One Team or Two? Investigating Relationship Quality between Auditors and IT
Specialists: Implications for Audit Team Identity and the Audit Process
Tim Bauer*
University of Illinois at Urbana-Champaign
[email protected]
Cassandra Estep
Emory University
[email protected]
September 2016
*Corresponding author
Address: 204 Wohlers Hall, 1206 S. Sixth Street, Champaign, IL 61820
Phone: 217-333-9409
Fax: 217-244-0902
We thank Elizabeth Altiero and Susan McCracken for feedback on our interview materials, and Clara Chen, Sally
Gunz, Greg Northcraft, and Mark Peecher for counsel on research design and direction. We appreciate the helpful
comments and suggestions from Chris Agoglia, two anonymous reviewers, Elizabeth Altiero, Anthony Bucaro,
Richard Crowley, Susan Curtis, Keith Czerney, Paul Demere, Brooke Elliott, Brent Garza, Shawn Gordon,
Stephanie Grant, Emily Griffith, Christie Hayne, Gary Hecht, Sean Hillison, Kris Hoang, Elena Klevsky, Jeremy
Lill, James Long, Pankaj Nagpal, Steve Salterio, Andrew Trotman, and participants at a doctoral seminar at the
University of Florida and workshops at the 2013 ABO Research Conference, 2015 EAA Annual Congress, 2015
CAAA Annual Conference, 2015 International Symposium on Audit Research, 2015 AAA Annual Meeting and the
universities of Illinois and Sao Paulo. Thank you to the interview respondents themselves. Approval has been
obtained for this study from the Institutional Review Board of the University of Illinois.
One Team or Two? Investigating Relationship Quality between Auditors and IT
Specialists: Implications for Audit Team Identity and the Audit Process
Abstract
While prior research focuses on the hierarchical audit team comprised of auditors, we focus on
the collective audit team comprised of auditors and information technology (IT) specialists. The
motivation for understanding this collective audit team comes from complex systems in today’s
audits and concerns from researchers and regulators regarding ineffective communication and
coordination between the two specializations. Specifically, we investigate how relationships
between auditors and IT specialists are perceived and what these relationships mean for the
audit. Results of interviews conducted with Big 4 audit and IT practitioners provide evidence
that relationship quality between the two is perceived to primarily depend on communication and
mutual trust and respect. Auditors assert a one-team view of the collective audit team that
includes IT specialists but IT specialists feel auditors see them as a separate team and a
“necessary evil.” The audit process vastly differs between relationships perceived as difficult and
good. Difficult relationships appear to have less widespread IT specialist involvement and less
collaboration when modifying audit procedures given unexpected IT issues. These findings
imply audit teams with difficult relationships may be at risk of poor integration, insufficient
testing, and unsupported reliance on IT functions, shedding light on recurring threats to audit
quality identified by PCAOB inspections. In good relationships, auditors and IT specialists
appear motivated to interact often and work together to reduce knowledge gaps and complete the
audit. Inferences gleaned from good relationships allow us to highlight potential prescriptions for
audit firms to improve the effectiveness of collective audit teams.
Keywords: audit team integration; IT specialists; relationship quality; collective team identity.
1. Introduction
Specialists have become vital contributors on audit engagements due to complex systems
and transactions in the modern day audit, especially with respect to the information technology
(IT) function (Brynjolfsson and McAfee 2011; EY 2012; PwC 2015). Thus, it is important for IT
specialists and auditors to work well together. A failure to jointly coordinate and communicate
can jeopardize audit quality as audit teams may rely on IT controls, system-generated audit
evidence, and IT specialist conclusions without sufficient testing or understanding therein
(Curtis, Jenkins, Bedard, and Deis 2009; PCAOB 2012a). Such undue reliance increases the risk
of failing to identify a material misstatement because audit teams may improperly assess control
and misstatement risk or heavily rely on client data that is incomplete and/or inaccurate and thus,
unreliable. Presently, prior research and the PCAOB identify communication and coordination
between auditors and IT specialists as generally lacking or ineffective (Danos, Eichenseher, and
Holt 1989, PCAOB 2012a), with such failures identified as potential root causes of IT-related
audit deficiencies in internal controls over financial reporting (ICFR) (PCAOB 2012a).
We seek to move beyond the premise that auditor and IT specialist coordination and
communication is generally deficient by providing insight into when these areas are particularly
worrisome or effective. Intergroup theory suggests relationship quality can shape team behavior
and interactions (Szulanski 1996, 2000), and ultimately how the audit is carried out. Thus, for
audit teams comprised of auditors and IT specialists, our goal is to investigate how relationships
between the two are perceived and what these relationships mean for the audit.
Prior research involving audit teams, though limited, informs our understanding of the
audit team comprised of auditors (Trotman, Bauer, and Humphreys 2015). Such teams are
hierarchical with increasing levels of knowledge (e.g., from senior to manager to partner) that
1
drives assignment of tasks, which members prepare versus review workpapers, etc. (Solomon
1987; Rich, Solomon, and Trotman 1997; Nelson and Tan 2005). This hierarchical framework,
however, less suitably characterizes a collective audit team comprised of auditors and IT
specialists. IT specialists on a collective audit team have their own hierarchy, but coordination
across the two specializations (financial statement audit and IT) may not follow the rank
hierarchy due to possession of specialized knowledge. For example, an audit senior, with
knowledge of in-scope accounts and processes, may assign tasks to a higher rank IT manager.
Moreover, it is unclear if the collective audit team is in fact a team. The few studies that consider
interactions of auditors and IT specialists tend to view IT specialists as consultants to the auditor
(Danos et al. 1989) or as consultants sometimes and as team members at other times (Curtis et al.
2009; Boritz, Kochetova-Kozloski, Robinson, and Wong 2015). In practice, how IT specialists
are described varies from consultants who support the auditors (PwC 2015) to part of a broader
or collective audit team (EY 2012). In any case, evidence suggests the perceived value of IT
specialist expertise to the audit is mixed and relationships between auditors and IT specialists are
at times strained (Vendrzyk and Bagranoff 2003; Boritz et al. 2015).
We extend prior research on audit teams and specialists by examining the interplay of
relationships between auditors and IT specialists, identification with a collective audit team, and
the audit process. Our insights are gained from interviews with 16 auditors and 17 IT specialists
from the Big 4 accounting firms where we asked them to describe two audit examples; one when
the working relationship with the other specialization was good and one when it was difficult.
We rely on Social Identity Theory and theory on intergroup processes to analyze our interview
content to understand whether auditors and IT specialists commonly identify their relationship as
one collective team or two distinct groups and how such views are intertwined with perceptions
2
of difficult and good relationships. We further leverage our theory to examine how the audit
transpires when the relationship between specializations is a) difficult and b) good, and whether
findings for the former provide insight into problems identified in PCAOB inspections. Given
findings for the latter, we also offer potential prescriptions for effective audit team practice.
We find auditors and IT specialists disagree in their views of the collective audit team. In
general, auditor respondents espouse a one-team view that includes IT specialists (but believe IT
specialists do not include themselves) whereas IT specialist respondents see themselves as part
of the audit team (but think auditors hold a two-team view). This implies that auditors and IT
specialists do not always approach their joint audit as a team. However, respondents’ specific
examples of good and difficult relationships with the other specialization depict a more nuanced
story. Good relationships are perceived to be built on mutual value and respect, characteristics
that typically define teams with a strong one-team view or collective team identity (Dovidio,
Gaertner, and Validzic 1998). Difficult relationships are perceived to have a “two team
mentality”, with IT specialists often seen as a “necessary evil”, and reflect a weaker audit team
identity than good relationships. Unlike the highly internalized and strong professional identity,
these perceptions imply the collective audit team identity is somewhat fleeting but can still be
strong in certain situations (Rousseau 1998; Bauer 2015).
Further, the audit process differs considerably for audit examples perceived to have a
difficult, versus good, relationship between auditors and IT specialists. Difficult situations are
fraught with poor communication; coordination between the two specializations are typically
infrequent, untimely, and/or non-existent such that they are merely “throwing things over the
fence.” In addition, IT specialists are not heavily involved in planning or scoping and there is
little evidence of collaboration to resolve IT issues or determine changes to audit procedures
3
(given unexpected IT results). Our respondents indicate these communication and coordination
issues can arise from auditors who do not want to listen, IT specialists who do not want to talk,
or one side not having enough time or knowledge to understand the other. These issues may also
shed light on why certain negative inspection findings recur in PCAOB reports, such as failing to
test IT general controls for critical systems (PCAOB 2011a, 2011b, 2012b, 2012d, 2015b). If IT
specialists are not involved in planning and scoping, auditors may not fully grasp all of the key
systems that require testing or IT specialists may be unaware which systems or controls the
auditors are relying on them to test.
Our findings also extend prior research that indicates auditors feel they have insufficient
knowledge to understand specialist areas or specialists are reluctant to heavily interact with
auditors to complete the audit (Boritz et al. 2015; Griffith 2016). Importantly, auditors and IT
specialists push beyond these tendencies when their relationships are good. In such situations
they communicate early and often, try harder to help the other understand their work and reduce
knowledge gaps, and work together to respond to issues and achieve timely audit completion. IT
specialists also tend to be heavily involved in planning and scoping, utilized in a wider array of
tests, and frequently review the work of auditors. This last finding highlights one activity that we
suggest audit firms consider as a formal requirement. While audit standards prescribe auditors to
review the work of specialists (PCAOB 2010), IT specialists’ review of auditor work appears to
improve collective audit team effectiveness, via a more thorough assessment of whether the audit
plan has been adjusted in light of IT results or which IT controls are in scope to ensure they are
tested. Having IT specialists review auditors’ work is likely a source of good practice.
Section 2 discusses theoretical foundations for our research. Sections 3 and 4 detail our
research methodology and results. Section 5 provides conclusions.
4
2. Context and Theory Development
Existing literature on audit teams and specialists
Prior research on audit teams is somewhat sparse (Nelson and Tan 2005; Trotman et al.
2015). Within this literature, the focus largely centers on the review process and accountability
of audit teams comprised of auditors (Bobek, Daugherty, and Radtke 2012). The hierarchical
nature of such teams typically results in members with higher levels of experience performing
more complex tasks and reviewing workpapers of more basic tasks prepared by members with
less experience (Solomon 1987; Libby and Trotman 1993; Rich et al. 1997; Nelson and Tan
2005), particularly when the audit process is highly structured (Prawitt 1995). Further, the higher
the risk in an audit area, the more members with higher experience will be involved in reviewing
the work and ensuring appropriate conclusions are reached (Rich et al. 1997). A trend emerged
in the 1990’s, changing task assignment and review, where reviewers now work in tandem and
routinely communicate with preparers (rather than when workpapers are completed), and direct
preparers’ efforts upfront (Rich et al. 1997).1
One implication from Rich et al. (1997) is that audit team working relationships and the
audit process have evolved to be more collaborative and proactive; other observations from
practice indicate much audit work, particularly control work, remains individually performed and
reviewed (Leech 2000). And yet, whether in review, in brainstorming, or in general, prior audit
team research indicates superior team performance is more often produced by aggregating the
decisions of individual members in the hierarchy without interacting (Trotman, Yetton, and
Zimmer 1983; Owhoso, Messier, and Lynch 2002; Chen, Trotman, and Zhou 2015). This can
1
Accordingly, audit research also emerged to examine the different outcomes resulting from real-time, delayed,
face-to-face, or electronic reviews or reviews with and without discussion (e.g., Ismail and Trotman 1995; Gibbins
and Trotman 2002; Brazel, Agoglia, and Hatfield 2004; for a review see Trotman et al. 2015).
5
result from interacting members believing another member will do the work (overreliance) or
failing to give more weight to experts’ input in their area of expertise (improper integration).
Thus, even within the prevailing hierarchical framework, important questions remain about
whether or when working as a team produces more effective outcomes and little research has
focused on whether and when such audit teams actually interact.2 For aspects of the audit team or
process that do not fit this framework, our understanding is even more impoverished.
