Managers’ Perception on the IT Audit Recommendations: The Effect of Risk Significance, Ease of Implementation and Added Value on Implementation of Recommendations

Armend Salihu^1,* and Hamdi Hoti²

¹Faculty of Contemporary Science and Technology, South East European University (SEEU), Tetovo, Republic of North Macedonia
²Faculty of Economic, University of Prizren “Ukshin HOTI”, Prizren, Republic of Kosovo
E-mail: ar.salihu@gmail.com; hamdi.hoti@uni-prizren.com
*Corresponding Author

Received 30 December 2020; Accepted 07 November 2021; Publication 06 May 2022

Abstract

The purpose of this study is to analyse the impact of the risk significance of audit results, the quality of the recommendations given on how easy it is to implement them, and the added benefit to the organization in implementing the recommendations. After a comprehensive literature review, the study provides a statistical analysis through a questionnaire that has been distributed to investigate the effect of Risk Significance, Ease of Implementation, and the Added Value on the implementation of the recommendations within organizations. Regarding the results obtained from the questionnaire, all Cronbach’s Alpha values are within the acceptable level, whereas the first three variables (Implementation of Recommendations, Risk Significance and Ease of Implementation) have a strong positive correlation between each other. There is a weak positive correlation between Added Value of Recommendations with other variables. In the regression analysis was found that all independent variables have a positive effect on the depended variable.

Keywords: IT audit recommendations, management perception, ease of implementation, risk significance, quality of recommendations.

1 Introduction

Recently, IT, given its use in all sectors of the economy, has become one of the main drivers of growth in the economy.

Many organizations are increasingly relying on IT to manage and monitor information through less paperwork. As a result, the level of precision and effective time control in organizations has improved by increasing the speed at which information processing takes place. This provides a competitive mechanism that the company’s processes are effective because of low costs and reduced human error [1]. However, there are also some threats arising from the implementation of information technology into organizations. Some of the main threats include: privacy breaches as information may fall into the wrong hands; inaccurate data storage in the event of failures in data collection; risk of destruction of computing assets; operational threats like loss of data by hacking and system malware; lack of the competitive resources used to implement inadequate IT systems in an organization; and a general business disruption [2]. System controls that use IT in their operations, combine both automated and manual processes, thus monitoring the activities of IT can be limited and the automatic checks cannot be easily managed. Therefore, recently organizations are investing a lot in IT Audits since almost all of the work processes are based on technological tools.

2 Literature Review

The rapid growth of information and communication technologies has brought numerous improvements to nearly every area of life. In several various sectors, new technological advances have been enhanced. Information technology has become a fact in which we coexist. The position of IT is responsible for planning, implementing, and retaining several controls over the company’s business processes [3].

Porter (1988) defined technology as one of the five factors driving market growth [4]. To maximize consumer efficiency and become an industry leader, various companies have turned their goods and activities into a digital world [5]. IT has now become one of the main tools in the growing market [6].

The increasing need for executives to validate and protect value-generating systems in both – private and public sectors, and the sophistication of the design and infrastructure of IT, demands improved corporate knowledge and IT governance. IT governance is described by the Information Technology Governance Institute as “leadership, organization, and processes that ensure that the company IT retains and extends the organization’s strategies and objectives” [7].

In the technological development period, risks of IT are the key focus of high management, especially in making the business decisions [8]. That’s because the existing IT risk not only affects the IT ecosystem but may also lead the organization to lose its general business [6]. Poor understanding of IT by top management makes it impossible for them to assess the efficacy of IT deployment in their business [9].

The growing use of information technology has brought stability, privacy, efficiency, and data protection benefits. However, the use of information technology has also brought many new challenges, therefore the IT audit is important [10]. The senior management has recognized that IT audit is becoming increasingly critical in assisting management in reviewing the application of IT [11] increasingly as to reduce unnecessary threats to organizations from IT deployment [12]. To avoid potential errors and risks, and also to measure the company’s efficiency of the information system, an information system audit is expected to perform a systematic, thorough, and detailed investigation [13].

The business will pursue rapid technological development. This makes IT audit more involved to the point that it is a core of the IT assessment within the organization. To make a meaningful difference to the business, technology development has opened up new possibilities in IT auditing. Technology development not only offers incentives for IT auditing but often poses challenges for IT auditing activities, in particular for the quality and efficacy of IT audit [14], and often separates IT auditing priorities from company expectations [15]. Technology development offers an outstanding way to make IT audits more constructive and lead to company growth and organizational progress. The concept of IT audit universe and IT audit features becomes a key element in driving IT audit’s evolving position to become more important, future and risk oriented. Furthermore, high demand for trained IT auditors would be an important topic for more study as well as the need to change to current IT-audit process frameworks to improve the performance of new IT-audit in the era of digital transformation [16].

