Factors associated with IT audits by internal audit functions

Responses from a large sample of 1029 chief audit executives (CAEs) from Australia, Canada, New Zealand, the UK/Ireland, and the US are used to estimate the proportion of time spent by the internal audit functions (IAFs) on information technology (IT) audits. The sample is also used to investigate explanatory and control variables that are associated with the extent of IT audits by the IAFs. The results show that the proportion of the IAF time spent on IT audits was only 7.97% in 2003, 10.61% in 2006, and was projected to be 13.40% in 2009, indicating an approximately 1% increase per year. Multivariate regression indicates that four variables; the certified information system auditor (CISA) certification, IAF age, training, and the number of organizational employees are significantly and positively associated with IT audits by the IAFs. Other common certifications such as CIA, CPA, and CMA are not positively associated with the proportion of IT audits. Also, while CAE experience, education level, and the country of residence did not affect the results, an IS/CS (information system/computer science) was significant and positive in two of the four models tested. Implications for additional research and practice are discussed.