A Systematic Literature Review
of Information Systems Auditing in Developing Countries
Eugen Munteanu
Department of Computer and Systems Sciences
Degree project: 30 HE credits
Degree subject: IT Project Management
Degree project at the master level
Spring term 2016
Supervisor: Stewart Kowalski
Reviewer: Paul Johanesson
Abstract
Problem: With its main focus on ensuring the security, reliability, integrity, and privacy of
information, Information Systems Auditing plays a critical role in the health of any organization
in the developing countries. Recent business failures have increased the interest of researchers in the
topic of information systems auditing. While some research exists, it focuses on particular cases from the
developing countries, and academia still lacks a comprehensive overview of information systems
auditing in the context of developing countries. Research question: In this light, the perceived gap in the
existing literature raised the following research question: What are the current difficulties, issues and
challenges which are experienced by the developing countries in terms of Information Systems Auditing?
Method: To facilitate answering the research question, the systematic literature review for information
systems research was undertaken in conjunction with the grounded theory-based rigorous approach to
systematic reviews. Result: The review analyzed 23 articles spread over a period of ten years
and selected from six literature databases. By means of grounded theory, six main
categories related to challenges, difficulties and issues were identified. Conclusion: This comprehensive
literature review shows that the developing countries are facing various challenges, difficulties and issues
with regard to Information Systems Audit, ranging from legislation, policies and standards to education
and cultural aspects. Originality and Significance: This study fills the gap in the body of knowledge
related to Information Systems Audit in developing countries. Based on the outcomes, this thesis suggests
a number of potential research directions which were found not to have been previously researched.
Keywords
Systematic Literature Review, Grounded Theory, Information Systems Audit, Developing Countries.
Table of Contents
1. Introduction
1.1 Introduction to the researched topic
1.2 Research problem
1.3 Research question
1.4 Research aim
1.4.1 Scope and delimitation
1.4.2 Organization of findings
1.5 Limitations
1.6 Research Contribution/Significance (Anticipated Contribution)
1.7 Thesis Structure
2. Extended background
2.1 The Concept of Auditing
2.2 Information Systems
2.3 Information Systems Auditing
2.4 Developing countries
3. Methodology
3.1 Reasoning for choosing the Systematic Literature Review as research strategy
3.1.1 Alternatives to the chosen research strategy
3.1.2 Research Ethics
3.2 Research Design
3.3 Applying the Systematic Literature Review method
3.3.1 Literature Search (S3)
3.3.2 Practical Screening (S4)
3.3.3 Quality Appraisal (S5)
3.3.4 Data Collection/Extraction (S6)
3.3.5 Data Analysis/Analysis of Findings (S7)
3.3.6 Writing the Review (S8)
3.4 Validity and reliability
4. Literature Overview
5. Analysis and Results
5.1 Analysis of the articles by means of Grounded Theory (open, axial and selective coding)
5.1.1 Open Coding
5.1.2 Axial Coding
5.1.3 Selective Coding
5.2 State the identified codes (concepts) explicitly
5.2.1 The codes explicitly stated
5.2.2 The categories and sub-categories explicitly stated
5.3 Present the results through concept matrices
5.4 Identify strengths, weaknesses and gaps in the literature
5.4.1 Legislation
5.4.2 Policies and Standards
5.4.3 Organizational
5.4.4 Human Resources
5.4.5 Education
5.4.6 Cultural
6. Discussion
6.1 Alignment with the research aim
6.2 Reflection on the research carried out
6.2.1 Reflections on the steps of SLR
6.2.2 Reflections on the analysis of data by means of Grounded Theory
6.2.3 Final reflections on the research carried out
6.3 The originality and the practical and theoretical significance of the contributions
6.4 Limitations of the study
6.4.1 Ethical and social aspects
6.5 Suggested areas for future research
7. Conclusion
References
List of appendices
Appendix A
Appendix B
Appendix C
List of Figures
Figure 1: The work system framework (Alter, 2008)
Figure 2: Systematic Literature Review (Source: Okoli and Schabram, 2010)
Figure 3: Research methods
Figure 4: Highlighting the type of publications
Figure 5: Clarifying the time of publication
Figure 6: Geographical distribution of articles per continents
Figure 7: The Diagram of the Main Categories
List of Tables
Table 1: Search Results (Hits)
Table 2: Screening for Inclusion Questions
Table 3: Screening For Exclusion Questions
Table 4: Highlighting the Emerged Sub-Categories
Table 5: The final Main Categories
Table 6: The classification of categories and sub-categories
Table 7: Type of publications
Table 8: Methodology of chosen articles
Table 9: Distribution of articles per continents
Table 10: Years of Publication for the chosen articles
Table 11: Appendix A - Summary of articles filtered for data analysis
Table 12: The identified open codes
Table 13: Mapping of the Open Codes to the articles
Table 14: The complete matrix of the concepts
Abbreviations
ASQ – American Society for Quality
GNP – Gross National Product
IEC – International Electrotechnical Commission
IMF – International Monetary Fund
IS – Information Systems
ISO – International Organization for Standardization
IT – Information Technology
MS – Microsoft
SLR – Systematic Literature Review
1. Introduction
This introductory chapter provides an overview of the research conducted in this thesis. First, the
research topic is introduced to the reader. Then, the problem is stated. Next, the research aim and the
research question which drive the research work are presented. Finally, the perceived limitations are
briefly mentioned, the anticipated contribution is outlined and the structure of this thesis is
highlighted.
1.1 Introduction to the researched topic
Nowadays, most organizations, acting either in the private or public sector, recognize the strategic
importance of the information. They rely on the information systems to process the information produced
internally or retrieved from outside of the organization (Prakash and Sivamukar, 2014). Hence, the
information is seen as a core asset which must be protected if the organizations want to survive in their
area of business.
Recent major business failures, such as Enron, WorldCom, and Global Crossing, as well as the terrorist
incidents like “September 11, 2001”, showed that ensuring the integrity of the information systems plays
a crucial role (Lovaas and Wagner, 2012).
Moreover, the misconduct of business executives in some renowned fraud cases, such as the “Ponzi scheme” of
Bernie Madoff or the falsification of financial statements of American International Group, led to situations
in which the financial records were altered by means of information systems (Cannon, 2011).
Therefore, the need for strict control and audit of the information systems in use in organizations
has become critical in recent years. Businesses have also put a lot of pressure on governments and
subsidiary regulatory bodies to provide a clear, up-to-date legislative
framework and policies with a focus on information systems auditing (Lovaas and Wagner, 2012).
An audit of an organization’s information system (IS) is a review of the past records. The information
systems auditor is expected to proceed by following a clearly defined audit process, set up audit criteria,
collect the meaningful evidence and write a report on the findings in an objective and independent
manner. Further, this report is presented to the management of the organization. If the management agrees
with the results of the IS audit, then a mitigation plan is compiled and applied in order to avoid any
IS-related risk which may further jeopardize the existence of the business (Cannon, 2011).
Therefore, the information systems audit helps the organizations to closely monitor how they do business.
The information systems audit is also beneficial for the managers, employees, investors and other
stakeholders, because they are protected against any potential fraud or illegal activity. Additionally, they
can validate the security, reliability and privacy of the information systems implemented in the
organization (Lovaas and Wagner, 2012). Also, IS Audit is beneficial for companies because it has a
critical role in discovering the potential areas where a company could lack IS controls to avoid any
business disruption such as data corruption, data leaks, whistleblowing, and successful hacking attacks
(Merhout and Havelka, 2008).
Furthermore, from the practical and technical perspective, the information systems audit relies on
information systems controls. These controls comprise the rules, policies and procedures adopted by the
management to ensure that the information systems are efficient and effective in order to reach the
business goals of the organization (Soltani, 2007). Hence, the purpose of the information systems audit is
to assess and document the performance of the information systems controls to safeguard the resources,
applications, data, critical systems and the infrastructure of the existing information systems of the target
organization (Aida Lope Abdul Rahman et al., 2015).
The developing countries host the majority of the world’s population and are becoming progressively
more important in the context of increasing interconnectivity and globalization (Walsham and Sahay,
2006). This is one of the reasons why the auditing of information systems has to be taken very
seriously by businesses and governments in the developing countries.
The examples provided in the opening of this chapter are about corporate failures from the United States of
America (Enron, WorldCom) and Europe (Ahold, Parmalat) (El-Sayed Ebaid, 2011). Also, media outlets
revealed stories about governments from the advanced countries affected by leaks of information
(WikiLeaks) or information systems compromised by weak controls. Such embarrassing situations would
have been avoided by putting in place and enforcing a proper audit of the information systems (Carlin and
Gallegos, 2007; Henry, 2010).
As happened in the case of the advanced countries, the adoption and usage of information
technology in the developing countries brings not only benefits and advantages. This process is also
accompanied by all the associated threats: fraudulent activities or cybercrime (Gercke, 2009).
Given the increasing trend toward global business, global outsourcing and globalization (Walsham and
Sahay, 2006), it is important to prevent situations similar to those already mentioned from occurring in the
developing countries through a proper identification of the current obstacles in using information systems
auditing. In this way, the developing countries could improve their future development in the field
of IS Auditing.
1.2 Research problem
Every year, a huge amount of research is produced by the academic world (Siddaway, 2014). In the particular
case of Information Systems Auditing, the online resources of Stockholm University Library retrieved a
considerable number of articles focusing on this topic.
However, the initial review of the existing literature on the topic of Information Systems Auditing
indicated that up to the moment when this research was started, there was no literature review covering
the overall status of the Information Systems Auditing in the developing countries with regards to current
barriers experienced by companies from these countries.
Therefore, the perceived problem that this thesis addresses is the lack of research in the academic body of
knowledge regarding a deeper and more comprehensive understanding of the current difficulties, issues
and challenges of Information Systems Auditing in the developing countries.
1.3 Research question
To address the above formulated problem, the research question driving this thesis is:
What are the current difficulties, issues and challenges that are experienced by the developing
countries in terms of Information Systems Auditing?
By answering this research question, this research work will attempt to fill the identified gap in the
existing academic literature.
1.4 Research aim
Based on the aforementioned problem and the research question, this research aims at retrieving the
current status of Information Systems Auditing in the developing countries in order to understand what
the potential obstacles are in building a robust Information Systems Auditing in the context of developing
countries.
