THE EFFECT OF USING IT TOOLS ON THE EFFICIENCY OF INTERNAL CONTROL AS PERCEIVED BY THE INTERNAL AUDITOR

Nabi Alduwaila1+----Mohammad H J Almarri2----Hussein Shabab Aldaihani3

1,2,3Public Authority for Applied Education and Training (PAAET),Kuwait

ABSTRACT

This study aims to Identifying the concept of internal control efficiency related to control environment under the usage of IT tools, and Identifying the role of risk assessment increasing the internal control efficiency through the optional use of IT tools. The study community consists of internal auditors in the Islamic banks in the State of Kuwait. The study tool consisted of preparing a questionnaire that takes into account the objectives and variables of the study. Most results: The internal auditor has a role in assessing the information security policies which depend on It tools and preventing their penetration or the modification of the accounting programs and their contents illegally, and The ability of the internal a uditor to assess the monetary value of the risks that face the bank and which are resulted from using IT tools; and consequently, the financial statements express truly the monetary events that occur in the bank. Most recommendations: The information technology tools are double-edged for the internal auditor. The first edge represents the risks related to penetrating or modifying the financial statements as well as the unauthorized access. The second edge represents the advantages that the auditor can utilize from using IT tools represented in the speed and accuracy in exchanging accounting data and information, and Holding seminars and conferences specialized in audit information technology whose axes focus on using various IT tools in the internal auditing process and functions.

Keywords:Internal control Internal auditing Information system internal Auditor Auditors Efficiency Kuwait.

ARTICLE HISTORY: Received:17 August 2017, Revised:2 March 2018, Accepted:5 March 2018, Published:8 March 2018.

Contribution/ Originality:: The study provides empirical testing to identifying the concept of internal control efficiency related to control environment under the usage of IT tools, and Identifying the role of risk assessment increasing the internal control efficiency through the optional use of IT tools in a new environmental context of country, time and industry. This is expected to enhance our understanding and adds a new dimension to the current body of the literature.

1. INTRODUCTION

Information technology has become a reality with which we have to coexist. It has become part of all sciences and applications in all scientific and non-scientific domains whereby it projected its shadow over the financial applications in general and the accounting applications in particular due to the privileges it provides to the implementation of accounting, auditing and control objectives in general. Moreover, internal control is a scientific data base for all divisions at any establishment, whether merchandise or service. In addition, the use of the modern technology was accompanied by some risks represented in penetrating and modifying the data from inside or outside the establishment. This use of technology was also escorted by merits or opportunities that can be invested to realize the strategic goals of a specific establishment. The actualization of the internal control efficacy requires safe technology which contributes in maintaining the secrecy of the financial and non-financial data of information. Thus, this study was intended to investigate the role of using the IT tools in increasing the efficiency of internal control as perceived by the internal auditors.

1.1. Problem of the Study

The problem of the study lies in answering the following question: "What is the role of IT tools in increasing the internal control efficiency?" From this question stem the following:

  1. What is the role of IT tools in realizing the control environment efficiency in the internal control system?
  2. What is the role of IT tools in realizing the risk assessment efficiency in the internal control system?

1.2. Importance of the Study

The importance of this study comes from the following:

  1. The internal control is the data base and the information base for all the divisions and branches of any establishment and this necessitate paying attention to its development together with employing the needed competencies to make it able to perform its assigned tasks.
  2. Using modern technology tools is a double-edged sword where the first side represents the risks to which the financial statements of a certain establishment may be exposed while the second side represents the opportunities that should be utilized from the IT tools embodied in the safety and credibility of the financial statements and the value added of the financial statements' fixity. This means the necessity to control the use of the IT tools and to employ them to increase the efficiency of the internal control system.
  3. The fast successive development in information technology by using electronic computers affected the administrative and accounting systems of firms and companies and this led to a substantial change in the methodology and methods of internal control.
  4. The computerized system in the internal control which leads to accurate management and fast presentation of reports much better than the manual system.

1.3. Objectives of the Study

The study is attempting to achieve the following objectives:

  1. Identifying the concept of internal control efficiency related to control environment under the usage of IT tools.
  2. Identifying the role of risk assessment increasing the internal control efficiency through the optional use of IT tools.

1.4. Hypotheses of the Study

Based on the problem of the study, the following hypotheses may be coined:

  1. There is no role for the IT tools in achieving the control environment efficiency in the internal control system.
  2. There is no role for the IT tools in achieving the risk assessment efficiency in the internal control system.

