The impact of information technology on the internal audit role by nguyen ah duong. Duong's thesis was submitted to HELP University College in Partial Fulfillment of the Requirements for the Degree of Bachelor of Business (Accounting) honours.
The impact of information technology on the internal audit role by nguyen ah duong. Duong's thesis was submitted to HELP University College in Partial Fulfillment of the Requirements for the Degree of Bachelor of Business (Accounting) honours.
The impact of information technology on the internal audit role by nguyen ah duong. Duong's thesis was submitted to HELP University College in Partial Fulfillment of the Requirements for the Degree of Bachelor of Business (Accounting) honours.
Graduation Project Submitted to the Department of Business Studies, HELP University College, in Partial Fulfillment of the Requirements for the Degree of Bachelor of Business (Accounting) Hons
OCTOBER 2013 ii
DECLARATION OF ORIGINALITY AND WORD COUNT
DECLARATION OF ORIGINALITY: I hereby declare that this graduation project is based on my original work except for quotations and citation which have been duly acknowledged. I also declare that it has not been previously or concurrently submitted for any other courses/degrees at HELP University College or other institutions. WORD COUNT: 12,686 words.
_____________________ NGUYEN ANH DUONG 7 OCTORBER 2013
iii
ACKNOWLEDGEMENT
First of all, I would like to express my sincere appreciation to my supervisor, Associate Professor PHAM DUC HIEU who has guided me throughout this thesis. His constant guidance, insightful suggestions, and constructive ideas are the essential inputs and encouragement for me in order to complete this thesis. In addition, I would like to send my gratitude to Mrs. SUMATHI PARAMASIVAM, the International School and HELP University College for giving me an opportunity to conduct my study in my favorite area. Furthermore, I also address my appreciation to Financial Professor CHU VAN HUNG who supported my thesis with information related to my thesis. My thankfulness is also addressed to others who have helped me since the beginning of my study until I can finish my thesis. Lastly, I would also like to extend my heartfelt gratitude to my family and my friends for their continuous support, encouragement and contribution, which have been crucial during the presentation of this report. My thesis cannot be finished without your supports.
iv
ABSTRACT
THE IMPACT OF INFORMATION TECHNOLOGY ON THE INTERNAL AUDIT ROLE
BY NGUYEN ANH DUONG OCTORBER 2013
Supervisor: Assoc. Prof. PHAM DUC HIEU The word has developing at such an incredible speed, that never before has the system of information technology, the strategic investigation on the information technology as well as their internal audit role, become so developed. However, there is a truth fact that the economy is increased in everyday, so the businesses, auditors and the investors are always looking for the right direction, beneficial to their investment and to find the keys to success in their business. One of the factors that make their successful is that they take advantages of services and the auditing is an indispensable operation in the operation of the market economy in order to improve the quality of information, which is helping the users decide the appropriate place. An economy with a healthy development pipeline of capital from the stock market and banks are required to provide services of high quality audit. The growing economy increasingly complex economic information will be extremely risky, false, and unreliable. The subjects interested in financial information of enterprises not only the state but also the management, joint venture partners and employees. However from many different angles all stakeholders interest is the v
common aspiration is to use information reliability, accuracy and honesty. If all those who are interested have to inspect the financial information of enterprises, the cost is too great. So the organizations need independent, objective examined this information to meet the requirements of multiple objects using the information. The role of information technology and how it affects internal audit process in the organization. Moreover, the study also stresses on the global trend of adopting Information technology system (software/hardware) in producing a more controlled environment in delivering the auditing process. It also constitutes on how Information Technology affects internal control (control environment, risk assessment, control activities, information and communication and monitoring) and provides guidelines and best practices in evaluating techniques available to effectively perform auditing tasks internally. It also addresses how technology information system and the electronic data processing have changed the way organizations conduct its business, promoting operational efficiency and aid decision making. It also spotlights many aspects of Information Technology risks and controls and highlights whether the right people are overseeing Information Technology risks to the degree they should. It demonstrates the impact of technology convergence on the internal control mechanism of an enterprise. The emphasizes that the auditor also has a responsibility to assure that the governance level of management or the audit committee and board of directors understand risks accepted by management and the liabilities potentially transferred to board members.
vi
TABLE OF CONTENTS ********* DECLARATION OF ORIGINALITY AND WORD COUNT ................................................ ii ACKNOWLEDGEMENT ........................................................................................................... iii ABSTRACT .................................................................................................................................. iv TABLE OF CONTENTS ............................................................................................................ vi LIST OF TABLES AND FIGURES ........................................................................................... ix LIST OF ABBREVIATIONS .................................................................................................. xiiii
CHAPTER I: INTRODUCTION ............................................... Error! Bookmark not defined. 1.1 Background of the study ....................................................................................................... 1 1.2 Problem statement ................................................................................................................. 2 1.3 The objectives of study ......................................................................................................... 6 1.4 Structure of the study ............................................................................................................ 7
CHAPTER II: LITERATURE REVIEW .................................................................................. 8 2.1 Definition of Auditing ........................................................................................................... 8 2.1.1 The History and development of Auditing in the world ................................................. 8 2.1.2 The history and development of Auditing in Vietnam ................................................. 11 2.2 Definition of Internal Auditing ........................................................................................... 12 2.2.1 Concept of Internal Auditing ........................................................................................ 12 2.2.2 Role of Internal Audit in Vietnam ................................................................................ 14 2.2.3 Objective of Internal Auditing ...................................................................................... 16 2.2.4 The Internal Auditors duty .......................................................................................... 16 2.2.5 Relationship between Internal Control and Internal Audit ........................................... 18 vii
2.3 The Relationship between Internal auditor and External Auditor....................................... 20 2.4 Information Technology of Audit ...................................................................................... 21 2.4.1 The development of Information Technology of Auditing .......................................... 22 2.4.2 The standard of Information Technology of Auditing ................................................. 22 2.4.3 The Importance of Information Technology of Auditing ............................................. 23 2.5 How Information Technology that affect the Internal Audit Process ................................. 23 2.5.1 Internal Audit in Computerized Information System Environment ............................. 23 2.5.2 The computerized impact on internal auditing ............................................................. 25 2.6 The Computer Assisted Audit Techniques (CAATS) ......................................................... 26 2.6.1 The oversight on IT risk ............................................................................................... 26 2.6.2 Information technology risks to an organization .......................................................... 27 2.7 Benefits of IT control framework........................................................................................ 28 2.7.1 CICAs internal control guideline ................................................................................ 29 2.7.2 COBIT-control objectives for information and related technology.............................. 29
CHAPTER III: METHODOLOGY ........................................... Error! Bookmark not defined. 3.1 Research Problem ................................................................................................................ 30 3.1.1 Aim of the research ....................................................................................................... 30 3.2 The objective of research .................................................................................................... 31 3.3 Research Methodology ........................................................................................................ 31 3.4 Data Sources ........................................................................................................................ 32 3.4.1 Primary data .................................................................................................................. 32 3.4.2 Secondary data .............................................................................................................. 35 3.5 Research Tools .................................................................................................................... 37 3.5.1 Types of Survey ............................................................................................................ 37 viii
3.5.2 Questionnaires .............................................................................................................. 39 3.6 Sampling .............................................................................................................................. 42 3.7 Limitation of the study ........................................................................................................ 42
CHAPTER IV: ANALYSIS AND DISCUSSION ..................... Error! Bookmark not defined. 4.1 General analysis .................................................................................................................. 44 4.1.1 Gender .......................................................................................................................... 44 4.2 Analysis responses related to software and hardware tools ................................................ 45 4.2.1 Discussion of software and hardware tools to support the audit process ..................... 47 4.2.1.1 The application of CAATs ......................................................................................... 48 4.2.1.2 Audit electronic reporting .......................................................................................... 48 4.2.1.3 The use of electronic ecommerce and internet security ............................................. 49 4.3 Analysis responses related to role of internal auditor with necessary skills ....................... 50 4.3.1 Discussion role of internal auditor with necessary skills .............................................. 52 4.4 Analysis responses related audit tasks and diminish organization risks ............................. 53 4.4.1 Discussion audit tasks and reduce organizational risk ................................................. 55 4.4.2 Evaluate internal controls ............................................................................................. 57 4.5 Analysis responses related to guidelines available for internal audit .................................. 57 4.5.1 Discussion guides are available for internal audit.........................................................60
CHAPTER V: CONCLUSION AND RECOMMENDATIONError! Bookmark not defined. 5.1 In conclusions ...................................................................................................................... 61 5.2 Recommendation ................................................................................................................. 62 5.3 Limitations ........................................................................................................................... 63 5.4 Further Research .................................................................................................................. 63 ix
Table 1- table of advantages and disadvantages of secondary data Table 2-table of characteristics of primary data and secondary data Table 3-table of percentage of respondents rate Table 4-table of percentage of gender Figure 1: answers of the respondents regarding the role of the internal auditor with the necessary skills and competencies through the application of IT Figure 2: percentage of responses regarding the role of internal audit with skills required and capabilities passed information technology application Figure 3: answers of the respondents regarding the role of the internal auditor with the necessary skills and competencies through the application of IT Figure 4: percentage of responses related to the role of internal audit with the necessary skills and competencies through the application of IT Figures 5 - answers of the respondents related audit tasks and reduce organizational risk through the application of IT to internal audit Figure 6-response rate audit related tasks and reduce organizational risk through the application of IT to internal audit Figure 7 - answers related to available guidelines for internal audit best practices through the application of IT xi
Figure 8 percentage of responses related to available guidelines for internal audit best practices through the application of IT
xii
LIST OF ABBREVIATIONS
IT Information Technology CIS Computerize Information Systems IFAC International Federation of Accountants CAATs Computer Assisted Audit Techniques IA Internal Auditing COSO Committee Of Sponsoring Organizations of the tread way commission COCO Criteria of Control
1
CHAPTER I: INTRODUCTION 1.1.Background of the study The aim of this thesis is to provide a specific impact of Information Technology on auditing. It would be helpful to give the general background of some terms to easily catch up with the scope of this thesis. Firstly, Information technology (IT) is well-known as the outstanding and useful application to store, retrieve, transmit and manipulate data. Or in brief way, IT mechanism is related to all collective way to process the data. It helps to analysis all detailed and complicated reports, especially financial report. Also it creates collective information system to control all e- documents. Especially, IT enables the speed and accurate transactions which bring the fixed competitive advantages, including cost savings, effective and error controls to each business applying. It is no doubt that IT has gradually become a key factor to the whole society in the general; and to the auditing in particular. Then, the second definition is auditing; a means of evaluating the effectiveness of a company's internal controls. It is clear that to promote the system of internal controls is essential to reach the company's target, to maintain suitable financial analysis on its running as well as to avert fraud and misappropriation and finally to decrease its cost. For that reasons, applying IT on auditing is a sole way to carry out all its functional priorities as IT is capable of sifting through operational data, making decisions about what is going happen in the specific time, and then road mapping the business influence. By collecting, processing, and storing data; IT is widely reviewed and reported in details on financial statements. More and more enterprises are taking advantages of IT into their business. On a daily basis, as far as you 2
