Audit Quality Of Outsourced Information Technology Controls Author: Tatiana Mazza, Stefano Azzali and Luca Fornaciari Publisher: Managerial Auditing Journal 2014,Vol 29 Issue 9, pp.837-862 16720838 蒋 欣 怡

Introduction Outsourced IT may increase audit risks and affect the reliability of financial reporting. To lower these risks, public authorities and other institutions provide legislation, auditing standards and frameworks (COSO; Control Objectives for Information and related Technology – [COBIT]; COBIT for SOX) to provide guidance for the auditor when performing audits. The author test for the relation between information technology audit quality (ITAQ) and AQ of outsourced information technology controls (ITC). The model of ITAQ is based on factors derived from phases of the audit cycle as regulated by PCAOB, SEC and COBIT for SOX.

Literature review ITAQ • Carcello et al. (1992) addresses financial AQ in general. It identifies four primary factors to measure AQ: client experience, industry experience, responsive to client needs and compliance with a Generally Accepted Auditing Standard. • Stoel et al. (2012) indicate that “Independence” and “Accounting Knowledge and Audit Skills” are the most important factors for ITAQ. AQ of outsourced ITC • There is very little literature on audit provisions and published papers are mainly non-academic research. However, it’s important to investigate them. • Wigley and Company (2013) point out that audit provisions often don’t get the focus they deserve and show that clever use of audit clauses can give much better results for customers in dispute resolution scenarios.

Purpose This paper aims to test the positive relationship between audit quality (AQ) of outsourced information technology controls (ITC) and information technology audit quality (ITAQ). Method Factor analysis： determine factors that explain ITAQ Ordinary least squares (OLS) regressions and simulations： test the key hypothesis of the research

Hypothesis Hypothesis H: Audit quality (AQ) of outsourced information technology controls (ITC) is positively related to information technology audit quality (ITAQ). Hypothesis The population is the 255 Italian companies listed on the Milan Stock Exchange in 2010 used a sample of 50 of the 255 companies to perform factor analysis to compute the ITAQ factors. Thirty-one of the 50 companies outsource IT, and this subsample was used to perform the OLS regressions.

Model Dependent variable (ITAQ) Building a measurable construct for ITAQ (dependent variable) through factor analysis. Selecting six main variables related to the audit cycle phases. (1) Business Scale and Audit Scope.(dummy variable) (2) Business Process Knowledge .(dummy variable) (3) IT and Controls Knowledge .(dummy variable) (4) Planning and Methodology .(dummy variable) (5) Fieldwork and Audit Procedures.(develop a measure based on compliance with the number of processes, objectives and controls proposed by COBIT for SOX from 0 to 4) (6) Responsiveness based on time frame.(Responsiveness increases if the audit is performed coherently with the intermediate and annual financial statement. To encode it we develop a measure from 0 to 4)

independent variables and control variable Measure the AQ of outsourced ITC 1 2 3 use a 5-point scale with the different types of EVALUATION PROCEDURES based on their efficiency defined by the frameworks 1 assign value 1 to companies which use these provisions in the contract with the service provider, and 0 otherwise 2 3 firm-level (Industry、 Foreign、 Loss、 Firm age）and AQ characteristics（ Governance score、 Audit fees、Audit opinion）

Factor analysis Two principal components (“ITAQ scoping” and “ITAQ planning”) with an eigenvalue higher than 1. “ITAQ Scoping” phase explains 42 per cent of ITAQ. “ITAQ Planning” explain 27 per cent . The two phases, together, explain 69 per cent. This confirms that the percentage of the variance of each item is significant in explaining variance of ITAQ.

Regression results The AQ of outsourced ITC is directly related, at a 0.01 level of significance, to ITAQ in aggregate. This is the case using both the factor score and the simple score, especially for the phase of the audit cycle related to“ITAQ planning” . This paper stresses the importance of the evaluation methodology of outsourced ITC. Don’t find that the audit provisions are significant in explaining ITAQ.

Conclusion improve on previous literature by: • confirming the relevance of some ITAQ items • selecting and summarizing these items to determine useful measures of ITAQ related to audit cycle phases determine two principal components and identify them as “ITAQ Scoping” and “ITAQ Planning”. These two factors explain more than 69 percent of ITAQ and are thus justified as dependent variables of the regression model. The AQ of outsourced ITC is strongly and directly related to ITAQ.

Practical implications Companies and auditors could improve ITAQ through a better organization of the scoping and planning activities; they could also improve the AQ of outsourced ITC using direct evaluation in the service provider location supplemented with service auditor reports. Regulators could refine or change laws and frameworks to take into account the factors of ITAQ and the methodology of evaluation of outsourced ITC.

value limitations Private data collected by questionnaire. The measures of ITAQ and the OLS model could be tested in countries with different frameworks and regulations related to AQ, different weight of outsourced information technology and other characteristics related to clients, service providers and service auditors. limitations Sample size and input items in factor analysis

Thanks