1.5. Previous Studies

  1. The study of Abu (2017) aimed at identifying the effect of the inputs and outputs risks and the accounting system's operations on achieving the efficiency of accounting control, administrative control and internal control in the Jordanian commercial banks. A questionnaire was used as an instrument to collect the preliminary data as it was distributed to the internal auditors and the financial managers. Statistical methods were also used like the standard deviation, the means, Cronbach's Alpha test and one sample t-test. Of the most important recommendations of the study: Studying the components of the accounting system as one unit concerning the inputs, outputs, feedback or the accounting system's operations to specify its impact on the internal control efficiency, and the necessity of holding scientific conferences the axes of which concentrate on the overall systems' risks upon the efficiency of the internal control (Abu, 2017).
  2. The study of  Bo Hayek (2015) aimed at showing the impact of an effective accounting system in achieving the required efficiency of the internal control through its application on the Algerian General Petroleum Company. The study relied on distributing a questionnaire to the study population which consisted of the financial managers, internal auditors and internal control employees. Arithmetic means, frequencies and percentages were also used. Of the most important results: The system of the organization measures the power of its internal control system through the existence of an information system that enjoys a true representation of the financial events. The company can also realize the desired benefit from using the electronic work environment in achieving the internal control efficiency. Of the recommendations: The necessity of applying the primary and secondary qualitative characteristics so that the accounting information would be of high credibility, and the exigency of recognizing the role of human resource as an investment in the organization, increasing its competency and qualifying it to the required level to achieve the internal control (Bo Hayek, 2015).
  3. The study of Al-Sawaf (2011) aimed at identifying and measuring the power of the internal control system in reducing the risks that appear during the daily operational works in banks. It also aimed at assuring the important role of the internal control and auditing in protecting banks and their continuity through specifying the impact of internal control and auditing in stunning the operational risks. The study depended on distributing questionnaires on the study sample's members which are represented by the employees of the internal control in banks, and to mention some of the results: The majority of the sample's members agreed on the importance of the internal control and auditing in preventing the operational risks and recognizes the presence of an incorporeal correlation between the risk management in the bank and the types operational risks. This, in turn, shows the role of internal control and auditing in supporting risk management. Of the most important recommendations: The necessity of predetermining the control risks for the purpose of dealing with them in the future and the requirement of issuing special legislations to deal with risks especial concerning banks (Al-Sawaf, 2011).
  4. The study of Samukri (2015) purpose was to exhibit the influence of an effective internal control system and the impact of implementing a financial accounting information system on the quality of accounting information and its role in decision making. The study suggested a model that combines the requirements of the internal control systems efficiency and the requirements of financial accounting information systems in order to construct a suggested model for the quality of financial accounting information and connecting it with the qualitative characteristics of the counting information to be valid foe taking decisions by the stakeholders. Of the most important results: Theoretical studies are the corner stone in building any anticipated theory, and the fusion of internal control with the actual implementation of the accounting information systems has a fundamental role in attaining accounting information that has predicative value and helps in increasing the credibility of this information. Of the most significant recommendations of the study: The importance of stakeholders in any organization to participate in determining the accounting information properties to be of relevance to take their decisions. The properties of the accounting information are to be the foundation of specifying the use of accounting information for present or future invertors (Samukri, 2015).
  5. The study of Alshaibi (2011) aimed at showing the importance of the internal control systems to adapt with using the rearrangements of IT tools in the auditing process and its reflection upon the credibility of the financial statements.

The population of the study consisted of the Libyan banks owned by the state counting 4 banks. A questionnaire was designed in a way that observes the variables of the study and was distributed on the computer and internal control departments in those banks. The study counted on using the arithmetic mean, the standard deviation and the one sample t-test. Of the most important results of the study: There is a good level of adaptation of the internal control systems with the requirements of IT environment as a result of development of the Libyan banks. Of the most important recommendations of the study is the necessity of establishing or appointing control entities that place the needed legislations to develop and improve the credibility of the financial statements (Alshaibi, 2011).

  1. AL-Sharairi et al. (2018) the study aimed at determining the impact of the risks of the input of the accounting information systems on the accounting control, administrative control, and internal control. The questionnaire was used to obtain the study data. The study community consisted of internal auditors in commercial banks. Statistical methods were used such as: arithmetic mean, standard deviation, and Kronbach Alpha test. The most important results of the study: the impact of the risks of accounting information systems on administrative control and accounting control and internal control. One of the most important recommendations: the need to document all the data of the accounting system, and the need to train staff on how to reduce the risks of accounting information systems in general (AL-Sharairi et al., 2018).
  2.    Alhosban and Al-Sharairi (2017) the aim of the study was to identify Role of internal auditor in dealing with computer networks technology - Applied study in Islamic banks in Jordan -. The objectives were to identify the role of the computer networks that are installed for the first time in addition to the role of the auditor in the physical components of computer networks and maintenance. The study community consists of internal auditors in Islamic banks or financial institutions, a total of 101 questionnaires were distributed and 89 questionnaires were retrieved for statistical analysis. A single sample test was used to test the hypotheses of the study. The arithmetic mean and the alpha test were used to find the internal consistency rate of the study sample. The most important results of the study: the presence of the impact of computer networks on the internal audit work environment both in the installation of the computer for the first time or provide the physical components of computer networks. The most important recommendations: The need to hold seminars and conferences using technology tools and their effects on the environment of internal auditing or external auditing or accounting environment in general (Alhosban and Al-Sharairi, 2017).