The collective audit team comprised of auditors and IT specialists is one area where the
hierarchical framework of the audit team appears less suitable, which begs the question of what
the working relationships and audit processes look like for such teams. On a collective audit
team, both auditors and IT specialists have their own rank-based hierarchy based on experience
(e.g., from senior to manager to partner) within their area of specialization (financial statement
audit and IT). While assignment and review of work within each specialization likely follows the
typical hierarchical flow, auditors typically identify what audit work each specialization is
responsible for. We believe this follows from Auditing Standard (AS) 10, which prescribes that
the audit partner is ultimately responsible for the audit and should dictate and review the work of
other parties (e.g., IT specialists) who assist the audit (PCAOB 2010).3 Thus, an audit senior who
possesses less IT-specific knowledge may assign IT-related audit tasks to the higher rank IT
specialist. This can be appropriate in cases where the audit senior has a richer understanding of
the client’s business and more direct knowledge of in-scope processes. However, the IT
manager’s superior expertise in systems and controls, particularly for complex systems (Brazel
and Agoglia 2007) can lead to cases where s/he better understands what systems are critical or
not to financial reporting. Further, there are areas where both auditors and IT specialists have
2
3
A notable exception is that audit team members collaborate when facing audit challenges (Bobek et al. 2012).
Under the reorganized standards effective December 31, 2016, AS 10 will become AS 1201.
6
expertise, such as business process control work. Historically, auditors have done much of this
work (O’Donnell, Arnold, and Sutton 2000), but given that IT specialists have expertise in
controls – within IT, but also in general (Brazel and Agoglia 2007) – it is unclear how division of
responsibilities should occur. We are unaware of literature that indicates when, who (auditors or
IT specialists), and how audit work is assigned and divided between the two specializations.
Perhaps more fundamental to understanding how members of a collective audit team
work together and carry out an audit is whether it can be considered a team at all. Early literature
refers to IT (and other) specialists as individuals outside the audit team who auditors consult with
somewhat infrequently in order to obtain information and reduce uncertainty in auditor decisions
(Danos et al. 1989; Rudolph and Welker 1998). Consultations tend to occur when difficult issues
arise and vary in the extent to which the conclusions of consultants or specialists are binding
(Gibbins and Emby 1985; Salterio and Denham 1997; Gold, Knechel, and Wallage 2012).
However, given the dramatic changes and complexity in IT underlying businesses of audit clients
over the last 25 years, IT specialists are routinely involved in audits and IT testing is a major
component of most audits (O’Donnell et al. 2000; Brazel and Agoglia 2007). Thus,
characterizing specialists as consultants on difficult issues only no longer seems accurate.
Recent research and pronouncements from practice do little to clarify whether IT
specialists are part of the audit team or outside specialists enlisted to help the audit team when
needed. Bobek et al. (2012) refer to technical specialists as firm members outside the audit team
and appear to only have auditors in their sample of audit team members. Curtis et al. (2009) and
Boritz et al. (2015) refer to IT specialists as consultants sometimes and audit team members at
other times. Audit firm descriptions of IT (and other) specialists vary from consultants who
support the auditors (PwC 2015) to members of a broader or collective audit team (EY 2012).
7
One-team versus two-team view of the audit team
Whether auditors and IT specialists see their relationship as one collective team or two
separate teams is likely important as research suggests the extent to which individuals view
themselves as one team, or not, can influence the way they work together and complete joint or
inter-connected tasks (Kane, Argote and Levine 2005; Kane 2010; Dovidio et al. 1998).
Individuals who see themselves as one collective team are said to share a common in-group
identity (Dovidio et al. 1998); this “social identity is a characteristic of the relationship between
units” (Kane 2010, 644). A social identity is part of an individual’s sense of self, which is gained
from feeling a sense of belonging to a social group (or distance from another social group) and
shapes the individual’s attitudes and behavior (Tajfel 1978).4 In a relationship such as an audit
team, when members of two distinct specializations (auditors and IT specialists) perceive they
share one collective (audit) team identity they tend to have more positive feelings toward each
other and treat each other more favorably than if they saw each specialization and its members as
a separate team (Dovidio et al. 1998; Kane 2010).5
More generally, auditors and IT specialists may perceive their relationship with each
other as one collective audit team because they share a common goal or fate – to issue an opinion
on the reliability of financial statements and/or internal control over financial reporting (ICFR).
Sharing common goals or fate can increase the extent to which individuals view themselves as
one team with a common identity (Rousseau 1998; Bauer 2015). Conversely, because they are
from two different functional units, auditors and IT specialists may focus on their dissimilarities
(Kane et al. 2005; Kane 2010) and see their relationship as two distinct teams. A two team view
4
Theory on intergroup processes is rooted in social identity and social categorization but more generally examines
how members of groups behave and relate to members of other groups (Hogg 2003).
5
Social identities are often viewed as a continuum in terms of strength. For team identity, a one-team view can be
described as a stronger team identity, while a two-team view can be characterized as a weaker team identity.
8
that lacks a common identity can occur when individuals do not have mutual value or respect for
each other or do not see each other as equal status (Dovidio et al. 1998). Thus, a collective audit
team identity may be lacking given 1) IT specialists perform both audit and non-audit services
and may be seen as “hired guns” for the audit, 2) auditors, at times, dispute the value of IT
specialists to the audit (Vendrzyk and Bagranoff 2003; Curtis et al. 2009), and 3) auditors and IT
(and other) specialists have conflicting views on how to conduct an audit (Boritz et al. 2015).
These reasons plus the differences in functional backgrounds, routine tasks, and jargon
between the two specializations may influence relationship quality, which has been linked to
team identity perceptions. Research on social identity suggests auditors and IT specialists who
have a more harmonious (good) relationship more likely identify as one audit team (and vice
versa) and are more likely to be cooperative (Dovidio et al. 1998; Kane et al. 2005). Good team
relationships have an “intimacy” to them, perhaps reflected by the strong ties between members
(Hansen 1999; Szulanski 2000, 11). Alternatively, auditors and IT specialists who have a more
difficult relationship more likely see themselves as two distinct teams – either auditors or IT
specialists – and are more likely to experience conflict and coordinate (or share information)
with each other in a cursory manner (Dovidio et al. 1998; Kane 2010). Difficult or “arduous”
relationships tend to be distant (Szulanski 1996, 28) with poorer communication than good
relationships (Szulanski 1996, 2000).
Relationship quality and the audit process
Research and regulators identify coordination and communication between auditors and
IT specialists as an area of significant concern. Specialized knowledge and differences in
background and jargon lower the frequency of interaction between the two specializations and
the ability of each to incorporate shared information into judgments and decisions (Danos et al.
9
1989; Brazel and Agoglia 2007; Curtis et al. 2009). Further, a large number of IT-related
deficiencies in internal control over financial reporting (ICFR) have been noted in PCAOB
inspection reports.6 The PCAOB has identified ineffective coordination and communication
between auditors and IT specialists as a root cause of these deficiencies (PCAOB 2012a).
We investigate the relationships between auditors and IT specialists as a means to
understand when these concerns are particularly worrisome, but also when coordination and
communication are highly effective. The interpersonal and team focus of performing audit work
suggest relationships between auditors and IT specialists likely play a critical role in the
effectiveness of their interactions. Vera-Munoz, Ho, and Chow (2006, 146) state “Team based
structures foster development of personal relationships, which in turn may raise auditors’
motivation to cooperate and share knowledge.” However, as indicated previously, the quality of
the relationships between auditors and IT specialists likely matters for whether motivation to
cooperate and share knowledge increases, or decreases (Szulanski 1996, 2000). In the broader
team literature, functionally-diverse teams vary considerably in how well they relate to each
other and how they work together to perform their duties (van Knippenberg and Schippers 2007).
In the audit literature, because of firm methodology/guidance and audit/professional
standards, the audit process is routine, standardized, and structured (Westermann, Bedard, and
Earley 2015). Further, audits are performed by professionals who strive to conduct their work in
a “business-like manner” (Anderson-Gough, Grey, and Robson 2001, 102). This rigor helps
legitimize the audit work papers, process, and profession (Curtis and Turley 2007) and may
reduce effects of relationship quality on how audits are performed. For example, Grey (1998)
6
One author coded all Big 4 PCAOB inspection reports issued through July 31, 2016 to identify ICFR and ITrelated deficiencies. Of all deficiencies, 43 percent are ICFR-related, and 43 of the 48 reports issued (90 percent)
contain at least one IT-related deficiency. Of all deficiencies, 23 percent relate to IT controls or insufficient
validation of the underlying system-generated data that is used in testing and reliance for audit procedures.
10
notes how auditors discussing performance evaluations state that being professional means trying
to be unbiased and fair, and to rise above or learn from experiences of being treated unfairly.
Similarly, professionals on an audit team likely strive to not allow their relationships with other
team members, whether good or difficult, to cloud their judgment or impact their audit decisions.
However, given prior research showing stronger team relationships produce superior
team processes and outcomes in work contexts (Szulanski 1996, 2000; Kane et al. 2005; Kane
2010), relationship quality is likely important to how audits transpire. Information integration
between workgroups is a difficult, effortful process and difficult relationships can increase effort
needed to navigate the onerous integration process (Szulanski 2000). Szulanski (1996, 2000)
finds arduous relationships between members of different groups are one of three major barriers
to information integration that leads to time delays, budget overruns, and satisfaction gaps. In
part, relationship quality influences the “recipient’s ability to acquire knowledge when needed”
(Szulanski 1996, 36) or how receptive they are to integrating information provided by a member
of another workgroup. For example, either group may not be available or make themselves
available when their relationship is weak, and thus say things like “it would have been faster to
do it ourselves” (Hansen 1999, 88).
If relationship quality matters to how audits are performed then audit teams with more
difficult relationships are more likely to exhibit the overreliance and integration problems that
regulators and researchers worry may diminish audit quality (e.g., Curtis et al. 2009; PCAOB
2012a). An ineffective audit of the IT function could result in misassessment of control risk and
insufficient substantive testing, thereby increasing the risk the audit team fails to identify a
material misstatement or inappropriately provides a clean audit opinion on the effectiveness of
ICFR or the financial statements as a whole (PCAOB 2012a). Better relationships, on the other
11
hand, may be able to avoid these issues. If so, they can provide insight into best practices and
ways to avoid the pitfalls of poor team-based work product.
Thus, the purpose of this paper is to understand how relationships between auditors and
IT specialists are perceived and what these relationships mean for the audit. We use a field study
approach, which is well suited for this purpose as it allows us to more fully examine contextual
features of relationship dynamics (Chatman, Polzer, Barsade, and Neale 1998) between auditors
and IT specialists, and determine whether our theories of interest (intergroup processes and SIT)
provide a means to explain what we observe in our interviews (Malsch and Salterio 2016).
3. Method
Participants and interviews
We interviewed 33 practitioners, 16 auditors and 17 IT specialists, from multiple offices
of each of the Big Four audit firms between January 2013 and August 2014.7 Within each firm
we targeted individuals ranking from senior to partner, who we identified through our personal
professional networks, assistance from firm personnel, and references from other interviewees.
Our auditor (IT specialist) respondents’ experience ranges from four (four) to 28 (23) years
within a variety of industry specializations, with an average of 11 (10) years. See Table 1 for
respondents’ demographic information.
Interviews were semi-structured (e.g., Hirst and Koonce 1996; McCracken, Salterio, and
Gibbins 2008), averaged 50 minutes in length, and were recorded.8 We conducted 12 interviews
jointly and one researcher, who was present for all interviews, transcribed each interview. We
The number of auditor and IT specialist respondents from each firm is as follows: Firm 1 – six audit, eight IT; Firm
2 – five audit, three IT; Firm 3 – three audit, four IT; and Firm 4 – two audit, two IT. Prior research uses various
terms to refer to IT practitioners, both auditor versus specialist and IT versus other names (e.g., computer assurance
auditors, accounting information systems specialists). In the paper we use the term IT specialist but we consider the
terms interchangeable. We mostly used the terms financial auditors and IT auditors to differentiate between the two
groups throughout the interviews.
8
Four interviews were conducted via phone and all others were conducted face-to-face.
7
12
developed our instrument based on prior literature on social identity and teams (e.g., Mael and
Ashforth 1992; Van der Vegt and Bunderson 2005; Bamber and Iyer 2007), prior interviewbased accounting studies (e.g., McCracken et al. 2008), our own experience, and discussions
with practitioners and a regulatory inspector. We solicited feedback from academic colleagues
and former audit practitioners and revised our protocol, as necessary.