The function of the IT audit is generally performed by a conventional approach. The conventional approach is an IT audit directed to enforcement that relies on the review and disclosure of prior procedures [11, 12, 15, 17]. However, this conventional method has now been discontinued and has begun to shift to modern IT auditing. A new solution is an IT audit targeted at risk-based changes in company performance [11]. In other words, the auditor perceives the position of IT audits as “correct,” which will improve the audited organization’s efficiency constantly [18] and reflect on the future [17]. The function of the IT audit should, therefore, begin to concentrate on IT risks for enterprises. Furthermore, the IT audit should also begin to consider how it can make a beneficial impact on the company. In recent years, the impact of IT on companies has increasingly grown, the audit cycle is improved and auditors have more challenges and problems [19]. Auditors need to follow up on changing technological developments and their effect on their organization’s information processing infrastructure and their auditing processes more quickly as IT changes [20]. In general, the technological transformation [21] poses several challenges and issues in the IT audit: Increased data storage volume. The problems generated by the growing amount of data are data quality, data reliability, accuracy and data protection; rapid growth of new technologies.

Regarding the audit findings, in general, there are five attributes that an audit finding must have [22]: Condition; Criteria; Cause; Effect; and Recommendation.

The recommendation is one of the most important parts of the audit finding, therefore the focus of this study is to find the effects regarding the rate of the implementation of recommendations.

The conclusions and recommendations made by the auditor reflect a significant contribution to effective governance that will quickly and effectively guide organizations to address weaknesses and vulnerabilities found [23]. To enhance efficiency, auditors shall make practical and achievable audit recommendations for audited to implement easily [24].

Following education and technical preparation, Adams (1994) notes that an audit committee can better understand the internal management process and conduct reliable fieldwork by planning and implementing a comprehensive audit test and presenting Added Value recommendations that promote adoption and implementation [25]. Wilkins (1995) said that the quality of the report depends on the assessment of how the audit recommendations are achieved [26]. Also, a recommendation that is not compelling it will not be implemented. A recommendation that does not address the root cause of the condition may not produce the desired outcome [27]. Van Gansberghe (2005) claimed in his analysis that the implementation of audit recommendations is very important to the outcome of the audit [28].

There has been concluded that management’s commitment to the use of audit recommendations and encouragement for the improvement of the audit is essential to audit effectiveness [29]. The management’s attention to enforcing audit recommendations enhances the operation of the audited, as a result of which the quality of the audited will enhance the quality of the audit. Therefore, audit conclusions and recommendations will not have any benefit until the management is committed to enforcing them [30].

Effective and timely implementation of the recommendations agreed upon by the management of the company is an essential part of achieving the full value of the audit. However, the consistency of the audit recommendations, the management engagement, the evaluation and follow-up of the audit recommendations is one of the key factors in the lack or failure of timely implementation of the recommendations. Cohen (2014) suggest that the recommendations made by the auditors must be of high quality to be implemented [31]. Audit recommendations should be clear, convincing, and always provide a feasible basis for their implementation. Hoos (2018) concluded that performing audit research under audit criteria is a major contribution to audit performance [32].

Ashouri (2015) suggest that management is responsible for developing and enforcing an efficient system of internal control and the auditor is responsible for performing an independent review to determine the effectiveness of the system of internal controls to put this issue together with recommendations for change if internal control is not successful [33]. The implementation of the audit recommendation is also examined in close relation to the reduction of security incidents [34]. D’onza and the other authors suggested that the inability to enforce audit recommendations could result in management attempting to manipulate the company by incorrect processing of financial reports [35].

Regarding the Added Value of the audit and recommendations, based on the official definition of the audit, the ultimate goal is to contribute to the creation of added value to the organization [36]. The studies in [37] and [38] define the concept of “value tracking” as the cost savings and/or revenue enhancements because of audit activities. The cost-benefit approach used by these two analyses is to control and measure the profit that audit gives to the enterprise. The importance of the audit results or conclusions may also be used to assess the audit’s efficacy. Shu also controls the costs and efficiencies of noncompliance [39]. In keeping with this, the data in the study of Bota-Avram, (2010) also show that some organizations use the cost-benefit metric to measure audit performance [40].

2.1 International Standards to Improve Quality of IT Audit

The demand for IT audit has increased with additional high expectation on quality of IT audit. There are several international standards that can be used to improve the quality of recommendations in IT Audits.

