Audit Technology Tools and Business Process Assurance: Assessment of Auditors’ Perspective in Nigeria

The purpose of this paper is to assess the perception of compliance personnel over audit technology tools implementation in Nigeria. The study provides an empirical analysis of input supplied by a sample of 173 professional auditors across 67 companies from 5 major sectors of the Nigerian Stock Exchange. Subjects were tested of their perception on the application of audit technology tools in automated controls monitoring of financial transactions processing and assurance reporting. Although audit technology tools have been accessible for over a decade, the outcome of the study suggested that internal auditors and audit departments in Nigerian companies are not making substantial use of available tools. Internal auditors mostly have adopted audit software on an ad hoc basis with some repetitive use. In addition, most internal audit departments and units do not have formal strategies and plans for integrating technology in their internal audit processes with the exclusion of the financial services sector. The study also discovered that the most significant factors inhibiting the use of technology tools in other sectors were audit software inaccessibility and training costs alongside lack of senior management support from additional comments obtained from survey instrument. Respondents relatively share inconsistent views about the applicability and reliance on the underlying tools.


Introduction
The role of IT now hold ace in contemporary business around the world. From sole proprietorship to the desk of the corporate executive IT has completely taken the place or satisfactorily complimented manual data processing. Organizations now rely on Computerized Information Systems (CIS) with its resultant concerns and challenges. Transactions efficiency has also increased and there is amplified cost savings from operational adeptness. Companies now consider IT as business enabler through which they obtain competitive superiority in the market place over and above their competitors (Ahmad, 2006) [1]. The increasing dependent on IT however portend significant risk for auditors as financial transactions on which they provide assurance services now run parallel on IT operations. If auditors must express independent opinion on the true and fair status of financial statements which reflects underlying business process transactions processed through IT applications then these professionals must be conscious of the functionality, operation and level of reliance to be placed on IT-based processes. Without doubt they must not only possess working knowledge of audit technology tools but also endeavour to demonstrate requisite skills and attitude required of professionals in this respect. Due to enormous risks associated with the use of computer applications amongst which are loss of information assets, errors and irregularities in financial transactions processing, fraudulent activities, security vulnerabilities, loss of data, violation of privacy rights and likelihood of discontinuity of business owing from disaster, it has become imperative that assurance professionals are in a position to vouch for reliability of controls placed within IT applications ( (Warren et al., 1998) [35]. Enterprises are becoming overly dependent on IT systems. Most often these solutions immediately inspire reengineering of traditional business processes within the entity and between it and its customers and suppliers with ready to use implementations designed to fulfil robust transactions processes such as billing (invoice generation), accounts content management, personnel, finance, website design, training or content management. The need for professional auditors' proficiency in IT and auditing 94 Audit Technology Tools and Business Process Assurance: Assessment of Auditors' Perspective in Nigeria becomes increasingly rapidly in ensuring integrity of automated systems. Wartney and Turney (2002) [44] opined that the challenges posed by the adoption of computer information systems has direct implications for auditing of processes as a result of the residence of business data and programs storage inside computerized applications, data and programs being subjected to manipulations, possible elimination of audit trail and the rapid development of artificial intelligence solutions. Over-time, the need for auditor's manual audit file would diminish and the use of electronic work papers would replace this (Bedard et al., 2003) [5]. Even though the primary objectives of auditing remain fairly unaffected the processes and procedures adopted in auditing information systems would never be the same with manual processes (Ahmed, 2003) [2]. The integration of two professions in one was enunciated by Pathak (2004) [34] when he opined that auditing and IT are being unified as a distinct profession evolving from Information Technology and auditing. This concept progressed from organizations increase use of information systems and the disquiets raised by its attendant implications by accountants in the audit profession. This emerging Information System and Control profession has arisen and the foundation is to rely on the knowledge, skills and experience of both IT and audit. Auditors now have to consider technology infrastructure, IS strategic plan, role of IT organization structure, IT strategy committees, IT oversees responsible, familiarity with IT governance and others in selecting appropriate audit strategy (Iliescu, 2010) [25]. The era of IT has made audit to involve consciousness about organization data touching across multiple business groups and IT systems on its way from preliminary transactions and ultimately to the generation of financial statements to which senior management must attest.
In an earlier study by Kutsikos and Bekiaris (2007) [28], verifying the correctness of data requires placing reliance on accounting systems and procedure and in providing answer to this and similar problems control frameworks have played substantial role. The most popular is the business control model, the Committee of Sponsoring Organization (Internal Control-Integrated) Framework published in 1992 and the IT Control Objective for Information and Related Technologies (COBIT) first published in 1996 [11]. Although both models have assisted significantly in areas of IT controls they however do not provide guidance on how controls on IT security should be achieved but rather what should be done hence organizations must find ways of achieving reliance on their IT security standards and auditors must be a part of this process. Their job involves providing assurance on control system and the transparency of audit findings depend largely on the transparency of the audit process. In spite of the importance of IT controls tools and techniques on internal audit, there appears to be paucity of research in this area in Nigeria. Hence the study seeks to address an empirical approach of the perception of internal auditors.