To establish a rapport, we began our interviews with questions regarding the process for
involving IT specialists; we then requested respondents to think of specific examples from their
own experience (Gibbins and Trotman 2002; McCracken et al. 2008). We asked respondents to
describe an audit engagement example of both a good and a difficult working relationship with
the other specialization (herein referred to as Good and Difficult) to identify variation in
relationship quality.9 By discussing specific examples, we can investigate details about how
audits differ between relationship types without requiring respondents to generalize their
experiences. We requested each example to involve working through an IT-related audit issue
and asked respondents to describe the factors they perceive to contribute to these Good or
Difficult relationships. We then asked respondents to describe the audit process – including
planning, division of responsibilities, issue resolution, and completion – and to complete scaleresponse questions about relationship quality and audit client characteristics.10 We repeated this
process for the opposite example type (Good or Difficult); to enable comparison, respondents
received an identical set of scale-response questions in each example.11 Last, we posed general
9
The order of prompting and discussing good and difficult examples was varied across respondents. Four auditor
respondents were unable to think of a difficult example.
10
Some detailed questions may not have been applicable to examples provided, and consequently, not all questions
were asked to all participants. For example, some respondents selected on-going audits to discuss, thus final audit
outcomes and issue resolution had not yet been determined. We reviewed coded responses and verified no questions
were systematically left out due to interviewer error and no questions key to results or implications went unasked.
11
We chose to have respondents complete the scale-response questions after each example to avoid, especially in the
first example, leading the respondent to only bring up and discuss those topics included in the scale questions. While
13
questions about the audit team environment and allowed respondents to comment on anything
important regarding the relationship between auditors and IT specialists not yet addressed.
We used the broad descriptors good and difficult to avoid more loaded terms (e.g., “bad”,
“strong team identity”). Further, using theory-laden terms or a specific set of criteria would have
required detailed definitions and instructions and made it very demanding for our respondents to
describe examples that met those terms; or worse, led them down paths that they would not have
gone down themselves. Using broad descriptors of the working relationship could, however,
influence respondents’ recall of the audit process. For example, it may lead them to recall the
process more positively or negatively than what occurred in reality but in a manner consistent
with the descriptor. Still, advantages of our method reduce concerns about recall. By allowing
our respondents to speak freely about their examples, we have rich responses and quotes that
explicitly detail how the relationships and audit process examples were good or poor and lend
credibility to the accuracy of their recall and more general survey responses.12 Also, in the next
section, our results indicate audit teams with good, as opposed to difficult, relationships more
frequently have well-integrated audit processes; but not always. Some examples our respondents
discuss in Good (Difficult) were poorly integrated (well integrated) or had poor (good) processes.
In addition, asking each respondent to describe a good and difficult example allows us to
not only compare responses between the two examples but also to control (to some extent)
individual variation within respondents’ perceptions of the other specialization and audits
involving IT. For example, auditors may view IT specialists’ contribution to the audit as
generally high or low, or controls as more or less important than substantive testing. Had we
this may have resulted in a focus on these topics in the discussion of the second example, we performed procedures,
described earlier, to verify our results are not driven by the second examples.
12
Our assurances of confidentiality coupled with respondents’ candid answers also reduce these potential concerns.
14
asked respondents to choose and describe one recent audit involving IT specialists, our insights
about how auditors and IT specialists work together and how the audit transpires may have been
shaped by individuals’ general predispositions. Instead, regardless of respondents’ attitudes
toward the other specialization and audits involving IT, they describe an example of both a good
and difficult audit team, and we capture their more general views at the end of the interview.
We include in our final set of 33 respondents five auditors and five IT specialists from an
initial round of interviews. As in prior studies (Hirst and Koonce 1996; Griffith, Hammersley,
and Kadous 2015; Westermann et al. 2015), we added questions based on observations from
these earlier interviews. Most notably, we asked respondents to describe certain characteristics
(e.g., size, risk) about the audit examples they provided; see Table 2 for audit example details.13
While Table 2 shows our examples differ in size, audit risk, and IT complexity, qualitative
research such as ours aims to obtain a sample that is congruent across multiple cases, not
necessarily one that represents a larger universe (Yin 2013; Hayne 2015). Further, while these
factors differ between Good and Difficult, they also vary within each type and, with size for
example, most audits are large. In addition, the patterns of results discussed in the next section
are similar if we consider only the largest, riskiest, or most IT-complex audit clients.14 Thus, we
draw conclusions for good relationships that occur whether these factors are big or small and we
draw opposing conclusions for difficult relationships that also transcend these factors. These
analyses and the details in Table 2 give us comfort our interview method and example prompts
13
We did not ask about two potentially relevant characteristics: audits subject to Sarbanes-Oxley (SOX) 404 (U.S.
Congress 2002), and the use of enterprise resource planning (ERP) systems. In reviewing the transcripts, we found
44 percent of all examples fall under 404, 26 percent do not, and it is unclear for 31 percent. Control testing was
performed, however, for all examples given. For 27 percent of the examples discussed the audit client used an ERP
system; the presence of ERP is unclear for the other 73 percent. Given the sharp increase in the use of ERP systems
in recent decades (Costa, Ferreira, Bento, and Aparicio 2016) and all of our participants being Big 4 practitioners
with relatively large audit clients, the actual use of ERP systems is likely much higher than 27 percent.
14
We restrict our analyses based on 1) size by excluding small audit clients or only including large audit clients, or
2) audit risk and IT complexity by, for each, excluding audit clients rated below the scale midpoint or mean.
15
successfully obtained a diverse and informative sample of audits to investigate our research
objectives, which relate to better understanding how auditors and IT specialists coordinate to
complete an audit and whether these coordination efforts vary with relationship quality.
Data analysis
We developed a coding scheme based on prior literature, our own experiences, and
generalized comments and themes mentioned by respondents (Miles and Huberman 1994). We
used Atlas.ti to organize and analyze data. One of the researchers and an independent coder, a
doctoral student with over 15 years of audit experience specializing in IT/controls, coded the
interviews; intercoder agreement was 88.1 percent.15 The two individuals reconciled all items of
disagreement. Each author and the independent coder identified representative and/or poignant
comments, with the authors reviewing these comments to select the final set of quotes.16
Finally, we performed procedures to verify, by firm and overall, that our sample of
respondents reached saturation – the point at which incremental learning is limited from
additional samples (Glaser and Strauss 1967; Malsch and Salterio 2016). We read through the
transcripts multiple times to identify common themes, relevant quotes, and important insights.
This process, and partitioning our coding analysis by interview timing, give comfort saturation
has been achieved because, while we reference quotes from all respondents regardless of
interview timing, the insights referenced from later interviewees were not new at that point in the
interview process and thus no additional interviews are necessary (Malsch and Salterio 2016).17
Cohen’s kappa is 0.64 (p < 0.001, two-tailed) indicating agreement beyond random chance.
When quoting respondents, their type is denoted by “AU” (auditor) or “IT” (IT specialist) and their rank is
denoted by S = senior, M = manager, SM = senior manager or director, or P = partner, principal, or executive
director. We use the terms “almost all” when referring to a percentage of responses greater than 80%, “many”
between 61 and 80%, “about half” between 41 and 60%, “some” between 21 and 40%, and “a few” for less than or
equal to 20%. The Appendix provides IT-related and other audit definitions to help explain respondent quotes.
17
We also verified key coded responses and sentiments are similar across all four firms and that all four firms are
represented in the quotes selected for inclusion in the paper.
15
16
16
Since respondents are aware of our two example types when discussing the second example, and
thus may have, even inadvertently, given “expected” responses, we performed analyses verifying
our results are unchanged whether we examine all, only first, or only second examples elicited.
4. Results
Perceptions of relationships between auditors and IT specialists
General relationship perceptions: One team or two?
Given the lack of prior research on how auditors and IT specialists perceive their
relationships or the team and the importance of collective team perceptions (e.g., Kane et al.
2005; Kane 2010), we sought evidence from our respondents about how auditors and IT
specialists view the typical structure of the audit team. We inquired as to whether they view the
typical audit team as including IT specialists (i.e., a one-team view or a strong collective audit
team identity). IT specialists, more than auditors, feel being a member of the audit team is
reserved for auditors only. Many auditors claim they have a one-team view of the audit team
where IT specialists are “definitely part of the team; when I talk to the client and when I talk
about our specialists I don’t talk about [IT] guys as specialists” (AU14-P). However, many IT
specialists feel auditors do not view them as part of the team (at least not always). These IT
specialists believe auditors understand there is a broader team but still see themselves (auditors)
as the core members and others as merely specialists that may have questionable value to the
overall audit. For example, IT specialists claim “the running joke [is] that we are a budget-suck”
(IT8-SM) and believe auditors “see us as a specialist they have to use” (IT8-SM) but do not
“really appreciate” (IT1-SM) or “truly understand” (IT11-SM) “what value we can bring, how
we can help them reduce their work or challenging scope” (IT2-S). As further illustrated:
[J]ust like tax people, we’re identified as specialists… but [the auditor] sees us as a
different team, and they’re not thinking of us, I mean there are org charts for the client
meeting and they show us as part of the audit team, but… when you talk about who’s on
17
the audit team, I think they’ll rattle off the names of the people in the core financial and
then it’s [the separately existing] tax team and the IT audit team. (IT3-P)
I think that they see us as…I don’t know how to put it…almost like a necessary evil…
it’s like ‘we need to have someone look at the systems because we don’t understand them
and let’s just have them come in for 200 hours and get it done and we own the job, and
it’s our job and we are [Firm X] and we are the financial statement auditors, we are
assurance, this is what [Firm X] does.’ (IT5-SM)
Some auditors echoed this two-team view, stating they view the audit team “as the audit
professionals…only” (AU3-M) or “as the core team” (AU13-S) “that would not include the IT
folks” (AU6-M) and instead view IT specialists (and other specialists) as “more of [the auditors’]
specialist…they’re kind of separate” (AU13-S). Auditors also question, at times, the value IT
specialists bring to the audit, stating “it’s a little bit of a running joke sometimes as far as has
any…IT general control issue… ever impacted an audit opinion?” (AU1-SM) or “I feel like there
is this stigma of them too…I feel like a lot of people probably [say] ‘ugh the IT guys’” (AU11SM). While viewing IT specialists as a separate team could be consistent with a consultation
arrangement, the sentiments focus on separation and not seeing value in IT specialists. Neither
group describes the IT specialist as serving an outside, trusted advisor role that is depicted in
prior research (Danos et al. 1989). Thus, the previously-held notion of a consultative relationship
between auditors and IT specialists does not appear to be an appropriate characterization of the
relationships between auditors and IT specialists in today’s audit environment.
Nevertheless, almost all IT specialists view themselves as being part of the audit team
and believe “what we do is integral so definitely [we’re] part of the engagement team” (IT11SM). Some auditors, however, question whether IT specialists see themselves as part of the audit
team but rather believe IT specialists see themselves as hired guns – “I would say there’s also a
little bit of a mercenary environment” (AU6-M) – because they work on more clients and for a
shorter time compared to auditors. As further illustrated:
18
They [IT specialists] definitely aren’t out there as long as us [auditors]…I see them as
part of the team, but they probably see themselves as a piece of it. (AU11-SM)
I don’t know if they [IT specialists] are thinking about that they’re part of this greater
audit team…they kind of seem involved as coming in and, swooping in, crunch time,
completing the task, jumping out versus we’re there all the time. (AU2-M)
Across respondents, what we typically heard is that IT specialists feel they embrace a
one-team view that auditors fail to reciprocate. Auditors, on the other hand, feel they hold a oneteam view that IT specialists do not want to embrace.18 One reason why we see such divergence
of opinions between auditors and IT specialists could relate to the newness of the collective audit
team and the current state of this team identity. For the auditors and IT specialists who express a
one-team view, a common feeling is that relationships between the two groups have improved
over time. There is also a greater sense of being one team due to a push from firm guidance or
leadership, the younger generation’s grasp of technology and diversity, and/or regulator
inspections and standards that emphasize the value of IT/auditing IT and related controls:
I think that’s probably changed a little bit…I think there has been a big emphasis from
leadership that we’re one [Firm X], it’s been the phrase, you know the moniker…we’re at
the point where our specialists are the audit team. (AU7-M)
I’ve worked with some very, very good [auditors], but they’re normally the younger
[ones], the senior managers that are newer, or people that have come from different
backgrounds. (IT8-SM)
We got our wrists slapped, back five or six years ago for “you don’t just throw things
over the fence, you’re one team…you should go to the client as one team”… we started
doing a much better job…then it got a little bit more gray the past few years, when [the
firm focused on advisory services] but [it’s] starting to ramp back up again this year with
[internal review] comments again. (AU5-SM)
Thus, this one-team view is rather recent and situation-dependent, unlike a professional
identity that tends to be deep-rooted and internalized (Rousseau 1998; Bauer 2015). Situated
identities tend to develop in contexts where group members perceive themselves to share
This was not always the case. For example, some auditors believe “the IT guys would say they’re auditors”
(AU14-P). Also, some IT specialists believe auditors have a one-team view; “we are by definition specialists but
they don’t consider us specialists, so…they do consider us more of a part of their integrated team” (IT15-M).
