Information Technology-Related Activities of Internal Auditors
R. Hermanson and Mary Callahan Hill
Advances in information technology (IT) present important new organizational risks, and the assessment and management of these risks may involve a variety of groups, including internal auditors, external auditors, in-house IT experts, and outside consultants. To begin to understand how organizations are addressing their IT risks, this exploratory study examines the IT-related activities of one group -- internal auditors.
Information gathered from over 100 internal audit directors indicates that internal auditors focus primarily on traditional IT risks and controls, such as IT asset safeguarding, application processing, and data integrity, privacy and security. Much less work is done on system development and acquisition issues. Several factors are associated with internal auditors' performance of IT evaluations, including the nature of the audit objective, the prevalence of computer audit specialists on the internal audit staff, and the existence of new computerized systems. To supplement these results, we encourage further research on the efforts of other groups in addressing IT risks.
Key Words: Information technology, Information systems, Internal auditing.
Availability: Please contact the first author regarding the availability
of the survey data.