So, the goal of this research is to investigate and capture the aspects connected to the issues, difficulties
and challenges that are related to IS Auditing in developing countries and are revealed by the existing
literature at the moment of this study.
1.4.1 Scope and delimitation
The environmental scope of this research includes the private companies and the public sector of the
developing countries because it aims at capturing all potential information related to the auditing of
information systems.
Moreover, based on the observations from section 1.1 and given the fact that there is a lack of consensus
on using the right terminology, this thesis will consider the Information Technology Auditing as a subset
of the Information Systems Auditing in order to get all studies which are using these two concepts. The
reasoning around this decision is given in the chapter dedicated to the main concepts used in this thesis
(Chapter 2).
1.4.2 Organization of findings
In order to better organize the findings, it has been found appropriate to use the means of grounded theory
in order to do a literature review in a rigorous manner as is depicted by Wolfswinkel et al. (2013).
Additionally, inspiration from Wolfswinkel et al. (2013) has also been taken regarding technical aspects
on doing a systematic review.
The grounded theory-based analysis is described briefly in the chapter dedicated to the methodology used
in this thesis, as well as in the data analysis chapter.
1.5 Limitations
The research searches for online articles available on the Internet. As the author is a distance student, there
is no intention to use paper-based articles stored in the library of the University of Stockholm. So, the main
sources used for this research will be Internet resources.
Secondly, this research assumes that all retrieved literature properly reflects the difficulties, issues
and challenges in terms of Information Systems Auditing concerning developing countries.
Thirdly, this thesis research work is limited in time and resources. There is only one individual working
on this research. Therefore, this limits the efforts in getting a broader view on the visited sources.
Finally, this thesis limits the research to articles written only in English, produced in the limited
geographical area of the developing countries which may use English in the academic world.
1.6 Research Contribution/Significance (Anticipated Contribution)
Given the fact that a literature review is always a starting point for further research (Siddaway, 2014), the
findings of this research could be used further to inspire or draw new directions of academic research
based on the information retrieved through a comprehensive literature review of such magnitude.
Also, by highlighting the current challenges, difficulties and issues of IS Auditing in the context of
developing countries, this research would also contribute by helping practitioners (consultants,
managers or IS Auditors) to better understand the information systems auditing landscape of developing
countries.
Lastly, given the fact that previous research has recognized the high potential of Information
Systems-related research in helping the developing countries reduce “poverty, inequity, and marginalization”
(Walsham and Sahay, 2006), it is believed that this research work will contribute to the existing body of
knowledge by providing new research directions in order to diminish the gap between developed and
developing countries.
1.7 Thesis Structure
The outline of this thesis is as follows.
The next chapter explains and discusses the main concepts used in this research paper. Chapter 3 discusses
the chosen methodology. Then, Chapter 4 presents the overview of the literature included in this
review.
Chapter 5 focuses on the analysis of the retrieved data and on the results. The results are
presented by using concept matrices, and the strengths, weaknesses and gaps in the literature are identified
and reported.
Then, the outcomes of this thesis work are discussed with regards to the research question driving this
study. Also, the contributions are discussed and potential research avenues are suggested.
Finally, the conclusions are drawn by highlighting the fundamentals of this thesis.
2. Extended background
This chapter explains the main concepts used in this thesis. The main concepts are discussed from the
perspective of the existing literature on the researched topic, together with the reasoning for why these
concepts were employed in this thesis.
2.1 The Concept of Auditing
Historically, auditing practices have been traced back by historians to about 4000 B.C. (Ramamoorti,
2003). Closer to our times, the Roman Empire, Ancient Greece or Babylonia needed to audit the
financial situation of their public systems (Ramamoorti, 2003). Perhaps this is a reason why the
word “audit” evolved from the Latin “audire”, which can be translated as “to hear” (Teck-Heang and Ali,
2008).
Previous research on the history of audit quoted the accounting historian Richard Brown, who believed
that the origin of auditing is rooted in the needs of the development of civilization to have a proper
verification of the record keeping systems (Ramamoorti, 2003; Nkwe, 2011).
Taking this information further, the purpose of auditing was traditionally to focus mainly on the
financial part of the business. In the existing literature, it has been observed that the process of auditing
aims at ensuring that the information reported in the existing financial records is reliable (Soltani, 2007).
Therefore, the auditing is defined as being a systematic process of gathering and assessing the existing
information in order to make sure that there is a level of consistency between what has been found and a
set of established criteria (Soltani, 2007).
Another perspective on the above-mentioned definition stresses that auditing has
to be defined as a systematic process done in an objective manner (Krogstad, 1977).
In the last decades, the audit function has evolved by providing value-added services on top of what the
auditing has traditionally done: to endorse the trustworthiness of the financial statements of a given
business. So, nowadays the auditing is expected to help the business with details on suspicious activities,
potential risks and to contribute with meaningful advice for the management regarding the internal control
(Teck-Heang and Ali, 2008).
Moreover, confronted with conflicts of interest between different business stakeholders
(the owners and managers), it became more common for businesses to have a way to address the issue of
the independence of the auditors (Salehi, 2009).
Currently, there are two major approaches of auditing: external auditing and internal auditing. Even
though one may think that these two approaches are excluding each other, they may coexist and
complement each other in order to provide a better input for the business decisions. Therefore, depending
on the view of the management, the external auditors could help the internal auditors by compensating the
lack of time or resource to do a particular task (Nagy and Cenker, 2002).
2.2 Information Systems
Describing the term “Information Systems” seems to be a difficult and challenging effort. This difficulty
is associated with the fact that the academic world could not agree on a clear definition of “Information
Systems” (Alter, 2008).
The research conducted in this master thesis will rely on the definition of Information Systems as being a
special instance of a working system. A working system is seen as a system aiming at producing
particular products or services using machines which are handled by humans or they are working on their
own (Alter, 2008).
Therefore, an Information System is perceived as a specific case of a working system and is defined as a
system where individuals are using machines, or other means to produce informational products (Alter,
2008). The elements of such system may include the following: the infrastructure, technologies,
processes, customers and so on (See figure below).
Figure 1: The work system framework (Alter, 2008)
2.3 Information Systems Auditing
Having in mind the definition of Information Systems (IS) mentioned in the previous section, the
Information Technology (IT) could be seen as a subset of IS. The IT Auditing is considered as being a
quite new discipline. Despite this fact, it has an important role in the life of a business due to its critical
support in improving the control of the information produced inside of an organization (Lovaas and
Wagner, 2012; Carlin and Gallegos, 2007).
To cope with the fact that it is new, Information Technology Auditing based its growth on the framework
already existing in organizations in terms of controls and information systems management (Lovaas
and Wagner, 2012). This has evolved into IS Auditing, which has the aim of investigating the various
elements/components of the information systems (Hingarh and Ahmed, 2012).
As part of IS Auditing, the IT Audit is also considered as a systematic method of documenting any found
evidence in order to prevent, detect and correct abnormalities, errors or illegal activities related to the
systems implemented in an organization (Carlin and Gallegos, 2007).
Therefore, the major ambition of Information Systems Auditing is to analyze and provide feedback, to
make statements to relieve any doubts and finally to suggest what actions could be done in order to help
the business to perform more securely (Lovaas and Wagner, 2012). Also, IS Auditing ensures that the
organization’s computerized activities conform to all legal requirements (Hingarh and Ahmed, 2012).
Up to this moment, the IT industry-related standards use similar definitions for Information Systems
Audit. For instance, the well-known standard on “Systems and software engineering – Software life cycle
processes” states that audit in the context of “Systems and software engineering” means an
“independent assessment of software products and processes conducted by an authorized person in order
to assess compliance with the requirements” (ISO/IEC 12207:2008, 2008).
Therefore, the scope of IS Auditing is to focus on the components of the information systems, owned or
in use by the organization. This is extended also to the managers, employees and contractors (Hingarh and
Ahmed, 2012), in order to cover all aspects of the definition of Information Systems given by Alter
(2008).
2.4 Developing countries
The World Bank defines a developing country based on the country’s Gross National Product (GNP).
Hence, if a country has a low or a medium level of GNP, the World Bank categorizes the country as being
a developing country.
On the other hand, the World Bank considers a country to be a developing country if the majority
of its citizens live on far less money than the people living in a developed country (WorldBank.org,
2016).
The International Monetary Fund (IMF) publishes twice a year a report which is reflecting the current
classification of world economies based on three criteria. These criteria rely on the level of income per
citizen, the level of diversification of the country’s export and the level of integration of the country
economy in the global financial system (IMF.org, 2016). The report published by the IMF is called World
Economic Outlook and usually includes the list of developing countries at the publishing date (WEO
IMF.org, 2016).
In contrast, the World Trade Organization avoids using the term “developing country” and
proposes another term, such as “least developed countries” (WTO.org, 2016). Moreover, the United
Nations also uses “small island developing states” and “landlocked developing countries” to
categorize countries which fall under the developed country paradigm (Library Of Congress,
2008).
This situation arises because drawing a line between what is a developing country
and what is a developed country is “not obvious” (Nielsen, 2011).
Given the fact that there is no clear agreement on the definition of a “developing country”,
this master thesis will use the categorization of the IMF and the list provided by the World Economic
Outlook published in April 2015 as a basis for this research work.
3. Methodology
This chapter is dedicated to the methodology used in carrying out the research in this thesis. The
reasoning for choosing the methodology, the methodology itself, as well as data collection and data
analysis are extensively presented so that the scientific rigor is guaranteed.
This master thesis research work relies on the “Systematic Literature Review” methodology as it has been
described in the existing literature related to research guidance (Kitchenham, 2004; Keele, 2007; Okoli
and Schabram, 2010; Denscombe, 2014). The chosen methodology is presented in detail later in
this chapter.
3.1 Reasoning for choosing the Systematic Literature Review as research strategy
A research strategy helps a researcher to come up with a plan on how to proceed on doing a particular
research (Denscombe, 2014). Given the fact that there is no universally accepted way to conduct a
research, a research strategy has to include (1) a distinct logic of the research and the justification of that
and (2) an action plan and a specific problem which has to drive the research (Denscombe, 2014). While
the last element was addressed in the previous chapter, the first component will be discussed in this part
of the thesis.