18
19
common fate or goals (Rousseau 1998). This helps to explain why the circumstances above (e.g.,
firm guidance push) have contributed to a stronger one team view and audit team identity.
Specific relationship perceptions: Good and difficult relationships
Research on situated identity also helps explain why our respondents’ examples of Good
and Difficult working relationships overlap with a stronger and weaker audit team identity,
respectively. In fact, respondents’ reflections often merge the concepts of relationship quality
and a one-team view/collective identity, as captured in the following quote:
I would say two years ago the relationship with audit was more difficult and now it’s
more positive…So in the past we would have said our teams were operating separately,
you felt it was them versus us and now it’s one team. (IT17-S)
For each example discussed, we asked respondents what factors they perceive as
contributing to the (difficult or good) nature of the relationship between auditors and IT
specialists. Many of the factors listed are consistent with social identity theory and having a
weaker (stronger) team identity in Difficult (Good). About half of our respondents in Difficult
mention the other specialization lacks a big picture view or auditors view IT specialists as
providing no value or as a “necessary evil”; some respondents specifically cite a two-team
mentality. IT specialists convey “a lot of times we’re viewed as just a requirement to bring on,
sucking fees, and not really sure how [IT] plays into the overall picture” (IT10-S). Respondents
suggest that auditors do not value or appreciate IT specialists in Difficult due to auditors thinking
IT specialists only identify unimportant or immaterial issues:
It had always been a difficult engagement…the partner [viewed us as a] necessary
evil…the only thing IT could ever do for them was cause problems…I think his mission
in life was to minimize the amount of time we spent. (IT3-P)
I was in an inspection and there was some high level partner who said ‘there’s no way
that I can get a 170 million dollar misstatement out of passwords’…and it’s kind of
funny, because it is tough to quantify how an IT issue would lead to those type of things
so it depends on the audit team and how well they understand the IT controls. (IT15-M)
20
In Good, about half of respondents describe seeing value in the other specialization as a
factor perceived to influence the nature of the relationship. IT specialists mention auditors
“having a better appreciation for the impact of our work” (IT14-SM) is key; “engagement teams
realizing the benefits of having [IT] involved… makes developing and cultivating relationships a
lot easier” (IT1-SM). Further, about half of the respondents cite a high level of trust and
confidence in the other specialization – “It’s a good working relationship now because both our
teams trust one another” (IT17-S) – where key factors include “transparency and honesty” (IT16SM) and “having to gain their trust to make them realize that I do understand what the big
picture is, I do understand what your goals are and I’m here to support” (IT4-SM).
Our scale-response questions provide further support for overlap between relationship
quality and audit team identity strength, and help triangulate the qualitative responses (Jonsen
and Jehn 2009). Specifically, we ask respondents if criticisms of members of the other
specialization feel like personal insults (Bamber and Iyer 2007) and the extent to which they
characterized the relationship as trusting (Haslam and Ellemers 2005); both questions are rated
on a seven-point scale. Consistent with a stronger versus weaker collective audit team identity,
criticism of the other specialization feels more like a personal insult (M = 4.41 vs. M = 3.54) and
the relationship is more trusting (M = 6.32 vs. M = 4.03) in Good versus Difficult, respectively
(both p < 0.05, two-tailed). See Table 3 for scale-response questions.19
This evidence suggests finding ways to increase a one-team view, perhaps through the
perceived value relevance of IT and mutual trust, among others, can help improve relationship
19
We also asked respondents for their views on overlapping versus different goals, culture, and values in Good and
Difficult, as these are common indicators of team identity strength (Ashforth and Mael 1989). Scale-response and
open-ended questions indicate 1) more overlap in Good (M = 6.03) vs. Difficult (M = 4.74), 2) more overlap in
Good (“very interdependent” (IT10-S) and “all very well aligned” (AU7-M)), 3) more differences in Difficult (“it
was like we were two different teams…we had our objectives and they had their objectives, we never crosscommunicated” (AU5-SM)), and 4) qualification of goal overlap in Difficult (“I think the ultimate goals are the
same, they may have some added goals; reducing our time, ha, our involvement, that is a goal of theirs” (IT14-SM)).
21
quality, or at least the perception of relationship quality, between the two specializations.
Respondent comments suggest improvement in teaming between auditors and IT specialists is
already occurring and that a one-team identity is being internalized more. Despite feelings of
improvement, evidence of respondents holding a two-team view is not uncommon, as indicated
in the preceding discussion; almost all IT specialists in our study express feeling at times
underappreciated or unaccepted by auditors, and a few IT specialists believe change is too slow:
[It’s easier to think of] a bad relationship…because there’s so many…it’s surprising that
we’re so far behind…it’s changing, but not changing fast enough, I really don’t think
they view us as a part of the audit. (IT2-S)
It is kind of amazing that we aren’t further along because we’ve seen time and time again
how auditor’s successful stories of wins and where we’re making a difference, all these
situations [where] everyone worked together…we’re one big team and we’re all [Firm X]
and so it’s frustrating this doesn’t resonate with people…I think we’ll get beyond these
differences and these barriers if we start acting like we’re all on the same team. (IT4-SM)
Overall, we believe our results highlight that the audit profession is experiencing a
particularly critical point in the evolution of the audit team, related to views of a one-team,
collective audit team identity between auditors and IT specialists. More progress to internalize
this view in audit teams is likely worthwhile because our results that follow indicate problems
with coordination, communication, and collaboration are more common when auditors and IT
specialists have a difficult relationship that reflects a two-team view. Well-coordinated audits
between auditors and IT specialists, which regulators are calling for, are achieved more often on
audits where the two have a good relationship that reflects a one-team view/collective identity.
The audit process in difficult relationships
Our respondents generally indicate that audits are more likely to be carried out
appropriately when auditors and IT specialists integrate and coordinate on all stages of the audit:
We call it an integrated audit for a reason, from planning to close you should be involved;
if you are making your audit decision, making a decision by yourself, you are probably
making the wrong one…you can’t [substantively] audit your way out…[like you] would
have done on a financial statement audit. (IT8-SM)
22
On one hand, highly standardized audit processes (Westermann et al. 2015) may leave
little room for relationship quality to impact when an audit is performed appropriately. On the
other hand, even the most rigid audit processes are largely organic (Gendron 2001) and
potentially susceptible to relational influences. In this section, we analyze our interview data to
determine what difficult relationships mean for the audit process. Overall, the common theme
emerging from respondent sentiments and descriptions of the audit process is auditors and IT
specialists do not work together when the working relationship between the two is difficult. This
is consistent with Szulanski (2000), who finds more difficult workgroup relationships can make
the challenging integration process even more onerous. Specifically, in Difficult, there is little to
no coordination, communication, and collaboration between the two specializations.
Coordination failures: Operating in a vacuum
In Difficult, about half of respondents refer to adversarial relationships that involve no
coordination and some claim they resolve issues without the other specialization’s help. Failures
in coordination result in the kinds of overreliance problems that regulators and researchers are
most concerned about; audits where “I’ll send you the file and you send the file back” (AU5-SM)
or the two groups are “throwing things over the fence…without really thinking how that supports
the audit opinion” (IT10-S). These responses are reminiscent of the traditional, sequential review
process auditors performed prior to reviewers and preparers routinely communicating throughout
the workpaper preparation process (Rich et al. 1997). It may be that auditors and IT specialists
never move beyond this type of arrangement when difficult relationships exist. However, the
dramatic increase in the involvement of IT specialists on audit engagements began only about 10
years ago so how the two specializations work together may still be evolving, much like the
reviewer-preparer model for auditor work took decades to progress and evolve (Rich et al. 1997).
23
A few respondents claim that in recent years or on other audits, where auditors and IT
specialists did not integrate well, “[it] would have been audit team does this, IT team does this,
tax does this, we just put it all together” (AU8-M) or “there is overreliance on the IT
folks…especially controls that rely on system-generated information…[the auditors] just send it
over to the IT folks and completely punt on any sort of ownership” (AU6-M). Additional
illustrations of coordination issues in Difficult are shown in the quotes below:
They operate in a vacuum, they’re very analytical people, they take offense at what we
say…to our challenging; “we’re the IT folks what do we know?” (IT2-S)
The team doesn’t succeed as well and the client’s not as happy etc…if we’re treating [IT]
as a suborder…because then they’re less apt to [bring up problems] or they’re more apt to
bring the problems but then there’s no solution. (AU4-P)
This tendency for auditors and IT specialists to work on their own develops in the early
stages of the audit. Many respondents indicate IT specialist involvement in planning and
scoping, but of respondents who elaborated, almost all mention light involvement and only a few
specify heavy involvement.20 Respondents indicate IT specialists are involved in planning “to a
minimal extent” (AU15-P) or “at a high level but…corresponding via email…not actually sitting
down face to face to have a dialogue” (AU14-P), and that planning is:
Just always one of those things where they came with what they assumed the answers
would be, they’d tell us whatever they wanted to tell us and then if there was something
we didn’t agree on or added then we would have that conversation so yes, there was
discussion but I wouldn’t say that it was a very open-minded discussion. (IT4-SM)
Given this lack of coordination early on in the audit, it may be unsurprising (but no less
concerning) that little coordination occurs in performing audit procedures, as IT specialists are
typically narrowly involved. We asked respondents how IT specialists’ knowledge and expertise
Heavy involvement in planning and scoping reflects situations where “we go through a very detailed process”
(IT9-P) and the auditors “did a lot of planning with the [IT] team” (AU9-M). Alternatively, light involvement
reflects situations where IT specialists are involved “at a high level but… corresponding via email and not actually
sitting down face to face” (AU14-P) while “scoping drives from the audit[ors]” (IT14-SM) who “basically tell [IT
specialists] this is the kind of stuff we need you guys to do” (AU8-M) or who merely seek IT specialist “feedback on
[if scope] makes sense” (IT14-SM).
20
24
was used on the audit (i.e., responsibilities or procedures tasked to them). Almost all respondents
indicate IT specialists are involved in testing IT general controls but only about half, and some,
mention IT specialists test automated controls and system-generated reports, respectively.
We interpret responses from our practitioners as indicating two potential reasons for this
narrow involvement and lack of coordination between the two specializations.21 First, some
respondents suggest auditors and IT specialists tend to keep to themselves, or leave the other in
the dark, leading to less shared responsibilities. This sentiment is illustrated as follows:
We’ve actually gone through inspection twice on that client and I think generally
speaking the first question is always “why [is] the financial audit team [testing automated
controls]?” but we clearly state in our memo they said they don’t want us doing it;
they’ve never given us any particular reason. (IT14-SM)
Core assurance is expected to lead [walkthroughs] which makes sense but they won’t let
us know that they’re having them…and then come out and say…“you need to test
[reports and automated controls] for us” and…they can’t answer a lot of those questions
[about what systems they belong to] so if I was in there I’d be able to facilitate that and
ask some of those questions and get to a better answer earlier on…rather than get pulled
in January and [be] asked to support it. (IT10-S)
Second, some respondents (almost all of whom are IT specialists) argue IT specialists’
involvement or the IT issue can drive relationship quality. That is, IT specialists working
primarily on IT general controls, which auditors think are unimportant or give rise to issues they
can “explain away” (AU1-SM), can create hostile or opposing views, and difficult relationships:
I think it’s always difficult when we start to say ineffective/not support [for IT general
controls], [it] creates a lot of additional work…so they didn’t want to change, they didn’t
want us to change the conclusion that had been there for several years. (IT8-SM)
Respondents indicate IT specialists can improve trust and value and “build the
relationship…even stronger” (IT1-SM) by tackling areas such as automated controls:
21
Audits where difficult relationships are present may be small, requiring a low level of IT specialist involvement.