could see, the completely integrated information system and electronic document management by applying IT are also displayed. The speed and the exactness in transaction processing are maintained and reinforced by IT mechanism to cost savings, to manage operational efficiency, and to lessen human errors. For leaders and auditors, which system can cover fully the internal control of auditing is very important. And the IT is the proper answer for above question. It is considered that IT has been applied in almost industry fields in Vietnam, and of course, the internal control in auditing is also needed to apply IT. Since internal control is regarded as the method to evaluate the effective running within an organization or enterprise. It includes information collecting for each management unit, acknowledging some mistake faults and classifying system of operation to prevent or discover all frauds. It might be said that all auditors need much support from IT. By IT functions, it can improve the transparency of each organization. By applying advanced database, IT also helps to make right decision in each difficult circumstance. Also the reduction of fraud is one helpful aspect of IT can cover. Moreover, IT is made used off to find out the cause of each problem. And it can reinforce the effectiveness of each auditing transaction as well. 1.2.Problem statement Catching up the importance of IT, the thesis named "The impact of Information Technology (IT) on auditing, especially on internal control" was carried out. The applying of IT affects to transaction ways; such as, initiating, recording, processing, and reporting. The automatic procedures applied help the information database within each replace sharply the paper documents by electronic ones. There is much type of electronic documents, including the orders, 3
invoices, shipping documents, and bookkeeping involved. And applying the information technology is the proper way to control all document systems automatically without the manual controls as the past. However, manual controls should be used in parallel with IT controls to supervise the effectiveness of IT the automatic controls. It is the good way to let all system avoid of independence too much on IT. The manual control is performing to conduct with limited exceptions. Therefore, the nature, extent and timing of audit sensitivity to design and perform further audit procedures for risk assessment. The audit procedures is the auditor on duty to check carefully the consequences of risk; the consequences of material misstatement; the features of these types of transactions as, account balance or more disclosure is associated. They are also supposed to evaluate the environment of the specific controls applied IT by their organization. Should they are on the go to check precisely their expectations of evidence collected in each audit; the organizations controls will become less effective to prevent, detect and modify material misstatement. According to ISA401 the environmental Audit of Computer Information Systems, the evaluation process for both internal auditors and external auditors have been changed. The motivating factor for this complication change in the business globalization; advanced technology; the needed for value-added audit; the organization structural of the computer information systems activities of customers; the consequences of the division of tasks and access to the data source document processor computer with concentration or distribution organization; and etc. Some of computer files and additional evidence required by the auditor members can only be expressed in the short term. For that reason, the auditors are supposed to have sufficient knowledge of information system science in order to operate effectively in planning, directing, monitoring 4
performance review. In addition, the auditor should consider the specialized CIS skills applied widely applied in the audit of a transaction. Rishel and Ivancevich - Internal auditors indicated the primary responsibility to resolve control issues, risks, and other factors important during the implementation process related to IT. Moreover, auditors should pay attention to the value-added sector that is often available observations to reduce the number of IT failures. For the purpose of legitimizing the system documentation and training is good, auditors are involved in assessing and improving the quality of the process. The processing can make IT applications more successful. In addition, internal auditors are on the road to bring the valuable input of the system is available in an appropriate configuration under the control of their organizations in the certification and test phase implementation phase. In the past thirty years, the internal audit department regarding information technology development is expected in the development and management from the Meredith and Akers, in 2003. Providing the consulting services under applying IT and the system expanding and level of internal auditing was developed to test and assessment of internal control resulting. However, the hidden matters of running the internal auditor while the advisory of above system within the project is considered as the impaired factors to their independence. In addition, the ISA 401 has been recognized that the environment of CIS is not generally changed the goal and the scope of an auditing. Moreover, computer application has been changed in the way to store and communicate all financial information in deed. These has been affecting much too both systems of the internal control and the accounting currently applied by the organization. 5
An acknowledgement of both the significance and complexity of the CIS operations and the ability to access data application in the auditing is recognized necessary to internal auditors; however the CIS are quite complicated with hidden and potential risk increasing. The International Federation of Accountants (IFAC) in 2002 suggests that IT can bring potential benefits of internal control of an organization with the helpful and efficiency because it creates conditions for an organization to acquire timely, the credibility, and precision of information; reduce the risk; and much more. Everything has both sides, advantages and disadvantages; therefore, IT shares the same aspect. It creates risks for internal control of an organization such as the lack of precision in data processing, the extracted user participation, and the potential loss of data. John Silltow - the managing director of security controlling and audits ltd Company also stated that internal auditors are more attention with the past than the systems in IT. IT has an important role in the functioning of contemporary organizations operate. This is capable of to cover all incorporation in extend of each auditing type required to check some IT maintains. Another point of view of the engineering Associate Professor Pathak, J emphasized again that the combinations of these applications and communication systems will be expand a business system will be an important trend in the future. It will definitely be have an enormous impact in the total set the knowledge, skill, approach, algorithmic, and strategic of internal auditor. According to this view, those who deal with the audit profession is required for the development the skills and fundamental knowledge to cope with the changed recently and the challenges intangible. 6
1.3.The objectives of study Audit is an indispensable activity in the operation of the markets economies to improving the quality of communication; it helps the user decide the right spot. Moreover, an economy with a healthy development pipeline of capital from the stock market and banks are required to provide services of high quality audit. The growing of social economy is increasingly complex, more economic information risky, false, and unreliable. Anyway, in the subjects of interested in financial, the information of enterprises not just of the State but also as the management, joint ventures counterparts and workers ... But from many different perspectives that every stakeholders interest are the common aspiration is to use information credibility, accurately and faithful. If all people were interested have to check the financial information of the business, and the expenditure is too great. Therefore, the organizations need independently, objective test to meet the information requirements of multiple audiences using the communication that was held audits It is clear that many fields of daily life are being impacted by IT and so is internal auditing. Therefore, this thesis will discuss much more influence of IT on auditing. It is the primary objective of this study to analyse both good impacts on auditing. Even the advantages of applying IT outweigh than the disadvantages, this study also covers these aspects. By the end of this analysis, the reader will be able to understand more much the IT impact on auditing. The second objective is to prepare for auditors to adapt themselves during applying IT to perform auditing task well as well as to minimize the organizational risks made by IT disadvantages impacts. It helps to identify auditors skill requirements for their daily work and 7
their applying IT on working. The final objective is also focus much on pointing out the crucial role of auditors who are skilful and good at auditing applied IT. 1.4.Structure of the study This study is divided into five chapters as follows: Chapter I: Introduction. Chapter II: Literature Review Chapter III: Research Methodology Chapter IV: Result Analysis Chapter V: Conclusion and Recommendation
8
CHAPTER II: LITERATURE REVIEW 2.1. Definition of Auditing
Audit is verification and expression the opinions about the financial situation by the system of technical methods of auditing the documents and external documents by the auditors, who have the appropriate level of knowledge, based on the standard of effective legal system. 2.1.1. The History and development of Auditing in the world
Auditing is an indispensable activity during operation of the market economies in order to improving the quality of information and improves for the users make the decisions suitable. An efficiently development economy with the capital supplying from the stock market and banks required to have the high quality auditing services provided. The society is developing more and more, the economy is becoming more and more complex, economic information might have the probability of containing risks, errors and less reliable. The objects, which concerns about the financial information of the enterprises, are not only the Government but also the manager level, partners and employees. Although they concern about the problems from different perspective, all the concerning objects have the same aspiration of using the highly reliable, accurate and honest information. If all the concerning people must self-organize to check the financial information of enterprise, the expenditure is too high. As the result, it is necessary to have the independent, objective organizations, which is the auditing organization, to adapt the requirement from variety of information user. According to the opinion of the historical researchers, Auditing was appeared in the third century before Christ, in conjunction with the civilization of ancient Egyptians and Romans. The first 9
time, auditing is formed at the simple level named Classical Audit. The indication is the accounting record people read loudly statistic, accounting material to an independent people who listen and then authenticate. As the consequences, Audit in English is derived from the Latin Audire which means listening. Together with the growth of society and accounting is the continuos development of controlling tool of the account. Whenever there are human activities, there will be the testing, controlling activities and whenever there is accounting, there will be accounting testing. The accounting auditing developed from low to high, society developed and wealth was surplus, the accounting activity expanded more and more complex so that the testing and controlling of accounting and finance are concerned more and more. From the ancient, accounting was conducted mainly by the specific symbol on the ropes, stems, leaves . This way was appropriate with the early stage of the ancient time because the society did not have the wealthy surplus, the demand of controlling is low and at the simple level. At the end of the ancient time, production was developed, properties was surplus more and more, the owners and controllers of assets are separated. The demand of checking the assets and revenues, expenditures increased in a more complicating way. The simple way of accounting did not adapt the requirements of managers. As the consequences, independent auditing was arose at first in France, Rome and England. In Rome, in the third century before Christ, the authorities (property owners) that are an employees recruited with expertise and independen to audit the managers annunciate on the asset situations and give the opinion of accepting or requesting the modification of these reports. The auditing process was conducted by the managers read loudly those reports to the independent auditors listening and accepting. 10
In France, King Charlemagne, who also followed the precedents of Rome, has recruited the senior official responsible for monitoring the task manager; in particular, the financial transaction of local government officials and presents the results to the King. In the UK, according to the documant of Parliament, King Edouard First that give Barons the right of recruiting Auditors, the King also check for the account of the will of the late Queen Elonor. From the middle age onwards, the improved the development of accounting and gradually, for instance, transaction has forced both sides with 2 entries, so comparison has been arising as a form of accounting test. In particular, from the XVI century onwards, the appearance of double entry accounting by an Italian mathematican named Luca Paciola has made the self test approach of accounting more complete, which met the management demands and property safety at the time. From the XVII XX century, accounting methods and information technology developed to the sophisticated level has adapted better the requirement of manager. Until 1930s of XX century, there were the bankruptcy of financial institutions and economic crisis, financial recession, the functions of accounting testing have shown the disadvantages, required the external accounting testing and auditing have been developed again. After 1934, the security exchange commission has been established and the policy about the external auditors have come into effects. Simultaneously, the American Institute of Certified Public Accountant (AICPA) has printed the standard form of auditing report of company accounts. 11
In 1941, the Institute of Internal Auditors was established, has put into operation and educated the internal auditors. At the same time, the institute has constructed and issued the standard of internal auditing of USA in 1978. In France, the actions of checking independently of external experts was realized and passed by the laws of commercial company on 24/07/1966. Along with that, the internal auditing in France also has been established officially in 1960s in XX century in subsidiaries of foreign groups. From the developed history of Auditing, it seems that Auditing was appeared because of the independent testing of accounting figures and the financial situation of enterprises. In the development process, Auditing has not only been limited in the Accounting and Finance area but also expanded to the controlling area, evaluating the whole management system of enterprises; not only limited in business enterprises but also expanded in public services units with the problems of reevaluating the management efficiency of those units. 2.1.2 The history and development of Auditing in Vietnam
In Vietnam, auditing in general as well as the accounting testing specifically has been concerned from the beginning stage of constructing country. Before 1975, in South Vietnam, there have been the auditing activities of the independent auditing enterprises under the Republic of Vietnam when Ngo Dinh Diem is the president. After Vietnam change the management system (1986) from centralized planning to socialism- oriented market, on 13/05/1991 Ministry of Finance issued two decisions of establishing the first two auditing companies, which are the Vietnam Auditing Company named VACO with 13 employees, and the Accounting Services Company of Vietnam ASC and later the name will be changed to Accounting and Auditing Financial Consultancy Company Limited AASC (Decision No 639- TC/QD/TCCB on 14/09/1993). The number of auditing company has been 12