Systematic reviews have their origins in medical and pharmaceutical studies (Kitchenham, 2004;
Keele, 2007; Denscombe, 2014). Initially, these kinds of reviews were used to reflect the findings of
clinical research. Therefore, systematic reviews are associated with solid evidence of good quality
research (Denscombe, 2014). This is the reason why systematic reviews are used by researchers,
practitioners and policymakers when there is a need for a reliable and objective overview of the existing
information on a distinct topic (Denscombe, 2014).
A research project is suitable for a systematic literature review if it aims to:
- Compile the existing, reachable knowledge on an identified topic
- Find out a gap in the current research aiming at proposing further research directions
- Specify a framework to organize the new research on the topic (Kitchenham, 2004).
The research work related to this master thesis started with the gap found in the existing literature
regarding the challenges, difficulties and issues of developing countries in terms of Information Systems
Auditing.
The objective of this research effort is to draw new research opportunities for the academia and to provide
practical insights for the practitioners acting in the field of Information Systems Auditing.
Therefore, employing systematic literature review has been seen as a natural research approach for this
master thesis.
3.1.1 Alternatives to the chosen research strategy
In the beginning of this research, alternative research strategies were also taken into consideration. There
are always different ways to reach the goal of a research project and finalize it. Choosing the right option
or alternative is strictly linked to the researcher’s decision and judgment (Denscombe, 2014).
For a small-scale research project with a low budget, Denscombe (2014) proposes several research
strategies: surveys, case studies, experiments, ethnography, grounded theory, action research and mixed
methods. Each of them has to be carefully evaluated and analyzed in order to decide if it’s suitable to
answer the research question. After judging them, the big decision has to be made by having in mind all
potential constraints, advantages and disadvantages (Denscombe, 2014).
As mentioned above, this research project is driven by the research question defined in Section 1.3. So,
initially, some research strategies were put on the list of potential and suitable strategies for this research
by constantly asking: how the research question could be answered by using this particular strategy?
Case studies look at one or more particular situations in order to understand what’s happening in that
setting in order to facilitate the comparison between these situations and to come up with some lessons
learned during the research (Denscombe, 2014). In a case study, the researcher builds up the knowledge
through a set of iterative cycles between the parts and the whole, by engaging in a dialog between the data
and theory (Klein and Myers, 1999; Walsham, 1995). Moreover, another benefit of using case studies is
that it contributes to the body of knowledge by exploring and getting insights from complex issues
(Zainal, 2007).
However, to engage case study as strategy is very demanding since the researcher has to have a direct
access to the studied cases and the generalizations could be easily put under discussion (Denscombe,
2014; Zainal, 2007). Given the number of developing countries, this strategy may have worked when
there were several researchers as well as enough time to research all potential cases. This research work is
conducted using only one human resource and the work has to be done in a given time framework.
Therefore, the decision was to drop this strategy.
Surveys are used when there is a need to assess some particular aspects of a trend or social phenomenon.
By gathering such information a theory could be tested (Denscombe, 2014). This thesis aims at evaluating
the current status of information systems and information technology audit and to build a theory regarding
the barriers faced by the developing countries. Therefore, this strategy was also considered as not suitable.
Grounded Theory was also judged. Grounded Theory is aimed at generating theories from the retrieved
data. Although “Systematic Literature Review” was considered as the research strategy, the way how
grounded theory contributes to having a rigorous review (Wolfswinkel et al., 2013) was judged as being
an appropriate way to conduct this research work for this thesis. Therefore, the Grounded Theory was
chosen to be used in conjunction with the Systematic Literature Review, so that, the review will benefit
from the exactness of the Grounded Theory.
3.1.2 Research Ethics
The ethical aspects of a research are employed when the research work has a main focus on individuals
(Denscombe, 2014). In this research there are no human subjects involved.
Given the fact that this is a literature review, the main input consists of the online documents found in the
literature databases. Therefore, in order to avoid any ethical issues which may arise from using one’s
academic work it is critical to properly reference the author(s) (Denscombe, 2014). To be in line with this
recommendation, the strategy used for this research work consists of giving credit each time a paper
is used, by carefully citing the study included in the literature review. Also, a comprehensive list of
references is to be compiled throughout the research work.
Another ethical aspect of this thesis is related to neutrality in presenting the findings in the literature
review report (Chapter 5). Therefore, the review aims at not including the name of the involved countries.
Moreover, no product name or IS Auditing-related framework, standard or policies will be mentioned.
More details on the ethical aspects are included in the discussion chapter.
3.2 Research Design
The difference between a traditional literature review and a systematic literature review (SLR) is the rigor
used in doing the review (Kitchenham, 2004; Keele, 2007). In order to have a systematic literature
review which is methodical, explicit and could be easy to be repeated, it is necessary to employ a
meticulous procedure which can explain how the review has been performed (Okoli and Schabram,
2010).
In order to answer the unique needs of Information Systems researchers, Chitu Okoli and Kira Schabram
came up with a set of eight steps to perform a systematic literature review.
Because the research work of this thesis is a part of Information Systems-related research, using the
guidelines of Okoli and Schabram (2010) seemed to be a legitimate selection.
The eight steps proposed by the guide of Okoli and Schabram (2010) are grouped into four main phases.
Phase 1 (P1) is called “Planning” and has two steps:
- S1: Purpose of the Literature Review – where the intention of the literature
review has to be defined. So, this step has to summarize the information around the research topic of the systematic
literature review.
- S2: Protocol and Training – is the step when a clear agreement is set in order to follow the same
procedure to guarantee that there is a consistency in the work done. This is applicable to
situations when there is more than one researcher.
Phase 2 (P2) is “Selection” when the existing literature available for the researcher is chosen. This phase
is also made out of two steps:
- S3: Searching the Literature – is the moment when the researcher has to outline in a detailed
manner how the search was performed. To sustain this work, the researcher has to explain and
justify the approach to this step.
- S4: Practical Screen – the output of the above step may include a large number of studies related
in one way or another to the topic of the systematic review. Hence, the reviewer has to explain in
detail how the screening was done to include the most valuable studies. Also, it is important to
justify why the other studies were dropped. This step is also known as “screening for
inclusion”.
The third phase is “Extraction” (P3) when the collected data is evaluated and extracted for further
analysis. Again, two steps are part of this phase:
- S5: Quality Appraisal – is the step which is focusing on “screening for exclusion”. In other
words, this is the moment when the researcher will evaluate which article could be used for data
extraction. The included articles will be categorized based on a scoring system to reflect their
importance and relevance to the topic of the review.
- S6: Data Extraction – the role of this step is to use the articles from S5 in order to extract
systematically the information which could answer the research question of the review.
Finally, the last phase, “Execution” (P4) is the phase when information collected in the previous phase is
synthesized and articulated in a report which will reflect the findings.
- S7: Analysis of Studies – is the step which will put together the findings looking after a link or
sense of the information collected. This step could be approached either in a quantitative or
qualitative way or even in a combination of both.
- S8: Writing the review – is the final stage of the Okoli and Schabram’s guide. This step has to
produce a report of all meaningful findings retrieved during this process. The report has to have
enough information to make the review easy to be reproduced independently.
The steps and phases of this guide are visually depicted in figure 2.
Figure 2: Systematic Literature Review (Source: Okoli and Schabram, 2010)
3.3 Applying the Systematic Literature Review method
The Systematic Literature Review guidance suggested by Okoli and Schabram proposes, for Data
Extraction/Collection and Data Analysis, a quantitative or qualitative approach or even a combination of
both in the case of the Data Analysis stage.
Given the aim of this research and the research question used in this thesis work, the qualitative approach
is going to be used for Data Extraction/Collection and Data Analysis. While the steps of SLR enumerated
above will be treated to a greater extent in this section, the aspects related to the qualitative approach will be
reviewed at the moment of the data analysis.
The first two steps of SLR are out of the scope of this section because they were already done. The
reasoning around this decision is based on the following two aspects.
The first step, “the purpose of the literature review”, has been already detailed in the chapter one as well
as in the introduction of this chapter. Therefore, Step One doesn’t need to be included in this section.
Furthermore, given the fact that the second step, “Protocol and Training”, is necessary when there is more
than one researcher (Okoli and Schabram, 2010), this step was also excluded because this research is
conducted only by one researcher.
3.3.1 Literature Search (S3)
Once the context of the literature search was identified, including research gap, research question and
keywords used for search, the literature search has begun.
An important success factor for a search through the online sources relies on a perfect understanding of
Boolean operators’ usage. This is crucial in the process of getting the most out of the online databases
(Okoli and Schabram, 2010).
Having in mind the above suggestion, the search started using a set of meaningful words for the research
work. Hence, expressions containing combinations of the concepts defined in the first chapter were
employed. For instance, expressions such as “information systems auditing” and
“information technology auditing” were used, combined with “developing countries” or “developing country”. These
expressions are listed in Table 1.
The initial search was done using Google Scholar because it has been perceived as being the most famous
source. The search using Boolean operators in combinations like (Information technology auditing)
AND (developing country) retrieved a lot of information which was discarded due to its insignificance for
this review. Perhaps, this happened due to the way this source is behaving (Wolfswinkel et al., 2013).
However, the usage of AND operator has been more successful in the case of other outlets. This is
reflected in the overall results consolidated in Table 1.
During the search phase, the researcher may need several iterations in order to pick up all studies which
are relevant to the literature review (Wolfswinkel et al., 2013).
Hence, a second search iteration was initiated using “Information technology auditing” “developing
country” or similar combinations based on the initially identified key terms. After this iteration, it was
possible to get a higher number of meaningful articles. The articles found at this stage were noted for
further steps.
Also, given the fact that Google Scholar offers the option to display citations where the searched key
terms are used, an investigation has been done by doing the so-called backward search as well as a
forward citation-based search (Okoli and Schabram, 2010; Wolfswinkel et al., 2013). These types of
search assume that there are articles cited in the retrieved article. So, the researcher could use the
citations and do an additional search for those articles. By using such a method, it was possible to learn
about more useful journal articles which were considered for further screening.