Respondent sentiments are mixed as to whether relationships will be better on bigger clients (e.g., due to more time
spent together) or smaller clients (e.g., due to easier communication on smaller teams). All of our respondents’
examples, in Good or Difficult, are big and/or complex enough to require IT specialist involvement so, regardless of
the nature of the audit, sufficient integration and utilization of IT specialists should be a primary goal.
25
The scenarios where I had the best working relationships with the core team were ones
where we’re doing more than just the IT general controls. (IT7-P)
What we heard from respondents is that there certainly exist audits with coordination and
overreliance problems that regulators and researchers have highlighted; audits where auditors
and IT specialists fail to talk, integrate, or share knowledge to understand how the other
specialization’s work impacts their own part of the audit. Whether auditors do not want to listen,
IT specialists do not want to talk, or either group feels they do not have the knowledge or time to
bother with the other, our respondents claim this occurs often in Difficult and issues that arise are
likely to go unnoticed or be inappropriately addressed. Thus, our respondents seem to indicate
that audit work is not just completed differently than the ideal audit (e.g., with less interaction)
but that audit work can sometimes suffer in terms of quality when relationship quality is absent.
Further evidence of this is discussed in the next two sub-sections.
Communication breakdowns
When describing factors perceived to influence relationship quality, our respondents state
“it really boils down to communication” (IT9-P) and “it all comes down to communication; if
I’ve reached out and I hear radio silence, I freak out” (AU2-M). Many respondents cite a lack of
communication as a key factor in Difficult: “there wasn’t frequent, timely communications and
they kind of threw issues on us towards the end of the audit” (AU10-M). Respondents gave
examples across various points in the audit process when breakdowns in communication occur.
When asked how the budget setting process works, some respondents express that IT specialists
provide the initial numbers and about half indicate auditors set the initial numbers. IT specialists
describe the budget process as “here’s your cut, deal with it” (IT10-S) and having “a lot less
dialogue [than when the relationship is better]. More of no you can’t, too much and ok well we’ll
try to reduce hours” (IT16-SM). This is consistent with research showing that workgroups who
26
receive input from other workgroups are typically less receptive to such input when a more
difficult relationship is present (Kane et al. 2005). However, auditors recall “we gave them a
budget, they ignored it and used their own” (AU10-M) indicating disparate views between
auditors and IT specialists on the source of the communication breakdown.
Some respondents link breakdowns in communication to last minute deadline issues or
pressures:
We’ve had struggles with the audit team coming to us with last minute deadlines…the
crux of the issue is a lack of communication…an email here or there, or just copying
somebody on an email [and] assuming they’ve gotten the message, which wasn’t the
case. (IT1-SM)
If the communication is staggered and difficult and constantly coming in at the last
minute then it becomes a very inefficient process and that is where we find ourselves
sometimes on that particular client. (IT9-P)
Our IT team might not be on-site as often as we are…that is frustrating…a lot of things
would have been a lot easier if they were just on-site and could have talked through
[requests and issues]. They weren’t there, [so] things were coming up at the very last
minute, which happens on audits, but it’s a lot easier when you have a good relationship
with [them] and you’re there and they know you and you can just [talk]. (AU8-M)
Late communication related to identified IT-related audit issues is a common concern.
Almost all of the respondents who mentioned the timeliness of the discovery and resolution of
the IT issue discussed indicate it was untimely, occurring late in the audit process:
We didn’t find out about [the issue] until after year-end because the client was saying
‘we’re working on it’, the financial audit team was saying ‘we’re doing it’…it was
probably the first time that the IT and financial teams had really talked. (IT8-SM)
Untimely issues are more likely to create inefficiencies and result in client, supervisor, or
time pressure to resolve the issue without delaying the audit. This can induce auditors to cut
corners in testing (Coram, Ng, and Woodliff 2004; Lopez and Peters 2012) and highlights, again,
the potential for lower quality on audits where difficult relationships between auditors and IT
specialists are present. Pressure to cut corners is also high as budget overages are likely. Some
state the budget was met, but many indicate the audit went over budget. The issues noted related
27
to untimeliness and budget overruns tie to concerns about not only communication, but also
those noted in the previous subsection about a lack of coordination. The following illustrates an
instance where IT specialists are not involved in planning and communication is sparse:
We went to them at the end and said hey we noticed you had a big overrun, we thought
you were going to do 200 hours, you came in at 300 hours and they came back with nope,
our budget was 295 hours…they [said] ‘sorry we were a couple over’ and [we said] ‘you
were 100 over.’ (AU10-M)
Limited collaboration
Arduous relationships are one of three main barriers to information integration among
workgroups (Szulanski 1996, 2000). A relationship is more arduous when neither group actively
seeks collaboration (Szulanski 1996, 2000). Collaboration is important as the audit opinion(s)
and supporting workpapers are the joint product of auditors and IT (and other) specialists. For
workpaper review, a key area of collaboration among audit participants, standards, and perhaps
firm guidance, appear to be strictly followed, at least for auditors who are “required to” review
the IT specialists’ work (AU15-P). Almost all auditors state that at least the managers and/or
partners reviewed the IT specialists’ workpapers.
Collaboration is limited in other areas of the audit. We asked respondents to describe an
IT-related issue and the resolution process for that issue. Consistent with narrow involvement of
IT specialists noted above, almost all IT issues relate to IT general controls. Only some auditors
and IT specialists collaborated to reach the resolution on these issues. Further, issue resolution is
often unclear due to the lack of collaboration:
The financial audit team did do additional procedures [to address the issue], to what
extent, I don’t know, because they didn’t talk to us. (IT11-SM)
Many respondents indicate more testing is required to resolve the IT issues. Consistent
with little collaboration to resolve these issues, only a few suggest the two specializations work
together to determine changes to audit procedures, audit approach or control risk assessments:
28
If there were exceptions of some of the IT general controls they were testing, they would
just mark them as exceptions…and we wouldn’t have any idea how to document, or
resolve, or do additional testing or what it meant to our overall audit approach, to risk
assessments. (AU5-SM)
Overall, the risk that auditors may place undue reliance on IT controls and testing, or that
the two groups “throw things over the fence”, is punctuated by ineffective coordination,
communication, and collaboration across many aspects of the audit process in Difficult. Audit
firms and regulators place heavy emphasis on a well-conducted audit process; if the process is
done poorly the risk that positive audit outcomes are later discovered to be inappropriate
increases (Knechel, Krishnan, Pevzner, Shefchik, and Velury 2013; DeFond and Zhang 2014).
We examine whether auditors and IT specialists with better relationships typically avoid these
integration pitfalls in the next section.
Insights into PCAOB inspection findings
The PCAOB cites ineffective coordination or communication between auditors and IT
specialists as a root cause of ICFR-related deficiencies noted in inspection reports (PCAOB
2012a). Hence, we reviewed all Big 4 PCAOB inspection reports issued through July 31, 2016 to
identify areas of overlap between reported deficiencies and our insights from the preceding
discussion (on audit engagements where difficult relationships between auditors and IT
specialists are present) to shed light on why certain negative inspection findings recur.22
One recurring issue relates to audit engagement teams failing to test IT general controls
over critical systems (PCAOB 2011a, 2011b, 2012b, 2012d, 2015b). For example, one
deficiency states the “firm excluded the issuer's point-of-sale application from its [IT general
control] testing” (PCAOB 2012b). A lack of coordination between auditors and IT specialists in
Difficult (e.g., not talking to each other or using each other’s expertise) could lead to a failure to
22
We thank an anonymous reviewer for suggesting this analysis.
29
appropriately include all relevant IT systems in testing. We highlight this issue in the previous
section and provide further evidence here:
If you were to go back and pull [the auditors’] files and look at the testing that was done,
there were areas I think where they were implicitly relying on IT without necessarily
having tested things. (IT12-SM)
[If] the audit team’s relying on some data extract or a configured report from the system
to tie out or perform some analysis over, in the past they haven’t understood that if that
report comes out of the system, we have to understand that system. (IT17-S)
[The IT specialists] reviewed some of our work and we were pointing to them for testing.
We had done this work months in advance and then three weeks before sign off they
came in and said ‘no, we’re not doing that.’ If they had done that three months earlier, we
could have done something about it or they could have tested it but they waited until the
end and then we had to scramble. (AU10-M)
Quite a few reports also note deficiencies related to insufficient testing of automated
controls and unsupported assumptions about how IT systems are structured (PCAOB 2013b,
2013c, 2014a, 2014b, 2014c, 2014d, 2015a). In fact, these issues point to specific instances of
inappropriate testing procedures. For example, a deficiency related to the testing of two
automated controls “consisted of inspecting screen prints and invoices for a sample of
transactions, without testing whether these controls were configured to operate over all relevant
transactions” (PCAOB 2015a). Auditors not valuing or understanding the IT side of the audit in
Difficult could contribute to these deficiencies:
[Auditors] understand the financial side of [automated controls], what they are trying to
prove, but once we get a grasp of what they are trying to prove, we’re better at proving it.
(IT6-S)
Electronic audit evidence, they drove that process…in reality they screwed the pooch
essentially…they totally missed the mark on it, they couldn’t define [electronic audit
evidence]. (IT2-S)
Auditors also note the importance in communication for making sure automated
and IT-dependent manual controls are appropriately tested:
I like for the core team to know how the IT team is testing it [an automated or IT
dependent manual control] to make sure that whatever they’re doing is something that is
30
either the same way we would have done it or that we understand what they’re doing is
testing the real risk to the financial statements. (AU1-SM)
Many inspection reports list deficiencies where insufficient procedures were performed
after IT general controls were deemed ineffective, resulting in inappropriate (or over) reliance
(PCAOB 2004, 2011a, 2011b, 2011c, 2012c, 2013a, 2013b, 2014b, 2015a, 2015b). For example,
for deficiencies in controls over access to IT systems classified as significant deficiencies:
“There was no evidence in the audit documentation, and no persuasive other evidence, that the
Firm had obtained the information necessary to understand and evaluate the effects of the access
control deficiencies” (PCAOB 2011c). Another report highlights the specific testing approach
(inquiry) was inappropriate “given that the Firm had determined that [IT general controls],
including change management controls, were ineffective for a portion of the update period and
the Firm had identified a fraud risk related to revenue” (PCAOB 2011b).
The untimely discovery and communication of issues in Difficult, as well as the lack of
collaboration in determining changes to the audit plan due to IT-related issues, tie directly to the
deficiencies noted by the PCAOB. As one of our auditors stated:
There was a lot of uncertainty as to what the issue was…maybe the IT team tried to
resolve it but then it didn’t get communicated or documented appropriately in the audit
workpapers. (AU5-SM)
Determining how to alter the audit program in light of IT issues requires the knowledge
of both specializations, audit and IT. Our analysis for good relationships in the following section
provides insight into when and how this important integration more often occurs.
The audit process in good relationships
In this section, we discuss the audit process that respondents identify as occurring on
audits where the working relationship is good, as well as differences in what auditors and IT
specialists recall. While many respondents mention productive collaboration occurs and about
31
half cite timely updating of the other specialization in such examples, we discuss three themes
that reflect how, where, and when these behaviors unfold in the audit process.
Communicating early and often
Communication is the factor most commonly perceived to influence relationship quality
between auditors and IT specialists. Almost all respondents cite “good communication,
communicating a lot early” (AU6-M) as a necessary condition for good working relationships.
We find this good, early communication (and coordination) starts at planning and scoping, as IT
specialists are almost always involved at the stage of the audit. Of the respondents who elaborate
further on IT specialist involvement in planning and scoping, almost all mention heavy
involvement where IT specialists are “without a doubt” (IT16-SM) “very, very involved in that
process” (AU8-M). Only a few cite light involvement where IT specialists are “involved but I
wouldn’t say they were active participants” (AU16-SM). Moreover, early planning discussions
emerge as a key point of emphasis. Some of our respondents cite planning – “it’s up front…it’s
the planning” (AU15-P) – as the task requiring the most interaction on the audit; planning is also
the most frequently cited task (along with resolving issues). As one respondent noted “the good
relationships are ones where we can have that kind of robust dialogue up front, really come to a
plan, we go out and execute a plan, and everything’s good at the end of the day” (IT9-P).