increased considerably and the sorts of company are more variables, until 10/2006 in Vietnam there has been 81 auditing company including 75 company had registered its activities in Ministry of Finance, including three state-owned company (VACO, AASC, AISC), 4 FDI enterprises (P&C, KPMG, E&Y, Grant Thomtion), 1 joint venture, 5 partnership and 123 public company and limited company. Together with the growth of independent auditing, The State Audit Office of Vietnam was founded according to the Decree70/CP 11/07/1994 of the government and until 13/08/2003 was replaced by the Decree 93/2003/N-CP. On 14/06/2005, the law of State Audit Office of Vietnam was issued by the Congress and come into effect since 01/01/2006. Until now, The State Audit Office of Vietnam have 9 units of auditing sector: Sector 1 (Hanoi); Sector 2 (Vinh) ; Sector 3 (Danang); Sector 4 (Hochiminh City); Sector 5 (Can Tho); Sector 6 (Halong); Sector 7 (Yen Bai); Sector 8 (KhanhHoa) and Sector 9 (TienGiang) Simultaneously, internal audit offices were established in the large corporation such as Vietnam Airlines Corporation, Vietnam Post and Telecommunication Group, Petro Vietnam, Electronic Vietnam 2.2 Definition of Internal Auditing
2.2.1 Concept of Internal Auditing
Internal Auditing (IA) is well-known as an isolated, practical and consulting operator system with an aim to both count up value and ameliorate the organization running. The organization can reach closer its target as the IA system provides the well-ordered access to figure out and improve the effectiveness of risk management, control, and governance processes. It might be considered as the advanced activator to improve the organization management and risk control 13
by offering either the comprehensive view or the bright guidance from its analyses and assessments of data and business processes. Within an organization, as far as you could see, the IA covers all organization issues broadly and profoundly. The good examples of its cover in the organization management and risk control are the effective operation in assets protection; the credibility of financial and management statements, and legal compliance and other provisions. In addition, it commits to control fraud audits actively by finding out the likely fraudulent acts might occur; or joining in fraud investigation under the instruction of investigation of fraud professionals; and running fraud result investigation which helps to analyse control breakdowns and build-up the reason leading to financial loss. It is clear that IA aim is to help the employees of the audited organization in performing of their responsibilities more efficiently. In the early period, IA used to mainly focus much on financial and accounting issue. And nowadays its function has been becoming bigger and bigger by covering on proactive risk management and organizational governance. Not only has it concentrated on the real transactions to identify the effectiveness of control systems but recognize also the potential risks which may be negatively to ruin the organization. In addition, IA helps to assess the control mechanism to prevent or minimize all problems coming. As stated above about the function of IA monitoring, IA is the key member on control organization system which includes all supervision and secure measurement inside the company that is protect the asset, ensure the tasks accuracy and in accordance with the accounting system. These missions are original from the purpose to support object as well as to determine 14
compliance the accepted criteria range and all current condition requested by all policies, regulations, and laws. In summary, the internal auditing is the helpful tool to control and assess the possibility of organization running. It plays an important role to ensure the company running more smoothly, efficiently and economically. Furthermore, it is capable of the acceptance of all managing regulations. It also ensures that the internal control system works well to prevent all error coming as well as to identify any fraud and unexpected mistakes. Provided the assurance on risk management and controlling the governance running within an organization, IA is truly the must- have tool which all organization must apply. 2.2.2 Role of Internal Audit in Vietnam
If the audit independence was in Vietnam for 19 years ago, the concept of internal audit has not gaining popularity with administrators in 1997. However, the requirements of the WTO, the growth of the securities market and the administrators scandal at a huge number of state-owned enterprises nearby showed the necessity of internal auditing in the business career. Whenever, the development of internal audit in financial Frauds at WorldCom and Enron Company (U.S.) in the years 2000-2001, especially as the U.S. Sarbanes-Oxley act was born in 2002. This law provides for companies listed on the U.S. stock market statements on the effectiveness of internal control system of the company. While the activities of the independent Auditor limited to the examination of financial statements (the degree of honesty and fair), the operation of the internal audit is not limited in scope in whatever firm, from buying, production, and business of the managements, the financial and human resources, Information Technology. 15
The purpose of the internal audit is the management of the enterprise that is rather than external partners. Moreover, the internal audit is not only the poor assessment of management systems, but also assesses the risks both within the outside of the company. The internal Audit can bring many benefits businesses as well as a tool for improving detection and the weaknesses of the business management systems. In addition, the board of Directors and the broad can control and manage operational risk better when the size and complexity of the business beyond the direct control of businesses. The internal audit as ears, eyes to the broad of the directors, this is increases shareholders confidence in the quality management and internal controls of business value. An auditor will increase the confidence of the shareholders and investors in the stock market of management system. The statistics show that the companys worldwide internal audit department is usually timely reporting, financial reporting transparency and accuracy, the ability of business fraud and ultimately lower efficiency business is higher than companies without the internal audit department. However, the fact that firms are not always see all of the benefits and measures to realize the benefits. Moreover, the internal audit role given to ensure internal audit will provide the service while ensuring that the internal systems of organizations and enterprises. In the market economy with the competition, the companies are geared towards multiple targets at once, the encompassing the array management, economics, business ethics, social and environmental internal control, etcshould have the skills and the experience to provide the guarantee for the enterprise of their business that operating effectively to achieve for the objective. 16
This is related to the processes outlined. The internal audit and evaluation guideline risk management culture of a business, they consider and report on the effectiveness of the implementation of management policies based on the results of that audit, which are recommendations to improve the department. The internal audits in Vietnam are usually limited to the recommendations derived from the results of the inspection and control of concrete. A finite advisory function of the separate internal audit (including training) to be used in formal way, the internal audit cannot provide their counselling services within an enterprise. The independence between the advisory role and it has not been audited and questioned in the internal audit function. 2.2.3 Objective of Internal Auditing
After getting enough overview of IA, it is bet that the objective which IA covers must be caught clearly. The first function of IA is to ensure the practise run accurately. Secondly, it also provides the advanced tool to control all potential risks. And taking best advantage of all economy to run the business effectively is the last IA function. It might be said that with 3 main above function, IA has been distributing much more on the growth of each company in specific; and the whole society in general. 2.2.4 The Internal Auditors duty Based on the internal auditing processing, an internal audit is considered as a multiple procedure to identify the current procedure to meet up with the regulation available. And each auditors need to well-equip their knowledge in comparison criteria. Also they need to mix all related evidences up to fix well with the present condition. 17
Major roles and responsibilities of each auditor can be divided into two functions; one is for governance and second is for risk control. In the governance roles, auditors are supposed to do these tasks as below: Offer the recommendations to improve effectively the operation of organization Evaluate the regulatory compliance consultation from Legal Counsel Link the best connection between the Management Board and Auditing Committee Improve the tasks to develop in parallel with others within a certain organization Develop their specific skills by joining in its operation training Joint hand in against any anti-fraud programs In the risk control aspect, auditors are on the duty to do many important functions which can be listed mainly as follows: Provide the useful measurement to control risk as well as develop the governance system. Release the evaluation on risk exposures and information security Update the risk management report by monthly, quarterly and yearly. Release reporting internal control deficiencies to be identified directly to the Audit Committee Furthermore, the auditors are supposed to demonstrate their conclusion about the effectiveness of the proposed control system. Also they will focus much on the extent whether the current condition meet the required criteria or not. And then the results of their working and suggestion will be reported to all relevant parties to develop if the current ones are good; to improve if the current ones did not meet as well. 18
It is clear that the important responsibility of auditors is to evaluate, organize and run all procedure to determine the running within each origination to meet up organization's targets. By the information they provided, we can get the general view to evaluate the effectiveness as well as the quality of control system allocated tasks within each organization. The responsibilities of each auditor are scope all systems, functions, operations, processes, and activities within an organization. With above responsibilities, it might be said that an auditor is the key to both create and raise the good impression on the organization. For example, when the organization comes with bad reputation, auditor, of course, may not get the refusal and distrust from others. Therefore, how to raise their skill to maintain the good relations among all departments is truly important for each auditor. In the past, the internal auditor's role used to ensure the compliance. While now, its task is up-grading to the highest board to protect organization and get better control over the system. 2.2.5 Relationship between Internal Control and Internal Audit
People consider that the role of internal auditing is to bring the comprehensive evaluation report on the effectiveness of the internal control system. However, for someone, it is rather hard to link the term internal control with the responsibilities of internal auditing. By providing some good illustrations, such as no matching definition or detailed ranges of internal control which the internal auditing covers on each organization, they are still defending their view on this aspect. Whereas, majority consider that internal control is the proper way to cover all, instead of protecting assets, the reliability of financial records as well as avoiding any fraud might occur only. 19
It is typical to define that internal control works closely with the detailed checks and balances. But it is not enough, it also covers some elements, including, structure of organization, financial and operating report, planning report and training process. During the auditing, Internal Control is a process provides the effect on an entitys board of trustees, administration, and other staff. It is also regarded as the major tool to ensure actual supply associated with the following objectives: Commitment to the laws and regulations Proficiency and performance Consistency and accuracy of financial statements commitment assets Above all, the main role of internal control is to protect the asset, or to be far away from any financial loss. With this function, it has been contributing much on the consistency in financial reporting and adherence under the current laws and regulations. These components listed below might give you more detailed overview of internal control included. Risk assessment: All risks must be recognized, examined, and controlled to achieve its objectives. Monitoring: All processes, including the implementation and fixing procedure. They are under monitoring. Control environment: It covers the integrity, ethical values, and competence of the entity's people. Also it covers the foundation for all other components within internal control. 20
Control activities: It is conducted to ensure the right management direction by comprising policies, procedures, approvals, verifications, reconciliations, reassesses implementing, security process, and segregation of duties. Information and communication: With this function, it helps all information systems identified, captured, and communicated with related information in a form and timeframe that enables those to perform tasks and accountability maintenance for assets of the entity. In the way to point out the relationship between internal control and internal audit, it is truly short-coming if this part is not mentioned to internal audit. It is evaluated through adequacy of internal control system to perform by internal auditor members. Therefore, bringing internal audit and internal control together, the organization has been to apply internal control systems to reduce the risks of material misstatements in financial statements as well as to maintain the internal control system monitoring through internal audit function of the internal auditors. 2.3 The Relationship between Internal auditor and External Auditor
Both internal and external auditing is used to check up all activities within a certain organization and then make a detailed report showing all. To show better the relationship between them, the similarities and differences are might be mentioned. One point you should notice that external auditing is the action run by auditors who does not work within an organization. It focuses much on whether the organization's business activity fixed with the report run on this organizations own. Also it is considered if the book recording solutions were suitable with the generally accepted accounting practices. 21
With these function above of external auditing, the similarities between internal and external auditing can be clearer. Firstly, both track the method of organization conducting. Evaluating the fraud possibilities and then making comparison with the current regulations and laws are the second function which both external and internal auditing covers. AS sharing the same duties, it might be said that all auditors working each field are required the same training and qualifications. Also they need to equip themselves the update knowledge of accounting, finance and current business operating as well. It is clear that the name of each one shows their difference in details, one covers the internal business activities; while another covers the external ones. After acknowledged the basic overview of internal and external auditing, the relationship between them becomes easier to catch. The external and internal auditing performs the typical tasks to avoid redundancy and then cooperate all to make comparison. One of them is run for backup to make preventing plan not to be conquered among the use of various resources. And catching all record to take examine is the duty of ones to far away from redundancy. 2.4 Information Technology of Audit Information Technology is now distributing much on many social and economic fields, and of course auditing is covered by Information technology. The influence is called as the information technology audit to check up the management control by the information technology system. It came into the existence from the mid of 1960s with many changes to fix with any updates by offering the effective and comprehensive tool to control the assets, to maintain the data integrity without loss and to reach closer to the target set by each organization. And these reports are 22
