THE EFFECT OF USING IT TOOLS ON THE EFFICIENCY OF INTERNAL CONTROL AS PERCEIVED BY THE INTERNAL AUDITOR
1,2,3Public Authority for Applied Education and Training (PAAET),Kuwait
ABSTRACT
This study aims to Identifying the concept of internal control efficiency related to control environment under the usage of IT tools, and Identifying the role of risk assessment increasing the internal control efficiency through the optional use of IT tools. The study community consists of internal auditors in the Islamic banks in the State of Kuwait. The study tool consisted of preparing a questionnaire that takes into account the objectives and variables of the study. Most results: The internal auditor has a role in assessing the information security policies which depend on It tools and preventing their penetration or the modification of the accounting programs and their contents illegally, and The ability of the internal a uditor to assess the monetary value of the risks that face the bank and which are resulted from using IT tools; and consequently, the financial statements express truly the monetary events that occur in the bank. Most recommendations: The information technology tools are double-edged for the internal auditor. The first edge represents the risks related to penetrating or modifying the financial statements as well as the unauthorized access. The second edge represents the advantages that the auditor can utilize from using IT tools represented in the speed and accuracy in exchanging accounting data and information, and Holding seminars and conferences specialized in audit information technology whose axes focus on using various IT tools in the internal auditing process and functions.
Keywords:Internal control Internal auditing Information system internal Auditor Auditors Efficiency Kuwait.
ARTICLE HISTORY: Received:17 August 2017, Revised:2 March 2018, Accepted:5 March 2018, Published:8 March 2018.
Contribution/ Originality:: The study provides empirical testing to identifying the concept of internal control efficiency related to control environment under the usage of IT tools, and Identifying the role of risk assessment increasing the internal control efficiency through the optional use of IT tools in a new environmental context of country, time and industry. This is expected to enhance our understanding and adds a new dimension to the current body of the literature.
Information technology has become a reality with which we have to coexist. It has become part of all sciences and applications in all scientific and non-scientific domains whereby it projected its shadow over the financial applications in general and the accounting applications in particular due to the privileges it provides to the implementation of accounting, auditing and control objectives in general. Moreover, internal control is a scientific data base for all divisions at any establishment, whether merchandise or service. In addition, the use of the modern technology was accompanied by some risks represented in penetrating and modifying the data from inside or outside the establishment. This use of technology was also escorted by merits or opportunities that can be invested to realize the strategic goals of a specific establishment. The actualization of the internal control efficacy requires safe technology which contributes in maintaining the secrecy of the financial and non-financial data of information. Thus, this study was intended to investigate the role of using the IT tools in increasing the efficiency of internal control as perceived by the internal auditors.
The problem of the study lies in answering the following question: "What is the role of IT tools in increasing the internal control efficiency?" From this question stem the following:
The importance of this study comes from the following:
The study is attempting to achieve the following objectives:
Based on the problem of the study, the following hypotheses may be coined:
The population of the study consisted of the Libyan banks owned by the state counting 4 banks. A questionnaire was designed in a way that observes the variables of the study and was distributed on the computer and internal control departments in those banks. The study counted on using the arithmetic mean, the standard deviation and the one sample t-test. Of the most important results of the study: There is a good level of adaptation of the internal control systems with the requirements of IT environment as a result of development of the Libyan banks. Of the most important recommendations of the study is the necessity of establishing or appointing control entities that place the needed legislations to develop and improve the credibility of the financial statements (Alshaibi, 2011).
The importance of internal control springs from the following (Al-Shamma, 2007)
An effective internal control system should have the following characteristics (Sheikh Salem, 2007)
An effective control system must fulfill the following terms (Al-Juwaifel, 2011)
These standards are defined as "The minimum level of the required quality for the internal control systems in companies in general and in the shareholding companies in particular". These standards present a foundation in comparison with which the internal control system can be assessed. Said standards are applicable in all work domains of companies like programming and financial fields. Each standard is going to be offered using a simple and accurate expression as follows: Al-Hosban (2009)
The positive control environment is the basis of all standards as it presents a system that affects the quality of control systems. Many factors affect the system of which:
Internal control systems give way to assess the risks encountered by the company from internal or external effects. Placing fixed and clear goals for the company is a basic condition to assess the risks. Therefore, risk assessment means identifying and analyzing the relevant risks which are connected to achieving the goals specified in the long-term performance plans.