In addition, strong communication and coordination occurs often, not just early, as
responses suggest there are frequent, consistent, timely discussions throughout the audit:
If the audit team comes across an application they’ve never heard of, they are very good
at reaching out to us proactively and saying ‘hey do you know anything about XYZ
application…if not could you set up a call with us…to talk about whether or not this
should be in scope?’; that type of dialogue happens frequently with that team. (IT1-SM)
I would say we worked really closely together…we talk early and often…it wasn’t like
they were off doing their own thing and then come back in January and tell us they had a
problem and we’re supposed to be signing off at the end of the month or something, it
was very timely. (AU12-P)
32
While it may come as little surprise that respondents who believe their good working
relationships were based on strong communication describe early and frequent communication
within the audit, such a result is consistent with the contact hypothesis theorized and tested by
Dovidio and colleagues (Gaertner, Mann, Dovidio, Murrell, and Pomare 1990; Dovidio et al.
1998). That is, interaction and communication can foster a more harmonious one-team view that
leads to more positive feelings toward and treatment of individuals who were previously seen as
from a different team. Moreover, respondents’ descriptions of planning imply auditors and IT
specialists did more than talk openly and give status updates – they worked together – and we
describe additional examples of collaboration and shared tasks in the next two subsections.
Collectively working through the audit
In audits where IT controls are being tested and relied upon to support the audit plan –
whether due to client business complexity, requirements in integrated audits (where both ICFR
and financial statement opinions must be issued), or other reasons (e.g., efficiency) – the results
of this testing have important implications for the audit plan, as the illustrations below explicate:
I think as businesses have grown and become more complicated, we can’t audit from a
substantive-based approach only, we have to audit from a controls-based approach…so
you have to plan and involve your IT team and when things don’t go right it absolutely
does impact the financial statement audit as well as the opinion that we then also have to
give on controls. (AU4-P)
[If we’re] basing our entire audit approach on the testing that IT is doing, if something
came through and we couldn’t rely that would definitely change a lot of our conclusions
and our approach and then for the public jobs we wouldn’t be able to issue our 404
opinion unless we had those final on the IT side. (AU8-M)
Interestingly, these illustrations come from auditor respondents. Thus, despite sentiments
described earlier of auditors who view IT as unimportant and discount IT issues, they at times
express the importance of the impact of IT issues in today’s controls-based audit environment.
Regardless, a key takeaway is that an important part of the audit process is how the audit team
33
updates the (substantive) audit plan as a result of IT testing indicating increases in control risk
assessments. Unlike what our respondents described earlier for Difficult, this part of the audit
process is highly collaborative in Good. Almost all respondents in Good indicate auditors and IT
specialists worked together to resolve the IT issue encountered in their audit example; when an
issue arises “we’re immediately getting on the phone with everybody involved, IT, audit, staff
through partner on the phone trying to trouble shoot” (AU5-SM). Further, some respondents
highlight that the auditors did not fully understand the IT issue but even then, they want to work
with the IT specialists to elevate their knowledge “to get to a 10...they’ll ask a lot of questions…
they want to understand it and get the right answer” (IT14-SM).
Unlike other aspects of the audit process in Good, the discovery and resolution of the IT
issue was not necessarily timely. Of the respondents who discuss timing, about half indicate IT
issue resolution was untimely. However, untimely issue discovery may result from a client who
surprises the audit team with the IT issue late or has a IT breakdown occur late, or it may result
from the IT specialists being slow to uncover the issue or report it to the rest of the audit team.
Yet, even for untimely IT issues that were the fault of the IT specialist (about half of all untimely
issues), respondents spoke of “transparency and honesty…having that open dialogue” (IT16-SM)
and “sitting down [together] and [going] through what it meant [to the audit]” (AU2-M). This
result is consistent with research suggesting that oversights arising earlier in the process can be
compensated through mutual changes, with such changes more likely to occur when two
workgroups have a high quality relationship (Szulanski 2000)
Many respondents also note that more testing was required to resolve the IT issue
encountered and, of those asked (about two-thirds of respondents), almost all stated that changes
to audit procedures, the audit approach, or control risk assessments were required. Again, high
34
collaboration appears to be the norm, as almost all of these respondents indicate the two groups
worked together to determine appropriate changes to audit procedures:
Collectively we worked through the issue, we came to a solution. Yes, it was a painful
position with their IT folk, but [the IT specialists] didn’t leave the audit team high and
dry, they were an integral part of resolving what needed to change in the audit approach
to address the qualification in the [SOC 1 report]. (AU4-P)
It was good as far as this isn’t just our issue or your issue let’s work together and we’ll
write this collaborative memo that explains what the issue is on the IT side but then also
how it’s going to impact the financial statement audit. (AU1-SM)
We talked to them [auditors] about this issue…I think you need to increase your work in
these areas…so the audit team increased their work...and the partner went to the
controller, CFO, explained the issue we had and why we were increasing our hours…and
what else was needed to do right by the audit. (IT15-M)
A final area of the audit process where respondents notably describe collaboration is with
respect to review of workpapers. Consistent with standards (AS 10) and results in Difficult, all
auditors state they review IT specialists’ work. Additionally, almost all IT specialists state their
team reviewed the work of auditors. No clear requirements exist for this latter review, but IT
specialists suggest it happens often in Good because auditors and IT specialists are likely
“coordinating on automated controls testing or key reports testing” (IT9-P) or the auditors are
more likely to ask “if we [IT specialists] could look at their [automated] control testing that
they’re doing to make sure they’re doing the right thing” (IT5-SM). Beyond indicating
collaboration between auditors and IT specialists, IT specialist review of auditor workpapers
suggests that auditors leverage IT specialists’ expertise by giving them a broader set of audit
responsibilities. We investigate this further in the next subsection.
More responsibilities shared with IT specialists
Contrary to results in Difficult, we find IT specialists are used quite broadly in Good.
Almost all respondents indicate IT specialists are involved in testing IT general controls or in
testing automated controls, while about half state IT specialists also test system-generated
35
reports. Despite this typical, broad use of IT specialists, about half of IT specialists and one
auditor criticized the audit they described for not having IT specialists conduct more testing of
automated controls and reports. Consistent with prior research (e.g., Wolfe, Mauldin, and Diaz
2009), these respondents raise concerns with auditors’ expertise in performing such testing since
auditors “zone out when [IT control] comes up” (IT11-SM) and they “just want to...get back to
their evaluation of the accounting standards” (IT3-P), but highlight IT specialists as “risk and
control people that so happens to include IT” (IT7-P) with high levels of IT control expertise:
I think the better audit programs for key reports are the ones that have lots of [IT
specialists] involved with their specialization but with the financial auditors who review
the key report testing. (AU14-P)
A few auditors justified having the auditors perform testing of automated controls and
reports, rather than the IT specialists, because they see value in having the auditors view all
controls for an entire financial process to truly understand how substantive testing should be
carried out. This is a valid argument but it ignores the potential benefit of IT auditor expertise in
these areas (Brazel and Agoglia 2007) and their ability to see things an auditor might not:
[The auditors] might say “we review all these reports and we’re going to scope…the two
key systems” but we’ll say “but this report that you use for this control or for your other
testing came from a data warehouse [that] wasn’t one of those two key systems. (IT17-S)
This argument also ignores the benefit of differing perspectives in developing an
understanding of process controls. For collective teams comprised of multiple specializations,
Carton and Cummings (2012) indicate a balance is needed between having alternative sources of
knowledge and finding a common ground in order to synthesize that knowledge. Also, auditors
are particularly susceptible to management persuasion tactics for IT control deviations (Wolfe et
al. 2009) and IT specialists are less likely to be susceptible to such tactics given their IT expertise
(Shelton 1999; Selby 2010). Thus, having IT specialists perform IT control testing and provide
conclusions to auditors about next steps might be a better approach than having the auditors do
36
such testing to deepen their understanding of controls prior to substantive tests. Future research
could examine which approach produces more effective control and substantive testing, and
whether any differences remain between the two approaches if auditors and IT specialists
collaborated as intensively as they do in examples in Good (e.g., in either approach, they sit
down together to discuss what the IT control results should mean for the rest of the audit).
Overall, our interpretation of practitioner responses emphasizes a highly integrated
process when auditors and IT specialists have a good working relationship. Communication
happens early and continues throughout the audit; much collaboration and coordination occurs,
starting from planning stages and continuing all the way to the review stages. How these audits
transpire in Good is much different – and appears to be much more effective – than in Difficult.
Prescriptions for practice
Reflecting on the patterns of results that emerged in Good, we see several areas where
communication and coordination (and collaboration) appear to be healthy and productive, which
is in contrast to PCAOB inspection concerns (PCAOB 2010) and many patterns that emerged in
Difficult. Using these insights from Good could be helpful to consider ways to improve the audit
process (and audit quality) for collective audit teams comprised of auditors and IT specialists.
First, we encourage audit firms and regulators to consider making review of some auditor
workpapers by IT specialists more formalized. AS 10 (PCAOB 2010) and firm guidance appear
to have helped ensure auditors review the work of IT specialists in the audits described by our
respondents, which can improve quality control over the audit. Leveraging IT specialists’
expertise in testing IT and other controls can improve control risk assessments (O’Donnell et al.
2000). Our interviews imply IT specialist review of auditors’ control work is one way to use this
expertise and can help ensure control testing is sufficiently and appropriately performed. Such
37
review may also help ensure audit plans are adjusted accordingly in light of IT testing results or
all key systems or controls are tested, as our respondents indicated IT specialists may otherwise
not be fully aware of where or how the audit plan intends to rely (and possibly over-rely) on IT
controls, system-generated evidence, or IT specialist conclusions. While some review seems
preferable to none, we are unable to adequately speak to the quality of review performed from
our interview data. It could be that more formal requirements for review on most (or all) audits
dilute the depth and quality of the review. Further, it is an open question whether review is
substantially better if relationship quality is better. Prior audit research suggests lower review
effort and thus, lower quality review, may occur in good relationships due to higher trust
(Gibbins and Trotman 2002). Conversely, the broader team literature suggests more intensive
review and questioning would occur for stronger relationships (Van der Vegt and Bunderson
2005). Future experimental research is well-suited to examine if review quality depends on the
presence of formal requirements and relationship quality between auditors and IT specialists.
Second, we encourage audit firms to make open and real-time communication a priority
or part of the collective audit team culture. Our respondents felt sitting down face-to-face or even
getting team members together on a phone call to talk through issues helps to achieve successful
audits. Informing team members of issues or updates via email or placing workpapers in the
audit file is perceived to create a lot of risk that auditors and IT specialists are not integrating
information to carry out the audit. Issues of real-time versus informal communication are not
unique to the collective audit team; audit research shows concerns over informal or computermediated interaction in the review process and on-the-job learning (Westermann et al. 2015) as
well as communications with audit clients (Bennett and Hatfield 2013). Our results give further
impetus for audit firms to encourage (or not lose) real-time, verbal communication.
38
Finally, involving IT specialists early and intensively in planning and scoping is another
way collective audit teams could ensure control testing will be sufficiently and appropriately
performed, and that all key systems or controls will be tested. Our respondents indicate that
auditors and IT specialists are aware of different aspects of the client’s business from interacting
with different client personnel and performing different tests at interim or in prior years.
Combined with auditor and IT specialist expertise in their given areas and areas (e.g., process
controls) that overlap (Brazel and Agoglia 2007), sitting down together early can ensure that
neither specialization miss something integral to the audit plan. Further, joint planning can
improve efficiency e.g., reduce double-testing), reduce confusion over responsibilities, and avoid
situations of auditor over-reliance on IT systems and IT specialists.
5. Conclusion
Our study investigates how relationships between auditors and IT specialists are
perceived and what those relationships mean for the audit. We conducted interviews with
practicing auditors and IT specialists to examine the quality of relationships between the two
specializations to better understand how (IT) specialists are integrated in the financial statement
audit and why this integration is sometimes substandard. To investigate relationship quality, we
discussed both good and difficult relationship audit examples with our respondents.
We find perceptions differ between auditors and IT specialists as to whether the two
groups comprise one audit team or two. Auditors assert a one-team view of the collective audit
team that includes IT specialists but IT specialists feel auditors see them as a separate team and a
“necessary evil.” Both respondent groups, however, cite recent progress in team relations and an
increase in positive perceptions over time. Further, the good and difficult relationship examples
discussed overlap with stronger and weaker collective audit team identity, respectively. We
39
interpret our findings as indicating a one-audit team identity between auditors and IT specialists
can presently be portrayed as situation-dependent but not yet fully internalized (Bauer 2015).
