Abstract

Can information systems (IS) auditors ignore irrelevant information when they assess key risk factors (KRFs)? Irrelevant information is information that is of little or no value to a specific task or predicted future outcome. When assessing a KRF, IS auditors sift through numerous pieces of information to target items that are relevant to understanding the KRF. Some items encountered by IS auditors may be relevant to understanding the KRF, while other items encountered may be irrelevant. IS auditors should ignore irrelevant information when they assess KRFs.

An example of irrelevant information that an IS auditor may encounter during a financial statement audit is obsolete code that was written for an application that was replaced in a previous audit period—the data that were saved in the prior application have been saved in the new application. Although IS auditors are aware that the old code is irrelevant, the old code may still influence IS auditors’ KRF assessments. Irrelevant information may influence IS auditors to reduce their assessments of KRFs when higher assessments would be more appropriate. If IS auditors were exposed to irrelevant information during a financial statement audit and decreased their assessment of KRFs, too few resources may be allocated toward gaining a better understanding of the KRFs. As a result, audit failure could occur.

Thirty-seven IS auditors participated in a repeated-trial experiment in which they all read the same case and responded to the same questions about a multinational, publicly traded bank that provided e-banking services. During the experiment, the participants rated the effectiveness of e-banking KRFs, estimated the risk of material misstatement for e-banking KRFs and suggested revisions to the audit plan for e-banking services KRFs. The participants also completed a knowledge test and provided information about their backgrounds.

The change in the IS auditors’ KRF assessments when irrelevant information is present vs. when the irrelevant information is not present is the dependent variable in this study. The results of this study reveal that IS auditors’ KRF assessments are significantly lower when irrelevant information is present vs. when irrelevant information is not present. This study also presents evidence that knowledge of automated controls can help mitigate the effects of irrelevant information on IS auditors’ KRF assessments.

Document Type

Article

Publication Date

2011

Publisher Statement

Copyright © 2011 ISACA. This article first appeared in ISACA Journal 4 (2011): 1-6.

Please note that downloads of the article are for private/personal use only.

Share

COinS