The introduction of emerging technology offers the business different benefits and risks. Organizations use frameworks of best practice to promote success in developing IT management in compliance with regulatory requirements. COBIT [9] is one of these IT governance frameworks. The new edition of COBIT is COBIT 2019 [41]. However, the framework is still too complex to be managed [11]. Therefore, technology development has changed the way IT audits are conducted [42]. As a part of the technology development, IT audits will continually develop and respond to dynamic environments [43].

In general, the function of IT audit will depend on how the organization determines the universe of IT audit and the characteristics of IT. Based on the Institute of Internal Auditors IT auditing universe can be described in 4 fields: IT Governance; IT Infrastructure; Applications; and other external factors [44].

GUID 5100, published by INTOSAI (International Organization of Supreme Audit Institutions), is the overarching framework for performing information system audits inside the IFPP. The goal of this GUID is to offer auditors with direction on how to conduct Performance and/or Compliance audits on information systems that are part of a wider audit engagement, such as a Financial, Compliance, or Performance audit. Auditors can use the information in this GUID during the planning, conducting, reporting, and follow-up stages of the audit process. This GUID defines the information systems audit as following [45]:

“Audit of Information Systems may be defined as the examination of controls related to IT-driven information systems, in order to identify instances of deviation from criteria, which have in turn been identified based on the type of audit engagement – i.e. Financial Audit, Compliance Audit or Performance Audit.”

The INTOSAI Working Group on IT Audit (WGITA) and the INTOSAI Development Initiative (IDI) collaborated to produce an updated Handbook on IT Audit, with the goal of providing SAI auditors with IT Audit standards and generally recognized best practices. The primary topics that IT auditors may be required to investigate while performing IT audits are covered in detail in this Handbook [46].

This handbook is designed to provide IT auditors with detailed information on many aspects of IT auditing, as well as step-by-step instructions on how to properly prepare these audits. The definition of IT Audit, as well as the scope and goal of IT Audit in public institutions, are covered in the first chapter. It also explains the differences between IT General Controls and Applications Controls, as well as the relationship between the two. Describes the IT auditing process and risk-based assessment technique for selecting IT audits. The chapters that follow provide a detailed description of several IT domains to aid IT auditors in identifying potential auditable areas like: IT Governance, Development & Acquisition, IT Operations, Outsourcing, Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP), Information Security, Application Controls, and emerging areas in IT Auditing. At the end of each chapter, IT auditors will find a list of organizational level risk relating to the IT domain, which will aid them in identifying high-risk auditable areas. Depending on the scope and aim of the IT audit being planned, the recommendations provided on each domain will assist IT auditors in preparing their audits, either on a single domain or a group of domains. Each chapter includes step-by-step instructions for creating an audit matrix. The audit matrix covers the most important audit issues, criteria, necessary information, and analysis methodologies [46].

ISACA has developed several standards, guidelines, tools and techniques, including the ITAF: A Professional Practices Framework for IS Audit/Assurance, that is a comprehensive and good-practice-setting reference model that [47, 48]:

– Establishes standards that address IS audit and assurance professional roles and responsibilities; knowledge and skills; and diligence, conduct and reporting requirements;

– Defines terms and concepts specific to IS assurance;

– Provides guidance and tools and techniques on the planning, design, conduct and reporting of IS audit and assurance assignments.

The last edition of ITIF is fourth edition [49].

This fourth and latest edition of ITAF has been updated to align with the steps of the audit process, including:

– Incorporation of more IT-specific guidance and examples

– Emphasis on risk assessment during the audit planning phase to provide practitioners with guidance that is directly applicable to the audit process

– Updated auditor objectivity content that is more concise and easier to reference

– A format change to make ITAF more user friendly

Other useful standards that can be used in IT Audit process include standards like NIST and ISO Standards.

There are several benefits using NIST framework. Organizations can target eight use cases to benefit from the NIST cybersecurity framework’s deployment. These are examples of how the framework can be used to smoothly integrate with existing cybersecurity rules and procedures. Including:

1. Integrating enterprise and cybersecurity risk management.

2. Evaluating organizational cybersecurity.

3. Reporting cybersecurity risks.

4. Managing cybersecurity requirements.

5. Maintaining a comprehensive understanding of cybersecurity risk.

6. Integrating and aligning cybersecurity and acquisition processes.

7. Managing the cybersecurity program.

8. Informing the tailoring process.

Individuals who can demonstrate their knowledge of the NIST Cybersecurity Framework earn numerous benefits. As the framework’s global adoption develops, being a certified NIST cybersecurity professional (NCSP) is one approach to expand expertise and demonstrate comprehension of the framework to customers and future employers [50].