Aim and Objectives of the Study
The aim of this study is to examine the perception of internal auditors' use of technology tools in providing assurance on financial transactions and business process reporting requirements in Nigeria by investigating the hands-on experience of selected respondents. To achieve this, the study seeks to: i. investigate the extent of use of technology tools by internal audit departments in Nigerian companies; ii.
investigate the extent of reliance on audit tools in providing effective audit assurance; iii.
identify ways to reduce perceived gaps existing in the use of audit technology tools.

Research Questions
In order to achieve the objectives as stated it is aimed that answers be provided to the following questions: i.
To what extent are internal auditors making use of technology tools in discharging their duties? ii.
What level of assurance is provided on business processes by audit technology tools? iii.
To what extent do internal auditors rely on audit tools in carrying out effective audit?

Research Hypotheses
The following null hypotheses were tested in order to provide answers to the research questions: H 01 : there is no significant difference amongst auditors in the use of technology tools. H 02 : there is no significant difference in the perception of respondent groups over the impact of audit technology tools on business processes assurance. H 03 : there is no significant difference in the perception of internal auditors over reliance placed on technology tools in carrying out effective audit.

Significance of study
The role of auditors has changed significantly with the deployment of IT resources in business processes hence this experiential investigation on audit technology tools constitute significant contribution to existing literature. Furthermore the study provide evidence on the extent to which applications gap exist in the use of technology tools by internal auditors in Nigeria and the likely variance across practicing auditors in the use of these tools in reporting on business process assurance. This study therefore examined the extent of technology adoption by internal auditors, whether there are significant perceptions amongst auditors in the use of applicable tools and also weather internal auditors' place substantial reliance on business processes audited by technology applications. In addition the study attempted to provide guidance on how companies could maximize the capabilities of available tools in providing reasonable business process assurance. The outcome of this study would serve as reference point for further research in contemporary Information Systems audit in Nigeria. The study is the first of its kind to examine auditing technology tools and techniques adoption amongst information systems auditors in Nigerian companies

Scope of study
This study is inspired by the uninterrupted transformation in IT and its attendant implications for the audit profession. As IT on which business processes thrive auditors must be able to provide reasonable assurance that the output generated by IT driven processes and procedures are well represented in the financial statements generated therefrom. For this reason the perceptions of selected professionals were sought in providing answers to the questions raised in earlier section. The scope of the research is defined in accordance with the internal audit duties and responsibilities as provided by Schedule 6 of the Companies and Allied Matters Act (CAMA) 1990 [12] and subsequently limited to internal auditors of selected companies in Nigeria with the exclusion of "members in public practice" acting in external auditors capacity.