The audit process vastly differs across difficult and good examples. Consistent with
theory on intergroup processes (Szulanski 1996, 2000), difficult relationships appear to hurt
integration as there is little to no coordination, interactions and communication are adversarial
and untimely, and IT specialists are typically narrowly involved across the audit. We also see
overlap between problems identified within these difficult relationships and deficiencies noted in
PCAOB inspection reports. Good relationships show evidence of auditors and IT specialists
communicating early and often, and working together to complete the audit, especially during
audit planning and issue resolution. Based on results for good relationships, we provide potential
prescriptions for audit firms to improve the way auditors and IT specialists work together.
Our findings provide valuable insight to accounting researchers about key factors related
to the use of specialists, and useful theories and research design to employ. Examining the IT
audit setting through a lens of relationship quality and collective team identity allows us to
contribute to the limited literature on audit teams (Trotman et al. 2015) and better understand the
coordination and communication problems between auditors and IT specialists of concern to
regulators (PCAOB 2012a). Our results imply that audits where auditors and IT specialists have
a difficult relationship and/or a two-team mentality are at risk of underutilizing IT specialists and
their expertise or failing to identify IT-related issues, which can cause insufficient understanding
of audit risk areas or changes to the audit plan. Future research can examine, for example,
whether auditors’ willingness to update the audit plan depends on the type of IT issue (e.g., IT
general vs. automated controls). Audit firms and regulators will also be interested in our results,
particularly our insights into the PCAOB inspection findings and prescriptions for practice.
40
Appendix
Audit and IT-Related Definitions
Audit approach definitions

Control-based audit approach – Audit approach where the nature, timing and extent of audit
procedures is based on reliance of internal controls; typically allows for a reduction in the
performance of substantive, transactional audit procedures/tests.

Substantive-based audit approach – Audit approach based on substantive testing that
includes obtaining audit evidence on the completeness, accuracy or existence of activities
or transactions during the audit period; typically little to no reliance on internal controls.
(ISACA Glossary)
Control category definitions

Automated controls – The policies, procedures and activities designed to provide
reasonable assurance that objectives relevant to a given automated solution (application)
are achieved. (ISACA Glossary)

IT dependent manual controls – Steps or processes performed by people as part of a control
process, using information provided by an IT application or system. (ISACA 2010) [Within
this paper, we have combined this type of control with report testing]

IT general controls – Controls related to the environment within which computer-based
application systems are developed, maintained and operated. (ISACA Glossary)

Manual controls – Steps or processes performed by people as part of a control process
typically independent of an IT application or system.
Other

Enterprise resource planning (ERP) system – A packaged business software system that
allows an enterprise to automate and integrate the majority of its business processes, share
common data and practices across the entire enterprise, and produce and access information
in a real-time environment. (ISACA Glossary)

Report testing – Validation procedures performed over electronic audit evidence (e.g.,
reports) to ensure completeness and accuracy as part of control and substantive testing.

Service Organization Control 1 (SOC 1) report – Report on controls at a service
organization that are relevant to a user entity’s internal control over financial reporting;
SSAE 16 provides relevant guidance for performance and issuance of SOC 1 reports.
[Previously referred to as SAS 70 report]
41
References
Anderson-Gough, F., C. Grey, and K. Robson. 2001. Tests of time: organizational timereckoning and the making of accountants in two multi-national accounting firms.
Accounting, Organizations and Society 26: 99-122.
Ashforth, B. E. and F. Mael. 1989. Social Identity Theory and the organization. Academy of
Management Review 14 (1): 20-39.
Bamber, E. M. and V. M. Iyer. 2007. Auditors’ identification with their clients and its effect on
auditors’ objectivity. Auditing: A Journal of Practice and Theory 26 (2): 1-24.
Bauer, T. D. 2015. The Effects of Client Identity Strength and Professional Identity Salience on
Auditor Judgments. The Accounting Review 90 (1): 95-114.
Bennett, G. B. and R. Hatfield. 2013. The effect of the social mismatch between staff auditors
and client management on the collection of audit evidence. The Accounting Review 88
(1): 31-50.
Bobek, D., B. Daugherty, and R. Radtke. 2012. Resolving audit engagement challenges through
communication. Auditing: A Journal of Practice & Theory 31 (4): 21-45.
Boritz, J. E., N. Kochetova-Kozloski, L. A. Robinson, and C. Wong. 2015. Auditors’ and
specialists’ views about the use of specialists during an audit. Working paper, University
of Waterloo and Saint Mary’s University.
Brazel, J. and C. Agoglia. 2007. An examination of auditor planning judgments in a complex
accounting information system environment. Contemporary Accounting Research 24 (4):
1059-1083.
Brazel, J., C. Agoglia, and R. Hatfield. 2004. Electronic versus face-to-face review: The effects
of alternative forms of review on auditors’ performance. The Accounting Review 79 (4):
949-966.
Brynjolfsson, E. and A. McAfee. 2011. Race Against the Machine: How the Digital Revolution
is Accelerating Innovation, Driving Productivity, and Irreversibly Employment and the
Economy. Lexington, MA: Digital Frontier Press.
Carton, A. and J. Cummings. 2012. A theory of subgroups in work teams. Academy of
Management Review 37 (3): 441-470.
Chatman, J. A., J. T. Polzer, S. G. Barsade, and M. A. Neale. 1998. Being different yet feeling
similar: The influence of demographic composition and organizational culture on work
processes and outcomes. Administrative Science Quarterly 43 (4): 749-780.
42
Chen, C., K. Trotman, and F. Zhou. 2015. Nominal versus interacting electronic fraud
brainstorming in hierarchical audit teams. The Accounting Review 90 (1): 175-198.
Coram, P., J. Ng, and D. Woodliff. 2004. The effect of risk of misstatement on the propensity to
commit reduced audit quality acts under time budget pressure. Auditing: A Journal of
Practice & Theory 23 (2): 159-167.
Costa, C., E. Ferreira, F. Bento, and M. Aparicio. 2016. Enterprise resource planning adoption and
satisfaction determinants. Computer in Human Behavior 63: 659-671.
Curtis, E. and S. Turley. 2007. The business risk audit – A longitudinal case study of an audit
engagement. Accounting, Organizations and Society 32 (4/5): 439-461.
Curtis, M., J. Jenkins, J. Bedard, and D. Deis. 2009. Auditors’ training and proficiency in
information systems: A research synthesis. Journal of Information Systems 23 (1): 79-96.
Danos, P., J. W. Eichenseher, and D. L. Holt. 1989. Specialized knowledge and its
communication in auditing. Contemporary Accounting Research 6 (1): 91-109.
DeFond, M. and J. Zhang. 2014. A review of archival auditing research. Journal of Accounting
and Economics 58 (2/3): 275-326.
Dovidio, J., S. Gaertner, and A. Validzic. 1998. Intergroup bias: Status, differentiation, and a
common ingroup identity. Journal of Personality and Social Psychology 75 (1): 109-120.
EY UK. 2012. Transparency Report 2012. London, UK: EY.
Gaertner, S., J. Mann, J. Dovidio, A. Murrell, and M. Pomare. 1990. How does cooperation
reduce intergroup bias? Journal of Personality and Social Psychology 59 (4): 692-704.
Gendron, Y. 2001. The difficult client-acceptance decision in Canadian audit firms: a field
investigation. Contemporary Accounting Research 18 (2): 283-310.
Gibbins, M. and K. Trotman. 2002. Audit review: Managers’ interpersonal expectations and
conduct of the review. Contemporary Accounting Research 19 (3): 411-444.
Gibbins, M. and C. Emby. 1985. Evidence on the nature of professional judgment in public
accounting. Auditing Research Symposium 1984, 181–212, Office of Accounting
Research, University of Illinois at Urbana–Champaign.
Glaser, B. and A. Strauss. 1967. The discovery of grounded theory: Strategies of qualitative
research. London, UK: Widenfeld and Nicholson.
Gold, A., W. Knechel, and P. Wallage. 2012. The effect of the strictness of consultation
requirements on fraud consultation. The Accounting Review 87 (3): 925-949.
43
Grey, C. 1998. On being professional in a “Big Six” firm. Accounting, Organizations and
Society 23 (5/6): 569-587.
Griffith, E. E. 2016. Auditors, specialists, and professional jurisdiction in audits of fair values.
Working paper, University of Wisconsin-Madison.
Griffith, E. E., J. S. Hammersley, and K. Kadous. 2015. Audits of complex estimates as
verification of management numbers: How institutional pressures shape practice.
Contemporary Accounting Research 32 (3): 833-863.
Hansen, M. 1999. The search-transfer problem: The role of weak ties in sharing knowledge
across organizational subunits. Administrative Science Quarterly 44: 82-111.
Haslam, S. A. and N. Ellemers. 2005. Social identity in industrial and organizational psychology:
Concepts, controversies and contributions. In International Review of Industrial and
Organizational Psychology, edited by G. P. Hodgkinson and J. K. Ford, 39-118.
Chichester, UK: John Wiley & Sons, Ltd.
Hayne, C. 2015. The effect of continuous and predictable environmental change on the use of
management accounting during organizational decline: A field study. Working paper,
Virginia Tech.
Hirst, D. E., and L. Koonce. 1996. Audit analytical procedures: A field investigation.
Contemporary Accounting Research 13 (2): 457-486.
Hogg, M. A. 2003. Intergroup Relations. In Handbook of Social Psychology, edited by J.
Delamater, 479–501. New York, NY: Kluwer Academic/Plenum.
ISACA. 2010. Monitoring Internal Control Systems and IT. Rolling Meadows, IL: ISACA.
ISACA Glossary. Retrieved from http://www.isaca.org/Pages/Glossary.aspx.
Ismail, Z. and K. Trotman. 1995. The impact of the review process in hypothesis generation
tasks. Accounting, Organizations and Society 20 (5): 345-357.
Jonsen, K. and K. Jehn. 2009. Using triangulation to validate themes in qualitative studies.
Qualitative Research in Organizations and Management 4 (2): 123-150.
Kane, A. 2010. Unlocking knowledge transfer potential: Knowledge demonstrability and
superordinate social identity. Organization Science 21 (3): 643-660.
Kane, A., L. Argote, and J. Levine. 2005. Knowledge transfer between groups via personnel
rotation: Effects of social identity and knowledge quality. Organizational Behavior and
Human Decision Processes 96 (1): 56-71.
44
Knechel, W., G. Krishnan, M. Pevzner, L. Shefchik, and U. Velury. 2013. Audit quality: Insights
from the academic literature. Auditing: A Journal of Practice & Theory 32 (1): 385-421.
Leech, T. 2000. Discussion of “An analysis of the group dynamics surrounding internal control
assessment in information systems audit and assurance domains.” Journal of Information
Systems 14: 123-125.
Libby, R. and K. Trotman. 1993. The review process as a control for differential recall of
evidence in auditor judgments. Accounting, Organizations and Society 18 (6): 559-574.
Lopez, D. and G. Peters. 2012. The effect of workload compression on audit quality. Auditing: A
Journal of Practice & Theory 31 (4): 139-165.
Mael, F. and B. E. Ashforth. 1992. Alumni and their alma mater: A partial test of the
reformulated model of organizational identification. Journal of Organizational Behavior
13: 103-123.
Malsch, B. and S. E. Salterio. 2016. “Doing good field research”: Assessing the quality of audit
field research. Auditing: A Journal of Practice & Theory 35 (1): 1-22.
McCracken, S., S. E. Salterio, and M. Gibbins. 2008. Audit-client management relationships and
roles in negotiating financial reporting. Accounting, Organizations and Society 33: 362383.
Miles, M. B., and A. M. Huberman. 1994. Qualitative Data Analysis: An Expanded Sourcebook.
2nd Edition. Thousand Oaks, CA: Sage Publications.
Nelson, M. and H. Tan. 2005. Judgment and decision making research in auditing: A task,
person, and interpersonal interaction perspective. Auditing: A Journal of Practice and
Theory 24: 41-71.
O’Donnell, E., V. Arnold, and S. Sutton. 2000. An analysis of the group dynamics surrounding
internal control assessment in information systems audit and assurance domains. Journal
of Information Systems 14 (Supplement): 97-116.
