Factors associated with IT audits by the internal audit function

Responses from a large sample of 1,029 chief audit executives (CAEs) from Australia, Canada, New Zealand, the U.K./Ireland, and the U.S. are used to estimate the proportion of time spent by internal audit functions (IAF) on information technology (IT) audits. The sample is also used to investigate explanatory and control variables that are associated with the extent of IT audits by IAFs. The results show that the proportion of IAF time spent on IT audits was only 7.97 percent in 2003, 10.61 percent in 2006, and was projected to be 13.40 percent in 2009, indicating an approximately one percent increase per year. Multivariate regression indicates that four variables; Certified Information System Auditor (CISA) certification, IAF age, training, and the number of organizational employees are significantly and positively associated with IT audits by IAFs. Other common certifications such as CIA, CPA, and CMA are not positively associated with the proportion of IT audits. Also, while CAE experience, education level, and the country of residence did not affect the results, an IS/CS (information system/computer science) was significant and positive in two of the four models tested. Implications for additional research and practice are discussed.