cooperated with a financial statement audit, internal audit, or other form of attestation engagement to be more persuasive. However an IT auditing target is sharply different from a financial audit's one. Auditing is conducted to assess if the organization is constant with the standard accounting application. While IT audit is run to take measure the system's internal control design and its effectiveness; including, efficiency and security protocols, development processes, and IT governance or oversight. 2.4.1. The development of Information Technology of Auditing
The IT auditing is developed to offer the right answer to allow the internal auditors to analyse the information stored in the computer system. No longer do the auditors analyse the data by traditional way; the IT audit offer an innovative way help them ignore what happened to information as it was processed and stored. Therefore, each auditors need to equip more IT auditing skills and technical knowledge. 2.4.2. The standard of Information Technology of Auditing
Based on Standard 1210.A3, Internal auditors must have sufficient knowledge about the risks of information technology; controls and audit techniques based on technology available to perform their work. On the other hand, not all internal auditors are required degree of an internal auditors are responsible for auditing the related information technology. With this judgement, the knowledge of information technology auditing is one which each auditor needs to get full to take advantage its benefits. 23
2.4.3. The Importance of Information Technology of Auditing
To cover well all IT auditing importance, the benefits which IT auditing brings help us much. The first benefit is to ensure the good protection by IT system available. Secondly, it offers the proper information correctly to each users demand; for instance, the managing board need certain number while the marketing board need others - just by providing an order, they can get what they really want. Also bringing the proper management to gain the desired benefits is the third benefits which IT auditing offers. The final benefit of IT auditing is to reduce risks from incubation data, services interruptions, data loss or leakage, and weak management of IT systems. With these typical benefits, IT auditing is now playing an important function to well- control the financial as well as management system. 2.5. How Information Technology that affect the Internal Audit Process
2.5.1. Internal Audit in Computerized Information System Environment
The following factors were affected by IT auditing: High-speed: Information could be quickly resulted in the environment of CIS. The system of computer has capability to get information on complex report through different format. It could reduce time allowed auditors to expand their analysis and assessment with high-speed. Moreover, internal audits have many opportunities to advance its contents procedure; therefore, more evidence will get to ensure their opinions. Low-clerical errors: computer systems provide information without clerical errors. 24
Duty concentration: In CIS's environment, individuals could implement some types of work. It means that between individuals appears segregation of duties about complex task. Security can be increased. Thus, internal auditors need spending their time in focusing on the individual tasks. From outside main factors, the internal auditors should have plans about audit activities based on aspects below: Systems and applications: The major objective of the plan is to verify and evaluate systems and applications appropriate and effective in controlling guaranteed to bring compelling, relevant, and timely, protection input, and the production process as well as all levels of operations' system. Management of Institutional Architecture and IT: management IT has concentrated on organizational structure and procedure to secure system of environmental management and good organization to match with processing information. Facilities of processing information: The operation process is conducted to timely, accurate and well-organized during application system with the following situations as well as positions destruction. System development: All systems need to be developed in associated with the organization's mission and vision. So development must be completed to match with standards of system development Client/Server Intranets and Extranets Telecommunication: The entire network connections and servers mechanism are located appropriately to match with security at high level The internal control system in CIS's environment has a little special when compared to manual system because of different auditors. From this, internal auditors have to understand internal 25
control system of the CIS's environment to make audit plans and improve procedures of audit to perform functions of internal audit effectively and efficiently. 2.5.2. The computerized impact on internal auditing
As far as you could see, the auditing approach in CIS environment not only provides necessary skills, qualification; but the competence for internal auditor. Each internal auditor is well- equipped the specific skills running based on computer. It easily finds out the impacts of computerization on the internal audit. They can be listed as follows: It helps to make plan for the internal audit tests and then apply all results in practise. It can design the updated and proper internal audit activities computerised. It is taken advantage of reorganization on the risks of systems, applications, hardware and controls of the CIS. Its main duty is to assess and give detailed insight of the financial and internal controls based in computer. Also it is used to review the security measures of the CIS. Besides, these elements focus on the extent, nature and timing of the audit procedures performed by internal auditor: Potential to communicate requirements for expert work is needed Plan must be taken into account the level of computerization Auditors are expected to find a variety of controls in the manual system Evidences of the auditors hand may vary in form and they can be for limited time period 26
2.6 The Computer Assisted Audit Techniques (CAATS)
The Computer Assisted Audit Techniques (CATTs) are regarded as the tool relating to the applying of computer software in the auditing process automatically. It supports for an efficient and productive in working. Also auditors can make use of it to select the data they want as CATTs provides to do search abnormalities from data provided. In 1993, David Coderee gave the overview of how CATTs can focus automatically on audit functions within each organization. He also pointed out CATTs' benefits which can be applied in audit scheme and report; including, increasing auditing coverage; pushing up the integrations of audit skills, promoting better reliability, enhanced audit function independent from the information system, improve cost effectiveness for improving computerized techniques as well. 2.6.1 The oversight on IT risk
According to the statement of Linda M. Hadenas, the auditing committee acknowledged the audit participation in oversight IT risks to dimish the possibility of controlling failure related to IT. Also Jon Siltow for the claim that the interaction between internal audit and IT risks activities is made in processing routine work of auditors. He also recommends that the internal auditors should make sure that their organization plans to outline a scenario to confirm the sources of the data and its reliability as a result of instances rapidly changing IT environment. Moreover, how to deal with the potential technology risk is difficult as the organization is required to predict the problems in the complex environments. Auditors responsibility is to concern much on the risk associated with the sector to support their organizations critical system check and make sure the business activities operate efficiently. 27
Internal auditor with full awareness can prevent the attacker, and ensure implementation of decisions on accurate information and appropriate information as well as maintaining all IT risks at minimum level. 2.6.2 Information technology risks to an organization
In this part, it is scope with some potential information technology risks which might occur within an organization. There are 3 main types of risk, inherent risk, Specific risk and technological risk. Inherent risk is defined as the risk that exists naturally in a business or specific situations Specific risk is the risk derived from a place or method of operation of a particular function Technological risk is the risk of use of technology to response for enterprise objectives. To find out these above risks, we can base on these criteria below: The shortcomings and unintentional errors in the processing stage; unauthorized disclosure, modification, and cancellation of information whether intentionally or unintentionally; Disruptions in processing as a result of natural and artificial disasters; Failing to concerns as well as actively in the implementation and operation of the IT systems
28
2.7 Benefits of IT control framework
IT control framework has two types, including the internal controls of the CICA Canadian Institute guide-line internal control guidelines and COBIT the objectives control for information and related Technologies. Each organization can use IT control framework. It gives better alignment which is based on a centralized enterprise security technology. Besides, it is easy to understand IT's views to manage. IT's control framework implements responsibilities and clear ownership. Understandings are shared among stakeholders by common language. Moreover, it presents a wide range acceptable to authorities and third parties. Furthermore, it provides an implementation of the requirements COSO/COCO for IT's environment. COSO (Committee of Sponsoring Organizations of Tread way Commission) is known as a joint initiative five private sector organizations in the United States. It established to provide leadership's thought to framework development and guidance on key factors of internal control, business ethics and organizational management, risk management, financial reports and fraud deterrence. It has formed common model of internal control is not favourable for organizations to evaluate the system. COCO (Criteria of Control) established in COSO. It is published by the Canadian Institute. It referred internal control as action to boost all best outcomes for organizations, the elements such as resources, processes, systems, structure, and culture. It performs tasks to help for achieving organization's objectives. This model concentrates on specific factors of internal control, including ability, purposes, participation and supervision. 29
2.7.1 CICAs internal control guideline
CICA is established in 1998 by the Canadian Institute of Chartered Accountants. CICA's internal control guideline is assessed as a useful reference sources for IT's control with best practice. It includes in seven sections in risk discussion and control which are related. In the first section, the responsibility is provided for control and risk management. In the second section, it related to plans of IT. The development, acquisition and maintenance of IS are provided in the third section. And computer operation and information system support are mentioned clearly on the forth section. The fifth section is shown the security of IT. The sixth section is making plans not only for business continuity but also for recovery of information technology. And application based controls are finally shown in the last section the seventh section. 2.7.2 COBIT-control objectives for information and related technology
The experiencing of many years and has been integrated into useful management methods, so far the world has some common management practices such as ITIL, COBIT, ISO17799 / ISO27001, CMMi, COSO, PMBOX. Among them, COBIT, is one of these methods, though still quite alien to Vietnam, but this method has many advantages Vietnam, especially the wide application, suitable for many organizations, and business. COBIT methodology and is currently the leading method of choice of most organizations and enterprises worldwide. However, the managers must be equipped with a method of evaluation and management information systems of your business. A good method to evaluate management and information system of good business, determine the current position and the goal of business is necessary to ensure success will be better 30
CHAPTER III: METHODOLOGY 3.1 Research Problem
In the literature review, the researchers collect, review and discuss research and theory related to the topic of the impact of information technology on the role of internal auditing. Depending on the literature review in Chapter II, we can see that awareness and understanding of the role of internal audit and its importance varies from country to country. That is why the study was done in Vietnam will be the main source of reference for researchers. This chapter provides a description of the methods that researchers use to collect data and achieve the goal of my research. 3.1.1 Aim of the research The purpose of the study is to summarize what will be achieved upon completion of the supported readers to appreciate the applications of the information technology on internal audit. Besides, it is analyze the role of the internal auditors through an information technology system. Normally that is sharing the goals of making the overall goals and specific objectives. The overall objective is to achieve a general way. However, the specifically targets including smaller portions and have contact with each other and with the overall objectives reasonably. In conducting the research necessary to develop research goals to help the research topic is focused and avoids collecting unnecessary information to solve problems. In addition, the construction of specific objectives will help to design studies by research organizations goals into sections or stages defined. 31
3.2 The objective of research The prior to collecting information and proper data, researchers are responsible for clearly defined objectives of this research so that they can read to understand the purpose of the study purpose. In this research, the target of this research is analyze the effect of IT on the role internal auditing ,the consistent with internal auditors perform auditing tasks and minimize the risk of organization and suggest a specific role of internal audit, the skills and capabilities necessary for audit-related IT. 3.3 Research Methodology
To carry out the researchers, the primary data is the most significant establishments for the researchers because of the limitations in these available secondary data in Viet Nam. Distribution of the surveys to the targeted people is the way the researchers use for collecting the raw data that is required. The concepts of internal auditing, Information Technology and the role of internal auditing are importance in Viet Nam that is rather new for almost of Vietnamese. Therefore, there are only few studies and researches have been performed on these thread. The researchers are conducted in several scales: from local or a small scale to the large or even national scale. However, with this research, the researchers conducted surveys only of 60 auditors in the office a securities firms in Hanoi, Viet Nam. This is because of the limitation in time and costing. However, the primary data is not sufficient for researcher to analyzing and offer a logical conclusion. There are many secondary data within the time limit of these journals, researches and studies written by many researchers all over the world and in Viet Nam being used by the researcher. The data is established and existing data have added a lot to researchers knowledge. 32
They provide of the researchers fundamental understanding about the subject of the impact IT into the role on the internal audit, its importance for investors and other associated these concepts. In addition, the advances in information technology of the researchers can get electronic-journals, online newspaper and electronic-books for references and current internal audit-related issues. They also help the researcher to create the ideas and construction the structure of the research. 3.4 Data Sources Data sources is one of the significant stages is extremely important for the research of social and economic. However, the data source often takes much more time, the effort and expense. Therefore, I need to understand the data sources methods that to choose from including the appropriate method in order to support the research objective in this study. The data source includes primary and secondary data. The difference between secondary and primary data is available that the secondary data is readily available and the available to the public through publications, newspapers and magazines during these primary data is collected directly by the researchers through an experiment, surveys, questionnaires asked, focus groups discussions, interviews and taking measurements. 3.4.1 Primary data The primary data is data that researchers collect in the market data directly in source and process it for their research. The sources of primary data is the most important type of data, it is the unprocessed data, gathering for the first time, and collection straight from totality of researchers unit through all statistics investigations. The requested primary data is researchers, though the data gathered is generally more intricate and more costly. There are various methods of 33