Owhoso, V., W. Messier, and J. Lynch. 2002. Error detection by industry-specialized teams
during sequential audit review. Journal of Accounting Research 40 (3): 883-900.
Public Company Accounting Oversight Board (PCAOB). 2004. Report on 2003 limited
inspection of Ernst & Young LLP. PCAOB Release No. 104-2004-003. Washington,
D.C.: PCAOB.
PCAOB. 2010. PCAOB Release No. 2010-004. Supervision of the audit engagement. Auditing
Standard No. 10. Washington, D.C.: PCAOB.
45
PCAOB. 2011a. Report on 2010 inspection of Deloitte & Touche LLP. PCAOB Release No.
104-2011-290. Washington, D.C.: PCAOB.
PCAOB. 2011b. Report on 2010 inspection of KPMG LLP. PCAOB Release No. 104-2011-288.
Washington, D.C.: PCAOB.
PCAOB. 2011c. Report on 2010 inspection of PricewaterhouseCoopers LLP. PCAOB Release
No. 104-2011-289. Washington, D.C.: PCAOB.
PCAOB. 2012a. Observations from 2010 inspections of domestic annually inspected firms
regarding deficiencies in audits of internal control over financial reporting. PCAOB
Release No. 2012-006. Washington, DC: PCAOB.
PCAOB. 2012b. Report on 2011 inspection of Deloitte & Touche LLP. PCAOB Release No.
104-2012-271. Washington, D.C.: PCAOB.
PCAOB. 2012c. Report on 2011 inspection of Ernst & Young LLP. PCAOB Release No. 1042012-272. Washington, D.C.: PCAOB.
PCAOB. 2012d. Report on 2011 inspection of KPMG LLP. PCAOB Release No. 104-2012199A. Washington, D.C.: PCAOB.
PCAOB. 2013a. Report on 2012 inspection of Deloitte & Touche LLP. PCAOB Release No.
104-2013-088. Washington, D.C.: PCAOB.
PCAOB. 2013b. Report on 2012 inspection of KPMG LLP. PCAOB Release No. 104-2013-147.
Washington, D.C.: PCAOB.
PCAOB. 2013c. Report on 2012 inspection of PricewaterhouseCoopers LLP. PCAOB Release
No. 104-2013-148. Washington, D.C.: PCAOB.
PCAOB. 2014a. Report on 2013 inspection of Deloitte & Touche LLP. PCAOB Release No.
104-2014-099. Washington, D.C.: PCAOB.
PCAOB. 2014b. Report on 2013 inspection of Ernst & Young LLP. PCAOB Release No. 1042014-143. Washington, D.C.: PCAOB.
PCAOB. 2014c. Report on 2013 inspection of KPMG LLP. PCAOB Release No. 104-2014-167.
Washington, D.C.: PCAOB.
PCAOB. 2014d. Report on 2013 inspection of PricewaterhouseCoopers LLP. PCAOB Release
No. 104-2014-102. Washington, D.C.: PCAOB.
PCAOB. 2015a. Report on 2014 inspection of Ernst & Young LLP. PCAOB Release No. 1042015-121. Washington, D.C.: PCAOB.
46
PCAOB. 2015b. Report on 2014 inspection of KPMG LLP. PCAOB Release No. 104-2015-189.
Washington, D.C.: PCAOB.
Prawitt, D. 1995. Staffing assignments for judgment-oriented audit tasks: The effects of
structured audit technology and environment. The Accounting Review 70 (3): 443-465.
PwC. 2015. Our focus on audit quality. New York, NY: PwC.
Rich, J., I. Solomon, and K. Trotman. 1997. Multi-auditor judgment/decision making research: A
decade later. Journal of Accounting Literature 16: 86-126.
Rousseau, D. 1998. Why workers still identify with organizations. Journal of Organizational
Behavior 19 (3): 217-233.
Rudolph, H. and R. Welker. 1998. The effects of organizational structure on communication
within audit teams. Auditing: A Journal of Practice & Theory 17 (2): 1-14.
Salterio, S. and R. Denham. 1997. Accounting consultation units: An organizational memory
analysis. Contemporary Accounting Research 14 (4): 669-691.
Selby, D. 2010. Do auditors adjust their audit plans accordingly when they encounter material
automated control weaknesses? 7th International Conference on Enterprise Systems,
Accounting and Logistics.
Shelton, S. 1999. The effect of experience on the use of irrelevant evidence in auditor judgment.
The Accounting Review 74 (2): 217-224.
Solomon, I. 1987. Multi-auditor judgment/decision making research. Journal of Accounting
Literature 6: 1-25.
Szulanski, G. 1996. Exploring internal stickiness: Impediments to the transfer of best practice
within the firm. Strategic Management Journal 17: 27-43.
Szulanski, G. 2000. The process of knowledge transfer: A diachronic analysis of stickiness.
Organizational Behavior and Human Decision Processes 82 (1): 9-27.
Tajfel, H. 1978. Social categorization, social identity and social comparison: Studies in the social
psychology of intergroup relations. In Differentiation Between Social Groups, edited by:
H. Tajfel, 61-76. London, UK: Academic Press.
Trotman, K., T. Bauer, and K. Humphreys. 2015. Group judgment and decision making in
auditing: Past and future research. Accounting, Organizations, and Society 47: 56-72.
Trotman, K., P. Yetton, and I. Zimmer. 1983. Individual and group judgments of internal control
systems. Journal of Accounting Research 21 (1): 286-292.
47
U.S. Congress. 2002. The Public Company Accounting Reform and Investor Protection Act of
2002 (The Sarbanes-Oxley Act). Public Law No. 107-204, 116 Statute 745 (July 30).
Washington, D.C.: Government Printing Office.
U.S. Government Accountability Office (GAO). 2008. Audits of Public Companies: Continued
Concentration in Audit Market for Large Public Companies Does Not Call for Immediate
Action. GAO-08-163 (January). Washington, D.C.: GAO.
Van der Vegt, G. and J. S. Bunderson. 2005. Learning and performance in multidisciplinary
teams: The importance of collective team identification. Academy of Management
Journal 48 (3): 532-547.
van Knippenberg, D. and M. C. Schippers. 2007. Work Group Diversity. Annual Review of
Psychology 58: 515-541
Vendrzyk, V. and N. Bagranoff. 2003. The evolving role of IS audit: A field study comparing the
perceptions of IS and financial auditors. Advances in Accounting 20: 141-163.
Vera-Munoz, S., J. Ho, and C. Chow. 2006. Enhancing knowledge sharing in public accounting
firms. Accounting Horizons 20 (2): 133-155.
Westermann, K., J. Bedard, and C. Earley. 2015. Learning the “craft” of auditing: A dynamic
view of auditors’ on-the-job learning. Contemporary Accounting Research 32 (3): 864896.
Wolfe, C., E. Mauldin, and M. Diaz. 2009. Concede or deny: Do management persuasion tactics
affect auditor evaluation of internal control deviations? The Accounting Review 84 (6):
2013-2037.
Yin, R. K. 2013. Case Study Research: Design and Methods. 5th edition. Thousand Oaks, CA:
Sage Publications.
48
TABLE 1
Demographic Information
All
Age
Years of experience
N
Rank
Partner/Executive Director
Senior Manager/Director
Manager
Senior
Certifications:
CPA/CA
CISA
Experience in other domain
None
Less than one year
Five years
Industry a
Fin. Services/Insurance
Govt. Contracting
Healthcare
Manufacturing
Real Estate
Technology/media/comm.
Utilities
Other b
None
Other specialization a
ERP
IFRS
SOC reporting
Other b
None
a
IT Specialists
33
Auditors
Mean (Std. Dev.)
33.3
(7.2)
10.7
(7.6)
Frequencies
16
7
12
8
6
4
4
7
1
3
8
1
5
24
13
16
0
8
13
25
7
1
15
1
0
10
6
1
11
3
6
3
3
5
2
8
5
5
2
2
1
2
3
0
7
1
6
1
4
2
1
2
2
1
4
6
3
3
7
16
0
3
0
1
12
6
0
3
6
4
33.0
(6.4)
10.4
(6.6)
32.8
(5.9)
10.2
(5.6)
17
Some respondents had more than one industry or specialization.
Other industries include auto, higher ed, pharmaceuticals, retail. Other specializations include A133 audits,
cyber-security, data analytics, FISMA, internal audit,49
operating systems, security program management.
b
TABLE 2
Audit Examples
Frequencies
Total number provided
Number provided for questions below
ab
Size
Large
Mid-size
Small
Industry a
Fin. Services/Insurance
Healthcare
Higher ed./Non-profit
Manufacturing
Retail/Gaming
Technology
Telecom
Other c
IT hours as percentage of total budget a
Less than 10%
10 - 20%
More than 20%
All
33
Good Example
Auditors IT Special.
16
17
All
29
Difficult Example
Auditors IT Special.
12
17
23
11
12
20
8
12
17
5
1
9
2
0
8
3
1
10
5
5
4
3
1
6
2
4
9
3
1
2
1
2
2
3
4
1
1
1
1
0
1
2
5
2
0
1
0
2
1
1
5
3
4
1
3
2
0
2
2
1
2
0
2
0
0
1
3
2
2
1
1
2
0
1
9
9
2
5
4
1
4
5
1
3
11
1
1
6
1
2
5
0
50
TABLE 2 (continued)
Audit Examples
Good Example
All
Auditors IT Special.
(n=23)
(n=11)
(n=12)
I felt the IT (financial) team was competent ad
Mean
6.53
Std. Dev.
(0.59)
ae
Please rate the level of audit risk for this client
Mean
4.17
Std. Dev.
(1.13)
Please rate the level of IT complexity for this client af
Mean
5.21
Std. Dev.
(1.43)
Difficult Example
All
Auditors IT Special.
(n=20)
(n=8)
(n=12)
6.39
(0.68)
6.67
(0.49)
5.74
(0.99)
5.09
(1.02)
6.17
(0.72)
4.17
(1.03)
4.17
(1.25)
4.66
(1.33)
4.41
(1.03)
4.83
(1.51)
4.98
(1.46)
5.42
(1.43)
4.44
(1.50)
4.28
(1.29)
4.54
(1.67)
a
Audit example demographic information was elicited after an initial round of interviews, from 23 of 33 respondents. Three auditor respondents in this
group only had an example for Good . For eight additional examples, respondents were unable to recall detailed budget information giving a total n of
20 (15) for IT hours as a percentage of total budget in Good (Difficult ).
b
We elicited size information via revenues and total assets. Respondents provided quantitative values (rather than qualitative categorization) for 10
(7) Good (Difficult ) examples. We used the following ranges to categorize revenue: Small – less than $100M, Mid-size – $100M to $500M, and Large –
greater than $500M (U.S. GAO 2008). For five examples (two in Good and three in Difficult ) where only total assets was quantitatively provided, we
compared the reported value to other examples with similar values where revenue was also reported to appropriately categorize.
c
One respondent provided an example in the following industries: for Good , Automotive, Professional Services, and Utilities; for Difficult ,
Advertising and Government Contracting.
d
Scale range: 1 – Strongly disagree, 7 – Strongly agree
e
f
Scale range: 1 – Low risk, 7 – High risk
Scale range: 1 – Low complexity, 7 – High complexity
51
TABLE 3
Scale Responses to Examples of Relationship Quality
Good Example
Difficult Example
All
Auditors IT Special.
All
Auditors IT Special.
(n=33)
(n=16)
(n=17)
(n=29)
(n=12)
(n=17)
a
When someone criticizes members of the IT (financial) team it feels like a personal insult
Mean
4.41
4.40
4.41
3.54
3.25
3.76
Std. Dev.
(1.56)
(1.18)
(1.88)
(1.56)
(1.41)
(1.68)
b
To what extent did the ultimate goals of the financial and IT teams overlap?
Mean
6.03
5.75
6.29
4.74
4.79
4.71
Std. Dev.
(0.78)
(0.80)
(0.69)
(1.44)
(1.57)
(1.38)
c
How would you characterize the working relationship between the financial and IT auditors?
Mean
6.32
6.15
6.47
4.03
3.98
4.06
Std. Dev.
(0.51)
(0.50)
(0.48)
(1.27)
(1.12)
(1.40)
a
Scale range: 1 – Strongly disagree, 7 – Strongly agree
Scale range: 1 – No overlap, 7 – Completely overlap
c
Scale range: 1 – Tense and mistrustful, 7 – Amicable and trusting
b
52