Information Systems Risk and Audit Planning by Jean C. Bedard, Lynford Graham and Cynthia Jackson. International Journal of Auditing. Int. J. Audit. 9: 147–163 (2005)
The purpose of the above research article is to provide empirical evidence on the nature and frequency of client characteristics affecting audit planning relevant to systems risk, and to assess the association of these characteristics with auditors’ systems risk assessments and audit planning decisions.
From Wikipedia: The word research derives from Middle French; its literal meaning is ‘to investigate thoroughly’. Research is often described as an active, diligent, and systematic process of inquiry aimed at discovering, interpreting, and revising facts. This intellectual investigation produces a greater understanding of events, behaviors, or theories, and makes practical applications through laws and theories. The term research is also used to describe a collection of information about a particular subject, and is usually associated with science and the scientific method.
Keeping the above definition of research in mind, the article “Information Systems Risk and Audit Planning” by Jean C. Bedard, Lynford Graham and Cynthia Jackson can be categorized as a research article: the authors follow the basic structure of a research paper and complete its investigative requirements. They set out to provide empirical evidence on how information systems risk is considered in a financial statement audit. This is a key issue because the importance of information systems to businesses has increased steadily over the past decade, as has the importance of internal control to companies and to their auditors.
The authors approach the topic through empirical research, as the article itself states. Its basic aim is to provide empirical evidence on the consideration of information systems risk in a financial statement audit. To perform the study, they describe the types of client characteristics that auditors identify as relevant to planning, and relate those characteristics to systems risk assessments and testing plans. Generally, empirical research is any research that bases its findings on direct or indirect observation as its test of reality. In this study, focus groups of partners and managers from the participating firms were first used to define the research task. This is an appropriate method, especially because specific statements from each firm’s decision aid for risk identification and assessment had to be selected. In ranking risk areas on their suitability for the study, the focus groups considered factors such as the importance of the risk area in audit planning, its applicability to a broad range of clients, and its potential for distinguishing more risky clients from less risky ones. The two systems risk areas chosen for the study were: (1) whether top management sufficiently oversees and addresses the risks related to data security and EDP system security for critical information systems; and (2) whether there are weaknesses in the relevance, completeness, timeliness and reliability of the management information used by the company to monitor enterprise activity.
Finally, data for the study were collected from auditors serving on engagement teams for various clients of two accounting firms (now among the Big 4), in the presence of one of the authors. Selection and scheduling of participants were arranged with the help of a contact person at each firm, who knew only that the study concerned audit planning. Because of client confidentiality concerns, the authors did not know the identity of the clients about which the participants were responding. Each participant answered a questionnaire about the characteristics of one of their actual clients, selected in advance of the research session.
Research Questions and their Effectiveness
The article formulates three research questions to address the research problem:
1. What is the nature of systems risk factors identified by auditors as important in engagement planning?
2. Which types of client characteristics are associated with differences in risk assessments?
3. Which types of risk factors are associated with planning specific types of audit tests?
The first research question concerns the nature of the client risk characteristics present in a representative sample of audit clients. The second relates to the association between client characteristics and risk assessments within each risk area; auditing standards state that auditors should respond to engagement risks by increasing their risk assessments and altering the nature, timing, and extent of audit procedures. The third question considers the role of systems risk factors in planning audit tests, since auditing standards also require that the audit plan be adjusted to reflect client risk factors.
The three questions are well posed and are in line with the research objective stated at the start of the article: “To provide empirical evidence on the consideration of information systems risk in a financial statement audit.” The first question covers the initial planning phase, in which the client’s risk characteristics are identified; the second examines which client characteristics explain differences in risk assessments; and the third examines which risk factors, whether related to EDP security or to management information quality, are associated with the audit tests planned.
The rationale for the study is set out in the Background section, where the research questions are introduced together with their justification. Reading the paper, one can appreciate that the authors state their objective clearly at the outset, explain the importance of each research question to the study, and show how each of the three questions contributes to solving the research task.
Implications and Key Limitations of the Research
One of the major limitations of this type of research is the confidential nature of the information the researchers deal with, and the understandable reluctance of managers and partners in the participating organizations to share it.
Another limitation is that the researchers examined the auditors’ memories of client conditions; in other words, they studied how auditors assess risk and plan tests in light of conditions that the auditors themselves identify. In contrast to behavioral experiments, the design of this study could not assess memory accuracy. An alternative means of addressing the same questions is an archival study of audit workpapers. In contrast to this study of individual responses, audit workpapers capture the end product of group decisions. Further research should establish whether the results of this study hold under behavioral and/or archival approaches.
Despite the key role of information systems in corporate control and in financial statement audits, the authors found no prior research providing evidence on the nature of the risk characteristics commonly present in business systems and the implications of such risks for audit planning. The study addresses this gap by examining two crucial areas of information systems risk: EDP security and management information quality. These risk areas cover, respectively, the physical and electronic integrity of client systems and the appropriateness of the information those systems contain.
Identification of Research Conclusions and Results
The conclusions and results of the study are presented twice, which makes both the researchers’ intentions and the degree to which the research objectives were achieved clear to the reader: the article summary states the main findings, and the Discussion section describes them in full.
The main findings have two major aspects. First, there is no significant association between risk factors and risk assessments in the EDP security risk area, whereas strong associations were found for management information quality. Second, control environment factors affect planning in the management information quality area, but not in EDP security. Recent high-profile cases of corporate fraud, involving possible management override of controls, emphasize that auditors must react appropriately to issues of information system security and management style/competence. The results therefore support the recent emphasis on internal controls in US and international auditing standards.
To examine these two risk areas, the researchers asked participating auditors to record the frequency of specific client characteristics in each area that they consider when planning an actual client engagement. They also asked the auditors to provide a risk assessment within each risk area and to plan audit procedures to address the identified risks. Results show that auditors predominantly identified client characteristics that would increase systems risk (i.e., negative characteristics, commonly termed risk factors), although some positive characteristics that would decrease systems risk were also identified. The most frequently identified risk factors in the area of EDP security relate to system security controls, outdated systems, and management style/attitude. In the management information area, the most frequently identified risk factors relate to the nature of the information produced by client systems, followed by factors relating to management style/attitude and management competence.
Areas of Further Research
As the article itself notes, the study design could not assess the accuracy of auditors’ memories, and it captured individual responses rather than the group decisions recorded in audit workpapers. The authors therefore suggest that further research test whether their results hold when the same questions are addressed through behavioral experiments and/or archival studies of audit workpapers.
Overall Effectiveness of the Exercise
This exercise proved to be a tremendous learning experience in understanding research articles and how they should be approached. Writing a critique of a research article requires a thorough understanding of the basics of writing a research article, of the various research methods available, and of how to conduct the research itself with an appropriate research design.
Jean C. Bedard, Lynford Graham & Cynthia Jackson. (2005) Information Systems Risk and Audit Planning. International Journal of Auditing 9: 147–163.