Article Preview
TopIntroduction
Internal audit functions of organisations have to provide independent assurance over the effectiveness and adequacy of organisational governance, control and risk management processes (The Institute of Internal Auditors Australia, 2016; The Institute of Internal Auditors & IIA, 2016). Even though the overarching objective of the internal audit function remained largely unchanged, the manner in which internal audit functions conduct their work changed quite significantly over the past few decades. Sun and Vasarhelyi (2017) explain that due to the business environment changing from largely manual processes to data-intensive technologies, vast amounts of data are being produced and maintained. These massive amounts of data are almost entirely offered in electronic format – an occurrence that is generally referred to as “big data” (Issa, 2013). Literature pose various definitions for big data, but most commonly, big data is explained as having four distinct characteristics. Volume refers to the absolute size of the dataset, velocity to the swiftness of data generation, veracity to the legitimacy of the data, and variety to the diversity of data sources (Cao, Chychyla, & Stewart, 2015; Zhang, Yang, & Appelbaum, 2015). Big data offers an unprecedented level of potential for businesses (Picciano, 2014; Warren, Moffitt, & Byrnes, 2015). Voluminous datasets contain vital business information, including data on the effectiveness of risk management and control practices, regulatory compliance and financial matters, which can be revealed by means of sophisticated analysis (De Boer, Eimers, & Elsas, 2014; Ragsdale, 2015). Despite its numerous advantages, big data also brings about additional challenges to businesses, relating to storing, computation, safeguarding and managing the data, to name but a few (Cao et al., 2015).
As far as could be determined, no academic research has yet explored the use of GAS and/or assessed the purpose of its use by internal auditors in internal audit functions associated with the IIA-Australia. This study therefore contributes to the existing body of knowledge on the purpose of the use of GAS that is employed by internal auditors from a theoretical perspective. From a practical perspective, the research findings could assist CAEs to make better-informed decisions regarding the use of GAS, as it is intended that the results of this study can be used as a benchmark that will enable CAEs to identify whether they are staying abreast of current best practice in the area of technology-based tools and techniques for tests of controls. In addition, the Standards do not as yet contain guidelines regarding the use of GAS by internal auditors. This study can thus be seen as providing impetus for the IIA to formulate definitive guidelines regarding the use of GAS by internal auditors. In addition, the results of this study may also be useful for the Information Systems and Control Association (ISACA), an internationally recognised body that sets standards and that governs the professional execution of information systems audits (Information Systems Audit and Control Association, 2020). This study’s findings may be a useful reference point from which to expand their guidance on the use of CAATs (Performance guidance, Evidence (Information Systems Audit and Control Association, 2014)), which includes GAS, to formally include the internal audit sphere.