At the moment of risk identification, it is necessary to analyze them to recognize their potential impact in terms of their importance, possibility of occurrence, methods of their management and the measures that ought to be taken.
The observation activities help to ensure performing the directives of the management. The activities in question have to be effective and efficient in realizing the control objectives of the company. Observation activities are policies, procedures and mechanisms that support the trends of the management. They guarantee conducting the procedures of risk treatment. Of those observation activities: Accreditations, confirmations, performance review, preserving security measures and preserving records in general.
Information has to be registered and delivered to the management and other parties inside the company in a chronological form or frame that may help them perform internal control and other duties. For the company to be able to perform and monitor its operations, it has to conduct proper, trustful and timely communications concerning the internal and external events.
As for communication, it would be effective when including the information flow from top to bottom or vice versa, or in horizontal manner and the management is to verify the existence of appropriate communication with other external parties that may have influence in the company's achievement to its goals as well as the management's need to the information technology which is a critical must to improve and maintain significant, trustworthy and continuous communication for this information.
The internal control systems observation works to assess the performance quality within a given period of time. It ensures that the auditing and reviewing results are directly processed. The internal control systems must be designed to assure the continuity of observation processes as part of the internal operations.
The internal control systems observation must include polices and measures to guarantee that the auditing results are fast performed. The administrators have to:
The management id responsible for replacing and maintaining the internal settings system, and when executing its supervisory responsibilities, it must regularly review the aptness and adequacy of the internal settings elements to ensure the effective application of all the significant controls.
The work field of the internal auditor includes checking and evaluating the adequacy and efficiency of the internal control systems in the company as well as the performance quality in executing the assigned duties.
Therefore, the internal control is regarded as a complementary part of the administrative routine and must work independently whether the internal audit was executed or not. In addition, any effective internal control system cannot replace internal auditing. However, the existence of internal auditing function increases the power of internal control systems.
Information technology can be defined as follows: It depends on using the computer and other developed means in processing the collected data and achieving haste in processing, storing and retrieving said data and transforming it to reliable information to depend on taking timely decisions (Al-Hosban, 2009).
After this concise study to the concept of information technology in general, it is a must to touch upon the information technology related to auditing and internal control. As mentioned before, it is hard to state on accurate definition, but we can place the following definitions to the concept of audit information technology:
1) It is based on using the computer devices and networks to provide the required information to be used as a tool in the auditing process. It also helps to understand the purpose of using the automated accounting systems as well as understanding the environment of modern technology and the necessity of catching up with modern discoveries to be able to deal with Grand (2004)
2) It treats knowledge, skills and ability to review and assess development and operating the components of IT for the internal or external auditor. It also cares for using the computer, communication means, computer networks, data and information in addition to methods of saving and storing them through modern and developed means (IIA, 2004).
3) It depends on using modern techniques of auditing to be used as an auditing tool, and also to help the management of the establishment to comprehend the environment of the company in order to assess the risks and the chances of those modern techniques and their effect in realizing the goals of the company and providing the necessary information to take decisions in the right time (Al-Hosban, 2009)
1.15. The Merits and Demerits of IT in the Internal Control System
First: The merits of IT in the internal control system (Thomas, 2000)
Second: The demerits of IT environment in the internal control system: Thomas (2000)
In order to understand the control environment that affects the e-process of data, the auditor concentrates on the following factors: Taylor (2006)
Information technology relied on reconstructing data processing methods and producing reports. In return, some risks face the organizations which adopt IT, so it must be well controlled to identify the control characteristics that should be applied.
Technology was used and developed in the field of control environment by using electronic methods because the manual methods were not suitable in analyzing, saving and retrieving data and information which represent a large size of business, it couldn't also use the mathematical, statistical and geometrical methods in data analysis. There is no need to the accuracy, trueness and objectivity of the information used in the controlling process and to achieve this end, a set of methods can be used to facilitate the controlling process; from which ara the following: Iliya (2011)
Using the statistical inspection approach in selecting and evaluating samples.