In their guideline, Okoli and Schabram (2010) insist on using specific subject databases to get valuable
information from the most published literature in an electronic format. Hence, the literature search was
extended to the sources offered by Stockholm University Library.
Therefore, the following databases were queried: IEEE Xplore, Emerald Insight, Scopus, EBSCO, Web of
Science and ACM Digital Library. These databases were considered relevant and significant to this
review based on the recommendations made by the guidance of Okoli and Schabram (2010). The list was
amended with Emerald Insight, a database of a personal choice of the reviewer.
Wolfswinkel et al. (2013) point out that the searches, the search terms, sources and the
results have to be documented properly for the “sake of transparency”. Moreover, literature reviews
must be reproducible by any other researcher. So, it is very important to show the reader how the
search for the literature was done (Wolfswinkel et al., 2013).
Therefore, to cope with the above-mentioned requirements of a systematic literature review, the results of
the search through all these sources were summarized in the following table:
Table 1: Search Results (Hits)

| Expression(s) | Google Scholar | IEEE Xplore | Scopus | EBSCO | Web Of Science | ACM Digital Library | Emerald Insight |
|---|---|---|---|---|---|---|---|
| (Information systems auditing) AND (developing countries) | 218000 | 12 | 53 | 192879 | 83 | 92036 | 11179 |
| (Information systems auditing) AND (developing country) | 205000 | 12 | 53 | 192913 | 83 | 92036 | 11179 |
| "Information systems auditing" "developing countries" | 67 | 2 | 11 | 91 | 0 | 640 | 12 |
| "Information systems auditing" "developing country" | 27 | 0 | 11 | 47 | 0 | 640 | 12 |
| (Information technology auditing) AND (developing country) | 164000 | 7 | 19 | 155171 | 20 | 72618 | 7473 |
| (Information technology auditing) AND (developing countries) | 160000 | 7 | 19 | 155198 | 20 | 72618 | 7473 |
| "Information technology auditing" "developing countries" | 45 | 1 | 4 | 35 | 0 | 640 | 6 |
| "Information technology auditing" "developing country" | 16 | 0 | 4 | 19 | 0 | 640 | 6 |

At this stage, it is also crucial to organize and maintain the references of the found articles. This is
important, since the amount of information may become hard to manage using traditional methods.
It is also recommended to use a systematic means for recording and storing the references and the
abstracts in order to save time and effort in the process of literature review (Okoli and Schabram, 2010).
Initially, the software considered for this work was EndNote (http://www.endnote.com). It turned out that
the software is commercial, so, a license has to be paid. Therefore, it was discarded. So, next step was to
look at those programs based on open source. Hence, Zotero from zotero.org was chosen for this work,
because it seemed to be a good alternative.
The installation of Zotero and how to work with it are out of the scope of this thesis. Therefore, this
information is not included here. However, for further information one could search the Internet.
Specifically, YouTube has plenty of videos on how to use Zotero.
Discussion: During this step, it has been observed that the filters and Boolean operator AND used in this
step are behaving differently in the case of the selected databases. This is reflected by comparing the
number of hits per each expression in the context of each literature database.
Moreover, the usage of quotation marks (“<searched text>”) didn’t retrieve any result in the case of Web
Of Science and IEEE Xplore. On the other hand, the usage of quotation marks in the case of Google
Scholar, EBSCO and ACM Digital Library produced a manageable amount of hits. The opposite
situation happened while using the AND operator and parentheses. For the same database, the number of hits
was so high that it reached more than 200 000 hits in the case of Google Scholar.
Therefore, the conclusion of this step was that the results depend on the experience of the
researcher in building up the search expressions and on how familiar she/he is with the behavior of various
databases.
3.3.2 Practical Screening (S4)
The next stage in this endeavor is to screen the found articles using a practical approach. This step is
focusing on finding the most suitable articles for the review. This is the moment when the researcher has
to decide which articles must be eliminated, basing his/her decision on two main criteria: firstly, the
article(s) do not answer the research criteria and, secondly, the number of retrieved articles has to be
manageable for the next step (Okoli and Schabram, 2010).
As a rule of thumb, during this step the reviewer normally reads the abstracts of the article(s) to establish
whether the article is useful for the review or not. To narrow down the articles, the researcher is invited to
use a set of questions based on suggestions given by the existing literature (Okoli and Schabram, 2010).
In the case of this thesis the following criteria were considered as basis for the research work (adapted
after Okoli and Schabram, 2010):
- Content: the literature review has to use those studies which are appropriate to the specific
research question.
- Language of publication: the literature review has to rely on those studies written in a
language understandable by the reviewer.
- Journals: only those articles published in well-known, renowned, high-quality journals have to be
taken into consideration for the literature review.
- Authors: the review has to focus on those authors who are outside of any doubt regarding their
work.
- Date of publication or of data collection: the studies included in the review have to be chosen
from a well-defined time span.
The practical screening is a process which has to balance between two aspects. Firstly, the screening has
to be wide enough to capture all studies which could answer the research question in an adequate manner
and, secondly, the review has to be manageable from the practical point of view, given the resources
involved in this activity (Okoli and Schabram, 2010).
Therefore, the screening is considered by the existing literature on Systematic Literature Review as being
a very subjective component of the review (Okoli and Schabram, 2010).
Given the fact that the IS Auditing field is quite new, the target time interval considered for the reviewed
studies is restricted to the last 10 years or a decade (based on the example of Wolfswinkel et al., 2013).
To sum up, in this master thesis, the criteria used for practical screening (also known as screening for
inclusion) are listed below:
- C1: The abstract of the articles/studies is relevant to the review’s research question
- C2: The articles/studies are written in English
- C3: The articles/studies are within a time span of 10 years: 2006 – 2016
- C4: The articles/studies are published and available fully online in renowned journals/databases
Therefore, a set of questions (screening for inclusion questions - SIQ) was built up using the above-
mentioned criteria:
Table 2: Screening for Inclusion Questions

| No. | Question | Criteria correspondence |
|---|---|---|
| SIQ1 | Is the study/article relevant to IS Auditing and developing countries? | C1 |
| SIQ2 | Is the study/article written in English? | C2 |
| SIQ3 | What is the year of publication? Is it between 2006 and 2016? | C3 |
| SIQ4 | Is the study/article fully available online? | C4 |

The number of the articles brought forward for the next phase was 42. One may argue that the number of
articles selected might not be sufficient. However, this was expected, given the fact that Information
Systems and Information Technology Auditing is an ongoing developing area in the developing countries.
Discussion: Reading the abstracts to screen all found articles was tough work. However, this work has
been seen as a learning curve. So, after a number of articles the process became smoother thanks to the
experience accumulated in doing so.
A special situation arose when an article was spotted as having the same title, but with two different
authors (an empirical study from Saudi Arabia). It turned out that the title of article and the abstract were
somehow misleading and the article didn’t treat any case from Saudi Arabia. Instead, the study was
focused on Egypt. Moreover, it wasn’t related to information systems auditing, but more on accounting
regulations in the case of Egypt.
This sort of situation may consume plenty of time of the reviewer if it’s happening often. So, relying
100% on the accuracy of the databases consulted could be tricky and may pose some pressure on the
reviewer.
One important note about Web of Science is that the search done using the keywords defined previously
in this thesis, retrieved plenty of articles from the field of medicine and associated areas.
These are just two examples which are reflecting the potential “noise” a researcher may face while
searching for the literature. Such kind of “noise” involves a tremendous waste of time and energy to sort
it out, with a direct impact on the research work. So, from this perspective, it is strongly recommended
that the researcher allocates additional time for this step of SLR.
3.3.3 Quality Appraisal (S5)
Also known as “screening for exclusion”, this step aims at evaluating the found articles to judge whether
the articles/studies are valuable for the review (Okoli and Schabram, 2010). So, the quality of the articles
is weighted and the researcher has to decide if the article has enough quality to qualify for the next step of
the systematic review.
Normally, the first screening (“Practical Screening”) would have already helped the reviewer to get an
idea regarding the level of quality of the collected articles (Okoli and Schabram, 2010). So, “Quality
Appraisal” is expected to take this advantage further.
Okoli and Schabram consider this step as being of a major importance for the review of the literature.
Therefore, they suggest as being necessary to define stricter criteria to filter the articles and studies for a
good quality review.
In the case of this thesis, the criteria used for this step were based on a set of questions. These questions
were found appropriate for a proper and stricter filtering of the articles and studies retrieved previously.
So, the set of “screening for exclusion” questions (SEQ) is listed in the following table:
Table 3: Screening For Exclusion Questions

| No | Question |
|---|---|
| SEQ1 | Is the article related to developing countries in general or a particular developing country? |
| SEQ2 | Do the author(s) talk about Information systems/information technology auditing? |
| SEQ3 | Do the author(s) mention any challenges, difficulties and issues faced by developing countries in terms of information systems auditing? |

From the practical point of view, Okoli and Schabram propose to use the suggestion of Fink. They advise
on using a grid-like structure where criteria are answered per each study or article.
For this thesis, the technical and practical approach was to combine the reference tool used in the
“Literature Search” (S3) with the annotation capabilities of MS Word and Adobe Reader. Additionally,
a customized structure of folders and subfolders was used, where all retrieved articles were stored during
the step of practical screening. All this effort was consolidated in a table containing the articles and
studies which qualify for the next step of this endeavor.
At this stage, some inspiration was taken from Wolfswinkel et al. (2013) in terms of how to organize the
work as well as some guidance given by Webster and Watson (2002).
Webster and Watson (2002) suggest using a matrix of concepts where articles and studies are summarized
and, a so-called meta-data is extracted and stored per each study/article. This is somehow in line with the
suggestion of Fink outlined above.
Therefore, the table concluding the results of this step was constructed based on the table used in the
previous step. This table was enriched with the instructions retrieved from the above-mentioned articles in
order to answer to the needs of Quality Appraisal step. For the articles and studies kept for the literature
review, the following meta-data was also stored:
- The title of the paper,
- The year of publication,
- The research approach/method
- The purpose of the paper.
Having these practicalities established, the work began with the analysis of each article from the set
of 42 articles brought forward by the previous step, Practical Screening.