3 Methodology

3.1 Data Gathering

A standardized questionnaire was used for this study to collect data. A total of 131 questionnaires were sent to CEOs, CIOs and other Professionals in the companies located in South East Europe. From this distribution, there was a total of 51 responses or 38.93%. 52.94% of the respondents were females and 47.06% were males. Regarding the position, 13.73 of responders were CEOs, 25.49% were CIOs, 49.02% were IT Professionals and 11.76% were IT Auditors. This study used the online system to collect responses and was accessed using a 5-point Likert scale with scales for dependent variable: 5-Almost always, 4-Often, 3-Sometimes, 2-Seldom and 1-Almost never, and for independent variables: 5-Very high, 4-High, 3-About the same, 2-Low and 1- Very low.

3.2 Results

This research aims to find the effect of Risk Significance, Ease of Implementation, and the Added Value of Recommendations in the Implementation of Recommendations. Regarding the IT audits, 58.82% of responders declared that the organization they work for, already had responsible staff for the IT Audit. 11.76% of responders declared that the organization they work for, does not do external IT Audits, 25.49% declared that the organization has external IT Audits and 62.75% of responses declared that the organization they work for has IT Audit recommendations included in the annual financial statement audits (statutory audits). On the question asked – which IT Audit (Internal or External) adds more value to the organization, 54.90% said the Internal Audit and 45.10% said the External Audit adds more value with the implementation of their recommendations. While asked why they think that Internal/External IT Audits add more value the major responses were that Internal Audit has more knowledge regarding the business processes, while the respondents who said the External Audit adds more value, the major responses were that they do the cold review. On the question asked regarding which recommendations are harder to implement (those from internal or external IT Audits), 70.59% of responses were that external IT Audit recommendations are harder to implement, and 29.41% think that internal IT Audit recommendations are harder to implement. While asked why they think that internal/external IT Audit recommendations are harder to implement, the responses were that the external IT Audit recommendations are more general and not action-oriented, and the respondents that think that internal IT Audit recommendations are harder to implement, the major responses were that the level of control is deeper than the external IT Audits.

Regarding the Linear Regression analysis, this study’s dependent variable refers to the Implementation of IT Audit Recommendations, including internal and external IT Audit recommendations. While the independent variables of this study are: Risk Significance, conceptualized as the risk that may have the organization if they decide not to implement the IT Audit recommendations; Ease of Implementation of recommendations, conceptualized as the clarification and the quality of recommendations, level of details in the recommendations; and the Added Value, conceptualized as what would be the value if implementing the IT Audit recommendations. Therefore, this study aims to determine the correlations between variables as well as to determine a linear equation to explain the relationship between variables. In this study there are three hypotheses related to the analysis, also, the purpose of this study is to explain the numeric details of relation between the variables:

• Hypothesis 1 – Risk Significance of the finding has a positive effect on the Implementation of Recommendations.

• Hypothesis 2 – The Quality of Recommendations (Action-Oriented/ Detailed Recommendations), have a positive effect on the Implementation of Recommendations.

• Hypothesis 3 – The Value that the implementation of recommendations adds to the organization, have a positive effect on the Implementation of Recommendations.

First, we will find the construct reliability of the responses, the Cronbach’s Alpha is used to determine the construct reliability. Based on the Nunally & Brenstein [51], the Cronbach’s Alpha should be at least 0.7, and as it is presented in Table 1, all Cronbach’s Alpha values of this study are within the acceptable level.

Table 1 Construct reliability

	Cronbach’s Alpha	No. of Items
Implementation of Recommendations	0.877	4
Risk Significance	0.815	2
Ease of Implementation	0.929	4
Added Value of Recommendations	0.922	4
Source: Authors’ source.

The correlation between variables is presented in Table 2. It is suggested that to have a strong positive correlation, the correlation figures should be between 0.5 and 0.7, and based on the results of the correlation analysis presented in Table 2 we can see that the first three variables (Implementation of Recommendations, Risk Significance and Ease of Implementation) have a strong positive correlation between each other, and there is found a weak positive correlation between last variable (Added Value of Recommendations) with other variables.

Table 2 Correlations

		Imp. of	Risk	Ease of	Added Value
		Rec.	Sig.	Imp. Rec.	of Rec.
Pearson Corr.	Imp. of Rec.	1	0.601	0.623	0.377
	Risk Sig.	0.601	1	0.544	0.174
	Ease of Imp.	0.623	0.544	1	0.105
	Added Value of Rec.	0.377	0.174	0.105	1
Source: Authors’ source.

