Bridging IT auditors and AI auditing: Understanding pathways to effective IT audits of AI-driven processes

This concept paper examines the integration of Agile methodologies into IT audit processes to enhance effectiveness and efficiency. In today's dynamic and rapidly evolving technological landscape, traditional audit approaches often struggle to keep pace with the speed and complexity of IT environments. Agile methodologies, originating from software development, offer a flexible and iterative framework that can revolutionize IT audit practices. The paper begins by highlighting the limitations of traditional audit methodologies in addressing the challenges posed by modern IT systems. It then introduces Agile principles and practices, explaining how they can be adapted and applied within the context of IT audits. By embracing Agile, auditors can shift from rigid, linear audit processes to iterative, collaborative approaches that promote adaptability, responsiveness, and continuous improvement. Key components of Agile methodologies, such as sprints, stand-up meetings, and user stories, are explored in the context of IT audits, demonstrating how they can streamline audit planning, execution, and reporting. The paper also discusses the cultural shift required for successful Agile adoption within audit teams and organizations, emphasizing the importance of communication, collaboration, and a mindset focused on delivering value. Through case studies and real-world examples, the paper illustrates the tangible benefits of applying Agile methodologies to IT audits. These include increased audit coverage, faster identification of risks and issues, enhanced stakeholder engagement, and improved alignment with business objectives. Additionally, Agile practices enable auditors to adapt to changing priorities and emerging risks more effectively, ensuring audit activities remain relevant and impactful in dynamic environments. Despite its potential benefits, Agile adoption in IT audits presents challenges such as cultural resistance, skill gaps, and the need for organizational support and buy-in. The paper addresses these challenges and proposes strategies for overcoming them, including training and development initiatives, stakeholder engagement, and pilot projects. In conclusion, the paper advocates for the integration of Agile methodologies into IT audit practices as a means to enhance effectiveness, responsiveness, and value delivery. By embracing Agile principles and practices, auditors can better meet the demands of today's digital landscape, driving continuous improvement and innovation in audit processes. In this concept paper, I analyze how the adoption of Agile methodologies, particularly Scrum, can revolutionize IT audits. I explore how these methodologies improve collaboration, adaptability, and overall audit effectiveness, supported by practical examples and insights from my professional experience. Keywords: Enhancing, IT, Audit Effectiveness, Agile Methodologies, Conceptual Exploration.

Business performance, value and success are more and more depending on information technology governance and on the related IT risk management efficiency. To completely accomplish the main objectives of Auditing, internally or externally sourced, in this era, the introduction of an additional professional tool, the IT Audit, is being increasingly considered as an absolute and indispensable need.This paper aims to treat and emphasize, through comparison and analysis, the necessity and relevance of IT Audit, in both public and private enterprises. IT Audit, as a new important field and strong risk assessment tool of Auditing, drives to a higher level of efficiency and ensures that the enterprise system is getting the maximum business value / performance for itself and for all stakeholders too. Highlighting the evidenced advantages of an effective IT Audit through best practices, the paper’s purpose is to strongly motivate and encourage other organization as well to introduce the IT Audit in their org chart.

This study investigates the moderation role of e-invoicing in national trade, specifically examining how IT auditing impacts electronic accounting information systems (EAIS) at Jordanian customs points. The primary aim is to analyze how effective IT auditing enhances EAIS effectiveness and explores the implications for operational efficiency and compliance within Jordan’s customs operations. A survey methodology was employed, gathering primary data from 322 employees across various customs points through distributed questionnaires. We utilized partial least squares structural equation modeling (PLS-SEM) to ensure methodological rigor in our analysis. The findings indicate that effective IT auditing significantly enhances EAIS effectiveness, with e-invoicing acting as a moderator that amplifies this effect. This underscores the critical role of auditing practices in improving operational dynamics at customs points, facilitating smoother national trade processes. The study offers actionable insights for industry professionals and policymakers, emphasizing the importance of integrating robust IT auditing practices with e-invoicing systems. By doing so, stakeholders can promote greater efficiency and compliance in national trade operations at Jordanian customs points, ultimately contributing to the optimization of trade processes and regulatory adherence. This research highlights the significance of strengthening auditing frameworks and leveraging technological advancements like e-invoicing to enhance operational effectiveness within Jordan’s customs environment.

In digital transformation, modernization IT risk universe plays a major role in planning an effective IT audit program. This paper describes a new requirement in IT audit practices and suggests an IT risk universe framework for the development of IT risk universe toward a more modern (digital transformation setting). This paper concludes with research prospects that can support and intensify research for modernizing IT risk universe in modern IT audit.

Today, IT audit become one of the top two topics that discussed amongst internal auditor professionals and has grown to become an important issue for modern organizations. IT audit concepts have changed over time, although significant changes have been made in early 2000, toward modern IT audit. This paper examines current issues in IT audit. The motivation was to identify the current trends and issues in IT audit. This paper reviews the literature on IT audit that published during the period 2008-2017. The literature review identified 46 papers that presented an issue in IT audit practices. The study results suggest that the current issues in IT audit can be classified into 5 main issues, there are benefits of IT audit, IT audit guidance, IT audit object, IT audit process, and issue of IT auditor. This paper has presented how these issues emerged during the past 10 years, along with the development trends. This study results can be used by researchers to conduct further research in the field of modern IT audit. This paper also presents the research directions based on the 5 main issues.