At the end of this effort, 23 articles were able to meet the criteria mentioned in the beginning of this step.
In other words, all 23 articles answered with yes to all three “screening for exclusion” questions (SEQ1,
SEQ2 and SEQ3). The excluded 19 articles were related to developing countries (SEQ1), but not to SEQ2
or SEQ3.
Out of 23 selected articles, 17 are journal papers and 6 are conference papers. Also, in terms of the
methodology used, the survey was used as a methodology in 14 articles, 5 articles were using mixed
methods, 3 were using case studies and one was a review paper (this categorization was done by using the
guidance of Denscombe, 2014).
So, a number of 23 articles were carried over for the final literature review. A comprehensive list of the
selected articles is provided in Appendix A.
Discussion: For this step, 42 studies were analyzed and screened for inclusion. This step has been done
by carefully reading each study.
Wolfswinkel et al. (2013) suggest that at this stage the reviewer has to read the title, abstract and some
more text. For this thesis, it has been decided to read also the introduction, discussion and conclusion.
Despite the huge amount of information and the fact that the screening for exclusion stage was done by
only one researcher, it has been decided to also read the sections dedicated to research methodology,
because it has been seen as important for this review.
Although the practical setup of tools was seen initially as being “bulletproof”, there was a need to do
some manual verification and double checking to ensure the accuracy of this step. Also, it was necessary
to use an iterative process to exclude the non-relevant articles and to keep the appropriate articles for this
study.
Of course, the set of questions used to screen the articles for exclusion could be considered too broad and,
hence, a target for interpretation. Given the research question which drives this study, it has been
considered necessary to include all articles and studies which positively answered all questions used for
quality appraisal step.
3.3.4 Data Collection/ Extraction (S6)
This step aims at collecting data in a raw format to be used for the next step of this method, Analysis of
Findings (Okoli and Schabram, 2010). Therefore, the Data Collection/Extraction step is seen as a crucial
stage in the whole process (Okoli and Schabram, 2010).
Normally, after finishing the previous two steps (Practical Screening and Quality Appraisal), the reviewer
has got a clear picture of the articles and studies which are going to be included in the review. The list
compiled through these two iterations is going to be the foundation of the review (Okoli and Schabram,
2010).
Data collection/Extraction step is another iteration of reviewing the found articles. The goal of this
iteration is to extract systematically all information from each article in order to use it as input for Data
analysis step (Okoli and Schabram, 2010).
Given the above-mentioned aspects, each article was reviewed again and evaluated to ensure that it is
valid for the literature review.
Denscombe (2014) is mentioning that a good practice about literature review is to provide a table
tabulating basic information about each article which has been reviewed in a systematic literature review.
Therefore, additional information was extracted during this step and summarized in the table from the
previous step (Appendix A).
Discussion: This step was useful for this review because it helped to get more insight from the selected
articles.
From the practical perspective, Okoli and Schabram (2007) strongly advise that the reviewer has to
annotate the extracted raw data in order to provide early evidence related to the studied topic.
Given the fact that all articles retrieved were in PDF format, the annotation was done using the built-in
annotation mechanism of Adobe Reader.
The huge amount of information put a lot of pressure on the ability to process this big volume of articles
and studies. Therefore, a strict timeline was set in order to reach the end of the list of articles included in
the review.
3.3.5 Data Analysis/Analysis of Findings (S7)
This is the step when the reviewer synthesizes the findings. This synthesis should be of good enough
quality to be used in the last step of this method, Writing the Review (Okoli and Schabram, 2010).
Normally, the inputs of Data Analysis step are the articles which were screened, selected and quality
appraised in the previous steps (Okoli and Schabram, 2010).
From the procedural point of view, the method for literature review developed by Okoli and Schabram
(2010) suggests that this step could be conducted by using an approach which may be qualitative,
quantitative or a combination of both ways. By complementing the descriptive, qualitative analysis with
quantitative synthesis, the data analysis could help in the process of ensuring relevance in presenting the
review (Kitchenham, 2004). However, this kind of combination seems not to be widely used in reviews of
the literature (Kitchenham, 2004).
Therefore, in the case of this thesis, the data analysis for this literature review has been done in a
qualitative manner. This seemed to be relevant for this review, given the research question defined in the
first chapter.
There are many methods for analysis and synthesis of data. For instance, to qualitatively analyze the
retrieved data some authors are arguing that there are some predominant approaches. The main options of
qualitative data analysis are Conversation Analysis, Content Analysis, Discourse Analysis, Narrative
Analysis and Grounded Theory (Denscombe, 2014).
All these methods were reviewed and weighted by referring to the research question and the goal of this
research. Following this process, it has been decided to use Grounded Theory for this thesis. Also, given
the amount of data retrieved in the previous steps, using Grounded Theory has been seen as a natural
choice.
Therefore, the techniques of grounded theory based data analysis were revisited (using Denscombe,
2014). Additionally, inspiration was taken from Wolfswinkel et al. (2013) from where the technical
aspects were borrowed and adapted to this research work.
Developed about 50 years ago by Barney Glaser and Anselm Strauss, Grounded Theory became a popular
choice in the research field. Grounded Theory is a way to create theory by the means of empirical
fieldwork (Denscombe, 2014). Moreover, Grounded Theory could be used in those research works where
there is a need to use iterations to analyze the existing evidence by constantly referring to the existing
fieldwork data (Denscombe, 2014).
In the last years, Grounded Theory has been seen to be widely used in the research field of Information
Systems due to its rigorousness (Wolfswinkel et al., 2013).
Given the recognized fact that the method of systematic literature review is seen as a rigorous approach to
reviewing the existing academic data about a certain topic (Kitchenham, 2004; Keele, 2007), using
grounded theory to analyze data was considered as the most suitable way for this thesis to evaluate the
retrieved articles in the previous steps.
Wolfswinkel et al. (2013) came up with the idea of using Grounded Theory in the literature reviews in
order to get the most valuable information out of the previously retrieved set of articles and studies.
When it comes to analyzing the retrieved information, Wolfswinkel et al. (2013) propose to use the key
ingredients of Grounded Theory:
Open coding
Axial coding and
Selective coding.
Open coding is the first phase in doing data analysis when grounded theory is involved. This coding is
also called initial coding; here the reviewer goes through the data and marks the important parts by adding
a descriptive name (Denscombe, 2014; Khandkar, 2009).
In the beginning, the open codes are expected to be quite general and there might be situations when the
reviewer has to link the codes to larger blocks of text (Denscombe, 2014) instead of linking the codes to
words, expressions or sentences. These codes could be seen as temporary, as long as the codes are
revisited and distilled in more conceptualized codes (Denscombe, 2014; Khandkar, 2009). In other words,
during these iterations, the reviewer is supposed to be able to extract meaningful information. This
information could roughly draw the findings of the research, because, at this stage, a relationship between
the codes could be observed (Denscombe, 2014).
From the practical point of view, Wolfswinkel et al. (2013) introduce the concept of the excerpt and
suggest that during the open coding phase the reviewer is expected to build up a “stack of excerpts”.
During an additional iteration, these excerpts are re-visited and carefully read aiming at extracting the
codes.
Wolfswinkel et al. (2013) go further and point out that the open coding is very critical for the whole
process because, at this moment, the reviewer will be able to draft the study’s findings through the
distillation of excerpts in a set of concepts and insights.
As soon as the open coding does not reveal any new code, the reviewer has to move to the next phase:
axial coding.
Axial coding aims at grouping the codes discovered by open coding and organizing them into categories
and sub-categories (Denscombe, 2014). During the axial coding, the reviewer has to focus mainly on
the identification of key categories in order to prepare for the next phase, selective coding.
The selective coding takes as input the codes, sub-categories and categories derived from these
codes after the previous two phases were finished. Wolfswinkel et al. (2013) recommend that the
reviewer has to also look at the relationship between categories, because this will help the reviewer to
further put together all pieces of the puzzle.
The output of this final phase is a set of core concepts. Around these concepts, the reviewer is going to
build up the theories that can explain the phenomenon (Denscombe, 2014).
Also, at the moment of selective coding, it is important to theorize on the main categories in order to build
up a single reasoning around the interrelations between the main categories (Wolfswinkel et al., 2013).
During this process of coding, it is important that the reviewer is engaging in a constant comparison of the
findings. In such a manner, the reviewer will be able to constantly check whether the codes, categories
and sub-categories are up to date and there are no duplicates (Denscombe, 2014; Wolfswinkel et al.,
2013). These duplicates could become noisy for the research process and time-consuming for the
reviewer if there is no real-time comparison of the newly emerged codes, categories and sub-categories to
the existing ones.
As observed above, each of the three phases of coding is, in some sense, an iterative process because the
reviewer has to go back and forth between papers, to double or triple check the codes or excerpts, to
revisit several times the emerged categories and sub-categories in order to keep a discipline of findings
(Wolfswinkel et al., 2013). This is quite sensitive and very important for the final report and could easily
jeopardize the whole research work. Moreover, it is very effort intensive and time-consuming for the
reviewer.
This effort of evaluation and analysis of the selected set of articles and studies actually gives the reviewer
an idea of what may be expected from the remaining texts (Wolfswinkel et al., 2013). In other words, this
is also called theoretical sampling because during this sampling the reviewer is looking for signs which
are leading to concepts. Later on, these concepts are going to be examined how they may vary in different
setups/environments (Denscombe, 2014).
When all papers (studies/articles) were read and no other concepts, categories or links between categories
are emerging, the review work is reaching the theoretical saturation (Wolfswinkel et al., 2013).
In order to have a better reflection of the analysis and due to the needs to have a proper logical
organization of this thesis, it has been decided to present more specific details on how the analysis of the
data was performed in the chapter “Analysis and Results”.
3.3.6 Writing the Review (S8)
This is the final step in the research work based on a Systematic Literature Review. This is going to be
addressed in the chapter dedicated to findings of the research work done in this thesis. The findings, as
well as the conclusion of this work, are part of this last step of Systematic Literature Review as per Okoli
and Schabram (2010).
3.4 Validity and reliability
It is crucial for a researcher to ensure that the study achieves an adequate level of scientific quality. This
has to be addressed from the early stages of the research in order to answer any potential critique (Leung,
2015). Like any scientific research, a systematic literature review has to be trustworthy and the output of
the review has to be based on acknowledged practices for good research (Denscombe, 2014).
