Doctoral Degrees (School of Accountancy)

Permanent URI for this collection

http://hdl.handle.net/11660/149

Browse

Browsing Doctoral Degrees (School of Accountancy) by Subject "Auditing, Internal"

Now showing 1 - 2 of 2
  • Thumbnail Image
    ItemOpen Access
    A maturity level assessment of the use of generalised audit software by internal audit functions in the South African banking industry
    (University of the Free State, 2016-12) Smidt, Lodewicus Adriaan (Louis); Van der Nest, D. P.; Lubbe, D. S.
    English: Today’s business practices are characterised by accelerating growth in the use of technology and “big data”. It is almost unthinkable now for any organisation to function successfully without relying on its underlying information technology infrastructure: this is especially pertinent within the banking industry. Banking practices are no longer restricted to one country or jurisdiction but are characterised by cross-border transactions in multiple countries under a plethora of different legal and regulatory frameworks. For this reason, banks are reliant on a global network of data processing and information management systems to provide their core banking services and to enable them to effectively manage the macroeconomic elements of their industry. This cross-border interaction between international banks increases the systemic nature of risk in that in the event that an unwanted incident occurs it will almost inevitably affect more than just a single branch or company. The global financial crisis that occurred in 2007 was evidence of the systemic nature of risk to which the financial industry was (and remains) exposed. It further provided proof that no organisation or bank is too big or too powerful to escape unaffected. It further emphasised that excessive risk taking can be detrimental to the existence of an organisation, which in turn validated the necessity for organisations, and especially banks, to make use of reliable and independent assurance functions. As a consequence of the crisis, the banking industry continues to face ongoing and intense scrutiny by investors, the public and the banking industry’s own supervisors. In addition, increased reliance has been placed on the value that an internal audit function can contribute by enhancing a bank’s internal control environment. Internal audit, as one of an organisation’s independent assurance providers, is tasked with the important responsibility of providing an opinion regarding the effectiveness of governance, risk management and the internal controls of an organisation. However, the internal audit function today has to conduct its duties in control environments that are dominated by information technology and big data. In the same way that organisations’ and especially banks’ business models have been transformed as a result of the increased use of technology and the ever growing generation of and reliance on big data, it has equally impacted the manner in which internal audit is practiced today. This study is therefore motivated by the interest in understanding the use of technology-based tools (more specifically the use of GAS) by internal audit functions in the locally controlled South African banks. This study comprises a literature review and an empirical investigation. The literature review was undertaken to gain insight into the extent and applicability of the use of GAS by the internal audit profession, and more specifically the internal audit functions of the locally controlled South African banks. The literature review indicates that the use of GAS by internal audit functions is still at a relatively low level of maturity, despite the accelerating adoption of information technology and generation of big data within organisations. The literature review was then followed by empirical research. The results of this empirical study also confirm that the maturity of the use of GAS by the internal auditors employed by locally controlled South African banks is still lower than expected, given that we are now fully immersed in a technological-driven business environment. The empirical research component was conducted using a structured questionnaire. The structured questionnaire was developed to collect data regarding the use of GAS by the internal auditors employed by locally controlled South African banks, and specifically to address the following objectives: (1) To measure the existing practices of internal audit functions in the locally controlled South African banking industry regarding the use of GAS, against a benchmark developed from recognised data analytic maturity models, in order to assess the current maturity levels of the locally controlled South African banks in the use of this software for tests of controls; (2) To explore and identify the purposes for which GAS is presently being used by these internal audit functions; and (3) To develop recommendations that may assist internal audit functions in the locally controlled South African banking industry to reach their desired maturity levels. Opinions and perceptions were obtained from 9 of the 10 heads of internal audit departments that comprise the locally controlled segment of South Africa’s banking industry. This high response rate enabled the researcher to reach meaningful conclusions and make recommendations regarding the current preferences and applications of GAS employed by these internal audit functions. In addition, the results of this study have provided a deeper understanding of the current level of maturity of the use of GAS by the internal auditors employed by locally controlled South African banks. In addition, the results provide useful insights for internal audit practitioners, GAS vendors, professional auditing bodies (such as the IIA and ISACA), academia and researchers.
  • Thumbnail Image
    ItemOpen Access
    A risk-based audit model for internal audit engagements
    (University of the Free State, 2010-11) Coetzee, Georgina Phillipina (Philna); Lubbe, D. S.
    English: Many factors have played and are still playing contributing roles as to why internal auditors need to perform internal audit engagements more effectively and efficiently. The internal audit profession finds itself within a rapidly changing environment. The external factors affecting the profession include the various pieces of new guidance and legislation that are constantly being issued, the current global financial crisis, the occurrence of corporate and public scandals and the increased globalisation of the business environment, to name but a few. Internal factors within the organisation include management’s increased demand for internal auditing to add value, the enhancement of coordination between all the various assurance providers, such as the external and internal auditors, and the increased role of internal auditing in assisting with the management of risks that threaten the achievement of the organisation’s objectives. Within this environment the internal audit profession is growing at a tremendous rate, but at the same time it is reported that there is still a scarcity of competent internal auditors, especially in the fields of information technology and risk management. The Institute of Internal Auditors, as the governing body of the profession, is attempting to address this need by continuously issuing new professional guidance and performing research studies to provide its members with information and direction. This study investigates the evolution of the internal audit profession as well as the concepts of corporate governance and risk management, and the role of internal auditing within these fields. It specifically focuses on how internal auditors can incorporate risk in the execution of an internal audit engagement to improve their methodology; thus performing engagements more effectively and efficiently. A comprehensive literature review was conducted on these topics and a preliminary risk-based internal audit engagement model was developed based on the literature. Thereafter, organisations in both the private and the public sectors in South Africa were examined via a maturity scorecard to determine which organisations were risk mature. The top five risk mature organisations in each sector were included in the second empirical study, with the main objective of obtaining input from their chief audit executives to refine the initial risk-based engagement model. Lastly, the model was tested in a practical scenario, using a case study approach, to determine whether there may be improvements in the execution of the internal audit engagement. The results of the three empirical studies were then used to finalise the model. The study concludes that the risk-based internal audit model can be used during the planning phase of an assurance engagement, improving the process as follows: • Areas with medium to high operational risks are included in the planning of the internal audit engagement. • Low-risk areas are not included in the planning phase other than on a surprise basis according to the internal auditor’s professional judgement. • High-risk areas (inherent risk) that remain high after appropriate controls have been implemented (residual risk) are reported to management on a timely basis. The use of this model will ensure that internal auditors focus on the areas that need urgent attention and not waste time on areas that are comparatively insignificant. This will mean that scarce internal audit resources can be allocated to areas where they will add the most value to the organisation. Although it was not a main objective of this study, it was found that the risk management framework and processes, and to a lesser extent the role of internal auditing regarding risk-related aspects within the public sector, need improvement to be in line with legislation, other guidance and best practices.