1.6. The Difference between the Current Study and the Previous Studies

  1. This study is one of very few studies which have investigated on the role of the role of IT tools in the internal control efficiency.
  2. This study is one of very few studies which have investigated on the role of using the electronic work environment- IT tools- in increasing the efficiency of internal control.
  3. This study is one of very few studies which have investigated on the internal controls tools or elements represented by the control environment and risk assessment due to the vital role of those elements in the assessment of internal control in light of using IT tools.

1.7. The Theoretical Framework of the Study

1.7.1. The Importance of Internal Control

The importance of internal control springs from the following (Al-Shamma, 2007)

  1. It is one of the basic functions of management and constitutes a safety valve to maintain the sources of the establishment.
  2. It consists of integral types which ensure the control over the plans of the establishment.
  3. It basically depends on the human element in terms of the process of designation, implementation or control which brings about the necessity of developing and qualifying the human factor at any establishment to guarantee the sound execution of the establishment's plans.
  4. It helps in achieving competent and effective utilization of the establishment's resources, whether human or physical.

1.8. Characteristics of the Effective Internal Control System

An effective internal control system should have the following characteristics (Sheikh Salem, 2007)

  1. The system must be appropriate and must catch up with the strategic goals of the establishment in terms of providing flexibility or agreeability between the design of the internal control system and goals of the establishment.
  2. There must be an application of the cost and benefit policy where there should be a balance between the cost of designing the internal control system and the proceeds of those costs through applying the feasibility process.
  3. The element of elaboration or clarity must be available to determine the methods and goals of control as well as the deviations and their reasonable grounds.
  4. The flexibility of regulations and instructions in accordance with the rearrangements that occur in the establishment concerning the internal or external environmental developments which affect the objectives of the establishment.
  5. The system is to achieve the expected objectives such as minimizing errors as much as possible and preventing negative deviations before they take place and correcting them through operational auditing.
  6. Providing accurate and proper information when taking decisions on time.
  7. Providing various options to realize the internal control through conducting a performance assessment process every now and then.
  8. Saving and reducing the time and effort needed for the control process without influencing its power in the establishment.

1.9. Terms of an Effective Control System

An effective control system must fulfill the following terms (Al-Juwaifel, 2011)

  1. Accommodation between the nature of the internal control system and that of the activities which are to be controlled. This depends on the size, diversity and subdivision of the establishment's products or services presented to clients.
  2. The system is to present indicators to detect deviations before or on time so that the company management can correct the course of those deviations and temper the negative risks as much as possible.
  3. The presence of flexibility in the design and execution of the internal control system to be changeable according to the rearrangements in the environment of the establishment or the changes that may touch upon its activities.
  4. Warranting the sound accomplishment of the control tasks as planned and insuring the maintenance of the expected costs by the internal control system from applying the balance between costs and benefits in case of deviating from the implementation of any plan.
  5. The system is to be in a harmony with the strategy of the establishment or its organizational environment whereby the internal control system be integrated with other systems with no contradiction or intersection with the other systems.
  6. Considering the qualification level of the employees in the establishment where the design of the system should be easy to understand and apply by the employees.

1.10. The Components (Standards) of the Internal Control System and its Liabilities

These standards are defined as "The minimum level of the required quality for the internal control systems in companies in general and in the shareholding companies in particular". These standards present a foundation in comparison with which the internal control system can be assessed. Said standards are applicable in all work domains of companies like programming and financial fields. Each standard is going to be offered using a simple and accurate expression as follows: Al-Hosban (2009)

First: Control Environment

The positive control environment is the basis of all standards as it presents a system that affects the quality of control systems. Many factors affect the system of which:

  • The integrity of the management and employees and the moral values they maintain.
  • The management's commitment to competency where they maintain a certain level of competence which allows them to perform their duties and to understand the importance of developing and applying effective internal control systems.
  • Philosophy of the management, which means the view of the management to the accounting information systems and personnel management and else.
  • The organizational structure of the company which draws a framework for the management to plan, direct and control operations to achieve the goals of the company.
  • The management style in delegating validities and liabilities.
  • The effective polices of human forces in terms of recruitment and training.
  • The relationships of the owners and the stakeholders to the company.

Second: Risk Management

Internal control systems give way to assess the risks encountered by the company from internal or external effects. Placing fixed and clear goals for the company is a basic condition to assess the risks. Therefore, risk assessment means identifying and analyzing the relevant risks which are connected to achieving the goals specified in the long-term performance plans.

At the moment of risk identification, it is necessary to analyze them to recognize their potential impact in terms of their importance, possibility of occurrence, methods of their management and the measures that ought to be taken.

Third: Observation Activities

The observation activities help to ensure performing the directives of the management. The activities in question have to be effective and efficient in realizing the control objectives of the company. Observation activities are policies, procedures and mechanisms that support the trends of the management. They guarantee conducting the procedures of risk treatment. Of those observation activities: Accreditations, confirmations, performance review, preserving security measures and preserving records in general.