The most important effect of IT on the control environment can be embodied in the following: Mair (2002)
Information technology affects the general control related to the presently applied computer environment and to what have been processed. It affects the efficiency of the organization in general concerning the following issues:
This organizes the company's operations or events and provides authorized access to data. It also completes processing the inputs through treating the outputs. This control over applications is designed to detect, prevent or correct errors according to the following: Jagdish (2002) 1) Preventative control:
It protects the company from the undesired events or operations. IT affects this type of control through the following:
2) Detective control:
I t interested in the errors that take place during the electronic treatment to data which contains warnings and possible exceptions to solve problems. Therefore, and because of the quick discovery of this type of errors, the user is to read the warnings and the expectations extracted from the same system for problem solving. Moreover, as a result of the influence of developments in IT on this type of control, it has to be carefully designed to avoid big mistakes. It also helps to reduce the time consumed in auditing and imposes the persistence of supervision and control.
3) Corrective control
It cares for the error after its occurrence, corrects it and treats its consequences. This demands automated systems for the reason that IT has created information of high quantity and quality, which means the possibility of having undetectable errors that need to be quickly and accurately corrected electronically.
There are seven serial steps that have to be considered when defining IT risk assessment, which are as follows: (Randy (2004))
1) Identifying the information assets
The significant assets of each department must be identified. Those assets include: The computer hardware, programs, systems and relevant services and technology.
2) Collecting and putting priorities for assets
Having accomplished the first step, comes the second step which is ordering the assets which whether they were very sensitive that no job can be achieved without them, or insensitive, the second order is the appropriate information which we can do without for several days or a time span that does not exceed a week. The third and last order of information is the normal expendable information without which the work can be done for a long time.
3) Identifying risks
Here, each department specifies risks whether those problems or threats were limited or unlimited. Risks must be tangible and attributed to one or more assets.
4) Putting priorities for the risks according to their importance
This gives departments an idea about the location of the events that need planning. It also creates sequent steps which make the process of their management easier. The sensitive risks to be placed at the top of priority ladder.
1.18. The Special Rules of Measuring Risk Assessment Under it Environment: Jacobson (2002)
5) Placing a list containing the risks
Here, the members of the assigned team identify the risks and present the supporting explanations and details depending on their knowledge concerning those risks.
6) Referring to the risks according to sensitive assets (sensitive information)
In this step, the work team places a list of the sensitive assets (the most exposed to risks) ordered according to their priority in a separate part of the risk assessment report. This helps departments to suggest suitable solutions for those risks and to implement plans to protect those assets.
7) Presenting the appropriate recommendations to find solutions for those risks
Components of the risk assessment report: Randy (2004)
Recommendations: Specifying a known option to describe he risks according to the cost-benefit method.
The SPSS method was used as a main and the value of Cronbach's Alpha was extracted to measure the degree of the internal consistency of sample's responses to the study tool. Its value was %78 which is higher than the minimum level %70 which is statistically accepted. This indicates the reliability of the sample members' responses which positively reflects on the results and recommendations of the study.
A questionnaire was used as a main tool to collect information from the study sample represented by the Islamic banks in Kuwait. The total number of the internal auditors in the Islamic banks in Kuwait was 75 auditors while the number of banks in Kuwait was 4 Islamic banks. SPSS was used to analyze the questionnaire where the following symbols were given to the choices of the questionnaire's items: strongly agree: 5, agree: 4, neutral: 3, disagree: 2, strongly disagree: 1. Therefore, the higher the item or the hypothesis mean than 3 was the higher was the degree of the influence or acceptance of the sample members to that item or hypothesis. And if the mean was less than 3, this indicates the weak influence or acceptance to the item or hypothesis according to the sample members.
The questionnaires were distributed on the internal auditors in the Islamic banks in Kuwait: 4 Islamic banks. The total number of questionnaires was 58 from which 46 questionnaires were retrieved.
Sources of the study data
Characteristics of the study sample's members
Table-1.The study sample according to years of experience
Description | Number | Percentage |
less than 5 years | 7 | 15% |
5- less than 10 years | 15 | 33% |
10- less than 15 years | 10 | 22% |
15 years and more | 16 | 30% |
Total | 46 | 100% |
Source: Prepared by researchers
The above stated table shows that the study sample's members have proper experience in work wherein the majority are of the 15 years and more category. This means the presence of a positive reflection on the topic of the study as the IT tools depend on experience and practices of work which positively affects the validity and reliability of the study tool.
