Improvements in Audit Risks Related to Information Technology Frauds

In this paper, the authors examine how different types of fraud in most Information Technology (IT) environments affect an audit risk model from 2001 through 2008. Variations in IT fraud are questionable for determining the audit risks that affect audit quality and report. The data sources in this study came from the Computer Crime and Security Survey report (CSI) 2008. By relating different IT fraud to audit risk components through trend analysis in IT fraud improvements from 2001 to 2008, the authors measured declined percentages for control risks, inherent risks, and detection risks. They found that an improvement in control risks has been achieved up to 52.80%, 43% for detection risks, and 14% for inherent risks. An overall improvement in audit risk is 47.5%, which is a considerable development in audit quality. The study shows that progress in detecting IT fraud positively reduced audit risks and has significantly increased the audit quality since 2001. DOI: 10.4018/jeis.2012040104 International Journal of Enterprise Information Systems, 8(2), 52-63, April-June 2012 53 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. new or enhanced standards for all U.S. public company boards, management, and public accounting firms. The ultimate purpose of the legislation would be ideally to produce the most reliable financial information for different user of that information. If auditors are supposed to achieve this goal, they should manage and reduce the audit risk. The lower audit risks inevitably increase audit report quality. Recent corporate collapses and the new guidelines and legislation of Sarbanes-Oxley Act emphasize the importance of audit risks. Risk assessment in an audit environment is one of essential tasks of every external auditor. Adams et al. (2005) argue that “... clients with greater risk of fraud are less likely to engage prospective auditors in competitive bidding, consistent with the theory that these companies seek to limit access to information that might reveal their high-risk status” (p. 417). Audit risks have three components in a classic view including inherent risk, control risk and detection risk. Auditors of the financial statements are practically exposed to minimize audit risk at the actual lowest possible level. If an auditor fails to do this, then not only nature, timing and extent of other substantive procedures will be affected but also it sometimes causes to issue a wrong audit report that indeed bears auditors with heavy legal penalties. As a result, the risk of producing wrong audit reports is high when audit risk is high. According to Chemuturi (2008, p. 6): “Evaluating fraud risk factors is probably the most difficult part of assessing overall audit risk, and owes its complexity to the fact that human behavior cannot be predicted with certainty. A recent study by the Association of Certified Fraud Examiners estimated that US organizations lose approximately 5% of annual revenue to fraud.” The reliability of information is significantly affected by the design of the computerized internal controls systems (Kearns & Baker, 2011). As IT systems prevail all over today business entities’ systems of almost all-type sizes and integrated with the internal control systems in many ways (Fukukawa et al., 2006), therefore auditors should consider their due care and skill for understanding the internal control to perform control tests during audit engagements (ISA 315). IT systems are complex by its natures and detecting any types of risks related to information systems, frauds, crimes and IT attacks causes many financial and non-financial damages to their clients. As a result, IT frauds are complex in nature and auditor expose to higher risks to those IT frauds where those frauds eventually will affect the reliability of financial statement of auditors’ client. Despite how to detect IT frauds, we evaluate how did IT frauds detections audit risks’ components in this study. Although there are recently plenty of research on audit risks and fraud, but effect on a lack of investigation exists on how the IT frauds impact on audit risk model. This research enhances to the previous literature by establishing a contractual framework to analysis IT frauds in audit risk model. Then, we measure arithmetically the frauds in term of either increase or decrease in audit risk components and model. This investigation is innovative by looking at the CSI survey to understand the trend in different IT frauds and integrated them with inherent, detection and control risk to measure the level of improvements in whole audit risk model. This paper relates theoretical and practical issues of audit risks with different IT frauds. The rest of the paper is organized in five sections. First, a discussion is provided about the audit risk and defines the auditors’ responsibilities to understand and have enough knowledge and skills of their client IT environment and IS. Then, IS risks are identified following up the methodology and results of the study. This is followed by the study’s conclusions and limitations.