Overview of Information Systems Audit and Control
The use of computerized audit tools and techniques has existed over a decade ago since the use of IT in business became overly prominent. The debate over auditors use of these tools have also  (Saygili, 2010) and Malaysia (Ismail & Abidin, 2009) [16,21,33,24,39]. The reason for this trend is strongly associated with the strong inclination of IT to business. Auditors continue to play considerable roles in ensuring that internal controls in IT driven financial transactions processing is sufficient to deliver qualitative assurance upon which they are expected to express their opinion over such internal control procedures. Without doubts there are more dependencies on IT systems in business in recent times than ever before. Companies continue to engage technology in providing sophisticated, value added and customer friendly products and services. This application of IT to system processes continue to creates opportunities for increased control as well as enhanced business productivity. However this development in IT exposes business process internal control and audit to significant new risks and concerns which may include but not limited to unauthorized access, software control failure and process termination to mention but a few. This weakness is highly likely to be more pronounced in computerized systems than manual. Auditors are now aware that they no longer have to deal with conventional method of establishing reliance on internal controls and subsequently limiting or expanding substantive controls. Advanced use of IT has rapidly changed the ways these professionals evaluate internal control risk. International Audit standards (Sarbanes-Oxley) suggested that computer related audit procedures may be significantly influenced by control risks. Thus when auditors examine complex systems, it may be ineffective and inadequate to rely on conventional substantive testing alone. The provisions of most countries audit guidelines now call for extensive use of computer related audit procedures when auditors obtain knowledge of internal controls during the audit process.
The emergence of IT has established responsibility for design, implementation and maintenance of controls over companies' processes. This reason is evidence in the application of IT in collecting, processing and storing data which are subsequently summarized and reported in financial statements (Cannon & Crowe, 2004) [8]. The increasing dependent on IT has led to the adoption of fully automated and integrated audit techniques as well as electronic document management (Abu-Musa, 2005) [1]. The enlarged volume and complexity of transactions has subjected auditors to frequent interaction with complicated data structure (Sirikulvadhana, 2002) [40]. IT has revolutionize the audit profession in the 21 st century as technologies now serve significant tool in almost all human endeavours (Ebimobowei & Yadirichukwu, 2011) [19].
Although the use of computerized information does not change the general purpose or sphere of audit engagement nevertheless the presence and use of IT imposes processing, memorizing and communication challenges to financial information as there is increased manifestation and renewal of accounting and internal control systems (Tulvinschi & Socoliuc, 2010) [43].
The aim of most IT audit similar to conventional auditing is to provide management with assurance that its system of automated processes is able to meet business objectives hence, the focus is on management's responsibilities for control on computer-based information processes and assets. As business information becomes privileged assets transactions and procedures must support completeness and verifiability of audit evidences (Stoel et al., 2011) [42]. As transactions processing adopt the use of computer, auditors must consider chances for increased control not inherent in manual accounting systems. Automated systems has the capability to x-ray all transactions, conduct edit and field checks as well as carry out comparisons and reconciliation of cross-systems and resources data, this procedure places great reliance on the reliability of information processing. The challenge on auditors however is that most professionals fail to recognize these associated benefits hence do not consider existence of peculiar weaknesses when assessing 96 Audit Technology Tools and Business Process Assurance: Assessment of Auditors' Perspective in Nigeria information systems control and audit (Bell et al., 2008) [6].

Theoretical Framework
The audit role theory is adopted in providing support for the use of technology tools by the internal audit function. The theory visualized that when people are faced with certain situations, the expectation is that they will enact a "role" to be able to manage the situation. Chell (1995) [9] referred to this as "the situation-act model". According to Chell, persons must act in accordance with existing circumstances and that any particular situation is governed by rules and what behaviour a person exhibits. However, the personality thus adopts a "situation role" to be able to effectively discharge within the boundary of expectations in the situation.
The parts to be played by individuals in fulfilling the requirements of their roles was described by Micheal (2001) [30] as he described this to indicate specific forms of behaviour required to discharge certain functions, tasks and/job position. Ebimobowei and Kereotu (2011) [18] were of the opinion that individual's performance of a role are within organizational context and relates to situation they find themselves (either in professional or personal capacity) as well as their own skills, competences and attitude. Hence, auditors are placed under a "situation-act" model. They must exhibit requisite skills, knowledge, attitude and skills expected of their roles as internal control professional. Executives who hold primary responsibility for financial reporting expects that the internal auditor must be able to carry out his duties and in accordance with changing demand. The challenges positioned by the emergence of computer technologies places the auditor in a "situation-act model" as he is expected to be seen discharging his duties according to changing requests.