Table-2. The study sample according to academic major
Description | Number | Percentage |
Accounting | 31 | 67% |
administrative sciences | 9 | 20% |
financial and economic sciences | 6 | 13% |
Total | 46 | 100% |
Source: Prepared by researchers
The former table indicates that the majority of the study sample's members are specialized in accounting. The reason for this may be normal, as the study sample is targeted to be form the internal auditors, and this creates a positive reflection upon understanding and comprehending the items of the questionnaire.
Table-3.The study sample according to the academic qualification.
Description | Number | Percentage |
community college | 6 | 13% |
bachelor's degree | 29 | 63% |
post graduate studies | 11 | 24% |
Total | 46 | 100% |
Source: Prepared by researchers
The previous table shows that the study sample's members are academically qualified in a very proper degree. The majority of the sample members have bachelor's degree followed by those of post graduate studies. This gives a degree of reliability and validity to the responses off the sample members.
The discussion of the study hypotheses with the statistical results.
Table-4. The views of the study sample about the variable of control environment
No. | Item | Mean | Standard Deviation | Order |
1 | The internal auditor develops and maintains the systems to change the internal control method. | 4.05 | 0.85 | 4 |
2 | The internal auditor realizes the control over the IT tools to verify the efficiency of the internal control . | 3.42 | 0.49 | 7 |
3 | The internal auditor identifies the assets represented in the computer hardware and the related programs, systems and technology. | 2.48 | 0.73 | 8 |
4 | The internal auditor identifies the risks of using the IT tools and how to reduce those risks. | 4.29 | 1.05 | 2 |
5 | The internal auditor is to check the credibility of IT tools which help the internal control system to cope with the strategic goals of the company. | 3.78 | 0.58 | 5 |
6 | The internal auditor reviews the presence of the element of elaboration in identifying the control methods and their deviations through using the IT tools. | 4.21 | 0.86 | 3 |
7 | The concern of the internal auditor appears through using IT tools by proving the chances that take place in the policies and procedures of internal control. | 2.29 | 0.51 | 9 |
8 | The internal auditor, through using the IT tools, cares for keeping the programs and files which have an effect on the internal control efficiency. | 3.63 | 0.79 | 6 |
9 | The internal auditor, through using the IT tools over control, cares for the possibility of authorized access to the documents and procedures of internal control to prevent penetration. | 4.46 | 0.68 | 1 |
Means | 3.62 |
Source: Prepared by researchers
The previous table shows that the study sample's members assert that the item No. 9 represents the level of the greatest influence with a mean of 4.46. This indicates that the rate of strongly agree are for higher than the rates of disagree and the rates of strongly disagree. This item is embodied in the presence of an influence on the work of the internal auditor to ensure the legal or authorized access to the financial or accounting statements which positively reflects upon the efficiency of internal control in the Islamic banks in the state of Kuwait. This also points out that the role of the internal auditor has expanded to include the soundness of the statements or information stared in the computer programs to guarantee the security and confidentiality of information. It is also noticeable that the standard deviation 0.68 points out that the rates of variance in the study sample's members answers are fairly acceptable and there is no dispersion in the responses of the sample's members. The fourth item represents the second acceptance or influence degree with a mean of 4.28. This item denotes that the internal auditor performs the process of analyzing the risks of using the IT tools on the validity and reliability of the data and the financial statements. This indicates the transaction of the internal auditors in the Islamic banks in Kuwait with any emergency that comes out of using modern technology in addition to placing mechanisms that mitigate the risks of using technology. It is also clear that item 6 represents the third acceptance degree according to the views of the sample's members with a mean of 4.21. This item shows the existence of an effective role to styling the electronic control methods to the financial and accounting statements which may increase the efficiency of the control environment in the Islamic banks in Kuwait. This gives evidence that the internal auditors have positive influence in increasing the internal control efficiency through presenting detailed reports about the reality of control and attempting to define the internal control problems and finding suitable solutions. We also notice that the seventh item represents the lowest acceptance degree according to the sample's members with a mean of 2.29. This means that the rates of disagree are higher than those of agree. This item is represented in the weak role of the internal auditor in describing the changes in the control environment in term of the policies and procedures. This denotes the feeble recognition of the administrative entities to the changes in control methods especially in the IT environment. We also notice that the mean of the hypothesis in general is 3.62 which means that the study sample's members confirm the effect of using It tools on the control environment.