The Post Office Horizon scandal is possibly the most serious corporate failure in the United Kingdom in living memory, and possibly for more than a century. This is because of its disastrous consequences for hundreds (perhaps thousands) of individuals who were wrongly prosecuted by the Post Office and who lost their livelihoods, and often their homes, on the basis of incomplete and misleading evidence from its Horizon computerized accounting system. That corporate failure has given rise to the most extensive miscarriage of justice in English legal history, with an unprecedented number of wrongful convictions now in the process of being reversed.The Post Office Horizon scandal had many features and causes, but a significant contributory failure was that of corporate governance. There were many warning signs over the years, which should have been acted upon by Post Office Internal Audit and in particular, by specialist IT auditors. The evidence is clear that the Post Office failed to live up to its commitment to corporate governance, and that this failure was neither detected nor acted upon by the government, if civil servants and ministers were aware of the failure, until too late. An effective IT audit function would have contributed significantly to a prevention of the scandal.
 Index words: Post Office, Horizon, Fujitsu, IT audit, internal audit, corporate governance, Three Lines of Defence, Institute of Internal Auditors, IIA, AICPA, IAASB, SSAE 16, SSAE 18, ISAE 3402, SAS 70, ISAE 3000, SOC-1, SOC-2, SOC-3, Trust Services Criteria, processing integrity, Justice for Subpostmasters Alliance, Ernst & Young

IT plays a critical role in the production of financial statements, and thus, audits over financial statements. However, audit standards provide limited guidance related to the reliance on IT and use of IT auditors; academic literature is sparse on these topics as well. We seek to fill this gap by gaining an understanding of the IT auditor function on financial statement and integrated audits in today’s environment, especially in light of recent PCAOB concerns over undue reliance on IT as a root cause of ICFR-related audit deficiencies. We analyze data obtained from 33 interviews with practicing financial and IT auditors using a research question framework highlighting key points in the audit process. We posit a number of interesting implications including 1) involvement of IT auditors in audits is a relatively subjective process and thus social and behavioral forces could have a significant influence on the way the two teams work together, 2) while IT auditors are typically involved in planning, the extent can vary and there is likely room for increased involvement, especially around fraud-related procedures, and 3) financial and IT auditors have contrasting views on whether increased involvement of IT auditors on business process-related work is needed, but both groups cited the need for mutual respect and knowledge in both domains. Our findings provide a foundation for academic researchers to identify important research issues, develop theory-based predictions, and design experiments (or other models and instruments) to address these issues. Our study also has broad implications for future research in other audit specialist areas, such as tax and valuation.

The use of IT in the financial and accounting processes is growing fast and this leads to an increase in the research and professional concerns about the risks, control and audit of Accounting Information Systems (AIS). In this context, the risk and control of AIS approach is a central component of processes for IT audit, financial audit and IT Governance. Recent studies in the literature on the concepts of risk, control and auditing of AIS outline two approaches: (1) a professional approach in which we can fit ISA, COBIT, IT Risk, COSO and SOX, and (2) a research oriented approach in which we emphasize research on continuous auditing and fraud using information technology. Starting from the limits of existing approaches, our study is aimed to developing and testing an Integrated Approach Model of Risk, Control and Auditing of AIS on three cycles of business processes: purchases cycle, sales cycle and cash cycle in order to improve the efficiency of IT Governance, as well as ensuring integrity, reality, accuracy and availability of financial statements.Keywords: Risk, Control, Audit, IT Governance, Accounting Information Systems1 IntroductionThe high level of using the information technology in financial and accounting processes in organizations [1] results in an increase in research and professional concerns about the risks, control and audit of Accounting Information Systems (AIS).The risks and vulnerabilities of Accounting Information Systems may lead to material misstatements in financial reporting. Most times these risks have negative impact on the integrity, accuracy, reality and availability of financial reports [2]; [3]; [4]. In this context, risk and AIS control approach is central to both financial and IT audit processes and IT governance processes within the organization.In this study, researching financial and IT audit process relations, and using the concepts of risk and control, we developed and applied an integrated approach model of risk, control and auditing of AIS. The purpose of this model is the integration approach of risk, control and AIS audit in the IT audit processes and financial audit processes in order to improve the efficiency of IT Governance, as well as ensuring integrity, reality, accuracy and availability of financial statements.The paper is structured in four parts. In the introduction we presented the current research regarding the integrated approach of risk, control and auditing in the IT auditor's perception, as well as the financial auditor's perception and we showed the need to develop a model. In the second part, we presented the research methodology. In the third part, we presented the model development and we discussed the findings of applying the model. Finally, we presented our conclusions regarding the research.2 Literature ReviewRecent studies in the literature on the concepts of risk, control and auditing of AIS outline two approaches: (1) a professional approach in which we can fit ISA, COBIT, IT Risk, COSO and SOX [5]; [6]; [7]; [8]; [9]; [10], and (2) a research oriented approach in which we emphasize research on continuous auditing and fraud using information technology [11]; [12]; [13].According to IFAC-ISA 315 financial auditors must understand and analyze AIS, which can affect financial reporting particularly on: significant transactions systems for financial statements; automatic or manual control pro- cedures through which transactions are recorded, stored and processed in the general ledger, and reported in the Financial Statements; the process of obtaining and presenting the financial reports from the AIS [5].Also in the professional approach of the risk management process and ensuring the control of AIS, we noticed the COBIT 5 framework [6]. According to ISACA, COBIT 5 is the only business framework for the governance and management of enterprise IT. Analyzing the objectives and the content of COBIT 5, we can say that starting with this version, ISACA has an integrated approach model of the risk, control and auditing of AIS. …