Therefore, a researcher has to strive to fulfil aspects such as validity and reliability (Leung, 2015).
Validity encompasses the appropriateness of the research methodology, data collection, data analysis as
well as the analyzed data, so that the research question can be answered (Leung, 2015). This study
employs the systematic literature review for information systems research proposed by Okoli and
Schabram (2010). This is a process based on eight steps aiming at retrieving the literature in a systematic
and rigorous manner. Using this research methodology was considered to be a good and proper choice
since it was designed for literature reviews in the field of information systems. Also, the process describes
extensively the specific way how to search, include and exclude the retrieved studies, how to assess the
quality and how to write the review.
The literature search was done using more than one literature outlet in order to get as many studies as
possible to sustain a comprehensive coverage of the topic. Choosing six specific subject databases such as
IEEE Xplore, Emerald Insight, Scopus, EBSCO, Web of Science and ACM Digital Library was dictated
by the suggestion made in the guidelines of the systematic literature review and by the fact that they offer
electronic access to most of the published literature (Okoli and Schabram, 2010). So, the validity of
the retrieved literature is linked to the credibility of the sources used during the research. Since these
sources are well-known academic sources provided by the online library of Stockholm University, this is
considered as being another factor which ensured the validity of this research work.
Additionally, the retrieved studies were analyzed by adopting the method for rigorously reviewing
literature of Wolfswinkel et al. (2013). The retrieved codes were constantly compared in order to comply
with the need of having a “constant comparison” (Leung, 2015) and to be in line with the principle of
“constant comparative analysis” as highlighted by Wolfswinkel et al. (2013). Also, in the process of
coding, the codes were iteratively distilled by engaging the key principles of Grounded Theory
(Wolfswinkel et al., 2013). The Grounded Theory was also used to generate the theory.
Lastly, the validity was ensured by paying attention to how the study reached the theoretical saturation.
Of course, the theoretical saturation is a subject for debate (Wolfswinkel et al., 2013) and is linked to the
resources involved in the research. The theoretical saturation was achieved by combining two aspects.
The first one is related to the basic rule of literature search: the search stops when the articles found
through repeated searches on target literature outlets are duplicates (Okoli and Schabram, 2010). So,
when the search triggered a significant number of duplicates, the search was stopped. The second aspect
is connected to the analysis of the papers. In this respect, the analysis was performed until all papers were
carefully read and until the new codes had the tendency to overlap the existing ones.
In order to ensure the reliability of a systematic literature review, the reviewer has to provide clear
evidence on how such a study could be reproducible (Okoli and Schabram, 2010; Leung, 2015). To cope
with such requirement, the literature review has to document carefully each step, action and decision
taken during the research process (Okoli and Schabram, 2010; Denscombe, 2014). Therefore, significant
attention was given to the way how the research was conducted for this master thesis. The steps of the
systematic literature review of Okoli and Schabram (2010) were strictly followed and documented. The
reasoning related to different choices made throughout the research was also documented. The way how
the selected articles were filtered was discussed in depth and the criteria used for filtering were presented
to the reader. Furthermore, all problems faced during the research method application were presented in a
transparent way. Statistical aspects of the literature overview were compiled and presented in a
meaningful way through tables (Leung, 2015) and graphs.
As mentioned above, the data analysis of this thesis was conducted by means of Grounded Theory using
the guidelines of Wolfswinkel et al. (2013). To stay in line with the need of having a reliable research, the
study followed a similar approach as for SLR in terms of reliability. This is reflected in Chapter 5. All
three phases of coding were detailed, including which set of tools was used, how the work was done, what
challenges arose and how they were approached. Also, the retrieved codes were explicitly mentioned and
mapped to the selected articles for the review.
Finally, even though anyone could replicate the research conducted in this study based on the facts listed
in this section, the results might be different. This could be linked to new developments in the area of
Information Systems Auditing (new literature emerges as time progresses) or could be linked to new
improvements in the searching algorithms used by literature outlets.
4. Literature Overview
In this chapter, the reader gets an overview of the characteristics of the articles brought forward from the
previous chapter. Aspects such as the research methods used by the selected articles, type of publication as
well as geographical dispersion are visualized through diagrams.
In total, twenty-three articles were reviewed.
From the methodological point of view, these papers were categorized as follows: 14 articles were using
the survey as a research method, five articles were using mixed methods, three were case studies and one
was a review paper. As stated in the previous chapter, the categorization was done by using Denscombe
(2014) as a guideline.
Figure 3: Research methods
[Bar chart "Research methods"; categories: Survey, Mixed Methods, Case Study, Review]
As seen in Figure 4, from the publication type perspective, 17 were papers published in various journals
and the rest were conference papers.
Figure 4: Highlighting the type of publications
[Bar chart "Publication Type"; categories: Journal, Conference Papers]
This thesis targeted the articles and studies published during a particular decade: 2006 – 2016. The
screening for inclusion/exclusion revealed that the largest number of articles were published in 2011 (seven
articles). However, there were four years without any published article or study included in this review.
Figure 5: Clarifying the time of publication
[Bar chart "Number of publications per year"; x-axis: 2006 to 2016]
This research work focuses on developing countries. It was therefore considered suitable to include in the
literature overview a geographical dispersion of the reviewed articles per continent. In order to do
so, during this work, the information about the country targeted in the reviewed articles was also
collected. Then, each country was associated with a continent based on the information provided by the United
Nations Geospatial Information Section web site.
As illustrated in Figure 6, from the geographical dispersion perspective, the majority of articles included
in the review are from Asia (18 out of 23 articles), then four are from Africa and only one is from Europe.
Figure 6: Geographical distribution of articles per continents
[Bar chart "Geographical dispersion of articles per continents"; categories: Africa, Asia, Europe]
5. Analysis and Results
This chapter reflects how the data retrieved from the literature review were analyzed. Also, it reflects the
open codes, axial and selective codes retrieved using the guidelines of Wolfswinkel et al. (2013) so that
the theory could be built under the scope of grounded theory. Lastly, it presents the findings of the review
in order to fulfill the last step of SLR method developed by Okoli and Schabram (2010).
As previously stated, Okoli and Schabram (2010) point out that the step of “Data Analysis” is one of
the crucial steps of the systematic literature review method. Data analysis relies on the
properly assessed, screened and qualitatively evaluated list of articles retrieved in the previous steps of
Okoli and Schabram’s method. They also recognize that the synthesis or analysis of the articles and
studies is a complicated stage and the reviewer may face some challenges in finding the way through.
The previous overview of the literature highlighted that 23 articles and studies had been
retrieved by the time the Data Analysis step had to start. The analysis followed
the suggestion of Wolfswinkel et al. (2013), so the coding process began. Denscombe (2014)
suggests as a good practice to use dedicated software for qualitative data analysis. In such a way the
researcher can code the retrieved data more easily. Also, this sort of software helps in building up the
categories and concepts out of the fetched codes (Denscombe, 2014).
Therefore, for the need of this thesis, NVivo 10 was employed. This qualitative data analysis tool
developed by QSR International (http://www.qsrinternational.com/product) seemed to be suitable for the
needs of this literature review. However, the tool is not free, being under a commercial license.
Nevertheless, QSR International offers the opportunity to use NVivo 10 in a trial mode for 14 days. Given
the fact that NVivo 10 was not found in the Stockholm University portfolio of software for students, the
14-day trial version was used for coding and the development of the categories and concepts.
NVivo 10 has a quite intuitive interface; however, a period of one week was dedicated to understanding
how it works and to getting the most out of it, given the short trial period. All 23 articles were imported into the
tool. The excerpts extracted during previous steps of SLR helped to get a baseline before the start of the
data analysis. Also, as previously stated, plenty of annotations were made by using the existing
capabilities of Adobe Reader and Microsoft Word. These annotations were also imported and linked to
the corresponding article or study. These activities were time-consuming and involved plenty of work.
However, there was some manual work before getting used to NVivo. So, some articles were coded using
the old school method: pen and paper. These articles were scanned and revisited to add the info to the
final output.
Having all these practicalities settled, the process of open coding, axial coding and selective coding was
perceived as being less complex.
Wolfswinkel et al. (2013) argue that a literature review based on Grounded Theory has to be transparent.
Moreover, a systematic literature review has to be reproducible (Denscombe, 2014). So, because of the
need of this review to be rigorous, reproducible and transparent, the open coding, axial coding and
selective coding are going to be clarified and explained during this chapter.
5.1 Analysis of the articles by means of Grounded Theory (open, axial and selective coding)
5.1.1 Open Coding
Open Coding or initial coding has started by carefully reading each annotation per selected article in order
to identify particular notions or opinions which may help in the coding process. An important task at the
beginning of open coding is to define units or to “unitize” the data (Denscombe, 2014). This could be
done by focusing on words, lines of text, complete sentences, and paragraphs (Denscombe, 2014). Given
the amount of data, this thesis used a combination of the mentioned units. This helped the reviewer to
capture as much information as possible to “codify” the articles.
Little by little, by constantly comparing the findings (as suggested by Denscombe, 2014), it was
possible to consolidate codes with the same meaning even though they appeared in different wording
or phrasing in the articles read.
There were situations when the same expressions were found written in different words in several articles.
Therefore, it was decided to merge them into one code in order to keep a consistent approach.
While analyzing the data, the reviewer was confronted with the way some articles were
written. It is important to mention that some articles had odd phrasing or
sentences structured in such a way that the meaning was a bit fuzzy. Perhaps this is to be
expected, since English is not the native language of the writers and proofreading was probably
not done properly.
There were situations when, in the same article, the authors used words or expressions which might be
interpreted in the same sense (example: “management pressure”, “management personal influence” and
“management intrusion”). Given the fact that the subjectivity of the reviewer might be a target for discussion,
to avoid any inference it was considered appropriate to apply the same code to expressions or words with
the same message or meaning. This decision was based on the recommendation of Denscombe (2014),
who suggests that the principles of grounded theory have to be applied in research with an open
mind. This gives the reviewer some room for maneuver, so that the analysis can be done in a
creative manner.