Fourth: Information and Communication

Information has to be registered and delivered to the management and other parties inside the company in a chronological form or frame that may help them perform internal control and other duties. For the company to be able to perform and monitor its operations, it has to conduct proper, trustful and timely communications concerning the internal and external events.

As for communication, it would be effective when including the information flow from top to bottom or vice versa, or in horizontal manner and the management is to verify the existence of appropriate communication with other external parties that may have influence in the company's achievement to its goals as well as the management's need to the information technology which is a critical must to improve and maintain significant, trustworthy and continuous communication for this information.

Fifth: System Observations

The internal control systems observation works to assess the performance quality within a given period of time. It ensures that the auditing and reviewing results are directly processed. The internal control systems must be designed to assure the continuity of observation processes as part of the internal operations.

The internal control systems observation must include polices and measures to guarantee that the auditing results are fast performed. The administrators have to:

  • Fast assess the results of auditing and reviewing indicating the conceptions and recommendations of the auditors and others in charge of assessing the business of the company.
  • Renew the appropriate measures to respond to the results of auditing and other reviewing acts.
  • Accomplish, within a specific time frame, all the steps that correct or treat the issues referred to by the management.

1.11. Responsibilities towards the Internal Control System

Abdullah, 2012)

  • The Responsibility of Management:

The management id responsible for replacing and maintaining the internal settings system, and when executing its supervisory responsibilities, it must regularly review the aptness and adequacy of the internal settings elements to ensure the effective application of all the significant controls.

  • The Responsibility of the Internal Auditor:

The work field of the internal auditor includes checking and evaluating the adequacy and efficiency of the internal control systems in the company as well as the performance quality in executing the assigned duties.

Therefore, the internal control is regarded as a complementary part of the administrative routine and must work independently whether the internal audit was executed or not. In addition, any effective internal control system cannot replace internal auditing. However, the existence of internal auditing function increases the power of internal control systems.

1.12. Information Technology

Information technology can be defined as follows: It depends on using the computer and other developed means in processing the collected data and achieving haste in processing, storing and retrieving said data and transforming it to reliable information to depend on taking timely decisions (Al-Hosban, 2009).

1.13. The Concept of Audit Information Technology

After this concise study to the concept of information technology in general, it is a must to touch upon the information technology related to auditing and internal control. As mentioned before, it is hard to state on accurate definition, but we can place the following definitions to the concept of audit information technology:

1) It is based on using the computer devices and networks to provide the required information to be used as a tool in the auditing process. It also helps to understand the purpose of using the automated accounting systems as well as understanding the environment of modern technology and the necessity of catching up with modern discoveries to be able to deal with Grand (2004)

2) It treats knowledge, skills and ability to review and assess development and operating the components of IT for the internal or external auditor. It also cares for using the computer, communication means, computer networks, data and information in addition to methods of saving and storing them through modern and developed means (IIA, 2004).

3) It depends on using modern techniques of auditing to be used as an auditing tool, and also to help the management of the establishment to comprehend the environment of the company in order to assess the risks and the chances of those modern techniques and their effect in realizing the goals of the company and providing the necessary information to take decisions in the right time (Al-Hosban, 2009)

1.14. The Objectives of IT in the Internal Control System (Kulk et al., 2009)

  • Obtaining evidence to the effectiveness and form of the electronic operation of data.
  • Describing the effect of IT on the internal control system in a logical style and assessing the risks of control.
  • Describing the benefits of internal control and risks of IT.
  • Describing the evidence which contributes in identifying the required specialized skills to specify the influence of computer treatment on auditing and to design and accomplish the auditing procedures.

1.15. The Merits and Demerits of IT in the Internal Control System
First: The merits of IT in the internal control system (Thomas, 2000)

  • Realizing fixity in the application of grand complicated arithmetic operations from the data which is required to be processed.
  • It increases the timing, appropriation and accuracy of information.
  • It facilitates the extra analyses required from the auditors of accounting and financial information.
  • It increases the ability to supervise the performance of the activities, policies and procedures in the company.
  • It helps reducing the risks of control if it were effective.

Second: The demerits of IT environment in the internal control system: Thomas (2000)

  • It causes errors in processing some data.
  • It destroys data or changes its contents due to unauthorized access.
  • It allows unauthorized changes in programs.
  • It fails in arranging the required changes in the programs that needs to be changed under the technological developments.
  • It bans using manual control and the possibility of utilizing its benefits.
  • It allows the loss of information needed by the company.

1.16. The Effect of IT on the Control Environment

In order to understand the control environment that affects the e-process of data, the auditor concentrates on the following factors: Taylor (2006)

  • The management's philosophy and operation method: It is related to the management's tendencies concerning investments and the benefits of e-processing of data.
  • The organization's structure: This is related to the centralization and decentralization of the electronic processing of data which is of importance to auditors to understand the internal control system.
  • Methods of administrative control: It is related to the auditor's concern of the auditor in the electronic work environment with the attitudes and ideas of the management which revolve around the following:
  • The auditor's verification of the changes that occur in the systems, policies and procedures of the control.
  • Keeping the programs and files by the auditor.
  • The possibility of authorized access to the computer's documents and Records.
  • Policies and procedures related to individuals: They are related to the management's policies and procedures concerning rewarding, training, assessing and compensating the employees for their work with the computer.