Empirical Support for Information Systems Control and Audit
Empirical studies in IT audit are widespread and cut across developed and evolving economies. Studies as (Bell et [6,3,17,21,23,24] all made use of survey questionnaire to study the changing roles of auditors in the use of technology tools. In addition, different categories of respondents has also been used in literature to elicit various perceptions, for instance, the ACL user-groups of members of the Institute of Internal Auditors in the UK and Ireland, the IDEA user-group (Mahzan & Lymer, 2008) [29], senior audit executives in six largest public accounting firms in Norway (Austen et al., 2003) [3], partners in charge of audit and assurance services and heads of internal audit departments in U.K accountancy firms and companies respectively   [32], educational institutions in U.K (Steinbart et al., 2009) [41], internal auditors of listed companies in Tehran Stock Exchange in Iran (Salehi & Husini, 2011) [38] and auditors from each of the Big-4 in U.S (Selby, 2011) [37].
One of the these studies was that laid down by Janvrin et al., (2008) [27] in U.S when they made use of data generated across auditors representing Big 4, national, local and regional firms. The research was aimed at determining the extent to which computer-related audit procedures are used and whether control risk assessment and audit firm size, influence the use of computer related audit procedures. One-hundred and eighty-one (181) participants were drawn from these firms across geographically different regions in. With the use of field-based questionnaire to collect data, the results showed that computer related audit procedures are generally used when obtaining an understanding clients' system and business processes and testing computer controls. Greater proportion of the respondents also indicated that reliance on internal controls increases with growth in firm size, conclusively the study raised further question regarding the use of computer-related audit procedures due from this status quo. Daniel (2002) [13] through an investigation which made use of fifty (50) respondent auditors from the Big Four accounting firms in the U.S. and analysing the variables collected with ANOVA using several continuous variables co-variations discovered that financial statement auditors with procedural knowledge of automated controls are able to interpret risk patterns in automated-control evidence, whereas those without procedural knowledge of automated tools do not. The result suggested that audit firms may benefit by allowing their financial statement auditors to gain procedural knowledge of automated-control evidence.
A more comprehensive study was that conducted by Austen et al., (2003) [3] in Norway when they presented information on the causes and detection of misstatements by auditors and the relationship between those misstatements with information technology (IT). Through data collected from six largest public accounting firms on fifty-eight (58) engagements, they found that major causes of misstatements were missing, poorly designed, and improperly applied controls, inadequate methods used to select, train and supervise accounting personnel and an excessive workload for accounting personnel. In addition, they suggested that missing and poorly designed controls, and excessive workload for accounting personnel were more likely to be causes of misstatements in computerized business processes than non-computerized, and the increased use of tests of details over attention directing procedures on audits appears to result from auditors deciding that it is more effective or efficient conducting such tests than relying on IT internal control processes.
Saygili (2010) [39] revealed through a study on the use of specialized computer audit tools such as Computer Assisted Audit Tools and Techniques (CAAT) and Data Extracting and Analysis Systems (DEASs) and its implications for financial audit in a food processing company conducted in Turkey that it is possible to state that these tools greatly improve the efficiency and effectiveness of performance in a Universal Journal of Industrial and Business Management 2(4): 93-102, 2014 97 number of audit tests. DEASs helps improve confidence in decisions made due to its ability to scan and test all relevant information in its entirety without any omissions, elimination of human error in calculations and mechanical accuracy, minimize human errors in every procedure and test applied in addition to allowing for more comprehensive evaluation of internal control structure.
Hamdan and Abzakh (2010) [23] in complementing the findings of Saygili (2010) [39] conducted a survey exploring the use of information technology by the Bahrainis auditors in Dubai, UAE. The study was aimed at studying the effect of e-audit on persuasiveness of audit evidence (i.e. competence, sufficiency, relevance and timeliness). Using seventy (70) questionnaire copies circulated across respondent audit firms through a one-sample t-test, it found that auditors in Bahrain make good use of e-audit at all audit stages hence concluded that there is an (e-audit) impact on the enhancement of the persuasiveness of evidence obtained by the auditor.
Mahzan and Lymer (2008) [29] obtained integrated knowledge through quantitative and qualitative data into the factors that contributes to successful CAATs adoption by internal auditors in the U.K. They revealed that the four dimensions proposed in their model of successful adoption (i.e. motivations for CAATs adoption, best practices for implementation, challenges faced in the adoption process and methods for performance evaluation) were well supported by their findings as well, these factors by their own dimensions can be used as a guidance when discussing issues on CAATs implementation.