After the first round of open coding, a number of 114 codes were extracted. Given the complexity of
handling such amount of codes, another more in-depth iteration took place by a continuous comparison,
back and forth, of the initial codes (Urquhart et al., 2010; Denscombe, 2014; Wolfswinkel et al., 2013).
After this iteration, from all 23 selected articles, a number of 69 codes were identified. The list with all
these codes is presented in Appendix B.
5.1.2 Axial Coding
After finishing the open coding, the list of codes was revisited and the axial coding stage began.
Schlagenhaufer and Amberg (2015) are pointing out that axial coding is a stage when the reviewer has to
proceed in an inductive and a deductive manner so that the previously retrieved codes could be correlated
into categories and subcategories. Also, this has to be done iteratively by continually refining the axial
codes and by comparing the already defined categories in order to avoid duplicates or similar categories
(Paagman et al., 2015).
Therefore, the articles were analyzed again and the codes were grouped based on their relationship.
Initially, it was very hard to find a way through. The process of axial coding was demanding for the
reviewer because of the difficulty in handling such a large amount of information.
Again, the open mind principle of grounded theory was employed and another iteration of the axial
coding was started, using a diagramming tool to better visualize the relationship between the codes.
For this stage of the coding, the diagramming tool chosen was Dia. This tool is free, open source
software, with a quite simplistic interface, but good enough to answer the needs of this research.
According to Wolfswinkel et al. (2013), in the beginning of axial coding, the task of building up the
relationship between codes is more subjective rather than rigorous. To address this situation the articles
have to be carefully read and methodically assessed to see whether there are other ideas which may
emerge. Hence, the articles were reassessed in order to determine whether the already developed
sub-categories correctly comprised the codes retrieved during the open coding. In the situations when
adjustments were needed, the newly emerged sub-category was compared to the existing ones. Then, if
it was clear that it did not overlap with or duplicate an existing one, the new sub-category was added.
After this stage, a number of 17 subcategories were identified. The listing of these sub-categories is done
in section 5.2, as well as in Appendix C.
5.1.3 Selective Coding
In the last stage, selective coding was engaged to refine and integrate the core concepts of this review
(Wolfswinkel et al., 2013). Also, at this stage, the reviewer has to theorize and abstract the main
categories (core concepts) (Wolfswinkel et al., 2013) by using an iterative conceptualization with a
certain focus on the relationship between categories (Urquhart et al., 2010).
During the “Selective Coding”, the main categories were refined by having in mind the suggestion of
Wolfswinkel et al. (2013): this stage has to be done by looking at the main categories from the
perspective of the research question used in the research or from the viewpoint of the subject of the
review. For this thesis, the research question-based approach was used in order to refine the main
categories of this review.
The work done during the Selective Coding resulted in getting six abstract categories. They are the
drivers which are shaping “the story to be told” (Wolfswinkel et al., 2013).
The six main categories are depicted in Figure 7, in the next section of this chapter.
5.2 State the identified codes (concepts) explicitly
To organize the coding, Wolfswinkel et al. (2013) suggest ways regarding how to document the found
codes from the selected set of articles. These suggestions are more at a general level.
Therefore, some inspiration was taken from Yang and Tate (2012), El-Gazzar (2014), Hjalmarsson et al.
(2014), Paagman et al. (2015) and Schlagenhaufer and Amberg (2015). This was seen very appropriate in
the case of this thesis, because the need to have a proper organization of the codes, subcategories,
categories (core concepts) has been seen as being crucial for building up the theory around them.
Moreover, given the difficulties of finding a rigorous way to group the open codes, the grouping was done
during the axial coding by using the method K-J. This method is also known as affinity diagramming and
aims at using a systematic way to assess and agree on a classification (as suggested by Yang and Tate,
2012).
According to the ASQ website (Affinity Diagram - ASQ, 2016), the method K-J is suitable for works
when there is a need to organize a big quantity of information in order to develop their natural
relationship. It could be used when there is a perceived idea of an apparent chaos, when the issues are too
complex and seem too wide to be easily followed (Affinity Diagram - ASQ, 2016).
Practically, the method K-J consists of using a certain number of sticky notes and a large work surface
(wall or table). Then, each fact or idea is written on the notes and spread on the work surface in a random
order. Then, notes which look to be related to each other are gathered until nothing remains. Finally, the
reviewer has to reflect on each group and try to find a heading. If it is necessary, the reviewer may consider
regrouping the headings in “super groups” (Affinity Diagram - ASQ, 2016).
Given the amount of information reviewed by this research work and the fact that it was necessary to
organize the codes, it has been found appropriate for this thesis to use this method in order to find the way
through the “Axial Coding” stage.
The affinity diagramming was used during the “Selective Coding” in order to integrate and refine the
sub-categories into the main categories. Also, the suggestion of Yang and Tate (2012) and Schlagenhaufer and
Amberg (2015) was taken further and the main categories were validated against the top level categories
of the classification scheme for keywords identified as being used in the information systems research.
This is a scheme developed and updated by Barki et al. (1993).
5.2.1 The codes explicitly stated
Initially, the table with the identified open codes was seen as part of this section. However, due to the
complexity of the matrix it has been decided to include it in a dedicated appendix – Appendix B, where
the open codes were stated explicitly in alphabetical order.
By mapping the articles to the codes, another matrix has been developed. This matrix is included as well
in Appendix B.
5.2.2 The categories and sub-categories explicitly stated
The emerged sub categories are:
Table 4: Highlighting the Emerged Sub-Categories
Emerged Sub-Categories
Laws and legal framework
Regulations
IS Audit Policy
IS Audit Standards
Cost
Business characteristics
Management
Technology
Employees perception of IS Audit
IS Audit Job
Academic
IS Professional training and certification
IS Technical knowledge
Job related Skills
Knowledge base
Change Perception
Awareness
And the refined main categories emerged are:
Table 5: The final Main Categories
Main Categories
Legislation
Policy and standards
Organizational
Human Resources
Educational
Cultural
5.3 Present the results through concept matrices
Finally, the consolidated view of the coding is presented here:
Table 6: The classification of categories and sub-categories
Selective Coding | Axial Coding | Open Coding
Legislation | Laws and legal framework | Two open codes
Legislation | Regulations | Two open codes
Policy and standards | IS Audit Policy | Four open codes
Policy and standards | IS Audit Standards | Two open codes
Organizational | Cost | Three open codes
Organizational | Business characteristics | Six open codes
Organizational | Management | Seven open codes
Organizational | Technology | Four open codes
Human Resources | Employees perception of IS Audit | Four open codes
Human Resources | IS Audit Job | Six open codes
Human Resources | Job related Skills | Six open codes
Educational | Academic | Four open codes
Educational | IS Professional training and certification | Five open codes
Educational | IS Technical knowledge | Four open codes
Educational | Knowledge base | Four open codes
Cultural | Change Perception | Three open codes
Cultural | Awareness | Three open codes
Given the initial complexity of the concept matrix, it has been chosen to use the above representation.
However, a more comprehensive matrix is included in Annex C. This matrix also includes the number
of articles where the open codes were found. The numbers are given in parentheses.
From the perspective of the research question which drives this research and to have a better
visualization, a diagram was built up to present the main categories. This diagram was drawn based on the
recommendations of O’Connor (2012):
Figure 7: The Diagram of the Main Categories
5.4 Identify strengths, weaknesses and gaps in the literature
The review of the existing literature concerning the research question revealed that there are many
challenges, difficulties and issues which are experienced by developing countries concerning IS Audit.
They relate to legislation, policies and standards, organization, information systems audit as a whole,
culture and education. As mentioned in the first section of this chapter, these are the core concepts which
are framing the story to be told (Wolfswinkel et al., 2013) and are described more in detail in this section
of this chapter.
Moreover, this part of the thesis aims at fulfilling the last step (Step 8 – Writing the Review) of the
systematic literature review method developed by Okoli and Schabram (2010). To do so, the suggestion
of Wolfswinkel et al. (2013) was employed for this step. They recommend that the building of theory has
to involve creativity. Also, the theory could be built up by analyzing the literature and broadening the
existing theoretical model, by using common sense or experience. In this thesis, it has been decided to
combine them in order to come up with a comprehensive view of the reviewed articles.
5.4.1 Legislation
Legislation related challenges, difficulties and issues faced by developing countries from the perspective
of IS Audit comprise “Laws and legal framework” and “Regulations”.
From the perspective of “Laws and legal framework”, developing countries are encountering various
challenges and issues regarding the clarity of laws or how the government supports the implementation of
laws with regard to IS Audit.
There are multiple pieces of evidence related to the fact that there are some laws, but it is clear that the
existing laws are not enough to sustain the need of the organizations from the developing countries (Maria
and Hariyani, 2011; Nkwe, 2011; Upadhyaya et al., 2012; Wahdan et al., 2008).
Also, the confusing and cumbersome nature of the existing laws, combined with excessive bureaucracy, puts a lot
of pressure on those organizations which are aiming at implementing and using IS Audit (Mahzan and
Veerankutty, 2011; Salehi and Husini, 2011; Upadhyaya et al., 2012; Mozhgani et al., 2014). Hence, the
developing countries need to complete the existing legislation with laws which are simpler and adapted to
the reality from the field or to the local specificity (Nkwe, 2011; Maria and Hariyani, 2011; Upadhyaya
et al., 2012).
The beneficial role of having a clear legislation is recognized as being the foundation of a proper
regulation of the IS Audit at the national level (Mahzan and Veerankutty, 2011; Nkwe, 2011; Upadhyaya
et al., 2012). However, governments don’t have enough expertise or resources in making the legislation
more accessible for the organizations, keeping the confusion at a very high level (Salehi and Husini,
2011; Mahzan and Veerankutty, 2011; Nkwe, 2011; Upadhyaya et al., 2012).
To cope with the inconsistency of legislation and the shortage of laws, some countries started to adapt laws
used by Western countries to their needs. However, due to differences at the national legal framework level,
this direction added an additional layer of confusion to the adopted legislation concerning IS Audit
(Nkwe, 2011; Upadhyaya et al., 2012; Wahdan et al., 2008).