Information technology relied on reconstructing data processing methods and producing reports. In return, some risks face the organizations which adopt IT, so it must be well controlled to identify the control characteristics that should be applied.

Technology was used and developed in the field of control environment by using electronic methods because the manual methods were not suitable in analyzing, saving and retrieving data and information which represent a large size of business, it couldn't also use the mathematical, statistical and geometrical methods in data analysis. There is no need to the accuracy, trueness and objectivity of the information used in the controlling process and to achieve this end, a set of methods can be used to facilitate the controlling process; from which ara the following: Iliya (2011)

Using the statistical inspection approach in selecting and evaluating samples.

  • Performing analysis by using developed statistical methods that cannot be used under manual operation.
  • Self-control approach to verify the correctness of data and accounting treatments and the objectivity of the output information.
  • Designing computer programs to highlight the odd numbers in the data to give them more clarification.
  • Following the method of graphical presentation and disclosure in preparing different statements and reports.
  • Using the information feedback style.

The most important effect of IT on the control environment can be embodied in the following: Mair (2002)

First: General Control

Information technology affects the general control related to the presently applied computer environment and to what have been processed. It affects the efficiency of the organization in general concerning the following issues:

  • Providing security.
  • Developing and maintaining the systems and changing the control style.
  • Controlling the computer operations which contain the networks, data bases and planning.

Second: Controlling Applications

This organizes the company's operations or events and provides authorized access to data. It also completes processing the inputs through treating the outputs. This control over applications is designed to detect, prevent or correct errors according to the following:  Jagdish (2002) 1) Preventative control:

It protects the company from the undesired events or operations. IT affects this type of control through the following:

  • It prevents unauthorized access to programs and systems.
  • It determines the required issues and defines the passing word to access data.
  • It restricts the transgressions of the user (like printing paper and storing on disks).
  • Prevents the closure of files and records in case of error.

2) Detective control:

I t interested in the errors that take place during the electronic treatment to data which contains warnings and possible exceptions to solve problems. Therefore, and because of the quick discovery of this type of errors, the user is to read the warnings and the expectations extracted from the same system for problem solving. Moreover, as a result of the influence of developments in IT on this type of control, it has to be carefully designed to avoid big mistakes. It also helps to reduce the time consumed in auditing and imposes the persistence of supervision and control.

3) Corrective control

It cares for the error after its occurrence, corrects it and treats its consequences. This demands automated systems for the reason that IT has created information of high quantity and quality, which means the possibility of having undetectable errors that need to be quickly and accurately corrected electronically.

1.17. The Steps of IT Risk Assessment

There are seven serial steps that have to be considered when defining IT risk assessment, which are as follows: (Randy (2004))

1) Identifying the information assets

The significant assets of each department must be identified. Those assets include: The computer hardware, programs, systems and relevant services and technology.

2) Collecting and putting priorities for assets

Having accomplished the first step, comes the second step which is ordering the assets which whether they were very sensitive that no job can be achieved without them, or insensitive, the second order is the appropriate information which we can do without for several days or a time span that does not exceed a week. The third and last order of information is the normal expendable information without which the work can be done for a long time.

3) Identifying risks

Here, each department specifies risks whether those problems or threats were limited or unlimited. Risks must be tangible and attributed to one or more assets.

4) Putting priorities for the risks according to their importance

This gives departments an idea about the location of the events that need planning. It also creates sequent steps which make the process of their management easier. The sensitive risks to be placed at the top of priority ladder.

1.18. The Special Rules of Measuring Risk Assessment Under it Environment: Jacobson (2002)

  • Identifying the risks which undermine and disrupt the basic activities of the company and the resulting monetary loss.
  • Identifying the possibility of loss (the loss that fits with the risk), including the risks related to the function and assets, and preferably expresses in a monetary form.
  • Specifying the sum of the loss or the weakness which is resulted from the threat (and this is related to the second point).
  • Identifying the threat that results from the possibility of the event repetition (the ratio of the threat), and annually expressed.
  • Identifying the possibility of dealing with the main issues of the risk: The uncertainty circumstances, the manner of specifying those circumstances and what should be done if they happen.
  • Identifying the cost-efficiency by using the rate return on investment or the cost-benefit.

5) Placing a list containing the risks

Here, the members of the assigned team identify the risks and present the supporting explanations and details depending on their knowledge concerning those risks.

6) Referring to the risks according to sensitive assets (sensitive information)

In this step, the work team places a list of the sensitive assets (the most exposed to risks) ordered according to their priority in a separate part of the risk assessment report. This helps departments to suggest suitable solutions for those risks and to implement plans to protect those assets.

