IT Auditing in Italian Banks: An Explanatory Study

Conference paper
Part of the Lecture Notes in Information Systems and Organisation book series (LNISO, volume 6)


This study analyses the characteristics of IT auditing in banks. Based upon two Italian case studies, the article provides a qualitative assessment of the objectives of the IT audit, the activities performed, the stakeholders served and the critical success factors that influence the capability of IT auditing to add value. The results show that the scope of the IT auditing function has extended; nowadays senior managers expect IT auditors to support them in the evaluation of the IT system and in the assessment of IT security controls. Regarding IT auditing activities, the most commonly performed are risk assessment and information security risk assessment. Considering stakeholders, the interviewees revealed that the main stakeholders are executive managers, while the critical success factors are the characteristics of the control environment, the capacity of the IT auditor to stay in touch with the business, and behavioural skills.


Keywords: IT auditing, Banks, Case study



Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. Department of Business Administration, University of Pisa, Pisa, Italy