Table-5. The views of the study sample in the variable of risk assessment
No. | Item | Mean | Standard Deviation | Order |
1 | The internal auditor determines the investment risks from IT tools by using the cost-benefit policy. | 3.79 | 0.42 | 4 |
2 | The internal auditor identifies the risks that undermines or disrupt the controlling activities in the establishment. | 2.76 | 0.74 | 6 |
3 | The internal auditor estimates the monetary value of the risks that encounter the company and which are resulted from using IT tools. | 4.37 | 0.61 | 1 |
4 | The internal auditor identifies the frequent risks that affect the internal control efficiency. | 3.37 | 0.86 | 5 |
5 | The internal auditor prepares and suggests a list of the expected risks from using IT tools in realizing internal control. | 4.19 | 0.59 | 2 |
6 | The internal auditor prepares a detailed report of the risks and the degree of their influence on the internal control efficiency. | 3.92 | 0.52 | 3 |
Means | 3.79 |
Source: Prepared by researchers
The above table shows that the study sample's members affirm that the third item represents the highest acceptance or influence degree with a mean of 4.37. This item is embodied in the ability of the internal auditor to identify the monetary value of the risks of using the IT tools. This expresses the validity of representing the financial statements of the events that take place inside the bank which means the existence of qualitative properties of the financial statements. We also notice that the fifth item represents the second degree of acceptance or influence according to the study sample with a mean of 3.92. This item indicates the presence of a report being prepared by the internal auditor about the risks that affect the bank wherein the auditor puts priorities to deal with IT tools which helps in increasing the efficiency of internal control. This also shows the possibility of assessing and defining the internal control risks together with the methods of dealing with them to reduce their effect on the internal control efficiency. It also noticeable that the second item shows the lowest degree off acceptance or influence with a mean of 2.26 and reveals the presence of weakness in locating the risks that have great influence on the internal control efficiency. The mean of the hypothesis was 3.79 which asserts the effect of IT tools on risk assessment in the Islamic banks in Kuwait.
One-sample t-test was used in testing the first hypothesis giving the following results:
Table-6. Results of the first hypothesis test
Calculated T-value | Table T-value | Sig. | Mean | Result of hypothesis |
14.37 | 1.977 | 0 | 3.62 | rejection of null hypothesis |
Source: Prepared by researchers
The decision rule according to t-test, the alternative hypothesis is accepted if the calculated t-value was higher than the table t-value. Therefore, the null hypothesis is rejected and the alternative hypothesis is accepted which indicates the existence of an influence of using IT tools on the control environment to increase the efficiency of internal control.
Results of testing the second hypothesis
Calculated T-value | Table T-value | Sig. | Mean | Result of hypothesis |
9.73 | 1.977 | 0 | 3.79 | rejection of null hypothesis |
Source: Prepared by researchers
Based on the former rule, we reject the null hypothesis and accept the alternative hypothesis which indicates the presence of an influence to the IT tools on risk assessment through the perspective of the internal auditor.
1- The internal auditor has a role in assessing the information security policies which depend on It tools and preventing their penetration or the modification of the accounting programs and their contents illegally.
2- The internal auditor has a role in assessing the risks of using IT tools in auditing and in working to reduce their occurrence or to mitigate their effects on the financial system of the bank for example.
3- The internal auditor in the Kuwait commercial banks has a positive effect in elaborating the risks that may affect the efficiency of the electronic control system through maintaining the security and confidentiality of data and information.
4- The ability of the internal auditor to assess the monetary value of the risks that face the bank and which are resulted from using IT tools; and consequently, the financial statements express truly the monetary events that occur in the bank.
5- The internal auditor prepares reports and recommendations about the potential risks the banks may encounter. Such recommendations are to be supported by evidence.
