactions to determine the effectiveness of control systems, but it
also recognizes the potential risks that could harm the organization. In addition, IA helps to
assess the control mechanisms that prevent or minimize problems as they arise.
As stated above about the monitoring function of IA, IA is a key member of the organization's
control system, which includes all the supervision and security measures inside the company that
protect assets and ensure that tasks are accurate and in accordance with the accounting system.
These missions originate from the purpose of supporting the object of the audit and of determining
compliance with the accepted criteria and with all the conditions required by policies,
regulations, and laws.
In summary, internal auditing is a helpful tool for controlling and assessing how the organization
is run. It plays an important role in ensuring that the company runs more smoothly, efficiently
and economically. Furthermore, it promotes the acceptance of all management regulations. It also
ensures that the internal control system works well to prevent errors and to identify any fraud
and unexpected mistakes. By providing assurance on risk management and on the control of
governance within an organization, IA is truly a must-have tool that every organization must
apply.
2.2.2 Role of Internal Audit in Vietnam

While independent auditing appeared in Vietnam 19 years ago, the concept of internal audit had
still not gained popularity with administrators in 1997. However, the requirements of the WTO, the
growth of the securities market and recent management scandals at a large number of state-owned
enterprises have shown the necessity of internal auditing in business. Meanwhile, internal audit
developed further after the financial frauds at WorldCom and Enron (U.S.) in the years 2000-2001,
especially when the U.S. Sarbanes-Oxley Act was born in 2002. This law requires companies listed
on the U.S. stock market to make statements on the effectiveness of the company's internal control
system. While the activities of the independent auditor are limited to the examination of
financial statements (their degree of honesty and fairness), the operation of internal audit is
not limited in scope in any firm: it ranges from purchasing, production and sales to management,
finance, human resources and information technology.
Internal audit serves the management of the enterprise rather than external partners. Moreover,
internal audit not only assesses weaknesses in management systems but also assesses risks both
inside and outside the company. Internal audit can bring many benefits to businesses, serving as a
tool for detecting and improving the weaknesses of business management systems. In addition, the
board of directors and the management board can control and manage operational risk better when
the size and complexity of the business are beyond their direct control. Internal audit acts as
the ears and eyes of the board of directors, which increases shareholders' confidence in the
quality of management and internal controls and in the value of the business.
An auditor will increase the confidence of shareholders and stock-market investors in the
management system. Statistics show that companies worldwide that have an internal audit department
usually report on time, have more transparent and accurate financial reporting, have a lower
likelihood of business fraud and, ultimately, achieve higher business efficiency than companies
without an internal audit department. However, in practice firms do not always see all of these
benefits or take measures to realize them.
Moreover, the role given to internal audit is to provide assurance services on the internal
systems of organizations and enterprises. In a competitive market economy, companies are geared
towards multiple targets at once, encompassing management, economics, business ethics, and social
and environmental matters; internal audit should therefore have the skills and experience to
provide assurance to the enterprise that its business is operating effectively to achieve its
objectives.
This is related to the processes outlined. Internal auditors evaluate and guide the risk
management culture of a business; they consider and report on the effectiveness of the
implementation of management policies and, based on the results of the audit, make recommendations
for improvement to the department.
Internal audits in Vietnam are usually limited to recommendations derived from the results of
specific inspections and controls. A separate advisory function of internal audit (including
training) has yet to be used in a formal way, so internal audit cannot provide consulting services
within the enterprise. The independence between the advisory role and the audit role has not been
examined or questioned within the internal audit function.
2.2.3 Objective of Internal Auditing

With this overview of IA in place, the objectives that IA covers need to be stated clearly. The
first function of IA is to ensure that practices are carried out accurately. Secondly, it provides
an advanced tool for controlling all potential risks. The last function of IA is to make the best
use of all resources so that the business is run effectively. With these 3 main functions, IA has
been contributing more and more to the growth of each company in particular and of society as a
whole.
2.2.4 The Internal Auditor's duty
In terms of the internal auditing process, an internal audit is considered a multi-step procedure
for determining whether current procedures comply with the regulations in force. Each auditor
needs to be well equipped with knowledge of the criteria used for comparison. Auditors also need
to bring all the related evidence together so that it fits the present condition.
The major roles and responsibilities of each auditor can be divided into two functions: one for
governance and the second for risk control. In the governance role, auditors are expected to
perform the tasks below:
Offer recommendations to improve the operation of the organization effectively
Evaluate regulatory compliance with consultation from Legal Counsel
Provide the best connection between the Management Board and the Audit Committee
Improve their tasks so that they develop in parallel with others within the organization
Develop their specific skills by joining the organization's operational training
Join hands in anti-fraud programs
In the risk control aspect, auditors have many important duties, the main ones being as follows:
Provide useful measures to control risk as well as to develop the governance system.
Release evaluations of risk exposures and information security.
Update the risk management report monthly, quarterly and yearly.
Report identified internal control deficiencies directly to the Audit Committee.
Furthermore, auditors are expected to state their conclusion about the effectiveness of the
proposed control system. They also focus on the extent to which the current condition meets the
required criteria. The results of their work and their suggestions are then reported to all
relevant parties, so that current controls are developed further where they are good and improved
where they do not meet the criteria.
It is clear that the important responsibility of auditors is to evaluate, organize and run all the
procedures that determine whether operations within each organization meet the organization's
targets. From the information they provide, we can get a general view with which to evaluate the
effectiveness and quality of the control system and of the tasks allocated within each
organization. The responsibilities of each auditor span all systems, functions, operations,
processes, and activities within an organization.
With these responsibilities, it might be said that an auditor is key to both creating and raising
a good impression of the organization. For example, when the organization has a bad reputation,
the auditor, of course, may not escape refusal and distrust from others. Therefore, raising their
skills so as to maintain good relations among all departments is truly important for each auditor.
In the past, the internal auditor's role was to ensure compliance. Now, the role has been upgraded
to the level of the highest board, to protect the organization and gain better control over the
system.
2.2.5 Relationship between Internal Control and Internal Audit

People generally consider that the role of internal auditing is to deliver a comprehensive
evaluation report on the effectiveness of the internal control system. For some, however, it is
rather hard to link the term internal control with the responsibilities of internal auditing. They
defend this view with illustrations such as the lack of a matching definition, or of a detailed
range of the internal control that internal auditing covers in each organization. The majority, by
contrast, consider that internal control properly covers everything, rather than only protecting
assets, ensuring the reliability of financial records and preventing fraud.
Internal control is typically defined as working closely with detailed checks and balances. But
that is not enough: it also covers other elements, including the structure of the organization,
financial and operating reports, planning reports and the training process. In auditing, internal
control is a process effected by an entity's board of trustees, administration, and other staff.
It is also regarded as the major tool for providing assurance regarding the following objectives:
Compliance with laws and regulations
Proficiency and performance
Consistency and accuracy of financial statements
Protection of assets
Above all, the main role of internal control is to protect assets, that is, to keep the
organization away from financial loss. With this function, it contributes much to consistency in
financial reporting and to adherence to current laws and regulations.
The components listed below give a more detailed overview of what internal control includes.
Risk assessment: All risks must be recognized, examined, and controlled for the organization to
achieve its objectives.
Monitoring: All processes, including implementation and corrective procedures, are kept under
monitoring.
Control environment: It covers the integrity, ethical values, and competence of the entity's
people. It also provides the foundation for all other components of internal control.
Control activities: These are conducted to ensure that management's direction is followed, and
comprise policies, procedures, approvals, verifications, reconciliations, reviews of
implementation, security processes, and segregation of duties.
Information and communication: This component ensures that relevant information is identified,
captured, and communicated by the information systems in a form and timeframe that enables people
to perform their tasks and maintain accountability for the assets of the entity.
In pointing out the relationship between internal control and internal audit, it would be a
shortcoming not to mention the part played by internal audit: the adequacy of the internal control
system is evaluated by the internal auditors.
Therefore, bringing internal audit and internal control together, the organization applies
internal control systems to reduce the risk of material misstatements in financial statements, and
maintains the monitoring of the internal control system through the internal audit function of
the internal auditors.
2.3 The Relationship between Internal Auditor and External Auditor

Both internal and external auditing are used to check all activities within an organization and
then produce a detailed report on them. To show the relationship between them better, their
similarities and differences should be mentioned.
Note that external auditing is carried out by auditors who do not work within the organization. It
focuses on whether the organization's business activity matches the reports the organization
itself has produced. It also considers whether the bookkeeping methods are consistent with
generally accepted accounting practices.
With these functions of external auditing in mind, the similarities between internal and external
auditing become clearer. Firstly, both track how the organization conducts its activities.
Secondly, both evaluate the possibility of fraud and make comparisons with current regulations and
laws. As they share the same duties, it might be said that auditors working in either field
require the same training and qualifications. They also need to equip themselves with up-to-date
knowledge of accounting, finance and current business operations. The name of each shows their
difference: one covers internal business activities, while the other covers external ones.
With this basic overview of internal and external auditing, the relationship between them becomes
easier to grasp. External and internal auditing perform their typical tasks so as to avoid
redundancy and then cooperate to make comparisons. One of them acts as a backup, making a
preventive plan so as not to be overwhelmed in the use of various resources, while capturing all
records for examination is the duty of the other, so as to keep away from redundancy.
2.4 Information Technology of Audit
Information technology now contributes much to many social and economic fields, and auditing is of
course among them. This influence is known as the information technology audit, which examines
management controls within the information technology system. It came into existence in the
mid-1960s and has undergone many changes to keep up with developments, offering an effective and
comprehensive tool to control assets, to maintain data integrity without loss and to come closer
to the targets set by each organization. Its reports are combined with a financial statement
audit, internal audit, or other form of attestation engagement to be more persuasive.
However, the target of an IT audit is sharply different from that of a financial audit. A
financial audit is conducted to assess whether the organization is consistent with standard
accounting practice, while an IT audit is run to evaluate the design and effectiveness of the
system's internal controls, including efficiency and security protocols, development processes,
and IT governance or oversight.
2.4.1. The development of Information Technology of Auditing

IT auditing was developed to give internal auditors a way to analyse the information stored in
computer systems. Auditors no longer analyse data in the traditional way; IT audit offers an
innovative way that helps them ignore what happened to information as it was processed and stored.
Therefore, each auditor needs to acquire more IT auditing skills and technical knowledge.
2.4.2. The standard of Information Technology of Auditing

Based on Standard 1210.A3, internal auditors must have sufficient knowledge of the risks of
information technology, its controls, and the technology-based audit techniques available to
perform their work. On the other hand, not all internal auditors are required to have the
expertise of an internal auditor who is responsible for information technology auditing. With this
in mind, knowledge of information technology auditing is something each auditor needs to acquire
fully in order to take advantage of its benefits.
2.4.3. The Importance of Information Technology of Auditing

The importance of IT auditing is best covered through the benefits it brings. The first benefit is
to ensure good protection through the IT systems available. Secondly, it supplies the right
information to meet each user's demand; for instance, the managing board needs certain figures
while the marketing board needs others, and simply by placing a request they can get what they
really want. The third benefit is proper management so that the desired benefits are gained. The
final benefit of IT auditing is to reduce the risks from incubation data, service interruptions,
data loss or leakage, and weak management of IT systems. With these typical benefits, IT auditing
now plays an important role in keeping financial and management systems well controlled.
2.5. How Information Technology affects the Internal Audit Process

2.5.1. Internal Audit in Computerized Information System Environment

The following factors are affected by IT auditing:
High speed: Information can be produced quickly in a CIS environment. The computer system is
capable of delivering information for complex reports in different formats. The time saved allows
auditors to expand their analysis and assessment. Moreover, internal auditors have more
opportunities to advance the content of their procedures; therefore, more evidence is obtained to
support their opinions.
Low clerical errors: Computer systems provide information without clerical errors.
Duty concentration: In a CIS environment, individuals can carry out several types of work. This
means that segregation of duties between individuals appears for complex tasks, and security can
be increased. Thus, internal auditors need to spend their time focusing on the individual tasks.
Beyond these main factors, internal auditors should plan their audit activities around the aspects
below:
Systems and applications: The major objective of the plan is to verify and evaluate that systems
and applications are appropriate, effective and controlled so as to guarantee valid, relevant,
timely and protected input, processing and output at all levels of the system's operations.
Management of Institutional Architecture and IT: The management of IT concentrates on the
organizational structure and procedures that secure a well-managed and well-organized environment
for information processing.
Information processing facilities: Processing is operated so that applications run in a timely,
accurate and well-organized manner under normal as well as disruptive conditions.
System development: All systems need to be developed in line with the organization's mission and
vision, so development must be carried out in accordance with system development standards.
Client/Server, Intranets, Extranets and Telecommunications: All network connections and server
mechanisms are appropriately placed to provide a high level of security.
The internal control system in a CIS environment is a little different from that of a manual
system because of different auditors. For this reason, internal auditors have to understand the
internal control system of the CIS environment in order to make audit plans and improve audit
procedures, so as to perform the functions of internal audit effectively and efficiently.
2.5.2. The computerized impact on internal auditing

The auditing approach in a CIS environment provides the internal auditor not only with the
necessary skills and qualifications but also with competence. Each internal auditor is well
equipped with specific computer-based skills. The impacts of computerization on internal audit are
easy to identify and can be listed as follows:
It helps to plan the internal audit tests and then apply the results in practice.
It allows up-to-date and appropriate computerised internal audit activities to be designed.
It is used to recognize the risks of the systems, applications, hardware and controls of the CIS.
Its main duty is to assess and give detailed insight into the computer-based financial and
internal controls.
It is also used to review the security measures of the CIS.
Besides, the following elements affect the extent, nature and timing of the audit procedures
performed by the internal auditor:
The potential need to communicate requirements for expert work
Planning must take the level of computerization into account
Auditors are expected to find a variety of controls in the manual system
The evidence in the auditor's hands may vary in form and may be available only for a limited time
period
2.6 The Computer Assisted Audit Techniques (CAATs)

The Computer Assisted Audit Techniques (CAATs) are tools that apply computer software to automate
the auditing process. They support efficient and productive work. Auditors can also use them to
select the data they want, as CAATs make it possible to search the data provided for
abnormalities.
In 1993, David Coderre gave an overview of how CAATs can automate audit functions within an
organization. He also pointed out the benefits of CAATs for audit planning and reporting,
including increased audit coverage, better integration of audit skills, greater reliability, an
audit function more independent of the information system, and improved cost effectiveness through
better computerized techniques.
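The kind of automated search for abnormalities described above, as an added Python example (not
code from this thesis or from any audit product). It runs three common CAAT tests over a
constructed payment extract: duplicate payments, creator-equals-approver (a segregation of duties
breach), and gaps in voucher numbering. The column names and the sample rows are assumptions made
for illustration.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample: a hypothetical payment export, not real records.
SAMPLE_CSV = """voucher_no,vendor,invoice_no,amount,created_by,approved_by
1001,ACME,INV-17,1200.00,lan,minh
1002,ACME,INV-18,450.00,lan,minh
1003,BETA,INV-90,9900.00,hoa,Hoa
1005,acme ,inv-17,1200.0,lan,minh
1006,GAMA,INV-02,300.00,hoa,minh
"""


def load_payments(text):
    """Parse the extract and normalise fields so that cosmetic differences
    (case, stray spaces, trailing zeros) cannot hide a match."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "voucher_no": int(rec["voucher_no"]),
            "vendor": rec["vendor"].strip().upper(),
            "invoice_no": rec["invoice_no"].strip().upper(),
            "amount": Decimal(rec["amount"]),  # exact, no float rounding
            "created_by": rec["created_by"].strip().lower(),
            "approved_by": rec["approved_by"].strip().lower(),
        })
    return rows


def find_duplicate_payments(rows):
    """Vouchers that pay the same vendor, invoice and amount more than once."""
    groups = defaultdict(list)
    for r in rows:
        key = (r["vendor"], r["invoice_no"], r["amount"])
        groups[key].append(r["voucher_no"])
    return sorted(tuple(sorted(v)) for v in groups.values() if len(v) > 1)


def find_sod_violations(rows):
    """Vouchers created and approved by the same user."""
    return sorted(r["voucher_no"] for r in rows
                  if r["created_by"] == r["approved_by"])


def find_sequence_gaps(rows):
    """Voucher numbers missing from the range present in the extract."""
    seen = {r["voucher_no"] for r in rows}
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def run_caat(text):
    """Run all three tests over 100% of the records, not a sample."""
    rows = load_payments(text)
    return {
        "records_tested": len(rows),
        "duplicate_payments": find_duplicate_payments(rows),
        "sod_violations": find_sod_violations(rows),
        "missing_vouchers": find_sequence_gaps(rows),
    }


if __name__ == "__main__":
    for test_name, result in run_caat(SAMPLE_CSV).items():
        print(f"{test_name}: {result}")
```

Each finding is an exception for the auditor to follow up, not proof of fraud: a missing voucher
number may simply be a cancelled document.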
2.6.1 The oversight on IT risk

According to Linda M. Hadenas, the audit committee acknowledges the participation of audit in the
oversight of IT risks to diminish the possibility of control failures related to IT. Jon Siltow
likewise claims that the interaction between internal audit and IT risk activities takes place in
the routine work of auditors. He also recommends that internal auditors make sure their
organization plans scenarios to confirm the sources of data and their reliability, given how
rapidly the IT environment changes. Moreover, dealing with potential technology risk is difficult,
as the organization is required to predict problems in complex environments.
The auditor's responsibility is to pay close attention to the risks associated with the sector, to
support checks of the organization's critical systems and to make sure business activities operate
efficiently. A fully aware internal auditor can prevent attackers, ensure that decisions are
implemented on the basis of accurate and appropriate information, and keep all IT risks at a
minimum level.
2.6.2 Information technology risks to an organization

This part covers some potential information technology risks that might occur within an
organization. There are 3 main types of risk: inherent risk, specific risk and technological risk.
Inherent risk is the risk that exists naturally in a business or in specific situations.
Specific risk is the risk derived from the place or method of operation of a particular function.
Technological risk is the risk arising from the use of technology to meet enterprise objectives.
To identify the risks above, we can rely on the criteria below:
Shortcomings and unintentional errors in the processing stage;
Unauthorized disclosure, modification, or cancellation of information, whether intentional or
unintentional;
Disruptions in processing as a result of natural and man-made disasters;
Failure to show concern for, and be active in, the implementation and operation of IT systems.


2.7 Benefits of IT control framework

IT control frameworks are of two types: the internal control guidelines of the CICA (Canadian
Institute) and COBIT (Control Objectives for Information and Related Technologies). Any
organization can use an IT control framework. It gives better alignment, based on centralized
enterprise security technology. It also makes IT's view of management easy to understand. An IT
control framework establishes clear responsibilities and ownership. Understanding is shared among
stakeholders through a common language. Moreover, it is widely accepted by authorities and third
parties. Furthermore, it provides an implementation of the COSO/COCO requirements for the IT
environment.
COSO (Committee of Sponsoring Organizations of the Treadway Commission) is a joint initiative of
five private sector organizations in the United States. It was established to provide thought
leadership through the development of frameworks and guidance on key aspects of internal control,
business ethics and organizational management, risk management, financial reporting and fraud
deterrence. It has formed a common model of internal control that is not favourable for
organizations to evaluate the system.
COCO (Criteria of Control) was established in COSO. It is published by the Canadian Institute. It
refers to internal control as the actions that promote the best outcomes for an organization, with
elements such as resources, processes, systems, structure, and culture. These perform tasks that
help achieve the organization's objectives. This model concentrates on specific factors of
internal control, including ability, purposes, participation and supervision.
2.7.1 CICA's internal control guideline

CICA was established in 1998 by the Canadian Institute of Chartered Accountants. CICA's internal
control guideline is regarded as a useful reference source of best practice for IT control. It
comprises seven sections discussing related risks and controls. The first section covers
responsibility for control and risk management. The second section relates to IT planning. The
development, acquisition and maintenance of IS are covered in the third section. Computer
operations and information system support are set out in the fourth section. The fifth section
covers IT security. The sixth section deals with planning for both business continuity and the
recovery of information technology. Finally, application-based controls are covered in the last
section, the seventh.
2.7.2 COBIT-control objectives for information and related technology

Many years of experience have been integrated into useful management methods, and the world now
has several common management practices such as ITIL, COBIT, ISO17799 / ISO27001, CMMi, COSO and
PMBOK. COBIT is one of these methods; though still quite unfamiliar in Vietnam, it has many
advantages for Vietnam, especially its wide applicability, which suits many organizations and
businesses. The COBIT methodology is currently the leading method of choice of most organizations
and enterprises worldwide. However, managers must be equipped with a method for evaluating and
managing the information systems of their business. A good method for evaluating management and
information systems, and for determining the current position and goals of the business, is
necessary to better ensure success.
CHAPTER III: METHODOLOGY
3.1 Research Problem

In the literature review, the researcher collected, reviewed and discussed research and theory
related to the topic of the impact of information technology on the role of internal auditing.
From the literature review in Chapter II, we can see that awareness and understanding of the role
of internal audit and its importance vary from country to country. That is why studies done in
Vietnam will be the main source of reference for the researcher. This chapter provides a
description of the methods that the researcher uses to collect data and achieve the goal of the
research.
3.1.1 Aim of the research
The aim of the study summarizes what will be achieved upon its completion: to help readers
appreciate the applications of information technology in internal audit. It also analyzes the
role of internal auditors in an information technology system. Normally, research goals are
divided into overall goals and specific objectives. The overall objective states in general terms
what is to be achieved. The specific objectives, however, are smaller parts that relate
reasonably to each other and to the overall objective. In conducting research, it is necessary to
develop research goals so that the research topic stays focused and avoids collecting information
that is not needed to solve the problem. In addition, setting specific objectives helps in
designing the study by organizing the research goals into defined sections or stages.

3.2 The objective of research
Prior to collecting information and appropriate data, researchers are responsible for clearly
defining the objectives of the research so that readers can understand the purpose of the study.
The objective of this research is to analyze the effect of IT on the role of internal auditing,
consistent with internal auditors performing auditing tasks and minimizing organizational risk,
and to suggest a specific role for internal audit and the skills and capabilities necessary for
IT-related audit.
3.3 Research Methodology

To carry out the research, primary data is the most significant foundation for the researchers
because of the limited secondary data available in Viet Nam. Distributing surveys to the targeted
people is the way the researchers collect the required raw data. The concepts of internal
auditing, information technology and the role of internal auditing are important in Viet Nam but
are rather new to most Vietnamese. Therefore, only a few studies have been performed on these
topics. Research can be conducted at several scales, from a local or small scale to a large or
even national scale. However, in this research, the researchers surveyed only 60 auditors in the
office of a securities firm in Hanoi, Viet Nam. This is because of limitations in time and cost.
However, the primary data is not sufficient for the researcher to analyze and offer a logical
conclusion. Within the time limit, the researcher also used many secondary data from journals,
research and studies written by many researchers all over the world and in Viet Nam. These
established, existing data have added a lot to the researcher's knowledge. They provide the
researcher with a fundamental understanding of the impact of IT on the role of internal audit,
its importance for investors and other associated concepts. In addition, thanks to advances in
information technology, the researcher can obtain electronic journals, online newspapers and
electronic books for reference and for current internal audit-related issues. They also help the
researcher to generate ideas and construct the structure of the research.
3.4 Data Sources
Data sourcing is one of the significant stages and is extremely important for social and economic
research. However, data collection often takes much time, effort and expense. Therefore, I need
to understand the available data collection methods in order to choose the appropriate method to
support the research objective of this study. The data sources include primary and secondary
data. The difference between them is that secondary data is readily available to the public
through publications, newspapers and magazines, while primary data is collected directly by the
researchers through experiments, surveys, questionnaires, focus group discussions, interviews and
measurements.
3.4.1 Primary data
Primary data is data that researchers collect directly at the source and process for their
research. Primary data is the most important type of data: it is unprocessed data, gathered for
the first time and collected straight from the whole of the research units through statistical
investigations. Primary data meets the researchers' requirements, though gathering it is
generally more intricate and more costly. There are various methods of collecting primary data.
When gathering data for an investigation, the researcher usually uses a variety of methods
together to achieve the desired effect. The commonly used techniques for primary data fall into
two main methods, qualitative and quantitative, as follows:
Qualitative primary data:
Focus group interviews and consumer panels (in depth)
Gather a group of people, especially from the target market of the auditing company, guide them
in testing a product and ask their opinion about the impact of information technology on the
internal audit role. This method is used primarily to determine whether the important impact
will be acceptable in the target market.
Quantitative primary data:
Surveys (personal interview, mail intercept, in home, telephone, mail survey, and online via the
internet or email), observation (personal or mechanical) and questionnaires:
Both methods are popular means of data collection and can reach a large number of people;
however, they need to be designed and re-edited several times to make them acceptable to
respondents. I printed out copies to give to people; the questionnaire is one of the best
options for assembling the information needed on the impact of information technology on the
role of internal auditing. Using questionnaires as a research tool is inexpensive compared with
other tools. Specifically, the researchers used questionnaires in this study. Questionnaires help
researchers collect a lot of information and data relevant to the study. Quantitative primary
data collection includes:
Observation: observation is a method of recording events and human behaviour. It is commonly
used together with another method to cross-check the accuracy of the data obtained. Observation
is one of the simplest methods of studying the data and costs no more than other methods. It
simply involves being aware of people's behaviour towards products and services. Collecting the
data can be difficult and can take a long time, but by the end of the research period I have
the necessary information.
Interview: there are three different ways to conduct interviews:
Face-to-face interviews, which take diverse forms in quantitative research: the interviews can
be conducted as question-and-answer sessions with several people, by asking people on the
street, going from door to door to collect information, or making an appointment with a
specialist.
Web-based interviews: when I use the internet to gather information, I do not have to go into
the field. This second method is less costly and more convenient to use.
Telephone interviews: this method is quite similar to the face-to-face interview; however, the
interviews are shorter than organized interviews. I can also send a letter beforehand to inform
people that they will be interviewed, so that they expect my call.



3.4.2 Secondary data
Secondary data is data derived from primary data that has been analyzed, explained and
discussed. The source data has already been collected and processed for certain goals. Market
researchers use it for their research, often drawing on documents and on the methods used to
collect the data. Secondary data includes text documents such as expense reports, sales reports,
and articles in magazines, daily newspapers and on the internet. Other documents include recorded
documents, video recordings and television programs. Additionally, survey-based secondary data
is data collected using a survey strategy, usually through questions, that has already been
analyzed for its original purpose. There are three types of survey strategy through which such
secondary data is collected: statistical surveys, continuous surveys and special surveys (an
example of a special survey in Vietnam is the investigation of the activities of audit firms
operating in the country on December 1, 2009). The advantages and disadvantages of secondary
data are shown in the table below:
| Advantages | Disadvantages |
|---|---|
| Save time, money, effort than the collecting primary data | Secondary data is something that rating fit within the framework of the elements of market research |
| It helps to make the data collection more specifically since the help of secondary data, we can make out the flaws and shortcoming | The accuracy of secondary data is not known |
| It helps improve the understanding of this issue | The synthesis and definitions may not match |
| The Uniformity of data | Data may be outdated |

Table 1 - table of advantages and disadvantages of secondary data
In addition, secondary data are data that have been collected for other purposes; on the other
hand, these data can be located quickly and inexpensively. Secondary data is data released by a
party other than the one that originally collected and published it. Secondary data provide a
general overview of the concepts involved. In this dissertation, secondary data is collected
from research studies written by many authors in different countries. Secondary data consists of
two types: internal data sources (data that is ready to use or requires further processing) and
external data sources (published material, computerized databases and syndicated data services).
Internal data sources include data gathered within companies, for example financial reports and
other reports. External data sources come from outside the company. They can be records, books,
biographies, newspapers, journals or magazine databases, and websites.
Through my research and survey, I experimented with both methods in order to choose the more
effective one, and I found that both have advantages and disadvantages on which opinions differ
widely. The following table summarizes my thoughts on primary and secondary data. Secondary data
will help me save money and time. However, I still want to experience collecting primary data,
because it helps me feel more self-confident in communicating with the auditors and managers and
in evaluating the questionnaire. The characteristics of both methods make clear the differences
that determine which method is more effective. In my opinion, the characteristics of both
methods can be summarized in the following table:
| Characteristics | Primary Data | Secondary Data |
|---|---|---|
| The consistencies of research objective | High | Low |
| The existences | High | Low |
| The reliability | High | Low |
| The revise (update information) | High | Low |
| The economical (collection cost) | Low | High |
| To collecting information | Slow | Fast |

Table 2 - table of characteristics of primary data and secondary data
3.5 Research Tools
In the research for this thesis, I used data from the results of my online questionnaire survey.
The survey covered 60 email addresses of auditors and managers, which I found on the website of
AASC Auditing Firm Company Limited (abbreviation: AASC Auditing Firm), operating since 1991 and
renamed from Accounting and Auditing Financial Consultancy Company Limited, a member in Vietnam
of HLB International, a world-wide network of independent accounting firms and business
advisers. AASC Auditing Firm is one of the two first and largest Vietnamese legal organizations
operating in the fields of auditing, accounting, tax and financial consultancy, and business
evaluation. AASC's head office is now at 01 Le Phung Hieu, Hoan Kiem district, Hanoi, with a
branch in Ho Chi Minh City and a representative office in Quang Ninh. I had 3 weeks to send the
questionnaires on the impact of information technology on the internal audit role to all
auditors and other managers at AASC.
3.5.1 Types of Survey

Surveys can be divided into two types: questionnaires and interviews. Questionnaires are usually
paper-and-pencil instruments that the respondent completes. Interviews are completed by the
interviewer based on what the respondent says, and it is sometimes hard to tell the difference
between a questionnaire and an interview. For example, some people think that questionnaires
always ask short closed-ended questions while interviews always ask people to expand. However,
there are questionnaires with open-ended questions, although they tend to be shorter than in
interviews, and there will often be a series of closed-ended questions asked in an interview.
There are many research methods, and the survey is one of them; others include documentary
research (survey of the literature), laboratory experiments, action research, case studies,
field experiments, field work (participant observation and ethnography), simulation and in-depth
interviews. A survey is a way to collect and analyze data by having respondents answer prepared
questions or statements. A survey differs from other data collection methods in that, to ensure
the results are accurate (valid), it requires strict adherence to the process of survey design
and of constructing and distributing the questionnaire. In addition, the terms questionnaire and
survey are often used to refer to the same thing; however, there is an important difference
between the two concepts: the survey is a process and the questionnaire is the survey tool.
There are two types of survey:
Self-administered questionnaire surveys: an identical questionnaire is presented to all
participants in the survey. The purpose is to quantify and compare the answers.
In-depth interviews: this is a qualitative research method in which researchers ask open-ended
questions and record the respondents' answers.
In-depth interviews differ from survey interviews in that they are less structured. In a survey
interview, the questions are rigidly structured: all questions must be asked in the same order
and in the same way, and only predetermined answer choices can be given, unlike in an in-depth
qualitative interview. The researchers sent the questionnaire online to all the internal
auditing units. Using online questionnaires helps the researchers save time and money. Moreover,
through the internet, the researchers also set up several programmed conditions in order to
prevent the return of incompletely answered questionnaires.
3.5.2 Questionnaires
The questionnaire is a tool used in quantitative research to gather information about a certain
issue from many different subjects. To get a good result, the questionnaire must be complete and
truly scientific, and the respondents must understand and answer the questions correctly, in
accordance with the aims of the survey. To do that, we first have to know how to design a good
questionnaire that satisfies the above requirements. Moreover, questionnaire design requires a
careful thought process; the questionnaire should have a scientific structure and be brief,
concise and simple. A long questionnaire will make readers feel tired and unwilling to answer
from the start.
Every research questionnaire begins with an introductory paragraph stating the purpose of the
investigation and the general guidelines. The questions should be arranged in order from easy to
difficult. Three types of questions are often used: questions that allow respondents to give
other options; closed or open questions; and questions that require people to write their own
opinions. This is the general concept that summarizes my view after reading the references: the
questionnaire is used as an interview tool, to ask questions and gather the necessary
information.
The questionnaire consists of questions prepared through a rigorous process. It is used in both
structured and unstructured studies. The questionnaire is the survey tool most commonly used to
collect information from many people, and it can be combined with many different techniques. The
number of questions depends on the amount of research content. This is because the questionnaire
is based on psychological principles, and these principles are the foundation of human
behaviour. There are two objectives in the design of a questionnaire:
To optimize the balance of the theme answers
To discover the correct information for our investigation.
When most people think about questionnaires, they think of the mail survey. All of us, at one
time or another, have received a questionnaire in the mail. There are many advantages to mail
surveys. They are relatively inexpensive to administer. You can send the exact same instrument
to a large number of people. They allow respondents to fill them in at their own convenience.
But there are some disadvantages as well. The response rates from mail surveys are often very
low, and email questions are not the best means of requesting a detailed written reply.
The data collection approach applies both primary and secondary data. The questionnaire is an
efficient means of collecting responses from a large sample. The questions must be asked as
fully as possible in order to obtain accurate information from the respondents, which is
indispensable to the validity of the data collected. The questionnaire is used to ensure that
the information collected supports the goal of completing this research. The researcher designed
the questionnaire to be convenient for respondents. Using the questionnaire is the best way to
get relevant information in support of this research. The questionnaire in this research has
four parts:
Part I: questions on software and hardware tools that support the audit process through the
application of IT to internal audit
Part II: questions on the role of internal audit and the skills and competences needed for IT
applications
Part III: questions on audit tasks and minimizing organizational risk through the application
of IT to internal audit
Part IV: questions about the rules available for internal audit best practices through the
application of IT
Also, the questionnaire in the study is built around the "Likert scale". People were asked to
mark their agreement with each of twenty questions. The Likert scale is a scale used in
psychological questionnaires. It is one of the most widely used approaches to constructing
scales in research. Respondents could choose from a five-point scale ranging from "strongly
disagree" to "strongly agree". The Likert scale format is:
Strongly disagree
Disagree
Neutral
Agree
Strongly agree


3.6 Sampling
The research focuses on collecting and assessing the understanding of individual investors in
Vietnam on the topic. The research is carried out at an audit firm and bank headquartered in
Hanoi, Vietnam. The auditors of the AASC auditing company are chosen as the subjects of the
research. Many directors who represent this company need the help of the auditors in the
company. The randomly selected sample of investors is n = 60. Since the investors there are
mainly middle-aged, the researchers were able to produce results only for a limited number of
people, and the sample should not be considered representative of the entire population of Viet
Nam.
Owing to geographical convenience, the distribution and collection of questionnaires was
conducted over about three weeks, from August 19, 2013 to September 03, 2013, which is a long
period of time. This is longer than anticipated because of the long holiday during that period.
Because the aim of the research is to examine auditors' understanding of the importance of
information technology to the internal audit role in Viet Nam, the researcher does not use
professional software such as SPSS. The results are calculated as arithmetic means and standard
deviations for each question with Microsoft Excel.
3.7 Limitation of the study
A limitation of this research is that it relies on conventional approaches rather than a more
proactive and intensive research methodology that could show practical implications for auditors
generally. Although it is important to note that there is no common pattern of technological
tools that applies to all institutions, it is also important to point out the growing dependence
on technology to accomplish or assist virtually all audit operations. The researcher stresses
that such limits are common in the standard literature, and a key research question is how to
relate the risk of emerging technology to the shaping of business drivers and of auditing
methods and techniques. In addition, the language used in the study is one of the barriers for
the researcher, because not all respondents have a good knowledge of English.

CHAPTER IV: ANALYSIS AND DISCUSSION
4.1 General analysis

This chapter explains the data and information collected during the research. In this study, the
researcher uses primary data gathered through questionnaires. The questionnaires were sent by
email to 60 individual Vietnamese auditors at AASC in Hanoi, Vietnam. However, answers were
received for only 58 questionnaires. It means that 2 questionnaires were sent to wrong email
addresses. The response rate is shown in the table below:
| Sample | Successfully sent | Number of Respond | % Respondents Rate |
|---|---|---|---|
| 100 | 60 | 58 | 96.66666667 |

Table 3 - table of percentage of respondents rate
4.1.1 Gender

| Gender | Frequency | Percent |
|---|---|---|
| Male | 30 | 51.72% |
| Female | 28 | 48.28% |
| Total | 58 | 100.00% |

Table 4 - table of percentage of gender
Based on the table above, more men than women answered the survey. Men accounted for 51.72% of
the whole sample and women for 48.28%. Although this is a good idea for the study, it does not
make the purpose of this research clear.

4.2 Analysis of responses related to software and hardware tools that assist the audit process
through the application of IT to internal audit, and discussion
Appendix A contains the questions about assisting the audit process through the application of
IT, such as the hardware and software tools of internal audit. Figure 1 below shows the results
for these questions:
| Questions | Strongly disagree | Disagree | Neutral | Agree | Strongly agree | Total Respondents |
|---|---|---|---|---|---|---|
| Question 1 | 5 | 2 | 27 | 14 | 10 | 58 |
| Question 2 | 1 | 3 | 9 | 23 | 22 | 58 |
| Question 3 | 1 | 2 | 8 | 20 | 27 | 58 |
| Question 4 | 3 | 7 | 15 | 17 | 16 | 58 |
| Question 5 | 0 | 1 | 5 | 30 | 22 | 58 |
| Question 6 | 0 | 1 | 3 | 33 | 21 | 58 |

Figure 1: answers of the respondents regarding the role of the internal auditor with the necessary skills and competencies through the application of IT

According to Figure 1, the percentage of these responses is shown in Figure 2 below:
| Questions | Total Respondents | Strongly disagree | Disagree | Neutral | Agree | Strongly agree | Total |
|---|---|---|---|---|---|---|---|
| Question 1 | 58 | 9% | 3% | 47% | 24% | 17% | 100% |
| Question 2 | 58 | 2% | 5% | 15% | 40% | 38% | 100% |
| Question 3 | 58 | 2% | 3% | 14% | 34% | 47% | 100% |
| Question 4 | 58 | 5% | 12% | 26% | 29% | 28% | 100% |
| Question 5 | 58 | 0% | 2% | 8% | 52% | 38% | 100% |
| Question 6 | 58 | 0% | 2% | 5% | 57% | 36% | 100% |

Figure 2: percentage of responses regarding the role of internal audit with skills required and capabilities passed information technology application

As Figure 2 above shows, 58 auditors and managers sent answers to my e-mail. The percentages of
people answering each question are expressed across 5 levels. Each question has a different
distribution of answers.
In the first question, people who chose Neutral accounted for 47% out of 100%. The auditors and
managers think that technology features, in terms of usefulness and ease of use, affect internal
audit to a moderate degree. Besides, Agree and Strongly Agree were higher at 24% and 17%, while
Disagree and Strongly Disagree were 3% and 9%.
The second question asked whether auditors and managers assume that CAATs can be used by
internal auditors in financial performance to achieve efficiency, effectiveness and quality of
the audit. It is more difficult to answer because it requires auditors and managers to think
carefully. In Figure 2, Agree and Strongly Agree are higher at 40% and 38%. Neutral accounted
for 15%. Disagree and Strongly Disagree made up only 5% and 2%. It means that CAATs have been
used very much for auditors' benefit. Moreover, their implementation brought effectiveness and
won auditors' appreciation.
The third question concerned the benefits that CAATs can bring to the organization. The question
was: do you think CAATs can assist internal auditors in providing consulting and support
services that benefit the organization? Agree and Strongly Agree were very high at 34% and 47%.
Neutral was at 14%. Disagree and Strongly Disagree together made up only 5%.
The fourth question related to auditors' use of electronic mail and file transfer software as
tools to transmit information, share data and keep in touch with businesses. Disagree and
Strongly Disagree accounted for small shares of 12% and 5%. It means they do not believe in the
effectiveness of these tools. This can be due to power outages, cut cables, lost wireless
connections or errors in the electronic mailbox. On the other hand, Agree and Strongly Agree
together accounted for 57%. Neutral was 26%. It means that the auditors and managers of AASC
find e-mail software helpful and effective.
The fifth question asked the auditors and managers to assess the ability to automate paperwork
and allow auditors to manage, organize, link and locate documents, spreadsheets and graphs
easily. The results show that Agree and Strongly Agree together accounted for 90%, while
Disagree and Strongly Disagree were 2% and 0%. Neutral was only 8%.
The last question shows the percentage of people who believe in the effectiveness of controlling
internal audit through the Internet, LAN, WAN, intranet and wireless network connections.
Neutral is 5%. Disagree and Strongly Disagree total 2%. On the other hand, Agree and Strongly
Agree accounted for 57% and 36%. It means that more and more people believe in the effectiveness
of internal audit control.
4.2.1 Discussion of software and hardware tools to support the audit process through the
application of IT to internal audit
The results show that experts increasingly need software to support internal audit. Audit tools
are becoming more influential and complex. They are also becoming simpler to understand and
apply. On the other hand, audit tools have to operate in a complex and constantly changing
environment. The features of audit software can conflict with other software on the computer
and on the network. Therefore, auditing tools must be carefully managed. Auditors can use
software with features and services that draw directly on a lot of system resources such as
memory, processor cycles, communication bandwidth and storage.
4.2.1.1 The application of CAATs
Elliott (1994) said that the way organizations function internally and interact with external
organizations has been significantly altered by the application of IT. According to Anderson
(ROIA, 2003, p. 115), IT changes require increased information security, secure computer
systems, quality assurance activities and control of data privacy. Moreover, fierce market
competition leads to demands for increased productivity, cost effectiveness and other
requirements. Under these expectations and pressures, internal auditors are required to detect a
wide range of risks for the organization. To meet these requirements, internal auditors can use
CAATs to make audit activities more effective and efficient.
4.2.1.2 Audit electronic reporting
Automated auditing tools link the work performed in the auditor's assessments with the
information collected and the information used in the audit report. Through the use of audit
tools, audit reports can present the information produced by individual auditors. This helps the
auditor monitor the status of the whole audit project. These reports allow supervisors to focus
on problems in the audit process and on the resources the department needs to keep to schedule.
Audit reports with links to spreadsheets, documents, graphs and other documents are updated
automatically when data changes.

4.2.1.3 The use of electronic commerce and internet security
Electronic commerce via the internet and e-mail is a newly developing technology. In recent
years, it has grown faster and faster. Most organizations are adopting Business-to-Business
(B2B) and Business-to-Consumer (B2C) electronic commerce systems through internet tools.
Opportunity and fierce competition in business are the driving forces for this growth. The rapid
development of electronic commerce may be creating problems.
The Internet makes communication via email possible. Email has become popular in modern life. It
has become a standard for faster communication, and most organizations have responded by
adopting it. Likewise, web browsing over the Internet has also become a standard for
organizational information.
However, this availability also leads to risk. It creates information connections to the
Internet, public networks and other organizations such as customers, suppliers and business
partners. As a result, the organization's information is exposed to risks from outside. The
organization's information technology has become part of the global information infrastructure
of modern life. Organizations are obliged to build their information infrastructure to a high
standard. Weaknesses exist in components of the infrastructure and can therefore put the
organization at risk.
Accordingly, auditors become involved in assessing the security of information and operating
systems associated with the internet. Electronic commerce audit tools are only now emerging.
Thus, most auditors rely on the tools of information security professionals and system
administrators to assess the security features provided by operating systems, virus protection
systems, firewalls and intrusion detection systems, with many more under development.
Electronic commerce relies on tools including encryption, public key infrastructure and related
technologies, which make possible the issuing and certification of encryption keys as well as
related services. Another feature of doing business through the Internet is the use of services
from trusted agents that ensure enforceable agreements and privacy protection. Assessing the
systems, networks and operations that support public key infrastructure, the certification
authorities concerned and third-party functions is beyond the capabilities of most auditors at
present. Auditors are required to have thorough problem-solving expertise in electronic commerce
systems, their controls and security assurance. This includes auditors working for organizations
that lead in implementing electronic commerce systems on the internet. Such organizations
include banks and related credit card providers, financial institutions, processing units and
large manufacturing organizations, as well as organizations involved in electronic B2B and B2C,
leading technology providers and similarly advanced institutions.
4.3 Analysis of responses related to the role of the internal auditor with necessary skills and competencies through the application of IT, and discussion
The questions in Appendix B concern the role of the internal auditor with the necessary skills and competencies through the application of IT. Figure 3 below shows the results for these questions:
| Questions | Strongly disagree | Disagree | Neutral | Agree | Strongly agree | Total Respondents |
|---|---|---|---|---|---|---|
| Question 1 | 2 | 2 | 8 | 34 | 12 | 58 |
| Question 2 | 0 | 0 | 3 | 44 | 11 | 58 |
| Question 3 | 2 | 0 | 0 | 30 | 26 | 58 |
| Question 4 | 0 | 0 | 2 | 27 | 29 | 58 |

Figure 3: Answers of the respondents regarding the role of the internal auditor with the necessary skills and competencies through the application of IT

From Figure 3, the percentages of responses are calculated in Figure 4 below:
| Questions | Total Respondents | Strongly disagree | Disagree | Neutral | Agree | Strongly agree | Total |
|---|---|---|---|---|---|---|---|
| Question 1 | 58 | 3% | 3% | 14% | 59% | 21% | 100% |
| Question 2 | 58 | 0% | 0% | 5% | 76% | 19% | 100% |
| Question 3 | 58 | 3% | 0% | 0% | 52% | 45% | 100% |
| Question 4 | 58 | 0% | 0% | 3% | 47% | 50% | 100% |

Figure 4: Percentage of responses related to the role of internal audit with the necessary skills and competencies through the application of IT
In Appendix B, from the statistics I obtained, there are 4 questions analysing reactions to the role of internal audit based on the necessary skills and efforts through applying IT.
The first question asked the auditors and managers whether they think the work of internal audit has changed in a positive direction through the use of network security, e-commerce and email. Those who chose Strongly Agree and Agree accounted for the higher proportions, at 21% and 59%. Furthermore, an auditor's use of network security and e-commerce not only provides benefits and saves cost and time but also helps the work to be safe and reliable. Moreover, Neutral is at 14%; that is, some people think that using the network will bring benefits. Those who think that using the network brings no benefits, choosing Strongly Disagree and Disagree, made up only 6%.
The second question is a bit more complex for auditors and managers. It asked for their opinion on whether expanding knowledge and skills to acquire proficiency, efficiency and quality of service is important for internal audit. Those who chose Agree and Strongly Agree made up the highest proportion, at 95%. This means they believe that, with advanced technology and social development, changes and improvement are always needed. Besides, Neutral is only 5%. Surprisingly, no one chose Disagree or Strongly Disagree.
The third question asked whether expanded knowledge of IT risks, controls and the necessary skills can be achieved. Those who chose Agree and Strongly Agree made up high proportions, at 52% and 45%. Auditors should expand their knowledge so that they can solve problems when they meet them. Moreover, they will then not be confused when solving problems while applying IT. In total, those who chose Disagree and Strongly Disagree are only 3%.
The last question is closely related to auditors' work: whether they think that internal auditors need to advance internal controls to help identify weaknesses and expand effective solutions. This is the real question without annotation and notes. The total percentage of people who chose Agree and Strongly Agree accounted for 97%. Neutral is at 3%. No one chose Disagree or Strongly Disagree. This means that it is important for auditors to develop internal controls.
4.3.1 Discussion of the role of the internal auditor with necessary skills and competencies through the application of IT
IIA Standard 1210.A3 proposes that internal auditors should be aware of the key information technology risks and controls and of the technology-based audit techniques that are available. Also, standard 122.A2 stipulates that all internal auditors are required to act with professional care through the use of CAATTs.
To accommodate the growing IT environment, a change that addresses the role of continuous auditing skills and local knowledge is essential. The skills and knowledge of the internal auditor must advance with the changing demands of business processes that produce financial information and audit evidence in electronic form (Rezaee et al., 2001). To be consistent with the management audit standards in 2030, internal audit resources should be suitable, adequate and effectively organized to achieve the approved plan.
4.4 Analysis of responses related to audit tasks and diminishing organizational risks through the application of IT to internal audit, and discussion

For the questions in Appendix C, I got the results shown in Figure 5 below:
| Questions | Strongly disagree | Disagree | Neutral | Agree | Strongly agree | Total Respondents |
|---|---|---|---|---|---|---|
| Question 1 | 0 | 0 | 2 | 21 | 35 | 58 |
| Question 2 | 0 | 1 | 3 | 31 | 23 | 58 |
| Question 3 | 2 | 2 | 4 | 30 | 20 | 58 |
| Question 4 | 0 | 1 | 7 | 25 | 25 | 58 |
| Question 5 | 5 | 0 | 8 | 18 | 27 | 58 |

Figure 5: Answers of the respondents related to audit tasks and reducing organizational risk through the application of IT to internal audit
From Figure 5, Figure 6 below shows the percentages of respondents:
| Questions | Total Respondents | Strongly disagree | Disagree | Neutral | Agree | Strongly agree | Total |
|---|---|---|---|---|---|---|---|
| Question 1 | 58 | 0% | 0% | 3% | 37% | 60% | 100% |
| Question 2 | 58 | 0% | 2% | 5% | 53% | 40% | 100% |
| Question 3 | 58 | 3% | 3% | 7% | 52% | 35% | 100% |
| Question 4 | 58 | 0% | 2% | 12% | 43% | 43% | 100% |
| Question 5 | 58 | 9% | 0% | 14% | 31% | 46% | 100% |

Figure 6: Response rate related to audit tasks and reducing organizational risk through the application of IT to internal audit
There are five questions, ranging from easy to difficult, which capture respondents' opinions about the responsibilities of the audit organization and reducing risk by applying IT. These questions are easier to answer, but the survey required knowledge as well as experience in using IT and in identifying the high or low risks that respondents suggest.
The first question asked the auditors and managers for their thoughts on and assessment of the functions of internal audit, such as fraud investigation, risk determination, and advice on risk management and process improvement. Those who chose Strongly Agree and Agree accounted for 97%. Neutral made up 3%. No one chose the other answers. This indicates that auditors' thoughts and assessment are necessary for the function of internal audit.
The second question asked whether internal audit clearly identifies the risks of computerized information systems. This question is difficult and requires time to think carefully before choosing. The proportion of respondents who chose Strongly Agree and Agree is 93%. Moreover, 5% of people chose Neutral. In total, those who chose Disagree and Strongly Disagree are only 2 percent. This means that clearly identifying risk is important for any internal audit.
The third question concerns whether internal audit should focus on risk capital and controls, as evaluated by auditors and managers. The total proportion for Strongly Agree and Agree is 87%. The percentage at the average (Neutral) level made up 7%. Strongly Disagree and Disagree accounted for only a small percentage, at 6%.
In the same series, the fourth question asked whether auditors should have experience of suitable controls to manage risk in different environments. This question is very easy, so the auditors and managers did not take much time to think. Based on the results, those who chose Strongly Agree and Agree accounted for 76% in total. At the average (Neutral) level, the proportion is only 12 percent, and only 2% of people chose Disagree and Strongly Disagree.
The last question asked whether internal auditors must understand in detail the risks related to operations and contribute to assessing risk in operational areas. According to the survey results, Strongly Agree and Agree total 77%. Neutral made up 14%. Only 9% of people chose Strongly Disagree and Disagree. This indicates that auditors need to understand risks and find solutions to prevent damage to the business.
4.4.1 Discussion of audit tasks and reducing organizational risk through the application of IT to internal audit

The audit scope and objectives are developed to assess the areas that pose the greatest risk to the organization. Auditors must measure risk, manage risk, and seek contact with management to ensure the reliability of the observed risk when risk management is not an appropriate management process. Measuring risk is an iterative process. Risk measurement results need to be kept so that auditors can refer to and update them smoothly in the next audit project.
The elements of risk analysis are a list of risks identified by management, to which the auditors add. The next step requires evaluating the probability of exposure derived from each risk and its intangible costs. For that purpose, auditors use information technology tools as simple as spreadsheets and databases, or more complex systems that can be attached to an integrated audit management system. Risk assessment by audit firms must be connected to whatever management methods and tools are used. In addition, there should be a general consensus on risk assessment and management to guarantee effective communication of goals, priorities, and audit scope.
According to Allegrini and D'Onza (2003), the internal auditor's involvement in assessing the organization's risk management includes identifying risk factors and verifying the acceptable level of risk as part of the organization's risk assessment.
Standard 2110.A1 states that internal audit should examine and evaluate whether the organization's risk management system is effective and efficient. Standard 2110.A2 concerns the assessment of risks related to the consistency and reliability of information, the performance and efficiency of operations, the safeguarding of assets, and compliance. Therefore, internal auditors are supposed to understand how important sources of risk affect IT organizations.
Internal Audit is responsible for ensuring the level of governance in management for the Audit Committee and Board of Directors. Its understanding of acceptable risk management can potentially be transferred to the board members.
There are a number of effects on governance and management when operating without a clear understanding of risk management within the organization. First, risk decisions can be made at all levels of the organization, with little understanding of, or accountability for, the potential consequences of accepting the risk. Next, risk decisions may not be properly communicated to management and executive management. Accordingly, they will not know of the risks that individuals have accepted on behalf of the organization. Finally, a lack of resources for managing risk in important areas of information security may result when senior management is unaware of the potential outcomes.
To assess the level of risk in any environment, internal auditors use the necessary tools to select controls and data. The controls and data must be checked. Through the controls and data, the auditor shall examine, evaluate, and contribute significantly to management on all problems.
4.4.2 Evaluate internal controls

Control Self Assessment (CSA) is an accepted method to identify and assess internal controls. It helps to focus on the risks as well as the means to reduce or better control these risks. In general, internal audit uses CSA to support group discussions that identify and evaluate internal controls, agree on their strengths and weaknesses, and look for opportunities for improvement.
CSA technology links software and hardware devices to support interaction in face-to-face meetings for group communication. It presents questions or statements with a choice of responses, which are often projected on a large screen so that more people can see them. The software graphs the results of the keypad responses. Some systems allow unstructured text answers. The answers are typically anonymous, to encourage honest, open and frank responses. Immediate feedback is a basic feature of CSA systems.
4.5 Analysis of responses related to guidelines available for internal audit best practice through the application of IT, and discussion
For the Part IV questions in Appendix D, I received the results below:
| Questions | Strongly disagree | Disagree | Neutral | Agree | Strongly agree | Total respondents |
|---|---|---|---|---|---|---|
| Question 1 | 0 | 0 | 15 | 23 | 20 | 58 |
| Question 2 | 0 | 9 | 2 | 26 | 21 | 58 |
| Question 3 | 0 | 0 | 3 | 30 | 25 | 58 |
| Question 4 | 2 | 4 | 7 | 26 | 19 | 58 |
| Question 5 | 3 | 6 | 12 | 20 | 17 | 58 |

Figure 7: Answers related to available guidelines for internal audit best practices through the application of IT
From Figure 7, the percentages of responses related to guidelines available for internal audit best practice through the application of IT are calculated as below:
| Questions | Total Respondents | Strongly disagree | Disagree | Neutral | Agree | Strongly agree | Total |
|---|---|---|---|---|---|---|---|
| Question 1 | 58 | 0% | 0% | 26% | 40% | 34% | 100% |
| Question 2 | 58 | 0% | 16% | 3% | 45% | 36% | 100% |
| Question 3 | 58 | 0% | 0% | 5% | 52% | 43% | 100% |
| Question 4 | 58 | 3% | 7% | 12% | 45% | 33% | 100% |
| Question 5 | 58 | 5% | 10% | 21% | 35% | 29% | 100% |

Figure 8: Percentage of responses related to available guidelines for internal audit best practices through the application of IT
From the percentages calculated for the respondents to the Part IV questions in Appendix D, I can make a general comment that auditors in Vietnam are always looking for new and better ways to improve on risk and improve the features of IT in their work. This final part, Part IV, consists of the questionnaire items on the guidelines available for internal audit best practices through the application of IT.
In the first question, I wanted to know what the respondents think about whether, in performing internal audit, best practices come from the diverse experience and skills of auditors who participate in professional training. Those who chose strongly agree and agree make up relatively high proportions, at 34% and 40%. Others chose neutral as their answer, at 26%. Nobody answered disagree or strongly disagree.
The second question asked the auditors and managers whether a best practice internal audit function should be risk focused. Those who agree and strongly agree accounted for 45% and 36%. Besides, some people chose neutral, thinking that a best practice internal audit is not necessarily risk focused. Also, those who disagree make up 16%. No one chose strongly disagree.
The third question asked whether a best practice internal audit function should be a source of advice on governance, risk and control. In this question, those who agree and strongly agree are 52% and 43%. Besides, I got a result of 6% for the neutral option, and no one picked disagree or strongly disagree.
The fourth question, which is quite easy for auditors and managers, asked whether a best practice internal audit function should have sufficient resources to be effective. In this question, those who agree and strongly agree accounted for 45% and 33%. In addition, the remaining 22% is divided among three opinions: neutral at 12%, disagree at 7% and strongly disagree at 3%.
The last question, which is also the final question of my questionnaire in this research, asked the auditors and managers whether best practice internal audit is implemented by using software to automate the closed-loop process in realizing impressive results from the internal audit program. In this question, those who agree and strongly agree accounted for 35% and 29%. The share choosing neutral is also fairly similar, at 21%. Also, those who disagree and strongly disagree make up 15%.
4.5.1 Discussion of guidelines available for internal audit best practices through the application of IT

By allowing transaction processing in real time and facilitating relationships with global customers and investors, information technology has increased the efficiency, effectiveness and productivity of business operations.
In performing internal audits, best practices come from the diverse experience and skills of audit staff who participate in professional training. Leading companies take advantage of the professionalism of internal audit staff in the company's activities to develop skills in identifying and minimizing risks. In addition, the company's audit function is provided with smart and competent resources, as defined in the audit charter established by the board, senior management and the audit committee, to accomplish the department's tasks effectively. In this way, best practice is for internal auditors to collaborate with the information technology department to minimize information technology risk.
CHAPTER V: CONCLUSION AND RECOMMENDATION
5.1 Conclusions

At present, IT has become a necessary resource for everyone in the world. It also affects internal audit. Therefore, internal auditors need to promote the importance of technological knowledge in order to assess IT-based processes and controls. The role of internal audit has been changed by the development of the IT environment. Internal auditors are expected to build their skills and knowledge of the technological environment to match the expectations of the audit committee and top management.
From changing traditional paper-based audit documents to applying IT to processes and transactions, information technology has altered the nature of business processes. From this point of view, the role of internal audit has been modified in carrying out its responsibilities, assurance commitments and consulting services. However, because the complexity of the IT environment has increased, internal audit staff's skills, which determine how well they fulfil their responsibilities, are limited. Internal auditors with the knowledge and intellectual skills to carry out their duties and to deliver consulting services and assurance objectives through applying information technology play a basic role in supporting the expectations of top management and the audit committee in the future.
Changes in the IT environment will lead to changes in the role and functions of the internal auditor. The internal audit function exists because it provides the capability to assess objectively and effectively. This means that the internal auditor's basic consultancy depends on knowledge and intellectual skills in technological development. Internal auditors must be able to grasp clearly and analyze the business's needs and make recommendations on carrying out electronic applications in all operations that match the expectations of top management. Changes in business processes related to audit evidence and financial IT mean that internal auditors need to gain more knowledge and advance their skills. Based on information technology, internal auditors' core activities relate to reviewing the development of new system expectations.
The competence of the internal auditor involves understanding more about the implications of IS quality. This creates the conditions for the internal auditor to review risk management as well as internal control procedures. If information is of lower quality, problems will not be detected and solved in a timely manner in the processing system. This means that management decisions in existing entities can be insecure.
In evaluating internal control systems, poor performance of internal audit's objective assurance function reflects confusion in detecting and preventing information security risks. Thus, to carry out the role of internal audit in consistent and timely reporting and support, internal auditors are required to gain more IT knowledge and skills. Efficient and effective internal control requires that the risk elements in system security and information quality be consistently recognized.
5.2 Recommendation
This thesis only provides information related to auditors' application of IT. There is no general model of technological tools that matches all businesses. To support and complete all audit activities, reliance on technological development must be recognized. The form that technology takes depends on the level of auditors' incremental and professional skills and knowledge. What matters for the success of audit activity is the effective use of technological tools. However, this is only a step towards understanding more about the changes in technology that are implemented in the audit profession and in business. To foster and develop the efforts of system providers, an important role for professional auditors is reducing new technologies' performance to advance the examination and assurance features of systems that are not in their view as processes or as elements. The auditors' important role is to understand and adapt technology. Besides, they also explain it to others. Interpersonal contact remains important in audit: email and the keyboard certainly cannot substitute for the need for interpersonal skills.
5.3 Limitations
The study uses only a conventional approach. It is neither a proactive method nor in-depth research that provides practical suggestions to auditors. It does not offer a general model of technological tools that matches all companies. It is important to realize that reliance on technology to support and complete audit activities is increasing. In the benchmarking literature, research has emphasized limitations. This research has some difficulties related to the problem of how to integrate new technological risks when determining business controls, audit techniques and approaches. Moreover, the survey results obtained through questionnaires may be inaccurate because some respondents may not have read carefully or thought much when they answered.
5.4 Further Research

Further research is important to address this research's limitations. Further research could examine how the impact of IT on the internal audit role increases with its complexity. Further research would also be important on the development of the internal auditor's role for those who take part in information technology auditing. Further research along the same lines offers opportunities to make useful information available to the internal audit profession, designed to give a simple awareness of how the role of internal audit develops in line with the impact of information systems and IT development.
REFERENCES

1. Abu-Musa, A. Ahmad (2008), Information technology and Its Implications for Internal Auditing. Accessed on 1st September, 2013.
https://docs.google.com/viewer?a=v&q=cache:k01QONigZAMJ:www1.kku.edu.sa/Conferences/SSEFP/Researches/Dr%2520%2520Abu-Musa%2520paper-MAJ.doc+the+impact+of+information+technology+on+the+internal+audit+role&hl=en&gl=vn&pid=bl&srcid=ADGEESjeMPTRTb8lELnnDkJRjID0VDf5DfqMLMWCGG6eXq18pfefmQP-LIzPL96BkFn9p4wShv_zfco45jJqxsaT6cKeNbiJOFZMHzsROUufBpSR9PsvAYWAPfF-vasFkm1eN8qct9iq&sig=AHIEtbTj_QR9yj0d4WW0H0ui0HvO_DVh7Q

2. Allegrini, M. and D'Onza, G. (2003), Internal auditing and risk assessment in large Italian companies: an empirical survey, International Journal of Auditing, Vol. 7, pp. 191-208. Accessed on 5th September, 2013.

3. Elliott, R.K., Confronting the Future: Choices for the Attest Function, Accounting Horizons, September 1994, pp. 106-124. Accessed on 5th September, 2013.

4. Hermanson, D. R.; M. C. Hill; and D. M. Ivancevich (2000), Information Technology-Related Activities of Internal Auditors, Journal of Information Systems (Supplement, Vol. 14, Issue 1), pp. 39-53. Accessed on 7th September, 2013.

5. The relationship between the internal audit and the external audit. Accessed on 9th September, 2013.
http://freedownloadb.com/pdf/the-relationship-between-internal-and-external-audit-5859443.html

6. The definition of Information technology Audit. Accessed on 9th September, 2013.
http://jobsearchtech.about.com/od/historyoftechindustry/g/IT_Audit.htm

7. The information about the computer assisted audit techniques and the definition of CAAT. Accessed on 9th September, 2013.
http://big4guy.com/web/computer-assisted-audit-techniques-caat-what-is-a-caat/12/

8. The definition of Information Technology. Accessed on 10th September, 2013.
http://microsolve.com.au/IT-Terms-Definitions/

9. The accounting standard of internal audit. Accessed on 10th September, 2013.
http://wircicai.org/wirc_referencer/Acconting%20&%20Auditing/Standards%20of%20Internal%20Audit.htm

10. The information about COSO. Accessed on 10th September, 2013.
http://www.coso.org/

11. Hany B. Ahmed - MSc Accounting & Finance; Information Systems Development and the Changing Role of Internal Audit. Accessed on 10th September, 2013.

12. Institute of Internal Auditing (IIA) (2000), Definition of internal auditing, [Online] www.theiia.org/guidance/standards-and-practices/professional-practices-framework/

13. Institute of Internal Auditors (IIA) (2004), Understanding the revised standards, [Online] www.theiia.org/download.cfm?file=1340

14. Management Audit Circular No: DM.107 - Guidelines for Internal Auditing in a Computerized Information System (CIS) Environment

15. Meredith M.; and M. D. Akers (2003), "Internal audit's role in systems development: The CEO's perspective", Internal Auditing, Boston, Jan/Feb, Vol. 18, Iss. 1, pp. 35-39.

16. M. Krishna Moorthy, A. Seetharaman, Zulkifflee Mohamed, Meyyappan Gopalan and Lee Har San (2011); The impact of information technology on internal auditing

17. Rezaee, Z. and Reinstein, A. (1998); The impact of emerging information technology on auditing; Managerial Auditing Journal, Vol. 13 No. 8, pp. 465-471

18. Rezaee, Z., Elam, R. and Sharbatoghlie, A. (2001); Continuous auditing: The audit of the future; Managerial Auditing Journal; Vol. 16 No. 3; pp. 150-158

19. Rishel, T. D.; and S. H. Ivancevich (2003), Additional opportunities for Internal auditors in IT implementations, Internal Auditing, Boston, Mar/Apr, Vol. 18, Iss. 2, pp. 35-39.

20. ROIA: Research Opportunities in Internal Auditing. The Institute of Internal Auditors Research Foundation monograph co-edited by Andrew D. Bailey, Audrey A. Gramling and Sridhar Ramamoorti. Individual chapters written by several authors. Referenced as: [Author name(s), ROIA, 2003]

APPENDIX A QUESTIONNAIRES

Please respond to the questions below by ticking the appropriate point on the scale. Please answer all questions below:
Part I: Questionnaire about software and hardware tools that assist the audit process through the application of IT to internal audit

| Question | Strongly Disagree | Disagree | Neutral | Agree | Strongly Agree |
|---|---|---|---|---|---|
| Do you think features of technology have a great impact in the internal audit profession with usefulness, and ease of use? | | | | | |
| Do you think CAATs can be used by internal auditors in financial and implementation auditing to attain the efficiency, effectiveness, and quality of the audit? | | | | | |
| Do you think CAATs can support for internal auditors in bringing consulting services, facilitation services, and added value for the organization? | | | | | |
| Do you think email and file transfer software can help internal auditors without difficulty and fast of sharing data and keep contact? | | | | | |
| Do you think automated work-papers allows auditors to easily manage, organize, link and locate text, spreadsheets, graphs? | | | | | |
| Do you think the Internet, LANs, WANs, intranets, and wireless network bring the connectivity and efficiency for internal auditors? | | | | | |

APPENDIX B QUESTIONNAIRES

Please respond to the questions below by ticking the appropriate number on the scale. Please answer all questions below:
Part II: Questionnaire about the role of the internal auditor with necessary skills and competencies through the application of IT

| Question | Strongly Disagree | Disagree | Neutral | Agree | Strongly Agree |
|---|---|---|---|---|---|
| Do you think task of internal auditor is changed in positive trend through the use of electronic ecommerce and internet security? | | | | | |
| Do you think the expansion of IT knowledge and skills to attain proficiency, the effectiveness and quality services are needed to internal auditor? | | | | | |
| Do you think internal auditors should have wide-ranging knowledge of main information technology risks as well as controls and obtainable technology-based audit techniques? | | | | | |
| Do you think that internal auditor should increase internal control in assisting the company identify weaknesses and expand cost-effective solution to solve those weaknesses? | | | | | |

APPENDIX C QUESTIONNAIRE

Please respond to the questions below by ticking the appropriate number on the scale. Please answer all questions below:
Part III: Questionnaire about audit tasks and diminishing organizational risks through the application of IT to internal audit

| Question | Strongly Disagree | Disagree | Neutral | Agree | Strongly Agree |
|---|---|---|---|---|---|
| Do you think the function of the internal audit includes fraud investigations, identification of organizational risks, and consultations to the senior management related to risk management, process improvement or global operations? | | | | | |
| Does the internal auditor obviously identify the risk areas in the Computerized Information System environment? | | | | | |
| Do you think internal audit should focus on areas of high inherent risk, high residual risk, and key controls in the organization? | | | | | |
| Do you think internal auditor should have extensive experience of appropriate controls to manage risks in a diversity of relevant environments? | | | | | |
| Do you think internal auditor must understand the specific risks related to operational activities and is able to contribute to the review of risks in operational areas? | | | | | |

APPENDIX D QUESTIONNAIRE

Please respond to the questions below by ticking the appropriate number on the scale. Please answer all questions below:
Part IV: Questionnaire about guidelines available for internal audit best practice through the application of IT

| Question | Strongly Disagree | Disagree | Neutral | Agree | Strongly Agree |
|---|---|---|---|---|---|
| Do you think in performing internal audit, best practices come from varied in experiences and skills of audit staff that are participated in the professional training? | | | | | |
| Do you think a best practice internal audit function should be risks focused? | | | | | |
| Do you think a best practice internal audit function should be a source of advice on governance, risk and controls? | | | | | |
| Do you think a best practice internal audit function should be having sufficient resources to be effective? | | | | | |
| Do you think the best practice internal audit is implemented by using software to automate the closed-loop process in realizing impressive results from its internal audit program? | | | | | |