In the next analysis of this study – the linear regression, it is focused to find a linear equation that describes the relationship between dependent and independent variables. The summary of the regression model is presented in Table 3. Table 3 indicates that the adjusted R square is 0.532 meaning that the independent variables (Risk Significance and Ease of Implementation and Added Value of Recommendations) explain more than 53% of the total effect on the dependent variable (Implementation of Recommendations).

Table 3 Model summary

Model	R	R Square	Adjusted R Square	Std. Error of the Estimate
1	0.748	0.560	0.532	0.50840

Change Statistics
R Square Change	F Change	df1	df2	Sig. F Change	Durbin-Watson
0.560	19.934	3	47	0.000	2.274
Source: Authors’ source.

In Table 4 is presented the ANOVA test, where we can see that the significance of this model, in general, is 0.000, which is acceptable at the 99% confidence level.

Table 4 Model summary

Model		Sum of Squares	df	Mean Square	F	Sig.
1	Regression	15.457	3	5.152	19.934	0.000
	Residual	12.148	47	0.258
	Total	27.605	50
Source: Authors’ source.

As presented in Table 5, since the significance of the variables is: 0.008, 0.007, 0.001, and 0.007, it means that all the independent variables have an acceptable level of 99% confidence level.

Table 5 Model summary

		Unstandardized Coefficients	Standardized Coefficients
Model	B	Std. Error	Beta	t	Sig.
1	(Constant)	1.015	0.367		2.766	0.008
	Risk_Sig	0.267	0.095	0.327	2.808	0.007
	AO_EI	0.315	0.087	0.416	3.610	0.001
	Added Value	0.229	0.081	0.276	2.811	0.007

99.0% Confidence Interval for B	Correlations	Collinearity Statistics
Lower Bound	Upper Bound	Zero-order	Partial	Part	Tolerance	VIF
0.030	2.001
0.012	0.523	0.601	0.379	0.272	0.690	1.448
0.081	0.549	0.623	0.466	0.349	0.704	1.420
0.010	0.448	0.377	0.379	0.272	0.970	1.031
Source: Authors’ source.

Based on the coefficients presented in Table 5, the linear equation from the regression analysis is:

I = 1.015 + 0.267 R S + 0.315 E I + 0.229 A V

Where:

• I – Implementation of Recommendations

• RS – Risk Significance

• EI – Ease of Implementation

• AV – Added Value

The linear equation of this study shows that the IT Auditors should focus more on assessing the risks to the organization, as identifying risky findings and recommending improvements to them affects 26.7% in implementing the recommendation. Also in terms of the quality of the recommendations, the IT Auditors should focus on making the recommendations as accurate and precise as possible, in order to address issues that create barriers to the process, or jeopardize IT systems. By increasing the quality of the recommendations per one unit, the implementation of the recommendations increases by 31.5%. Also, this study suggests that the IT Auditor should consider the added value to the organization by implementing recommendations, as recommendations that do not add value will hardly be implemented. With the identification of issues, providing recommendations that through their implementation improve the quality of the organization and add value to the organization, then the possibility of implementing the recommendations increases by 22.9%.

The assumptions of the regression model also will be checked. The normality, multicollinearity, and autocorrelation are the assumptions of the regression model that will be checked.

3.3 Normality

In Figure 1 is shown the distribution of the dependent variable. From the following figure, can be concluded that the residuals are distributed normally, and there is no problem with the normality of this model.

Figure 1 Normality, authors’ source.

3.4 Multicollinearity

A variance inflation factor (VIF) detects multicollinearity in regression analysis. Multicollinearity is when there’s correlation between predictors (i.e. independent variables) in a model; its presence can adversely affect the regression results. The VIF estimates how much the variance of a regression coefficient is inflated due to multicollinearity in the model [52]. It is suggested that multicollinearity is a potential problem when VIF figures are greater than 4, and is a serious problem when VIF figures are greater than 10, and as presented in Table 5, all the VIF figures are less than 4, means that there is no problem with the multicollinearity.

3.5 Autocorrelation

The Durbin-Watson test statistic tests the null hypothesis H $_{0}$ that the residuals from an ordinary least-squares regression are not auto correlated against the alternative that the residuals follow an autoregressive process. Regarding the autocorrelation assumption, from the application of Durbin Watson table [53], the following results are obtained:

4-du

4-dl

From Durbin Watson table we have:

• dl $=$ 1.245

• du $=$ 1.491

• 4 – du $=$ 2.509

• 4 – dl $=$ 2.755

As can be seen in Table 3, our Durbin Watson value is 2.274, which is between du $=$ 1.491 and 4-du $=$ 2.509 so, we don’t reject H $_{0}$ meaning that there is no autocorrelation problem.