collecting the primary data. The data gathering for an investigation, and the researcher usually use a variety of methods to work together to achieve the desired the effect. The following are the commonly used techniques of primary data into two main methods of Qualitative and Quantitative below: The Qualitative of the primary data: Focus group interviews and consumer panel (in depth) Gather a group people, especially since the target market of Auditing company and they have a guide in testing a product and ask their opinion about the impact of information technology in internal audit role, this method is used primarily to determine whether the important impact that will be acceptable in the target market The Quantitative of the primary data: The surveys (home includes personal interview, mail intercept, in home, telephone, mail survey, online includes in internet or an email) disvervation (personal or mechanical) and questionnaires: Both methods are popular means of data collection and it can reach a large number of people, however they need to be designed and reedited several times to make them acceptable to the people. I printed out the copies to give them out to people; the questionnaire is one of the best options to assemble the information needed to connect to the impact of information technology on the role of internal auditing. Using the questionnaires as research tools is inexpensive among others. Specifically, researchers used questionnaires to research in this study. Questionnaires can 34
facilitate researchers to collect a lot of information and data relevant to this study. In this Quantitative of primary data we have: Observation: the observations are recorded method that can be control the events; the behaviour of human beings. This method is commonly used associated with another method to cross-check the accuracy of the data obtained. The observations are the most of a simplest method to study the data and will not pay more cost for another method. Everything is simply being aware of the behaviour of people towards the products and services. The collect of data can be difficult and can take a long time to finish, however at the end of research time that I have the necessary information. Interview: there are three different ways to conduct interviews, and they are: The face-to-face includes in diversities in quantitative type: the interviews could be conducted by question and answer sessions with some people. Ask people on the street, going from door to door to collect the information, or to make an appointment with a specialist The web based interviews: on the other hand when I use the internet to gather information, so I will not have to field it. This is second method is less costly and more convenient to use The telephone interview: this method is quite similar to the face-to-face interview; however they are shorter than the organized. I can also send a letter to inform people that they are interviewed before they are looking forward to my call.
35
3.4.2 Secondary data Secondary data is data derived from the primary data has been analyzed, explained and discussed. The source data has been collected and processed for certain goals. It is the market researchers use for their research and it often used the documents for research and the methods to collect the data. The secondary data is including the type of text documents such as: expense reports, sales, and articles in magazines, daily newspapers, and internet. There are also other documents are recording documents, video recordings, and television programs. Additionally, the secondary data is based on survey data are collected by using surveys strategy that they often use the questions are analyzed for their original purpose. The secondary data collected through the surveys, those are three types of survey strategy, such as: a statistical survey, survey continuous and special survey (for example of special survey in Vietnam is the investigation of the activities of audit firms operating in our country in December 1, 2009). There are some advantages and disadvantages in the secondary data can be shown in table below: Advantages Disadvantages Save time, money, effort than the collecting primary data Secondary data is something that rating fit within the framework of the elements of market research It helps to make the data collection more specifically since the help of secondary data, we can make out the flaws and shortcoming The accuracy of secondary data is not known It helps improve the understanding of this issue The synthesis and definitions may not match The Uniformity of data Data maybe outdated Table 1- table of advantages and disadvantages of secondary data In addition the second data are data that has been collected for the purposes; on the other hand these data are may be placed quickly and inexpensively. Secondary data is data released by a 36
different that since a physical in which the originally collected and published data. Secondary data provide a general overview of the concepts involved. In this dissertation secondary data is collected from research studies written by many authors in different country. The secondary data consists of two types of data: internal data sources (it is includes the ready to use and requires further processing), and external data sources (it is includes the published material, computerized databases and syndicate data services). The internal data source includes data gathered in companies, for example: financial report, and another reports. The external data sources from the outside of the company. The sources can be from records, books, biographies, newspapers, journals or database magazines, and websites. Through my research and survey to experiment with both methods to make the decision to choose more effective methods, I found that both methods have advantages and disadvantages very difference of opinion. The following is a table summary of my thoughts on the primary data and secondary data. In addition, the secondary data that will help me save money and time. However, I still want to experience the collection of primary data, because the primary data collection to help me feel more self-confident in communicating and appreciating in questionnaire to the auditors and managers. Whenever, the characteristics of both methods are really clearly to find the different that what is method can be make more effective. In my opinion, I will summary the characteristics of both methods in the following table below: Characteristics Primary Data Secondary Data
The consistencies of research objective High Low
The existences High Low
37
The reliability High Low
The revise(update information) High Low
The economical (collection cost) Low High
To collecting information Slow Fast
Table 2-table of characteristics of primary data and secondary data 3.5 Research Tools In my research of this thesis, I used the data to found the result of my questionnaires survey online. My survey of number is 60 address email of people who is auditors and managers that I found this email address in the website of AASC Auditing Firm Company Limited (abbreviation: AASC Auditing Firm) since 1991-, changing its name from Accounting and Auditing Financial Consultancy Company Limited A member of HLB International in Vietnam A world-wide network of independent accounting firms and business advisers. AASC Auditing Firm is one of two first and largest Vietnamese legal organizations in Vietnam operating in the field of auditing, accounting, tax and financial consultancy, business evaluation. AASC now is head office in 01 Le Phung Hieu, Hoan Kiem district, Hanoi, with a branch in Ho Chi Minh City and a representative office in Quang Ninh also. I had 3 weeks to send the questionnaires of impact of information technology in to internal audit role for all auditors and other managers in AASC Company. 3.5.1 Types of Survey
The survey can be divided into two types: questionnaires and interviews. Moreover, the questionnaires are used paper and pencil instruments often that the complete answer. Although 38
the interview was completed by the interviewer based on said application, and its hard to tell the difference between the questionnaire and interviews. For example: some people think that the question is always asked closed ended short interview while always ask people to expand. However they will find the questions with open ended questions although they tend to be shorter than interviews and they will usually be a series of closed ended questions asked in an interview. There are many survey methods of research; survey is one of many research methods, for example: documentary research (survey through literature), experiments laboratory (experimental), action research, case studies, field experiments (experimental), field work (participant observation and ethnography), simulation, or in-depth interviews. Survey is a way to collect and analyze data through the survey respondents to answer the questions of statements of prepared. The survey differs from the data collection method, to ensure the results are accurate (valid), strict adherences to survey design process, construction and distribution of the questionnaire. In addition, two terms of questionnaire and survey is used to refer to the same thing, however, there are important differences between two concepts: survey is a process and questionnaire of the survey tool. There are two types of survey: Survey fill in self administered questionnaires: the questionnaire presented to participants in a survey identical. The purpose of the interview is not repeated, in order to quantify and compared In-depth interviews: this is a qualitative research method in which researchers asked the question open-ended and record the respondents answer. 39
In-depth interview is different from interview survey in which they are less structured. In the interview survey, the question was rigid structure-all questions must be asked in order. In the same way, and the only choice answers can be determined to out in-depth qualitative interview. The researchers used the questionnaire to send online to replies all of internal auditing units. The using of online questionnaires to help the researchers to saves time and money. Moreover, through the internet, the researchers have also create conditions multiple programs order to prevent return of not be comprehensive questions. 3.5.2 Questionnaires The questionnaire is a used tool in quantitative research to gather information about a certain issue from many different objects. If someones get a good result they must necessarily to have a complete the questionnaire and real science as well as the respondents to understand and answer the problem correctly. In accordance with the wishes of the survey and to do that we first have to know how to design a good questionnaire for satisfy the above requirements. Moreover, the questionnaire design requires a careful thought process; the questionnaires have scientific structure, brief, concise and simple. A long questionnaire will make the reader feel tired and they are not wanted to answer in the first time. The beginnings for all questionnaires research of an introductory paragraph are the purpose of the investigation and the general guidelines. The questionnaires should be arranged in order from easy to difficult. It often when we use three types of questions: questions allowed respondents may have other options; questions closed/opened and answer the questions that people have to write your own opinions. Here is the general concept that summarizes my opinion after reading 40
the references, the questionnaires was used to interview tool, to ask questions and gather the necessary information. The questionnaire includes questions were prepared through a rigorous process. It is used both in the two case studies on the structure and unstructured. The questionnaire survey tool is most commonly used to collect information from many people and questionnaires can be combined with many different techniques. The number of questions depends on how much research content. That is because the questionnaire was based on the psychological principles and these principles are the foundation for human behaviour. There are two objectives in the design of a questionnaire: The optimize the balance of the theme answers To discover the correct information for our investigation. When all most people think about the questionnaires, they think of the mail survey. All of us, at one time or another, received a questionnaires in the mail. There are many advantages to the survey by mail. They are relatively inexpensive to administer. You can send the exact same tool for a large number of people. They allow respondents fill their own convenience. But there are some disadvantages as well. The response rates from the mail surveys are often very low and the email questions are not the best means to request a written reply in detail. The data of collection approach is the application of the primary and the secondary data. The questionnaire is proficient means to collect the responses from a large sample. The questionnaires must be asked with the best expansion to provide any accurate information indispensable to get answers from the respondents about the validity of data collected. The questionnaires are used to ensure that the information collected to support the goal of completing this research. The researcher made the questionnaires with the aim of making convenient for 41
respondents. By using the questionnaire is the best way to get relevant information in support of this research. There are four parts of questionnaires in this research: Part I: The questionnaire of software and hardware tools to support audit process through the application of IT to internal audit Part II: The questionnaire of the role of internal audit with the skills and competences needed by IT applications Part III: The questionnaire of audit tasks and minimize organizational risk through the application of IT to internal audit Part IV: The questionnaire about the rules available for internal audit best practices through the application of IT Also, the questionnaire surrounded with "Likert Scale" in the study. People were asked to mark their agreement with each of twenty questions. Likert Scale is a scale that is used psychological questionnaires. It is one of the widely approach to assemble the scale of the study. Respondents could choose from a five-point scale ranged from "strongly disagree" to "strongly agree Likert scale format in.: Strongly disagree Disagree Neutral Agree Strongly agree
42
3.6 Sampling In fact, the research is focused on collecting and cognitive the understanding of individual investors in Vietnam on the topic. Wherever, the research is an implementation of the audit firm and the bank is headquartered in Hanoi, Vietnam. Moreover, the auditors of an AASC auditors company are chosen as the subject for the research. There are many directors who represent this companys need to help of auditors in this company. The randomly selected sample of investors will have to n = 60. Since the investors there are mainly the middle-aged; therefore, the researchers were able to produce results in limited number and this aspect should not be considered as the entire population of Viet Nam. Due to the advantage of geography, the period of distribution and collection questionnaires was conducted in about three weeks from August 19, 2013 to September 03, 2013, that is the long period of time. This is longer than the anticipated, due to of the long holiday during that period. Because the target of the research is inspecting the understanding of information technology importance on the internal audit role of auditors in Viet Nam; the researcher does not use professional software such as SPSS. The result of the research is calculated arithmetic means and standard deviations of each question with Microsoft Excel software. 3.7 Limitation of the study Limitations of this research are that it is through conventional approaches as opposed to the research methodology more proactive and intensive research to show any practical meanings to the auditors generally. Spite of the fact that important things to note that there is no common patterns for technological tools applied to all institutions, it is also important to get out the growing dependence on technology to accomplish or assistance virtually all audit operations. 43
The researchers stress limits are common in standard documentation and a key research question is how to associate the risk of emerging technology in shaping the business drivers, and the method and auditing techniques. In addition, the language used in the study is one of the barriers to the researchers for the reason that not all respondents are good knowledge of English.