7) Presenting the appropriate recommendations to find solutions for those risks

Components of the risk assessment report: Randy (2004)

  • Title of the paper: Contains the name of the department and the names of the team assigned to risk assessment.
  • General information: Refer to the department manager, team leader and dates of analysis.
  • Interests (general suggestions): Interested in the suggestions of the specific department.
  • Assets information: places the sensitive assets of each department according to priority.
  • Placing risk priorities: Risks are presented according to their importance with suitable definition to their risks.

Recommendations: Specifying a known option to describe he risks according to the cost-benefit method.

2. STATISTICAL ANALYSIS

2.1. Validity and Reliability Test

The SPSS method was used as a main and the value of Cronbach's Alpha was extracted to measure the degree of the internal consistency of sample's responses to the study tool. Its value was %78 which is higher than the minimum level %70 which is statistically accepted. This indicates the reliability of the sample members' responses which positively reflects on the results and recommendations of the study.

3. DATA ANALYSIS

A questionnaire was used as a main tool to collect information from the study sample represented by the Islamic banks in Kuwait. The total number of the internal auditors in the Islamic banks in Kuwait was 75 auditors while the number of banks in Kuwait was 4 Islamic banks. SPSS was used to analyze the questionnaire where the following symbols were given to the choices of the questionnaire's items: strongly agree: 5, agree: 4, neutral: 3, disagree: 2, strongly disagree: 1. Therefore, the higher the item or the hypothesis mean than 3 was the higher was the degree of the influence or acceptance of the sample members to that item or hypothesis. And if the mean was less than 3, this indicates the weak influence or acceptance to the item or hypothesis according to the sample members.

4. DATA COLLECTION METHOD

The questionnaires were distributed on the internal auditors in the Islamic banks in Kuwait: 4 Islamic banks. The total number of questionnaires was 58 from which 46 questionnaires were retrieved.

Sources of the study data

  1. Secondary sources: represented in the books, references and scientific researches of relevance to the subject matter of the study for the purpose of accomplishing the theoretical framework of the study.
  2. Primary sources: represented in preparing a questionnaire that contains the variables and hypotheses of the study in order to produce the results and recommendations of the study.

Characteristics of the study sample's members

Table-1.The study sample according to years of experience

Description Number Percentage
less than 5 years 7 15%
5- less than 10 years 15 33%
10- less than 15 years 10 22%
15 years and more 16 30%
Total 46 100%

Source: Prepared by researchers

The above stated table shows that the study sample's members have proper experience in work wherein the majority are of the 15 years and more category. This means the presence of a positive reflection on the topic of the study as the IT tools depend on experience and practices of work which positively affects the validity and reliability of the study tool.

Table-2. The study sample according to academic major

Description Number Percentage
Accounting 31 67%
administrative sciences 9 20%
financial and economic sciences 6 13%
Total 46 100%

Source: Prepared by researchers

The former table indicates that the majority of the study sample's members are specialized in accounting. The reason for this may be normal, as the study sample is targeted to be form the internal auditors, and this creates a positive reflection upon understanding and comprehending the items of the questionnaire.

Table-3.The study sample according to the academic qualification.

Description Number Percentage
community college 6 13%
bachelor's degree 29 63%
post graduate studies 11 24%
Total 46 100%

Source: Prepared by researchers

The previous table shows that the study sample's members are academically qualified in a very proper degree. The majority of the sample members have bachelor's degree followed by those of post graduate studies. This gives a degree of reliability and validity to the responses off the sample members.

The discussion of the study hypotheses with the statistical results.

Table-4. The views of the study sample about the variable of control environment

No. Item Mean Standard Deviation Order
1 The internal auditor develops and maintains the systems to change the internal control method. 4.05 0.85 4
2 The internal auditor realizes the control over the IT tools to verify the efficiency of the internal control . 3.42 0.49 7
3 The internal auditor identifies the assets represented in the computer hardware and the related programs, systems and technology. 2.48 0.73 8
4 The internal auditor identifies the risks of using the IT tools and how to reduce those risks. 4.29 1.05 2
  5 The internal auditor is to check the credibility of IT tools which help the internal control system to cope with the strategic goals of the company.   3.78   0.58   5
  6 The internal auditor reviews the presence of the element of elaboration in identifying the control methods and their deviations through using the IT tools.   4.21   0.86   3
  7 The concern of the internal auditor appears through using IT tools by proving the chances that take place in the policies and procedures of internal control.   2.29   0.51   9
  8 The internal auditor, through using the IT tools, cares for keeping the programs and files which have an effect on the internal control efficiency.   3.63   0.79   6
  9 The internal auditor, through using the IT tools over control, cares for the possibility of authorized access to the documents and procedures of internal control to prevent penetration.   4.46   0.68   1
Means 3.62