4 Discussion and Recommendations

Seeing how technological advancements have influenced the need to verify whether automatic controls are in place and effective has increased the demand for information system audits. However, in order to conduct an adequate audit of information systems, we must rely on international standards and appropriate information technology frameworks. Some appropriate standards and frameworks for conducting an IT audit include, but are not limited to: COBIT, GUID 5100, ITAF: A Professional Practices Framework for IS Audit/Assurance, NIST, ISO Standards, etc.

There are 5 elements of audit findings: Condition; Criteria; Cause; Effect; and Recommendation.

In this study, we looked at the quality of recommendations in the field of IT. For the recommendations to be acceptable and as likely as possible to be implemented by the organization’s management, they should be as qualitative as possible. We identified three factors that may influence the increase in recommendation implementation, which are as follows:

– Risk Significance;

– Ease of Implementation; and

– Added Value of Recommendations.

Therefore, in order to achieve the realization of these factors, during the audit process we must focus on international standards, adequate and implementable frameworks, best practices etc., in order to identify areas of risk and the most appropriate criteria for the institution being audited. Since an adequate criterion based on standards and best practices enables a higher level of control to identify the current condition of the organization being audited as accurately as possible when compared to the criterion we have chosen as a basis. The cause of the identified condition is easily identified from the identified situation, and then the risks and effects of non-implementation of the recommendation are identified. Based on the criteria we have used we can come to the appropriate recommendation, which addresses areas of risk, is easily implemented and adds value to the organization.

5 Conclusion

The purpose of this paper was to identify the factors that may influence the implementation of IT Audit recommendations. The study’s dependent variable is the implementation of IT Audit Recommendations, while the independent variables of this study are: Risk Significance, Ease of Implementation of the recommendation and the value that the implementation of the recommendation adds to the organization.

The results indicate that all of Cronbach’s Alpha values are within an acceptable level. Whereas from the correlation analysis it is found that there is a relatively strong positive correlation between the first three variables (Implementation of Recommendations, Risk Significance and Ease of Implementation) and weak positive correlation between last variable (Added Value of Recommendations) with the other variables. From the regression analysis, the linear equation among dependent and independent is I $=$ 1.015 $+$ 0.267 RS $+$ 0.315 EI $+$ 0.229 AV, and it is seen that the independent variables have a positive effect on the dependent variable.

From the regression analysis, it is found that the independent variables present more than 53% of the total effect in dependent variable which is the implementation of the audit recommendation, also the effect of the independent variables have a positive effect on the dependent variable, meaning that if risk significance that accompanies the recommendation is 1 unit higher, it will increase the implementation of the recommendation for 26.70% or 0.267 units, if recommendations quality and recommendations are more action-oriented and are easier to implement for 1 unit, it will increase the implementation of the recommendation for 31.50% or 0.315 units, also with the increase of the added value that implementation of the recommendation adds to the organization for 1 unit, it will increase the implementation of the recommendation for 22.90% or 0.229 units.

To have a better and clearer IT Audit Recommendations, the auditor should focus on international IT Auditing standards and best practices.

References

[1] J. Warren, L. Edelson, X. Parker and R. Thrun, Handbook of IT Auditing, New York: Warren, Gorham & Lamon, 1998.

[2] B. L. Hadden, F. T. DeZoort and D. R. Hermanson, “IT Risk Oversight: The Roles of Audit Committees, Internal Auditors, and External Auditors,” Internal Auditing, vol. 18, no. 6, pp. 28–31, 2003.

[3] D. M. Cannon and G. A. Crowe, “SOA Compliance: Will IT Sabotage Your Efforts?,” The Journal of Corporate Accounting and Finance, vol. 15, no. 5, pp. 39–53, 2004.

[4] M. E. Porter, Competitive Advantage, New York: Free Press, 1988.

[5] C. Matt, T. Hess and A. Benlian, “Digital Transformation Strategies,” Business Information System Engineering, vol. 57, pp. 339–343, 2015.

[6] C. Juiz and M. Toomey, “To Govern IT, or Not To Govern IT?,” Magazine Communications of the ACM, vol. 58, pp. 58–64, 2015.

[7] IT-Governance-Institute, Board Briefing on IT Governance, 2nd Edition, USA: IT Governance Institute, 2003.

[8] A. Lawati and S. Ali, “Business perception to learn the art of Operating System auditing: A case of a local bank of Oman,” in Proceedings of the 8th IEEE GCC Conference and Exhibition, 2015.