44
CHAPTER IV: ANALYSIS AND DISCUSSION 4.1 General analysis
In this chapter, data and information which are collected in the working process would be explained. In this study, the researcher uses primary data through questionnaires to get information. All questionnaires sent to 60 Vietnamese individual auditors through email address at AASC Company in Hanoi, Vietnam. But only 58 questionnaires were received their answers. It means that 2 questionnaires sent to wrong email address. The percentage of respondents can be shown in table below: Sample Successfully sent Number of Respond % Respondents Rate 100 60 58 96.66666667 Table 3-table of percentage of respondents rate 4.1.1 Gender
Gender Frequency Percent Male 30 51.72% Female 28 48.28% Total 58 100.00% Table 4-table of percentage of gender Based on the table above, the percentage of male answered the surveys made up more than female. Male accounted for 51.72% of whole sample and female is 48.28%. In spite of good ideas for study, but it does not make clear purpose of this research. 45
4.2 Analysis responses related to software and hardware tools assist to audit process through the application of IT to internal audit and discussion In Appendix A, questions about assist audit process through application of IT such as hardware and software tools of internal audit are mentioned. Based on Figure 1 below, it shows questions' results: Questions Strongly disagree Disagree Neutral Agree Strongly agree Total Respondents Question 1 5 2 27 14 10 58 Question 2 1 3 9 23 22 58 Question 3 1 2 8 20 27 58 Question 4 3 7 15 17 16 58 Question 5 0 1 5 30 22 58 Question 6 0 1 3 33 21 58 Figure 1: answers of the respondents regarding the role of the internal auditor with the necessary skills and competencies through the application of IT
According to Figure 1, the percentage of these responses is shown in Figure 2 below: Questions Total Respondents Strongly disagree Disagree Neutral Agree Strongly agree Total Question 1 58 9% 3% 47% 24% 17% 100% Question 2 58 2% 5% 15% 40% 38% 100% Question 3 58 2% 3% 14% 34% 47% 100% Question 4 58 5% 12% 26% 29% 28% 100% Question 5 58 0% 2% 8% 52% 38% 100% Question 6 58 0% 2% 5% 57% 36% 100% Figure 2: percentage of responses regarding the role of internal audit with skills required and capabilities passed information technology application 46
From Figure 2 above, there have 58 auditors as well as managers sent answers to my e-mail. The percentage of people answered the questions expressed through 5 levels. Each question has different rate of answers. In the first question, the percentage of people chooses Neutral accounted for 47% out of 100%. The auditors and managers think that technology features affect large internal audit with usefulness and easy to use at moderate level. Besides, the percentage of Agree and Strongly Agree accounted higher at 24% and 17% while Disagree and Strongly Disagree was 3% and 9%. The second question asked about assumes of auditors and managers that the CAATs can be used by internal auditors in financial performance to achieve efficiency, effectiveness and quality of the audit. It is more difficult to answer because it requires auditors and managers think carefully. In Figure 2, the percentage of Agree and Strongly Agree is higher at 40% and 38%. Average accounted for 15%. The percentage of Disagree and Strongly Disagree only made up 5% and 2%. It means that the CAATs have been used very much for auditors' benefits. Moreover, the implementation brought effectiveness and get auditors' appreciation. In the third question, it mentioned benefits which CAATs can bring to organization. The question is do you think CAATs can assist internal auditors in making consulting and supporting services, benefits for the organization. The percentage of Agree and Strongly Agree accounted for very high was 34% and 47%. Neutral was at 14%. Total percentage of Disagree and Strongly Disagree only made up 5%. In the fourth question, it related to an auditor when using electronic mail and file transfer software which are tools to transmit information, share data and get in touch with businesses. 47
The percentage of Disagree and Strongly Disagree accounted for small rate was 12% and 5%. It means they do not believe in effectiveness. It can due to power outages, cut cable, wireless lost or error in electronic mailbox. On the other hand, the total percentage rate of Agree and Strongly Agree accounted for 57%. The result at average is 26%. It means that the auditors and the managers of AASC companies use e-mail software helpful and effective. In the fifth question, the question mentioned to the auditors and managers can assess the ability to automate paperwork and allow auditors to manage, organize, link and locate documents, spreadsheet, and graph easily. It is proved through the result that the total percentage of Agree and Strongly Agree accounted for 90% while the percentage of Disagree and Strongly Disagree were 2% and 0%. Besides, Neutral is only 8%. The last question shows the percentage of people believe in the effectiveness of control internal audit through the Internet, LAN, WAN, intranet and wireless network connections. Neutral is 5%. Total percentage of Disagree and Strongly Disagree is 2%. On the other hand, the percentage of Agree and Strongly Agree accounted for 57% and 36%. It means that more and more people believe in the effectiveness of control internal audit. 4.2.1 Discussion of software and hardware tools to support the audit process through the application of IT to internal audit The result of the experts needed software to support growing the internal audit is by the software. Audit tools are becoming more influential and complex. It is also developing a more simply to understand and apply. On the other hand, the audit tools are required to account for the complex and constantly changing environment. The features software testing and software features are 48
create a conflict on the computer and the network as well. Therefore, the auditing tools must be carefully managed. Auditors can use the software with the features and services that provide direct a lot of system resources such as memory, processor cycles, communication bandwidth and storage. 4.2.1.1 The application of CAATs The Elliott in 1994 said that the way within the organization and function of interacting with external organizations significantly altered by the application of IT. According to Anderson (ROIA, 2003, p. 115), the IT changes required to increase the information security, computer systems with security, quality assurance activities, and control of the privacy of data. Moreover, fierce competition in market leads to increased productivity cost effectiveness, and other requirements. In the expectation and pressure, the internal auditors are required to provide a wide range of detection risk for the organization. To meet these requirements, internal auditors can use to increase the CATTs audit activities with effectively and efficiently. 4.2.1.2 Audit electronic reporting Provide automated auditing tools to connect job performed in auditors assessments of the information collected and the information used in audit report. Through the use of audit tools, audit reports can present the information to be made by individual auditors. It supports the auditor to monitor the situation does not get out of the full project audit. These reports allow supervisor to focus on the process of auditing that the problem and the resources for the department in the following schedule. The audit report has links to spreadsheets, documents, graphs, and other documents will be updated automatically when data changes. 49
4.2.1.3 The use of electronic ecommerce and internet security Electronic ecommerce via internet e-mail is to develop new technologies. In recent years, it has grown faster and faster. Most organizations are adopting Business-to-Business (B2B) and Business-to-Consumer (B2C) the electronic commerce system through internet tools. The opportunity and fierce competition in the business is the driving force for this growth. The faster development of electronic ecommerce may be creating problems. The Internet makes it possible for communication via email. Email became popular in modern life. Its become standard for improving speed. It is also a reaction to most organizations. Equivalent to the Internet, browse this website and also set a standard for organization information. However, the availability also leads to risk. Connection information can be generated. The Internet, public networks and other organizations related to customers, suppliers, and business partners. As a result, the connection information risks appear outside. Information technology deals with the organization became a part of the information infrastructure in the global modern day life. The organizations are obliged to assemble information infrastructure to high standard. There are weakness existing components in the infrastructure. Therefore, it can be placed at risk the organization. Accordingly, the involvement of auditors situation provides security and operating system information associated with the internet. The electronic commerce tools auditor is emerging tools. Thus, almost auditors apply the tools and information professional security and system administrators to assess the development of security features through the operating system, virus protection system, firewalls, intrusion detection systems, and many more under development. 50
The electronic commerce tools, including encryption, the public key infrastructure, and correlates. What could make the release and certification of the encryption keys as well as related services? Another feature of the business activities through the Internet is to get the services of trusted agents while ensuring an applicable agreement and privacy protection. System, network, and operations support for the assessment of major public infrastructure, certification authority concerned, and the third group features beyond the capabilities of most auditors number now. Auditors are required to complete a problem-solving expertise of electronic commerce systems, controllers, and ensuring the security audit. These include the auditor is a leader in the implementation of electronic commerce systems for the internet and working organization. The organization here is the bank and the relevant provider assoc credit card, financial institutions, processing units and large manufacturing organizations. The organizations involved in electronic B2B and B2C, the leading provider of technology and similar institutions in advanced. 4.3 Analysis responses related to role of internal auditor with necessary skills and competencies through the application of IT and discussion In Appendix B, questions mention to role of internal auditor with necessary skills and competencies through applying IT. Based on Figure 3 below, it shows questions' results: Questions Strongly disagree Disagree Neutral Agree Strongly agree Total Respondents Question 1 2 2 8 34 12 58 Question 2 0 0 3 44 11 58 Question 3 2 0 0 30 26 58 Question 4 0 0 2 27 29 58 Figure 3: answers of the respondents regarding the role of the internal auditor with the necessary skills and competencies through the application of IT
51
From the Figure 3, the percentage of responses is calculated in Figure 4 below: Questions Total Respondents Strongly disagree Disagree Neutral Agree Strongly agree Total Question 1 58 3% 3% 14% 59% 21% 100% Question 2 58 0% 0% 5% 76% 19% 100% Question 3 58 3% 0% 0% 52% 45% 100% Question 4 58 0% 0% 3% 47% 50% 100% Figure 4: percentage of responses related to the role of internal audit with the necessary skills and competencies through the application of IT In Appendix B, through the statistics I got, there are 4 questions about reaction analysis for role of internal audit based on necessary skills and efforts through applying IT. In the first question, the questions sent to the auditors and managers to ask their thoughts about problems of internal audit is modified in a positive trend by using network security, e-commerce and email. The numbers of people Strongly Agree and Agree accounted for higher proportion at 21% and 59%. Furthermore, when an auditor may use network security and e-commerce will not only provide benefits and cost time savings but also help to be safe and reliable. Moreover, Neutral is at 14%. That is some people think that it will bring benefits by using network. By thoughts that did not receive benefits when using network, the number of people Strongly Disagree and Disagree only made up 6%. In the second question, this question is a bit more complex towards auditors and managers, it asked their opinion about expanding knowledge and skills to acquire proficiency, efficiency and quality of service is important for internal audit. The numbers of people Agree and Strongly Agree made up highest proportion are 95%. It means that they believe in advanced technology, 52