Methods
The research was designed to accommodate respondent auditors' increasingly demanding programs which made it challenging to gain protracted interaction with participating in getting the survey instrument completed. The questionnaire was designed and piloted for validity and reliability and ensure the research input obtained possess adequate quality and objectivity. Thereafter it was redrafted and carefully constructed into two (2) sections. Section one (1) consisted of demographic input, types of audit tools in use by internal auditors, frequency of use as well as delimiters to their use while section two (2) was designed to obtain information about the perception of respondents on the use of audit technology tools.
The population of study comprised all internal auditors (i.e. "members not in practice") of all companies located in Lagos-State. Since the ultimate test of any sample is how well it represents the characteristics of the population (Emory & Cooper, 2003) [20], the study made use of sampled respondents therein. Balian, (1994) and Denscombe, (2003) [4,15] recommended a maximum and minimum practical sample size of not less than thirty (30) for any statistical test hence a sample size of forty (40) was designated for each groups of participant. The questionnaire design was placed on a five-point Likert type scale which required respondents to indicate ratings of their internal audit activity in the use of and appraisal of technology tools on a score of one (1) to five (5). While a score of one (1) represented very-low, a five (5) score was used to depict very high. Data collected were subsequently analyzed using both descriptive and inferential statistics. While the descriptive analysis designated both demography of respondents, types and classifications of audit technology tools in use as well as frequency of use and delimiters to uses, analysis of variance (ANOVA) was used to assess the hypotheses formulated for the study. The analyses were carried out using statistical Packages for social scientists, (SPSS Version 18.0, 2009).

Analysis and Interpretation
Participants were drawn across Banking, Insurance, Consumer-Goods, Pharmaceuticals and Oil & Gas sectors on the Nigerian Stock Exchange. Retrieval rate of the two-hundred copies (200) of questionnaire distributed was eighty-seven (87) percent representing one-hundred and seventy three (173) copies of total distribution. These copies were subsequently used for the analysis as their input provided answers to the questions raised in earlier section. Table 1 provides information on the distribution and responses observed for each class of participants.

98
Audit Technology Tools and Business Process Assurance: Assessment of Auditors' Perspective in Nigeria

Result of Descriptive Statistics
The result presented in Table 2 revealed that the most significant challenge affecting the deployment of audit technology tools were essentially costs associated with initial acquisition, maintenance and staff training.

Test of Research hypotheses
H 01 : There is no significant difference amongst auditors in the use of technology tools in Nigeria.

Presenting results from one-way test between-groups ANOVA with post-hoc tests.
A one-way between-groups analysis of variance was conducted in order to explore the perception of respondents over the use of audit technology tools in Nigeria particularly in areas of automation and assessment. Participants were divided into five (5) groups as identified earlier. Two (2) items from the questionnaire (statements 1 and 7) were associated with this hypothesis and the result is displayed in Table 3. There was a statistically significant difference at the p-values less than 0.05 (.000 on both) levels in scores for the five groups: F (10.777; 27.086). Despite reaching statistical significance, the actual difference in mean scores between the groups resulted from amongst Banking and all other sectors (i.e. Consumer-Goods, Pharmaceuticals and Oil & Gas) as evidenced in the "post-hoc-tests" of multiple comparisons. The magnitude of the difference was however determined using eta-squared effect size calculated as 0.20 (8.243/40.370) and 0.39 (16.276/41.514) respectively for both statements. This is considered a large effect-size as classified by Cohen (1988). Auditors in the banking sector however share similar view with their colleagues in the insurance sector. This is highly likely to be due from their use of similar audit technology tools in these two sectors. H 02 : There is no significant difference in the perception of respondent groups over the impact of audit technology tools on business processes assurance.

