Research conduction and results

As preparation for the interviews, an interview guideline was developed and discussed between the lead researcher and the assistant researcher to have a common understanding about the setup of the interviews and the division of roles (i.e. interview is led by lead researcher, notes are taken by assistant researcher). The interview guideline established the structure for the inter-views and included the three research questions as well as several other elements. The full guideline is provided in appendix 2. A trial run was performed between the lead researcher, the assistant researcher, and a third person (acting as interviewee) before the interviews.

The interviews were conducted over a total time period of nine weeks in accordance with a previously establish time plan. The researchers paid careful attention to using the same wording in all eight interviews in order to prevent distortions. For the same reason, the concept of CA

was not introduced to the interviewees before the interviews. However, a brief introduction about the nature and the intent of the interview was given at the beginning of each interview.

In each of the eight companies, an internal audit function was in place as a separate unit and was headed by one manager acting as CAE. Of these eight companies, three companies claimed to make full or partial use of CA, while the five other companies claimed not to have imple-mented CA. In two cases, the interviews were carried out with the CAE alone and in six cases with the CAE and an additional senior internal auditor.

Responses to the three research questions provided by the interviewees are summarised below:

Responses to QP1: Understanding of CA

The interviews brought to light that CA is understood in very different ways. Although all eight respondents understand it as a form of auditing technique, the provided explanations varied significantly and hardly matched the academic definitions mentioned above. None of the re-spondents was able to summarise the definition of CA in one sentence. Instead, all of them quoted elements of CA (e.g. automated journal entry tests, tool-assisted analyses of authorisa-tions in IT systems, automated status updates of companies’ projects) without explicitly refer-ring to CA as an independent discipline. Five of them (62.5%) also noted that single elements of CA had been known to them or had even been in place in their organisations for several years, but have not been understood as being part of CA. Two respondents (25%) saw CA as part of related meta topics (i.e. big data and digitalisation) and understood the latest growth in popularity of CA as a side effect of the meta topics’ hype.

For six respondents (75%), IT plays an essential role when it comes to the application of CA with four respondents (50%) seeing IT as the central element of the methodology and two re-spondents (25%) understanding IT as a significant, but not yet a mandatory part of CA. One respondent (12.5%) considers CA as “the sum of tools used to analyse data on an ongoing basis”. For this respondent, CA is seen as a means of technical assistance for a given (i.e. tra-ditional) audit methodology. Yet, another respondent (12.5%) sees CA as a means of assisting in gathering information, not so much as sole methodology or combination of tools.

All respondents consider CA as a supplement to their current audit approach. A willingness to fully rely on CA as a one and only audit approach was not shown by any of the respondents.

While six respondents (75%) consider the importance of CA for their organisation to remain at a similar level as today or to even increase over the next five to ten years, two respondents (25%) expect the importance of CA for their company to decrease over the next five to ten years. One of these two respondents considers CA as “a trend which will come and go as many other data-related topics have before”.

Responses to QP2: Audit subjects

Seven respondents (87.5%) consider finance as the primary field of application due to the high importance of this field to their companies. Also, the fields of purchasing, sales, human re-sources and IT are considered suitable for being monitored by CA. The respondents argued that these fields were considered as standardised and thus easy to oversee and/or that they exhibited a broad understanding of these fields from previous audit activities.

Four respondents (50%) think of CA as an approach which assists them in their risk manage-ment-related activities (i.e. identifying risks and input for audit universe, assessing changes to present risks, finding the right response to risks). Three respondents (37.5%) find CA suitable for evaluating the design and/or the proper functioning of controls (i.e. monitoring performance of controls in finance and human resources, assigning responsibility to control owners). Data (i.e. transactions, journal entries, incident tickets, IT authorisations) was mentioned by five re-spondents (62.5%) to be analysed by CA.

Two respondents (25%) also mentioned that they see CA as a means to monitor progress during the implementation of projects within their companies (i.e. status of milestones, completion rate of work activities). One respondent (12.5%) also finds that CA is a useful methodology on a program management level (in this case program is understood as the sum of all corporate pro-jects).

Other CA subjects were not mentioned explicitly. Third parties as another subject was neither mentioned by anyone, nor did respondents confirm this subject’s applicability to CA upon the lead researcher’s explicit request.

Responses to QP3: Internal audit function-specific or company-specific parameters

A range of internal audit function-specific or company-specific parameters were mentioned by the respondents.

Internal audit function-specific parameters

Five respondents (62.5%) claimed that the experience of the internal auditor is of significant importance. Out of these five respondents, three (37.5%) said that internal auditors needed to be knowledgeable about the subject to be analysed by CA, four (50%) said internal auditors needed to have sufficient IT skills, and one (12.5%) said that internal auditors needed to be methodologically strong.

Five respondents (62.5%) see CA as a totally new methodology and assume the introduction of CA to be a very complex undertaking. They emphasised that monetary funds needed to be pro-vided to bring CA into life. Two out of these five respondents (25%) see an additional need for freeing up capacities (i.e. time, personnel resources) within the IA function.

Two respondents (25%) mentioned that the comparably small size of their audit department increased the need for CA, implying that they regard CA as an audit approach which is more efficient than their current one. Contradictorily, two other respondents (25%) made it clear that CA cannot be successfully implemented if the size of the department was too small to guarantee a minimum level of support.

Company-specific parameters

One respondent (12.5%) commented that the size of the companies was a decisive factor. He pointed out that a specific size had to be reached before CA provided any benefits. Smaller companies were too unstable and subject to unforeseen changes too frequently and thus not capable of running a CA system which requires a solid design of organisational structures and processes. Similarly, but without explicit reference to the company’s size, three other respond-ents (37.5%) stated that the internal environment of the company needed to be flexible and supportive. Management needed to assist during the implementation and ongoing maintenance of CA models. Also, corporate structures needed to be stable over time and responsibilities needed to be clearly assigned.

The same respondent (12.5%) also noted that the level of internationalisation triggers the usage of CA. He thereby assumed that companies active in a range of countries with responsibility spread across the globe (in comparison to companies which are active in only one regional market) were more difficult to oversee from an audit perspective. He reasoned that geographical distances were far and cultural difference were large. Thus, CA enabled audit departments to

identify deviations from regulations more easily and to better obtain assurance across several locations. This view was shared by another respondent (12.5%) who said that she intended to use CA for monitoring activities in other subsidiaries due to her limited travel budget.

Two respondents (25%) stressed the importance of IT and noted that the company needed to be positive towards IT. While one respondent reasoned that IT systems needed to be in place to enable CA, the other stated that the company as a whole needed to be culturally open towards IT.

One respondent (12.5%) also mentioned that CA was most appropriate for companies that are subject to increased regulatory requirements as it helps to streamline auditors’ activities during the process of fulfilling requirements imposed by the Sarbanes-Oxley Act, the ISO 31000 norm as well as by other industry-specific regulations (e.g. BAIT).