Based on the results of the study, the following recommendations may be presented:
1- The information technology tools are double-edged for the internal auditor. The first edge represents the risks related to penetrating or modifying the financial statements as well as the unauthorized access. The second edge represents the advantages that the auditor can utilize from using IT tools represented in the speed and accuracy in exchanging accounting data and information.
2- The necessity of arranging continuous changes especially in using the It tools where the internal auditor changes the auditing program ad its timing with the technology applied in the company.
3- The internal auditor is to set the priorities of dealing with the risks of IT which have a positive effect on increasing the internal control efficiency especially in banks.
4- Holding seminars and conferences specialized in audit information technology whose axes focus on using various IT tools in the internal auditing process and functions.
5-Qualifying auditors through specialized courses about optimal use of IT tools in the auditing process.
Funding: This study received no specific financial support. Competing Interests: The authors declare that they have no competing interests. Contributors/Acknowledgement: All authors contributed equally to the conception and design of the study. |
Abdullah, K., 2012. Auditing and control in banks. Amman, Jordan: Dar Wael Publishing and Distribution.
Abu, D.Y., 2017. The impact of accounting information systems on the effectiveness of the internal control system in Jordanian Commercial Banks. Master Thesis. Al-Bayt University. Jordan. pp: 1.
Al-Hosban, A., 2009. Internal audit and control in an IT environment. Amman, Jordan: Dar Al-Hamed Publishing. pp: 37.
Al-Juwaifel, A., 2011. The role of computerized accounting information systems on effective of internal control on Jordanian islamic bank. Jordan, Amman: Middle East University. pp: 65.
Al-Sawaf, M., 2011. The effect of internal control on the sizing of operational risks in commercial banks. University of Mosul Journal Iraq: 218. Retrieved from www.iasj.net
Al-Shamma, K., 2007. The theory of organization. Amman, Jordan: Dar Al-Sira for Publishing and Distribution. pp: 36.
AL-Sharairi, M., A. Al-Hosban and H. Thnaibat, 2018. The impact of the risks of the input of accounting information systems on managerial control, accounting control and internal control in commercial banks in Jordan. International Journal of Business and Management, 13(2): 96-107. View at Google Scholar | View at Publisher
Alhosban, A.A. and M. Al-Sharairi, 2017. Role of internal auditor in dealing with computer networks technology - Applied study in islamic banks in Jordan. International Business Research, 10(6): 259-269. View at Google Scholar | View at Publisher
Alshaibi, M., 2011. Adapting internal control system with a use of IT and its effect on reliability of financial statements. Jordan, Amman: Middle East University. pp: 1.
Bo Hayek, A., 2015. The role of the accounting information system in the effectiveness of internal control in oil companies in Algeria. Master Thesis. University of Qasidi Marbah, Ouargla. Algeria. pp: 8.
Grand, C., 2004. Information security management element. Audit and Control , IIA, 8: 31.
IIA, 2004. Current impact of IT on internal auditing. Retrieved from http://www.finfarticles.com
Iliya, A., 2011. The development of IT and internal control systems. Master Thesis. Open Arab Academy in Denmark. Faculty of Administration and Economy. Accounting Department. pp: 14.
Jacobson, R., 2002. Quantifying IT risk. IIA, 5(2): 212-231.
Jagdish, P., 2002. IT audit approach, internal control, and audit decisions of an IT auditor. IIA, 3(1): 35-50.
Kulk, G.P., R.J. Peters and C. Verhoef, 2009. Quantifying IT estimation risks. Science of Computer Programming, 74(11-12): 900–933. View at Google Scholar | View at Publisher
Mair, W., 2002. ESAC risk and control environment. IIA, 5(2): 233-248.
Randy, M., 2004. Seven-step IT risk assessment. IIA: 3. Retrieved from www.iia.org,P3 .
Samukri, 2015. Influencing effective internal control system and implementing of financial accounting information system on the quality of information system. Research Journal of Finance and Accounting, 6(11): 256-266.
Sheikh Salem, F., 2007. Modern administrative concepts. Amman. Jordan: Jordan Book Center.
Taylor, D., 2006. Auditing. 6th Edn.: John Wiley. pp: 326.
Thomas, R., 2000. IT and internal control and financial statement audit. CPA Journal, 172(4): 127-148.