Presenting results from one-way test between-groups ANOVA with post-hoc tests.
A one-way between-groups analysis of variance was conducted in order to explore the perception of respondents over the impact of the use of audit technology tools with regard to systems and transactions integrity. Two (2) items from the questionnaire (statements 2 and 8) were associated with this hypothesis and the result is displayed in Table 4. There exist statistically significant differences at the p-values less than 0.05 (.000 & .002) levels in scores for the five groups: F (13.824; 4.448). Despite reaching statistical significance, the actual difference in mean scores between the groups resulted from views differentials amongst Banking and Pharmaceuticals; Pharmaceuticals and Insurance; and Insurance and Oil and Gas as evidenced in the "post-hoc-tests" of multiple comparisons. The magnitude of the difference was however determined using eta-squared effect size calculated as 0.25 (9.622/38.855) and 0.10 (9.622/34.717) respectively for both statements. While the first is considered a large effect because the value is greater than 0.14, the second statement effect differentials has a medium effect (Cohen, 1988). Auditors in the banking sector however still share similar view with those in the insurance sector. This may also align with similar reason suggested above, use of similar technologies. H 03 : There is no significant difference in the perception of internal auditors over reliance placed on technology tools in carrying out effective audit.
Presenting results from one-way test between-groups ANOVA with post-hoc tests.
A one-way between-groups analysis of variance was conducted in order to explore significant difference in the perception of internal auditors over reliance placed on technology tools in carrying out effective audit. Two (2) items from the survey instrument (statements 3 and 5) align with this hypothesis and the result is displayed in Table 5. There is a statistically significant difference at the p-values less than 0.05 i.e.002 for the first statement on process effectiveness while there is no significant difference between respondents' opinions on the second (operational effectiveness) at p = .114 for the five groups: F (4.504; 1.737). Despite reaching statistical significance in the first group, the actual difference in mean scores between the groups resulted from views differentials amongst internal auditors in Pharmaceuticals and banking sector only as evidenced in the "post-hoc-tests" of multiple comparisons. The magnitude of the difference discovered in the first statement was however determined using eta-squared effect size calculated as 0.10 (2.800/28.913). While there is no statistically significant difference associated with the second statement, that of first is considered a medium effect because the value is less than 0.14 100 Audit Technology Tools and Business Process Assurance: Assessment of Auditors' Perspective in Nigeria (Cohen, 1988). On process effectiveness, all auditors in all sectors share similar view with the exception of those between pharmaceuticals and Banking. On operational effectiveness however, all groups of auditors share similar view. Conclusively there exist no significant differences in respondents' views about the role of technologies in assisting auditors in discharging their internal audit functions.

Conclusion and Recommendations
This study through an empirical approach examined the perceived use of audit technology tools by internal audit professionals by assessing their perception on the likely implications for information systems audit and control. It investigated the use of technology tools across various companies by internal auditors. Appraisal was made of the types of tools peculiar to certain sectors as well as their frequency of use. In addition, the insight of respondents was also obtained as to what delimiters restrict or prevent the use of certain audit tools and how the use of these tools enhances their internal audit functions.
The survey found that asides data analytics software which is shared in the banking and insurance sectors, the most prominent of all is the audit resource and scheduling software with its use cutting across all other sectors covered. While the use of these applications is most prominent in the banking sector as most respondents expressed their use virtually all the time, there are more occasional users in consumer goods. Auditors in the insurance sector share similarity between "almost every time" and "every time" usage while usage is very low in oil and gas and pharmaceutical sectors. The study also found that the primary factors responsible for non-continuous deployment and use of audit tools are software cost and staff training. There is also significant contribution by lack of management support for not implementing the technologies. Most internal audit functions have no defined strategy for IT audit implementations neither have they any formal procedures for assessing effect of technologies investments and processes. However, the size of internal audit department does not have seeming implications for maturity level of the usage of the tools. The authors nevertheless wish to emphasize that the results of this study be generalized with caution with regards to the scope of coverage. In addition, other factors such as the result of cognitive distortions or emotional factors which influence the choice of managerial decisions and are capable of resulting into systematic errors have not been considered.
In the light of the foregoing the authors hereby recommend that companies should endeavor to build sustainable case to integrate technologies into their internal audit process. Senior management should exhibit support and commitment to their primary responsibility for IS audit. They have a duty to engage the expertise of skilled information systems audit and control professionals in particular members of the Information Systems and Control Association (ISACA) with hands-on experience. Management should acquire technology tools relevant to peculiar business processes where they are not already in place and where they are, they must set-up an inventory of technology tools creating a matrix aimed at linking tools to business processes. Companies should also review financial resource requirement for audit technologies acquisition, maintenance and training of information systems executives. At the Board level, a strategic committee should be set-up to lead and direct IT audit governance, lead the integration process and supporting plans to develop succession idea for business technology case continuity. There should be strategies at each internal audit phases to integrate technologies with administrative tasks. Internal audit departments should put in place annual audit technology assessment so as to benchmark progress against targeted action-plans. Standardized metrics should also be accepted to determine the impact of deployed technologies audit. These metrics should include outcomes and output measures.