The relationship between the stability of computerized accounting applications, computer audit strategy and audit risk

This study investigated the relationship between the stability of computerized accounting applications, computer audit strategy and audit risk. Unstable applications were defined as those that have recently been implemented, have frequent changes to their program modules, and are not well documented. Stable applications are those that have been in place for a few years, have only occasional changes to their program modules, and are well documented. A computer audit strategy model was developed based on research in software engineering and information systems. The model suggested that the appropriate audit strategy in the environment of stable computerized applications is to rely more on computer-based controls, use sophisticated computer audit techniques to a greater extent primarily for the purpose of testing computer controls, and test the system less extensively than in the environment of unstable computerized applications. The model also suggested that stable applications would be associated with lower audit risk than unstable ones.;The empirical test of the model, using a sample of expert computer auditors from four of the "Big 8" accounting firms, confirmed many of the hypotheses relating to computer audit strategy and audit risk assessments. The participants in the study relied more on computer controls, used more sophisticated computer audit techniques, and assessed audit risk as being lower for stable applications than for unstable ones. However, there was little difference in the purpose for which computer audit techniques were used and no difference in the extent of testing between unstable and stable applications. Since most of the hypotheses have empirical support, the model can be used by practicing auditors to determine an appropriate strategy in the environment of computerized applications as a function of their stability.;The research also investigated the impact of certain audit firm differences on computer audit strategy and audit risk assessments. The effect of structure in firms' audit methodologies and the effect of differences in the organizational location of the computer auditor were the two firm differences investigated. There was insufficient evidence to support the hypotheses that these two firm differences had a systematic effect on computer audit strategy or audit risk assessments.