social development, changes and improvement are always needed. Besides, Neutral is only 5%. Surprisingly, no one chooses Disagree and Strongly Disagree. In the third question, the question asked knowledge expansion about IT risks, controls and necessary skills can be achieved. The number of people Agree and Strongly Agree made up high proportion are at 52% and 45%. The auditors should have knowledge expansion to solve when they meet problems. Moreover, they will not be confused to solve problems when applying IT. Total people Disagree and Strongly Disagree are only 3%. In the last question, it is a very close question which related to auditors' work, they think that internal auditors need to advance internal controls to help identify weaknesses and expand effective solutions. This is the real question without annotation and notes. The total percentage of people Agree and Strongly Agree accounted for 97%. Neutral is at 3%. No one chooses Disagree and Strongly Disagree. It means that it is important for auditors to develop internal controls. 4.3.1 Discussion role of internal auditor with necessary skills and competencies through the application of IT IIA Standard 1210.A3 proposes that contain is the internal auditors should aware of the general risk of key information technology and control engineering technology-based audit can be achieved. Also, 122.A2 standard stipulates that all internal auditors are required to perform in accordance with the professional care through the use of CAATTs. To accommodate the growing IT environment, change addresses the role of continuous auditing skills and local knowledge is essential. The skills and knowledge of the internal auditor is advanced with the changing demands of the business processes to implement the financial 53
information and audit evidence in electronic forms (Rezaee et al., 2001). To be consistent with the management audit standards in 2030, the internal audit resources suitable, adequate and effective organization to achieve the approved plan. 4.4 Analysis responses related audit tasks and diminish organization risks through the application of IT to internal audit and discussion
In appendix C, I got the results for these questions in Figure 5 below: Questions Strongly disagree Disagree Neutral Agree Strongly agree Total Respondents Question 1 0 0 2 21 35 58 Question 2 0 1 3 31 23 58 Question3 2 2 4 30 20 58 Question 4 0 1 7 25 25 58 Question 5 5 0 8 18 27 58 Figures 5 - answers of the respondents related audit tasks and reduce organizational risk through the application of IT to internal audit From Figure 5, in Figure 6 below shows the percentage of respondents: Questions Total Respondents Strongly disagree Disagree Neutral Agree Strongly agree Total Question 1 58 0% 0% 3% 37% 60% 100% Question 2 58 0% 2% 5% 53% 40% 100% Question3 58 3% 3% 7% 52% 35% 100% Question 4 58 0% 2% 12% 43% 43% 100% Question 5 58 9% 0% 14% 31% 46% 100% Figure 6-response rate audit related tasks and reduce organizational risk through the application of IT to internal audit There are five questions from easy to difficult levels, it stated respondent's opinions about responsibilities of audit organization and reduce risk by applying IT. These questions is easier to 54
answer, but the survey required knowledge as well as experience when they use IT and identify high or low risk that they suggest. In the first questions, the question for auditors and the managers ask their thoughts and assessment for function of internal audit such as fraud investigation, risks determination, advices for risk management and process improvement. The proportion chooses Strongly Agree and Agree accounted for 97%. Neutral made up 3%. No one answers other choices. This leads to auditors' thoughts and assessment are necessary for function of internal audit. In the second question, the internal audit is considered as to identify clearly risk of information systems by computer. The answer is a difficult form and need time to think carefully before choosing. The proportion of respondents Strongly Agree and Agree are 93%. Moreover, 5% of people choose Neutral. Total people choose Disagree and Strongly Disagree are only 2 percent. It means that identifying clearly risk is important for any internal audit. In the third question, the question match with content of the internal audit is to focus on risk capital and controls as well as evaluation of auditors and managers. The total proportion Strongly Agree and Agree are 87%. Percentage of average level made up 7%. Strongly Disagree and Disagree only accounted for small percentage at 6%. In the same as question series, the fourth question asked for auditors should have experience for suitable controls to manage risk in different environments. This question is very easy, therefore the auditors and managers does not take too much time to think. Based on the results, the total percentage of people Strongly Agree and Agree accounted for 76%. At average, the proportion is only at 12 percent and only 2% of people Disagree and Strongly Disagree. 55
One last question, this question asked about internal auditors must understand details about risks related to operations and contribute to assess risk in the field of activity. Through results of survey, the choice of Strongly Agree and Agree are totally 77%. Neutral made up 14%. Only 9% of people choose Strongly Disagree and Disagree. This leads to the auditors need to understand risks and find out solutions to prevent damages in business 4.4.1 Discussion audit tasks and reduce organizational risk through the application of IT to internal audit
Scope and develop audit objectives have been identified to assess areas indicate the greatest risk to the organization. Auditors must risk measurement, risk management and seeks contact with management to ensure reliability of the observed risk when risk management is not an appropriate process management. Measuring risk is an iterative process. Risk measurement results necessary to keep the smooth implementation of the progress of the references and updating of auditors through audit next project. The elements of risk analysis are a list of auditors that risks due to management, the auditors added. The next step requires the evaluation of the probability of exposure derived from the risk and intangible costs. For that reason, auditors uses the tools of information technology as easy as spreadsheets, databases, or prevent more complex systems can be attached to a system of management audit integrated. Risk assessment of audit firms must be connected to whatever management methods and tools used. In addition, risk assessment and management should be a general consensus to provide guarantees on effective communication of goals, priorities, and audit scope. 56
According Allgrini and D' Onza (2003), relating to the internal auditor in assessing risk management organizational structure includes accounts identify risk factors and to verify the level of risk acceptable as part of the organizations risk assessment. 2110.A1 standard that internal audit should examine and evaluate the risk management system of the organization is effective and efficient . 2110. A2 standards, this is an assessment of risks related to the consistency and reliability of information, performance and operational efficiency, ensuring assets, and compliance. Therefore, internal auditors are supposed to understand how important sources of risk that affect IT organizations. Internal Audit is responsible to ensure the level of governance in the management of the Audit Committee and Board of Directors. It understands the acceptable risk management has the potential to transfer to the board members. There are a number of effective governance and management when operating without a clear understanding of risk management within the organization. First, risk decisions can be created at all levels of the organization. It is less satisfactory to understand and to ensure accountability of the potential consequences of risk acceptance. Next, decide the risk may not be appropriate to inform management and executive management. Accordingly, they will not know of the risks that accepted instead of individuals and organizations. Finally, the lack of resources makes managing risk in the important areas of information security by senior management with unawareness of potential outcomes. To access the level of risk in any environment that the internal auditors through the tools necessary to select and control data. The control and data must be checked. Through the control 57
and data, the auditor shall examine, evaluate, and contribute significantly to the management for all the problems. 4.4.2 Evaluate internal controls
Control Self Assessment (CSA) is an accepted method to identify and assess internal controls. It helps to focus on the risks as well as the means to reduce or better control these risks. In general, internal audit, such as the use of CSA support group discussions to identify and evaluate internal control agreement with the strengths and weaknesses of them and look for opportunities of improvement. CSA Technology for links to software and hardware devices to interact face to face meeting for group communication. It claims questioned or involved with a choice of responses that are often proposed on a large screen so that more people can see it. This software makes a graph of the results of response keyboard. Some systems provide answers unstructured text. The answer is unknown to the typical confidence of honest, open and frank. Feedback is immediate basic features of the CSA system. 4.5 Analysis responses related to guidelines available for internal audit best practice through the application of IT and discussion For the part IV the questions in Appendix D, I received the result as below: Questions Strongly disagree Disagree Neutral Agree Strongly agree Total respondents Question 1 0 0 15 23 20 58 Question 2 0 9 2 26 21 58 58
Question 3 0 0 3 30 25 58 Question 4 2 4 7 26 19 58 Question 5 3 6 12 20 17 58 Figure 7 - answers related to available guidelines for internal audit best practices through the application of IT From the figure 7, the percentage of responses related to guidelines available for internal audit best practice through the application of IT is calculated as below: Questions Total Respondents Strongly disagree Disagree Neutral Agree Strongly agree Total Question 1 58 0% 0% 26% 40% 34% 100% Question 2 58 0% 16% 3% 45% 36% 100% Question 3 58 0% 0% 5% 52% 43% 100% Question 4 58 3% 7% 12% 45% 33% 100% Question 5 58 5% 10% 21% 35% 29% 100% Figure 8 percentage of responses related to available guidelines for internal audit best practices through the application of IT In the part IV of the appendix D, the calculated as the percentage of the respondents to these question, I can make a general comment that the auditors in Vietnam always looking for new and better more to improve the risk and improve the features of IT in their work. The final part in this part 4 is the questions referred to the problem of questionnaire on the instructions available for internal audit best practices through the application of IT. In the first question, I want to know who thought of that I think the survey in the implementation of internal audit. The best practice from diverse experience and sills of auditors participate in professional training. Some people choose strongly agree and agree relatively high proportion, which is 34% and 40%. Another people choose the neutral for their suitable answer is 26%. Nobody answered disagree and strongly disagree; In the second question, the question of the thinking of auditors and the managers of a real internal audit function should best be concentrated risk. In these answer, some people agree and 59
strongly agree accounted for 45% and 36%. Besides, some people choose the neutral to think that internal audit is not necessarily the best risk focused. Also, some people disagree is 16%. There is no one answer choice of strongly disagree; In the third question, the question of an actual internal audit function should be the best source of advice on governance, risk and control. In this question, the number of people agree and strongly agree are 52% and 43%. Besides, I get the results in a 6% neutral option in addition to not pick anyone disagree and strongly disagree; In the fourth question, the question is quite easy for auditors and managers is the best way of the internal audit function should have sufficient resources to be effective. In this question, the numbers of people who are agreed and strongly agree are the percentage accounted for 45% and 33%. In addition, there are 22% is allocated to the 3 mixed opinions as neutral is 12%, 7% of disagree and 3% of strongly disagree; The last question, as well as questions for the end of my questionnaire in this research is the attention give of the auditor and the management of internal audit best practices is done by using software to automate the process of implementing closed impressive results from the internal audit program. In this question, the answer choices people agree and strongly agree that the percentage accounted for 35 % and 29 %. Besides the selection of neutrals also quite similar quantities is 21 %. Also, some people disagree and strongly disagree proportion is 15 %.