Source: Prepared by researchers

The previous table shows that the study sample's members assert that the item No. 9 represents the level of the greatest influence with a mean of 4.46. This indicates that the rate of strongly agree are for higher than the rates of disagree and the rates of strongly disagree. This item is embodied in the presence of an influence on the work of the internal auditor to ensure the legal or authorized access to the financial or accounting statements which positively reflects upon the efficiency of internal control in the Islamic banks in the state of Kuwait. This also points out that the role of the internal auditor has expanded to include the soundness of the statements or information stared in the computer programs to guarantee the security and confidentiality of information. It is also noticeable that the standard deviation 0.68 points out that the rates of variance in the study sample's members answers are fairly acceptable and there is no dispersion in the responses of the sample's members. The fourth item represents the second acceptance or influence degree with a mean of 4.28. This item denotes that the internal auditor performs the process of analyzing the risks of using the IT tools on the validity and reliability of the data and the financial statements. This indicates the transaction of the internal auditors in the Islamic banks in Kuwait with any emergency that comes out of using modern technology in addition to placing mechanisms that mitigate the risks of using technology. It is also clear that item 6 represents the third acceptance degree according to the views of the sample's members with a mean of 4.21. This item shows the existence of an effective role to styling the electronic control methods to the financial and accounting statements which may increase the efficiency of the control environment in the Islamic banks in Kuwait. This gives evidence that the internal auditors have positive influence in increasing the internal control efficiency through presenting detailed reports about the reality of control and attempting to define the internal control problems and finding suitable solutions. We also notice that the seventh item represents the lowest acceptance degree according to the sample's members with a mean of 2.29. This means that the rates of disagree are higher than those of agree. This item is represented in the weak role of the internal auditor in describing the changes in the control environment in term of the policies and procedures. This denotes the feeble recognition of the administrative entities to the changes in control methods especially in the IT environment. We also notice that the mean of the hypothesis in general is 3.62 which means that the study sample's members confirm the effect of using It tools on the control environment.

Table-5. The views of the study sample in the variable of risk assessment

No. Item Mean Standard Deviation Order
1 The internal auditor determines the investment risks from IT tools by using the cost-benefit policy. 3.79 0.42 4
2 The internal auditor identifies the risks that undermines or disrupt the controlling activities in the establishment. 2.76 0.74 6
3 The internal auditor estimates the monetary value of the risks that encounter the company and which are resulted from using IT tools. 4.37 0.61 1
4 The internal auditor identifies the frequent risks that affect the internal control efficiency. 3.37 0.86 5
5 The internal auditor prepares and suggests a list of the expected risks from using IT tools in realizing internal control. 4.19 0.59 2
6 The internal auditor prepares a detailed report of the risks and the degree of their influence on the internal control efficiency. 3.92 0.52 3
Means 3.79

Source: Prepared by researchers

The above table shows that the study sample's members affirm that the third item represents the highest acceptance or influence degree with a mean of 4.37. This item is embodied in the ability of the internal auditor to identify the monetary value of the risks of using the IT tools. This expresses the validity of representing the financial statements of the events that take place inside the bank which means the existence of qualitative properties of the financial statements. We also notice that the fifth item represents the second degree of acceptance or influence according to the study sample with a mean of 3.92. This item indicates the presence of a report being prepared by the internal auditor about the risks that affect the bank wherein the auditor puts priorities to deal with IT tools which helps in increasing the efficiency of internal control. This also shows the possibility of assessing and defining the internal control risks together with the methods of dealing with them to reduce their effect on the internal control efficiency. It also noticeable that the second item shows the lowest degree off acceptance or influence with a mean of 2.26 and reveals the presence of weakness in locating the risks that have great influence on the internal control efficiency. The mean of the hypothesis was 3.79 which asserts the effect of IT tools on risk assessment in the Islamic banks in Kuwait.

4.1. Test of Hypothesis

First Hypothesis

One-sample t-test was used in testing the first hypothesis giving the following results:

Table-6. Results of the first hypothesis test

Calculated T-value Table T-value Sig. Mean Result of hypothesis
14.37 1.977 0 3.62 rejection of null hypothesis

Source: Prepared by researchers

The decision rule according to t-test, the alternative hypothesis is accepted if the calculated t-value was higher than the table t-value. Therefore, the null hypothesis is rejected and the alternative hypothesis is accepted which indicates the existence of an influence of using IT tools on the control environment to increase the efficiency of internal control.

Second Hypothesis

Results of testing the second hypothesis

Calculated T-value Table T-value Sig. Mean Result of hypothesis
9.73 1.977 0 3.79 rejection of null hypothesis

Source: Prepared by researchers

Based on the former rule, we reject the null hypothesis and accept the alternative hypothesis which indicates the presence of an influence to the IT tools on risk assessment through the perspective of the internal auditor.

5. RESULTS AND RECOMMENDATIONS

First: Results

5.1. The Study Revealed the Following.

1- The internal auditor has a role in assessing the information security policies which depend on It tools and preventing their penetration or the modification of the accounting programs and their contents illegally.