Performing Effective IT Audits

This review explores the integration of predictive analytics in IT audit planning, emphasizing its transformative potential in enhancing the efficiency and effectiveness of audit processes. Predictive analytics, which involves the use of machine learning, data mining, and statistical modeling to forecast future events based on historical data, has seen widespread adoption across various industries. In the context of IT audit planning, its application can significantly improve risk assessment, resource allocation, and overall audit execution. The study begins by defining predictive analytics and outlining its key techniques. It then provides an overview of the traditional IT audit planning process, highlighting its critical steps and inherent challenges, such as limited risk visibility and inefficient resource use. By integrating predictive analytics, organizations can address these challenges by leveraging data-driven insights to identify emerging risks, prioritize audit areas, and optimize audit schedules. The integration process involves several stages, including data collection and preparation, model development, and implementation. The review discusses the importance of selecting appropriate data sources, cleaning and preprocessing data, and choosing the right predictive models. It also covers the deployment of these models within existing IT audit frameworks, emphasizing the role of advanced tools and technologies. The benefits of integrated predictive analytics are manifold. Enhanced risk assessment allows auditors to proactively identify and mitigate potential issues, while improved resource allocation ensures that audit efforts are focused on the most critical areas. Additionally, predictive analytics can detect anomalies and patterns that might go unnoticed in traditional audits, thereby increasing audit effectiveness. Case studies of successful implementations in various organizations are presented to illustrate the practical benefits and outcomes of integrating predictive analytics into IT audit planning. The review also addresses potential challenges, such as data quality issues, model accuracy, and organizational resistance, offering strategies to overcome these hurdles. The integration of predictive analytics in IT audit planning represents a significant advancement in audit practices. By adopting these techniques, organizations can enhance their audit capabilities, leading to more proactive and effective risk management. The review provides recommendations for implementation and highlights future trends in predictive analytics and IT auditing. Keywords: Integrated, Predictive Analytics, IT, Aduit Planning.

Technologies and Methods for Auditing Databases

In recent years, IT governance has been a subject of discussion among academics and practitioners. The concern has been on the need to implement governance mechanisms and ensure the right balance of these mechanisms. However, the audit of IT governance mechanisms has received very little attention. This paper aims to analyse the overall impact of IT governance audits on the maturity and coherence of governance mechanisms. Guided by the configurational theory, the researchers argue that when governance mechanisms operate coherently and are regularly audited, there will be improvement in IT governance and the performance of financial institutions. In this study, seven financial services companies in Ghana were reviewed, and their IT governance maturity was assessed after seven months of auditing with a COBIT 5‐driven IT audit framework. Two surveys were conducted, one before and one after the auditing. The findings of the study confirm the claim that regular auditing improves IT governance maturity and coherence. Several governance mechanisms within the case organizations improved to one higher level of maturity on the Capability Maturity Model. This improvement was after seven months of auditing. Regular auditing also improved IT roles and responsibilities, empowered IT personnel and improved the IT budgetary control and architecture of the entities. This study has implications for practice. It emphasizes the importance of independent regular IT auditing and the need to ensure coherence among IT governance mechanisms if effective IT governance is to be achieved in financial institutions.

Chapter 8 - IT Audit Processes

Recently, there has been increased interest in using Agile methodologies in auditing to improve efficiency and adaptability. This study examines whether Bank XYZ in Indonesia is ready to adopt Agile for IT auditing, marking a first for the country's banks. The need for Agile is driven by a significant reduction in audit staff, increased demands from management, and higher fraud risks, all of which call for a more effective and responsive audit process. The research employed both surveys based on the CA Agile Framework and qualitative analysis. It found that Bank XYZ is moderately ready to adopt Agile, showing strengths in commitment to user research, organizational culture, and training support. However, challenges such as utilizing past Agile experiences and enhancing governance must be addressed. The study recommends a gradual adoption of Agile, focusing on building a supportive Agile culture, enhancing training for auditors, and improving governance structures. This step-by-step approach will help Bank XYZ effectively integrate Agile into its IT auditing practices to better meet management's expectations for more business-focused auditing.

Chapter 3 - Internal Auditing