60
4.5.1 Discussion guides are available for internal audit best practices through the application of IT
Through allow transaction processing in real time and facilitates relationships with global customers and investors, information technology have increased the efficiency, effectiveness and productivity of operations business. Perform internal audits, best practices from diverse experience and skills of audit staff is professionally trained to participate. Leading companies take advantage of the professionalism of internal audit staff in the company's activities to develop skills in identifying and minimizing risks. In addition, the audit function of the company is to provide smart and competent resources defined in the audit charter established by the board, senior management and the audit committee to accomplish the task of department effectively. In this way, best practices for internal auditors in collaboration with the department of information technology to minimize the risk of information technology.
61
CHAPTER V: CONCLUSION AND RECOMMENDATION 5.1 In conclusions
In the present day, IT has become a resource which is necessary for everyone in the world. It also affects internal audit areas. Therefore, internal auditors needed to promote the importance of technological knowledge to assess IT based on processes and controls. The role of internal audit has changed by the development of IT environment. Internal auditors are expected to influence in skills and knowledge of technological environment to match with expectation of audit committee and top management. From modifying traditional documents on paper of audit to applying IT on processes and transactions, information technology has altered type of business process. On point of view, the role of internal audit modified to implement responsibilities, assurance commitments and consultant services. However, because the complexity of IT environment increased, internal audit staff's skills, identifying the result of complete their responsibilities are limited. Internal auditors with knowledge and intellectual skills to carry out their duties to contribute consultant services and assurance objectives through applying information technology play basic role to support the expectation of top management and audit committee in the future. IT environment changes will lead to change the issues of role functions of internal auditor. Internal audit function exists due to the result of providing capability to assess objectively and effectively. It means that basic consultancy of internal auditor depends on knowledge and intellectual skills of technological development. Internal auditors must have abilities to grasp clearly as well as to analyze businesss needs and find out recommendations about carrying out 62
electronic applications in all operations match with expectation of top management. The business processes modifies related to carrying out audit evidences and financial IT are internal auditors need to get more knowledge and advance skills. Based on information technology, internal auditors core activities related to reviewing development of new system expectations. The competence of internal auditor is to understand more about implication of IS quality. It creates conditions for internal auditor to review risk management as well as internal control procedures. If information has lower quality, it will not be detected and solved timely in process system. It means that management decisions can be unsecured of entities are existing. In systems to evaluate internal control, poor function of internal audit in objective assurance has reflected confusion in detecting and preventing from risk of information security. Thus, to carry out role of internal audit in reporting consistently and timely and supporting, internal auditors are required to get more understanding about IT's knowledge and skills. To have efficient and effective internal control is risk elements in consistent system security and quality information are recognized. 5.2 Recommendation This thesis only provides information related to applying IT of auditors. It means that no general model for technological tools match with all businesses. To support and complete for all audit's activities, it is required to realize base on technological development. Topic about technological form based on the proportion of the incremental and professional skills and auditors knowledge. The importance related to succeed of audit activity is the use of technological tools effectively. However, it is only movement to understand more about changes in technology which implement 63
in audit profession and business. To foster and develop the efforts of providers' system, important role towards professional auditors is reducing new technologies performance to advance the examination and assurance features of systems which is no in their views as process or as elements. The auditors' important role is to understand and modify of technology. Besides, they also give explanations to others for these. The importance of interpersonal contact in audit the same as email and keyboard is certain that it cannot substitute to the need of interpersonal skills. 5.3 Limitations The study just uses conventional approach. It is not proactive method as well as deeply research to provide any practical suggestions to auditors. It does not have general model for technological tools match with all companies. It is important to realize the technological reliance to support and complete for audit's activities is increasing. In the benchmarking literature, the research emphasized limitations. This research has some difficulties which related to problems of how to integrate new technological risks to determine business controls, audit techniques and approaches. Moreover, the survey's results through questionnaires may be inaccurate because some respondents do not read carefully and no think too much when they answer. 5.4 Further Research
Further research is important to complete the researchs limitations. Further research is possible to find out the impact of IT in complexity on internal audit role is increasing. Further research would become important to approach into development of internal auditor role for whom take part in information technology of audit. Further research in the same studies contribute 64
opportunities to make information become available useful to internal audit profession which design to be simple in awareness of the role development of internal audit match with the impact of information systems and IT development.
65
REFERENCES
1. Abu-Musa, A. Ahmad (2008), Information technology and Its Implications for Internal Auditing. assessed on 1 st September, 2013 https://docs.google.com/viewer?a=v&q=cache:k01QONigZAMJ:www1.kku.edu.sa/Conf erences/SSEFP/Researches/Dr%2520%2520Abu-Musa%2520paper- MAJ.doc+the+impact+of+information+technology+on+the+internal+audit+role&hl=en& gl=vn&pid=bl&srcid=ADGEESjeMPTRTb8lELnnDkJRjID0VDf5DfqMLMWCGG6eX q18pfefmQP- LIzPL96BkFn9p4wShv_zfco45jJqxsaT6cKeNbiJOFZMHzsROUufBpSR9PsvAYWAPf F-vasFkm1eN8qct9iq&sig=AHIEtbTj_QR9yj0d4WW0H0ui0HvO_DVh7Q
2. Allegrini, M. and DOnza, G. (2003), Internal auditing and risk assessment in large Italian companies: an empirical survey, International Journal of Auditing, Vol. 7, pp.191-208. assessed on 5 th September, 2013
3. Elliott, R.K., Confronting the Future: Choices for the Attest Function, Accounting Horizons, September 1994, pp. 106-124. assessed on 5 th September, 2013
4. Hermanson, D. R.; M. C. Hill; and D. M. Ivancevich, (2000) Information Technology- Related Activities of Internal Auditors, J ournal of I nformation Systems, (Supplement, Vol. 14, Issue 1), pp. 39-53. assessed on 7 th September, 2013
5. The relationship between the internal audit and the external audit. assessed on 9 th
10. The information about COSO. assessed on 10 th September, 2013
http://www.coso.org/
11. Hany B. Ahmed - MSc Accounting & Finance; Information Systems Development and the Changing Role of Internal Audit. assessed on 10 th September, 2013
12. Institute of Internal Auditing (IIA) (2000), Definition of internal auditing, [Online] www.theiia.org/guidance/standards-and-practices/professional-practices-framework/
13. Institute of Internal Auditors (IIA) (2004), Understanding the revised standards, [Online] www.theiia.org/download.cfm?file=1340
14. Management Audit Circular No : DM.107- Guidelines for Internal Auditing in a Computerized Information System (CIS) Environment
15. Meredith M.; and M. D. Akers (2003), "Internal audit's role in systems development: The CEO's perspective", I nternal Auditing, Boston, Jan / Feb Vol. 18, Iss. 1, pp. 35 39.
16. M. Krishna Moorthy, A. Seetharaman Zulkifflee Mohamed, Meyyappan Gopalan and Lee Har San (2011); The impact of information technology on internal auditing
17. Rezaee, Z. and Reinstein, A. (1998); The impact of emerging information technology on auditing; Managerial Auditing Journal, Vol. 13 No. 8, pp. 465-471
18. Rezaee, Z., Elam, R. and Sharbatoghlie, A. (2001); Continuous auditing: The audit of the future; Managerial Auditing Journal; Vol. 16 No. 3; pp. 150-158
19. Rishel, T. D.; and S. H. Ivancevich (2003), Additional opportunities for Internal auditors in IT implementations, I nternal Auditing, Boston, Mar/Apr, Vol. 18, Iss. 2, pp. 35 - 39.
20. ROIA: Research Opportunities in Internal Auditing. The Institute of Internal Auditors Research Foundation monograph co-edited by Andrew D. Bailey, Audrey A. Gramling and Sridhar Ramamoorti. Individual chapters written by several authors. Referenced as: [Author name(s), ROIA, 2003]
67
APPENDIX A QUESTIONNAIRES
Please respond to the questions below by tick to the appropriate point on the scale. Please answer all questions below: Part I _ questionnaire about software and hardware tools assist to audit process through the application of IT to internal audit
Question Strongly Disagree Disagree Neutral Agree Strongly Agree Do you think features of technology have a great impact in the internal audit profession with usefulness, and ease of use?
Do you think CAATs can used by internal auditors in financial and implementation auditing to attain the efficiency, effectiveness, and quality of the audit?
Do you think CAATs can support for internal auditors in bringing consulting services, facilitation services, and added value for the organization?
Do you think email and file transfer software can help internal auditors without difficulty and fast of sharing data and keep contact?
Do you think automated work- papers allows auditors to easily manage, organize, link and locate text, spreadsheets, graphs?
Do you think the Internet, LANs, WANs, intranets, and wireless network bring the connectivity and efficiency for internal auditors?
68
APPENDIX B QUESTIONNAIRES
Please respond to the questions below by tick to the appropriate number on the scale. Please answer all questions below: Part II_ questionnaire about role of internal auditor with necessary skills and competencies through the application of IT Question Strongly Disagree Disagree Neutral Agree Strongly Agree Do you think task of internal auditor is changed in positive trend through the use of electronic ecommerce and internet security?
Do you think the expansion of IT knowledge and skills to attain proficiency, the effectiveness and quality services are needed to internal auditor?
Do you think internal auditors should have wide-ranging knowledge of main information technology risks as well as controls and obtainable technology-based audit techniques?
Do you think that internal auditor should increase internal control in assisting the company identify weaknesses and expand cost-effective solution to solve those weaknesses?
69
APPENDIX C QUESTIONNAIRE
Please respond to the questions below by tick to the appropriate number on the scale. Please answer all questions below: Part III _ questionnaire about audit tasks and diminish organization risks through the application of IT to internal audit
Question Strongly Disagree Disagree Neutral Agree Strongly Agree Do you think the function of the internal audit includes fraud investigations, identification of organizational risks, and consultations to the senior management related to risk management, process improvement or global operations?
Does the internal auditor obviously identify the risk areas in the Computerized Information System environment?
Do you think internal audit should focus on areas of high inherent risk, high residual risk, and key controls in the organization?
Do you think internal auditor should have extensive experience of appropriate controls to manage risks in a diversity of relevant environments?
Do you think internal auditor must understands the specific risks related to operational activities and is able to contribute to the review of risks in operational areas?
70
APPENDIXE D QUESTIONNAIRE
Please respond to the questions below by tick to the appropriate number on the scale. Please answer all questions below: Part IV_ questionnaire about guidelines available for internal audit best practice through the application of IT Question Strongly Disagree Disagree Neutral Agree Strongly Agree Do you think in performing internal audit, best practices come from varied in experiences and skills of audit staff that are participated in the professional training?
Do you think a best practice internal audit function should be risks focused?
Do you think a best practice internal audit function should be a source of advice on governance, risk and controls?
Do you think a best practice internal audit function should be having sufficient resources to be effective?
Do you think the best practice internal audit is implemented by using software to automate the closed-loop process in realizing impressive results from its internal audit program?