2- The internal auditor has a role in assessing the risks of using IT tools in auditing and in working to reduce their occurrence or to mitigate their effects on the financial system of the bank for example.

3- The internal auditor in the Kuwait commercial banks has a positive effect in elaborating the risks that may affect the efficiency of the electronic control system through maintaining the security and confidentiality of data and information.

4- The ability of the internal auditor to assess the monetary value of the risks that face the bank and which are resulted from using IT tools; and consequently, the financial statements express truly the monetary events that occur in the bank.

5- The internal auditor prepares reports and recommendations about the potential risks the banks may encounter. Such recommendations are to be supported by evidence.

6. RECOMMENDATIONS

Based on the results of the study, the following recommendations may be presented:

1- The information technology tools are double-edged for the internal auditor. The first edge represents the risks related to penetrating or modifying the financial statements as well as the unauthorized access. The second edge represents the advantages that the auditor can utilize from using IT tools represented in the speed and accuracy in exchanging accounting data and information.

2- The necessity of arranging continuous changes especially in using the It tools where the internal auditor changes the auditing program ad its timing with the technology applied in the company.

3- The internal auditor is to set the priorities of dealing with the risks of IT which have a positive effect on increasing the internal control efficiency especially in banks.

4- Holding seminars and conferences specialized in audit information technology whose axes focus on using various IT tools in the internal auditing process and functions.

5-Qualifying auditors through specialized courses about optimal use of  IT tools in the auditing process.

Funding: This study received no specific financial support.
Competing Interests: The authors declare that they have no competing interests.
Contributors/Acknowledgement: All authors contributed equally to the conception and design of the study.

REFERENCES

Abdullah, K., 2012. Auditing and control in banks. Amman, Jordan: Dar Wael Publishing and Distribution.

Abu, D.Y., 2017. The impact of accounting information systems on the effectiveness of the internal control system in Jordanian Commercial Banks. Master Thesis. Al-Bayt University. Jordan. pp: 1.

Al-Hosban, A., 2009. Internal audit and control in an IT environment. Amman, Jordan: Dar Al-Hamed Publishing. pp: 37.

Al-Juwaifel, A., 2011. The role of computerized accounting information systems on effective of internal control on Jordanian islamic bank. Jordan, Amman: Middle East University. pp: 65.

Al-Sawaf, M., 2011. The effect of internal control on the sizing of operational risks in commercial banks. University of Mosul Journal Iraq: 218. Retrieved from www.iasj.net

Al-Shamma, K., 2007. The theory of organization. Amman, Jordan: Dar Al-Sira for Publishing and Distribution. pp: 36.

AL-Sharairi, M., A. Al-Hosban and H. Thnaibat, 2018. The impact of the risks of the input of accounting information systems on managerial control, accounting control and internal control in commercial banks in Jordan. International Journal of Business and Management, 13(2): 96-107. View at Google Scholar | View at Publisher

Alhosban, A.A. and M. Al-Sharairi, 2017. Role of internal auditor in dealing with computer networks technology - Applied study in islamic banks in Jordan. International Business Research, 10(6): 259-269. View at Google Scholar | View at Publisher

Alshaibi, M., 2011. Adapting internal control system with a use of IT and its effect on reliability of financial statements. Jordan, Amman: Middle East University. pp: 1.

Bo Hayek, A., 2015. The role of the accounting information system in the effectiveness of internal control in oil companies in Algeria. Master Thesis. University of Qasidi Marbah, Ouargla. Algeria. pp: 8.

Grand, C., 2004. Information security management element. Audit and Control , IIA, 8: 31.

IIA, 2004. Current impact of IT on internal auditing. Retrieved from http://www.finfarticles.com

Iliya, A., 2011. The development of IT and internal control systems. Master Thesis. Open Arab Academy in Denmark. Faculty of Administration and Economy. Accounting Department. pp: 14.

Jacobson, R., 2002. Quantifying IT risk. IIA, 5(2): 212-231.

Jagdish, P., 2002. IT audit approach, internal control, and audit decisions of an IT auditor. IIA, 3(1): 35-50.

Kulk, G.P., R.J. Peters and C. Verhoef, 2009. Quantifying IT estimation risks. Science of Computer Programming, 74(11-12): 900–933. View at Google Scholar | View at Publisher

Mair, W., 2002. ESAC risk and control environment. IIA, 5(2): 233-248.

Randy, M., 2004. Seven-step IT risk assessment. IIA: 3. Retrieved from www.iia.org,P3 .

Samukri, 2015. Influencing effective internal control system and implementing of financial accounting information system on the quality of information system. Research Journal of Finance and Accounting, 6(11): 256-266.

Sheikh Salem, F., 2007. Modern administrative concepts. Amman. Jordan: Jordan Book Center.

Taylor, D., 2006. Auditing. 6th Edn.: John Wiley. pp: 326.

Thomas, R., 2000. IT and internal control and financial statement audit. CPA Journal, 172(4): 127-148.

Scroll to Top