[9] D. Radonovic, T. Radonovic, L. Dubravka and M. Sarac, “IT audit in accordance with COBIT standard,” in MIPRO, 2010 Proceedings of the 33rd International Convention, IEEE, 2010.

[10] M. Kayrak, “Information Technology Audit and the Practice of the Turkish Court of Accounts,” Turkish Court of Accounts, Turkey, 2014.

[11] P. Lovaas and S. Wagner, “IT Audit Challenges for Small and Medium Sized Financial Institutions,” in Annual Symposium on Information Assurance and Secure Knowledge Management, 2012.

[12] D. C. Chou, “Cloud Computing Risk and Audit Issues,” Computer Standards and Interfaces, vol. 42, pp. 137–142, 2015.

[13] M. Spremić, “Managing IT Risks by implementing Information System Audit Function: Case of Croatian Large Companies,” in 3rd International Workshop in Wireless Security Technologies Proceedings, 2005.

[14] T. Rosário, R. Pereira and M. M. da-Silva, “Formalization of The IT Audit Management Process,” in IEEE 16th International Enterprise Distributed Object Computing Conference, 2012.

[15] T. Li and L. Chen, “The IT Audit Objective Research Based on The Information System Success Model under The Big Data Environment,” in International Symposium on Knowledge Acquisition and Modeling, 2015.

[16] B. R. Aditya, R. Hartanto and L. E. Nugroho, “The Role of IT Audit in the Era of Digital Transformation,” in IOP Conf. Series: Materials Science and Engineering 407, 2018.

[17] P. J. Suk, Y. C. Oh, J. G. Yoo and J. B. Kim, “Study on Audit Information Systems Improved Model based on Public Internal Audit Paradigm Shift,” Advanced Science and Technology Letters, vol. 107, pp. 12–15, 2015.

[18] M. AL-Sharairi, A. Al-Hosban and H. Thnaibat, “The impact of the risks of the input of accounting information systems on managerial control, accounting control and internal control in commercial banks in Jordan,” International Journal of Business and Management, vol. 13, no. 2, pp. 96–107, 2018.

[19] I. Solomon and K. Trotman, “Experimental judgment and decision research in auditing: The first 25 years of AOS,” Accounting, Organizations and Society, vol. 28, pp. 395–412, 2003.

[20] Z. Rezaee and A. Reinstein, “The Impact of Emerging Information Technology on Auditing,” Managerial Auditing Journal, vol. 18, no. 2, pp. 465–471, 1998.

[21] A. C. Dzuranin and I. Mãlãescu, “The Current State and Future Direction of IT Audit: Challenges and Opportunities,” The Journal of Information Systems, vol. 30, pp. 7–20, 2016.

[22] I. Cooke, “The Components of the IT Audit Report,” ISACA Journal, vol. 1, no. 1, 2020.

[23] Institute-of-Internal-Auditors, Role Of Auditing in Public Sector Governance. 2nd Edition, IIA, 2012.

[24] J. Taylor, “What should be the role of the auditor general in the context of managerialist government and new public management?,” Australian Journal of Public Administration, vol. 55, no. 4, pp. 147–156, 1996.

[25] M. B. Adams, “Agency Theory and the Internal Audit,” Managerial Auditing Journal, vol. 9, no. 8, pp. 8–12, 1994.

[26] P. Wilkins, “Performing auditors?: assessing and reporting the performance of national audit offices-a three country comparison,” Australian Journal of Public Administration, vol. 54, no. 4, pp. 421–430, 1995.

[27] K. A. Stephen, “Determinants of Auditee Adoption of Audit Recommendations: local government auditors’ perspectives,” Journal of Public Budgeting, Accounting & Financial Management, vol. 24, no. 2, pp. 195–220, 2012.

[28] C. N. VanGansberghe, “Internal auditing in the public sector: a consultative forum in Nairobi, Kenya, shores up best practices for government audit professionals in developing nations,” 2005.

[29] L. B. Sawyer, “An internal; audit philosophy,” Internal Auditor, pp. 45–55, 1995.

[30] United-States-General-Accounting-Office, “How to Get Action on Audit Recommendations,” GAO, USA, 1991.

[31] A. Cohen and G. Sayag, “The effectiveness of internal auditing,” Australian Accounting Review, vol. 20, no. 54, pp. 45–65, 2014.

[32] F. Hoos, W. F. Messier, J. L. Smith and P. R. Tandy, “An experimental investigation of the interaction effect of management training ground and reporting lines on internal auditors’ objectivity,” International Journal of Auditing, 2018.

