Information Systems Risk and Audit Planning by Jean C. Bedard, Lynford Graham and Cynthia Jackson. International Journal of Auditing. Int. J. Audit. 9: 147–163 (2005)
The purpose of the above research article is to provide empirical evidence on the nature and frequency of client characteristics affecting audit planning relevant to systems risk, and to assess the association of these characteristics with auditors’ systems risk assessments and audit planning decisions.
From Wikipedia: The word research derives from Middle French; its literal meaning is ‘to investigate thoroughly’. Research is often described as an active, diligent, and systematic process of inquiry aimed at discovering, interpreting, and revising facts. This intellectual investigation produces a greater understanding of events, behaviors, or theories, and makes practical applications through laws and theories. The term research is also used to describe a collection of information about a particular subject, and is usually associated with science and the scientific method.
Keeping the above definitions of research in mind, the article “Information Systems Risk and Audit Planning” by Jean C. Bedard, Lynford Graham and Cynthia Jackson can be categorized as a research article, as the writers seem to have followed the basic structure and completed the investigative requirements. The researchers have attempted to provide empirical evidence on the consideration of information systems risk in a financial statement audit. This is a key issue because the importance of information systems to businesses has increased steadily over the past decade, as has the importance of internal control to companies and to their auditors.
The writers have used empirical research to approach this topic, as the article itself identifies. The basic aim of the article was to provide empirical evidence on the consideration of information systems risk in a financial statement audit. To perform the study, they described the types of client characteristics identified by the auditors as being relevant to planning, and related those characteristics to systems risk assessments and testing plans. Generally, empirical research is any research that bases its findings on direct or indirect observation as its test of reality. In this research, focus groups consisting of partners and managers of the participating organization were initially employed, which helped to determine the research task. This seems to be an appropriate method, especially when specific statements from the firm’s decision aid for risk identification and assessment had to be identified. In ranking risk areas on appropriateness for the study, the focus groups considered such factors as the importance of the risk area in audit planning, its application to a broad range of clients, and its potential for differentiating more from less risky clients. Among these issues are the two systems risk areas considered in this study, previously described: (1) whether top management sufficiently oversees and addresses the risks related to data security and EDP system security for critical information systems; and (2) whether there are weaknesses in the relevance, completeness, timeliness and reliability of management information used by the company to monitor enterprise activity.
Finally, data for this study were collected from auditors serving on engagement teams for various clients of two accounting firms (now among the Big 4), in the presence of one of the authors. Selection and scheduling of participants were accomplished with the assistance of a contact person at each firm, who was only aware that the study concerned audit planning. Due to client confidentiality concerns, the authors were unaware of the identity of the clients on which the participants were responding. Participants responded to a questionnaire about characteristics of one of their actual clients, which was selected in advance of the research session.
Research Questions and their Effectiveness
In the article three research questions have been formulated to acquire understanding of the research problem:
1. What is the nature of systems risk factors identified by auditors as important in engagement planning?
2. Which types of client characteristics are associated with differences in risk assessments?
3. Which types of risk factors are associated with planning specific types of audit tests?
The first research question concerns the nature of client risk characteristics present in a representative sample of audit clients. The second research question relates to the association of client characteristics and risk assessments within each risk area. Auditing standards note that auditors should respond to engagement risks by increasing their risk assessments and altering the nature, timing, and extent of audit procedures. The third and final research question considers the role of system risk factors in planning audit tests. As noted previously, auditing standards indicate that auditors should adjust the audit plan to reflect client risk factors.
The above research questions seem satisfactory to warrant an answer and are also in line with the research objective specified at the start of the article: “To provide empirical evidence on the consideration of information systems risk in a financial statement audit.” This is so because the first question prompts an answer covering the initial planning phase, when risk assessment for any client is being done; the second question addresses the identification of client characteristics in order to understand the differences; and finally there is the understanding of risk factors which may be related to EDP or management information quality risk assessment.
The rationale for the study has been effectively incorporated in the Background section along with the research questions, which forms a basis for their justification. As the reader goes through the research paper, it can be appreciated that the authors have clearly specified their objective at the outset, and have also clearly stated the research questions, their importance to the study, and how each of the three questions helps to solve the research task.
Implications and Key Limitations of the Research
One of the major limitations of this type of research is the confidential nature of the information with which the researchers deal and the obvious reluctance shown by the managers and partners of the participating organization to share such information.
Another limitation is that the researchers examined the auditors’ memories of client conditions – essentially, the researchers studied how auditors assess risk and plan tests in light of conditions that they identify. Thus, in contrast to behavioral experiments, the design of this study could not assess memory accuracy. An alternative means of addressing the questions studied is through an archival study of audit workpapers. In contrast to this study of individual responses, audit workpapers capture the end product of group decisions. Further research should address whether the results of this study hold using behavioral and/or archival approaches.
Despite the key role of information systems in corporate control and in financial statement audits, the authors could not find any research which could provide evidence on the nature of risk characteristics commonly present in business systems, and the implications of such risks for audit planning. This study addressed this research gap by examining two crucial areas of information systems risk: EDP security and management information quality. These risk-areas encompass the physical and electronic integrity of client systems, and the appropriateness of information contained in those systems, respectively.
Identification of Research Conclusions and Results
The conclusions and results of the study are mentioned twice, which informs the reader about the researchers’ intentions and the level of achievement of the research objectives. The article summary first informs the reader of the main findings, and their full description can be found in the Discussion section.
The main findings of the study encompass two major aspects. The first is the lack of significant association between risk factors and risk assessments in the EDP security risk area, while strong associations were found in management information quality. The second is that control environment factors affect planning in management information quality, but not in EDP security. The recent high-profile cases of corporate fraud, featuring possible management override of controls, emphasize that auditors must react appropriately to issues of information system security and management style/competence. Thus, the results support the recent emphasis on internal controls in US and international auditing standards.
This study addresses this research gap by examining two crucial areas of information systems risk: EDP security and management information quality. To address this issue, the researchers asked participating auditors to document the frequency of specific client characteristics in these two risk areas, which they consider when planning for an actual client engagement. The researchers also asked them to provide a risk assessment within each risk area, and to plan audit procedures to address the identified risks. Results show that auditors predominately identified client characteristics that would increase systems risk (i.e., negative characteristics, commonly termed risk factors), although some positive characteristics that would decrease systems risk were also identified. The most frequent risk factors identified in the area of EDP security are related to system security controls, outdated systems, and management style/attitude. In the management information area, the most frequently identified risk factors relate to the nature of information produced by client systems, followed by factors relating to management style/attitude and management competence.
Areas of Further Research
As mentioned in the article, in contrast to behavioral experiments, the design of this study could not assess memory accuracy. An alternative means of addressing the questions studied is through an archival study of audit workpapers. In contrast to this study of individual responses, audit workpapers capture the end product of group decisions. Further research should address whether the results of this study hold using behavioral and/or archival approaches.
Overall Effectiveness of the Exercise
This exercise proved to be a tremendous learning experience as far as understanding of research articles and the way they should be approached is concerned. To write a critique on a research article requires a thorough understanding of the basics of writing a research article, various research methods to use and how to conduct the research itself with an appropriate research design.
Jean C. Bedard, Lynford Graham & Cynthia Jackson. (2005) Information Systems Risk and Audit Planning. International Journal of Auditing. Int. J. Audit. 9: 147–163 (2005)