Information Systems Risk and Audit Planning

17 Pages Posted: 21 Sep 2005

Jean C. Bedard

Bentley University - Department of Accountancy

Lynford E. Graham

Bentley University

Cynthia Jackson

University of Houston - C.T. Bauer College of Business

Abstract

Auditing standard setters worldwide are focusing greater attention on the importance of corporate controls in general, and on information systems in particular. However, there is relatively little research on the nature of specific control risks in actual companies, and on the auditor's response to those risks. In this study, we examine client characteristics identified by external auditors for actual audit clients, which are relevant to two important areas of systems risk: system security and management information quality. To perform the study, we describe the types of client characteristics identified by the auditors as being relevant to planning, and relate those characteristics to systems risk assessments and testing plans. We find that auditors identify both systems risk factors (risk-increasing characteristics) and positive factors (risk-decreasing characteristics), although risk factors predominate. Systems risk factors are identified for a high proportion of clients, even those with relatively low risk assessments. Most frequently identified risk factors relate to system security, management style and competence, and outdated systems. We find that risk assessments increase with the number of identified risk factors for management information quality, but not for EDP security. Categorizing risk factors into COSO categories, we find that audit procedure planning for EDP security is associated with risk factors relating to control activities but not to control environment. For management information quality, audit procedure planning is associated with control environment and information/communication risk factors. The implications of these findings for audit research and practice are discussed.

JEL Classification: M41, M49, G34

Suggested Citation

Bedard, Jean C. and Graham, Lynford E. and Jackson, Cynthia, Information Systems Risk and Audit Planning. International Journal of Auditing, Vol. 9, No. 2, pp. 147-163, July 2005. Available at SSRN: https://ssrn.com/abstract=788999

Jean C. Bedard (Contact Author)

Bentley University - Department of Accountancy

175 Forest Street
Waltham, MA 02452
United States
781-891-2410 (Phone)
781-891-2896 (Fax)

Lynford E. Graham

Bentley University

175 Forest Street
Waltham, MA 02145
United States

Cynthia Jackson

University of Houston - C.T. Bauer College of Business

Houston, TX 77204-6021
United States
713-743-4833 (Phone)
713-433-4828 (Fax)