[33] R. E. Ashouri, “Internal Auditors-integral to good governance,” International Journal of Auditing, vol. 1, no. 1, pp. 44–49, 2015.

[34] A. Salihu and X. Berisha-Hoti, “The Effect Of IT Audit On Security Incidents,” International Journal of Scientific & Technology Research, vol. 8, no. 8, pp. 1342–1347, 2019.

[35] G. D’onza, M. Georges and S. A. M. R. M., “A study on internal audit perception of the functions ability to add value,” International Journal of Auditing, vol. 19, no. 3, pp. 67–76, 2015.

[36] H. Dellai, M. Ali and B. Omri, “Factors affecting the internal audit effectiveness in Tunisian organizations,” Research Journal of Finance and Accounting, vol. 7, no. 16, 2016.

[37] A. A. M. Al-Twaijry, J. A. Brierley and D. R. Gwilliam, “The development of internal audit in Saudi Arabia: an institutional theory perspective,” Critical Perspectives on Accounting, vol. 14, no. 5, pp. 507–531, 2003.

[38] D. S. B. Soh and N. Martinov-Bennie, “The internal audit function: perceptions of internal audit roles, effectiveness and evaluation,” Managerial Auditing Journal, vol. 26, no. 7, pp. 605–622, 2011.

[39] F. Shu, Q. Li, Q. Wang and H. Zhang, “Measurement and analysis of process audit: a case study,” International Conference on Software Process, pp. 285–296, 2010.

[40] C. Bota-Avram, I. Popa and C. Stefanescu, “Methods of measuring the performance of internal audit,” The Annals of the “Stefan Cel Mare” University of Suceava, vol. 10, pp. 137–146, 2010.

[41] ISACA, COBIT 2019 Framework: Introduction & Methodology, USA: ISACA, 2019.

[42] A. Rahman, A. Al-Nemrat and D. S. Preston, “Sustainability in Information Systems Auditing,” European Scientific Journal, vol. 3, pp. 458–472, 2014.

[43] D. H. Kim, D. S. Kim, C. Koh and H. W. Kim, “An Information System Audit Model for Project Quality Improvement by The Agile Methodology,” International Journal of Information and Education Technology, vol. 3, pp. 259–299, 2016.

[44] Institute-of-Internal-Auditors, “Global Technology Audit Guide 4 – Management of IT Auditing 2nd Edition,” The Institute of Internal Auditors, 2013.

[45] INTOSAI, “GUID 5100 – Guidance on Audit of Information Systems,” 06 2019. [Online]. Available: https://www.issai.org/wp-content/uploads/2019/09/Guid-5100-Guidance-on-Audit-of-Information-Systems.pdf. [Accessed 05 2021].

[46] INTOSAI-IDI, “WGITA – IDI Handbook on IT Audit for Supreme Audit Institutions,” INTOSAI-IDI, Beijing, China, 2014.

[47] ISACA, “Standards, Guidelines, Tools and Techniques,” ISACA JOURNAL, vol. 1, p. 59, 2020.

[48] ISACA, “ITAF: A Professional Practices Framework for IS Audit/ Assurance,” ISACA, 2014.

[49] ISACA, “ISACA Updates IT Audit Framework (ITAF),” ISACA, 2020.

[50] S. Cockcroft, “What is the NIST Framework?,” ITNOW, vol. 62, no. 4, pp. 48–49, 2020.

[51] J. C. Nunnally and I. H. Bernstein, Psychometric theory, New York: McGraw-Hill, 1994.

[52] S. Glen, “Variance Inflation Factor,” [Online]. Available: https://www.statisticshowto.com/variance-inflation-factor/.

[53] E. Savin and K. J. White, “The Durbin-Watson Test for Serial Correlation with Extreme Sample Sizes or Many Regressors,” Econometrica, vol. 45, no. 8, pp. 1989–1996, 1977.

Biographies

Armend Salihu works as IT Auditor at National Audit Office – Republic of Kosovo, also he is engaged as Teaching Assistant at the University of Prishtina, Faculty of Mathematics – Natural Sciences. Currently, he is pursuing a PhD in Computer Science at the South-East European University. His research interests are: IT Audits, Information System Audit, Theoretical Computer Science, Security, Technology and Simulations.

Hamdi Hoti received his Ph.D. at the University of Tirana. He is an Associate Professor at the Faculty of Economics, University “Ukshin HOTI” Prizren. His research interests include Corporate Governance, Change Management, Human Resource Management, Scientific Research Methods, and Project Management. He is Vice Dean in the same faculty.