Of course, the legislation related to IS Audit has to be implemented by the government or delegated
ministries and agencies (Nkwe, 2011; Razi and Madani, 2013; Upadhyaya et al., 2012; Wahdan et al.,
2008). In this context, the government and ministries are urged to take the lead in adopting the right
approach for regulation of IS Audit. Also, the reviewed articles are talking about the need for government
support to promote the IS Audit legislation in order to have a wider awareness on this matter (Bani-
Ahmad and El-Dalabeeh, 2014; Mahzan and Veerankutty, 2011; Mozhgani et al., 2014).
When it comes to regulations, some articles are highlighting the fact that the lack of IS Audit regulations
is a major issue and there is an acute need to address this shortage (Al-Ansi et al., 2013; Mahzan and
Veerankutty, 2011; Nkwe, 2011). Also, the existing literature recognizes the usefulness of having IS
Audit regulations in order to help businesses to cope with the potential IT risks (Nkwe, 2011; Nijaz et al.,
2011). Therefore, it is important for developing countries to adopt a proper framework of regulations
which will reduce the gap between them and the more advanced countries. This has to be done in
concordance with national legislation in order to avoid any potential weaknesses (Al-Ansi et al., 2013;
Mahzan and Veerankutty, 2011; Nijaz et al., 2011).
As it happens in the case of legislation, IS Audit regulations are also perceived as being confusing or even
contradictory (Mahzan and Veerankutty, 2011; Razi and Madani, 2013; Upadhyaya et al., 2012). This
may happen in cases where there is a decentralized administration, so that the country’s highest-level
regulations may be contradicted by regulations adopted at a lower level of the administration. On the
other side, when national regulations are lacking consistency or are difficult to apply, countries are
adopting the rules imposed by the national bank or similar bodies that are filling the regulatory gap
(Nkwe, 2011; Nijaz et al., 2011).
5.4.2 Policies and Standards
“Policies and Standards” are coming to support and complement the “Legislation” and, therefore, are seen
at the same level of importance. The challenges and issues related to “Policies and Standards” consist of
“IS Audit Policy” and “IS Audit Standards”.
In the context of IS Audit Policies, it is important to mention that the lack of the IS Audit policies has an
important impact on how organizations from the developing countries are dealing with IS Audit. The
importance of policies is recognized, given the fact that the policies are promoting a proper regulatory
environment. However, the absence or shortage of IS Audit-related policies has a negative effect on how
organizations are mitigating the potential IT risks (Nkwe, 2011; Upadhyaya et al., 2012).
Moreover, in those countries where the policies already exist, the existing literature acknowledges that
those policies must be continuously updated to respond to the advancements of information
technology, as well as to the challenges of the new risks associated with an environment as ever-changing
as IT is perceived to be (Nkwe, 2011).
Furthermore, in the countries where the IS Audit policies were observed as being in place, it has been
reported that there is a limited compliance with those IS Audit policies (Nkwe, 2011; Nijaz et al., 2011;
Rafiei and Moeinadin, 2014). Perhaps, this is linked to an inadequate implementation of IS Audit. The
issue of lacking or poor implementation of IS Audit is happening in those organizations where there is a
weakness in the level of understanding of what the IS Audit policies are for. This is occurring despite the
fact that the importance of these policies is recognized in most cases (Al Lawati and Ali, 2015;
Rafiei and Moeinadin, 2014).
Similarly, the reviewed articles are mentioning that there is a lack of best practices in the IS Audit field.
Even though the importance of the IS Audit best practices is beyond dispute when it comes to
helping an organization to better protect their IT assets (Nkwe, 2011; Bani-Ahmad and El-Dalabeeh,
2014), the developing countries are lacking in using and/or adopting best practices (Bani-Ahmad and El-
Dalabeeh, 2014). Moreover, in the cases where best practices are used, they are in a basic format and
therefore there is a need to align them with the current, internationally recognized best practices (Bani-
Ahmad and El-Dalabeeh, 2014; Purwoko, 2011; Puspasari and Yuwono, 2013).
In line with challenges and issues related to IS Audit Policies, IS Audit Standards are also mentioned as
demanding a lot of efforts and work from the developing countries concerning the IS Audit.
Lacking adoption of standards in the IS Audit field has been reported by a significant number of articles.
While the international standards are quite known in the developing countries, the organizations are
avoiding adopting such standards and they try to use either internally developed procedures or national
standards (if they exist) (Abuazza et al., 2015; Nijaz et al., 2011; Salehi and Husini, 2011).
Moreover, the adoption of IS Audit Standards is hindered by the level of understanding of what an
Information Systems Audit Standard is. This is observed amongst IS Audit professionals as well as at the
level of the decision makers (Abuazza et al., 2015; Al Lawati and Ali, 2015; Bani-Ahmad and El-
Dalabeeh, 2014; Maria and Ariyani, 2014; Upadhyaya et al., 2012).
On the other hand, the adoption of IS Audit standards is seen as being in a better shape in the case of
businesses which are in business relations with the companies from the developed countries. In such a
way, those businesses are obliged to adopt international IS Audit Standards in order to comply with the
requirements coming from their business partners (Abuazza et al., 2015; Nijaz et al., 2011). A similar
situation is in the case of businesses which are listed on the stock exchange (Abuazza et al., 2015; Nijaz et
al., 2011; Salehi and Husini, 2011).
Even if the need to have the IS Audit carried out in a standardized way is considered as being important
(Nijaz et al., 2011), businesses from the developing countries are having difficulties adapting to the
international standards due to local regulations.
The reviewed articles were also talking about the poor or partial implementation of IS Audit Standards.
These are the cases where some effort and resources were spent in order to implement an IS
Audit standard. However, issues like deficient communication and collaboration between involved
parties, as well as wrong perception of IS Audit from the management point of view, led to situations
when the implementation of standards was less successful (Al Lawati and Ali, 2015; Bani-Ahmad and El-
Dalabeeh, 2014; Nijaz et al., 2011). As a consequence, the poor implementation led to low performance
and less efficiency of the reported IT risks.
5.4.3 Organizational
Organizational related challenges, difficulties and issues consist of “Costs”, “Business Characteristics”,
“Management” and “Technology”.
The cost of IS Audit implementation, as well as the cost of IS Audit execution, is perceived by the
authors of the reviewed articles as being high enough that the organizations avoid involving
themselves in an endeavor to have IS Audit in place. Therefore, the existence of IS Audit relies on the
financial capabilities of the organization. The IS Audit is likely to be implemented in the financial
industry–related businesses rather than other industries (Abu-Musa, 2008; Mahzan and Veerankutty,
2011). Moreover, the organizations are expecting that the IS Audit is executed at low prices and expenses,
which is not always the case (Majdalawieh and Zaghloul, 2009; Mozhgani et al., 2014; Wahdan et al.,
2008). Additionally, it has been observed that trying to minimize the cost of an IS Audit results in a very low
quality of the results and affects the efficiency and performance of the IS Auditors (Mozhgani et al., 2014;
Wahdan et al., 2008).
Confronted with the perceived high cost of IS Audit implementation and execution, some organizations
are contemplating the alternative of outsourcing the IS Audit in one way or another. However, this is also
costly or is lacking competent companies able to take this load. Additionally, this is perceived as being
risky, with a potential negative impact on the business itself in terms of privacy and business safety
against competitors (Majdalawieh and Zaghloul, 2009; Puspasari and Yuwono, 2013; Upadhyaya et al., 2012).
Another source of challenges and issues are the “Business characteristics”. The size of the organization is
mentioned as having an important influence on the quality of the IS Audit carried in the organization.
This is tightly linked to the availability of resources, either budget related (Mahzan and Veerankutty,
2011; Alkebsi et al., 2014; Maria and Hariyani, 2011; Maria and Ariyani, 2014), human resources or both
(Mahzan and Veerankutty, 2011; Maria and Ariyani, 2014; Razi and Madani, 2013; Wahdan et al., 2008).
Furthermore, the low level of business competition has as a consequence a reduced pressure on the
business to use IS Audit in order to mitigate potential IT risks in their information systems (Razi and
Madani, 2013; Alkebsi et al., 2014; Wahdan et al., 2008).
In spite of the fact that the reviewed literature acknowledges the benefit of having IS Audit included in the
business process, some of the reviewed articles are highlighting that this is challenging for the
organization due to either lack of knowledge about business process interaction with the IS Audit (Maria
and Ariyani, 2014; Maria and Hariyani, 2011; Mozhgani et al., 2014) or lack of competence in including the IS
Audit into the business process. This is happening at the IS Auditor level as well as at the management
level (Maria and Ariyani, 2014; Mozhgani et al., 2014; Puspasari and Yuwono, 2013; Salehi and Husini, 2011).
Additionally, the unclear, fuzzy or overlapped business demands are adding another layer of issues faced
by developing countries from the IS Audit perspective. Maintaining such a blurred view of the
items to be audited doesn’t help the IS Auditor to clearly understand what the needs are. Given the fact
that the ownership of the systems is not precisely defined, the work of the IS Auditor is also challenging
when the findings are to be reported (Al Lawati and Ali, 2015; Majdalawieh and Zaghloul, 2009; Rafiei
and Moeinadin, 2014). These situations lead to poor mitigation of the retrieved findings or, even worse, the
implementation of the countermeasures is simply delayed.
It is worth remarking that the organizational and work culture has been mentioned as a potential
hindering factor for IS Audit usage in some particular developing countries (Majdalawieh and Zaghloul,
2009; Maria and Ariyani, 2014). So, the conclusion was that the way the IS Audit is implemented or
used is linked to the level of the work rigorousness of the employees.
Lastly, it has been observed that in the developing countries, there is a lower adoption level of IS Audit
(Nkwe, 2011; Razi and Madani, 2013). This could be linked back to the shortage of legislation and
policies in the field of IS Audit as well as the resources at the organizational level.
When it comes to the aspect of “Management”, the analyzed articles are mentioning it as being very
challenging to the developing countries, fueling many issues from the perspective of IS Audit.
For instance, the lack of management support, help or commitment is, by far, the most researched topic
amongst the others; 60% of the reviewed articles focus on it in one way or another. The
management support in implementing IS Audit in an organization is perceived as very important, because
of the budgetary needs and business process changes (Nkwe, 2011; Al Lawati and Ali, 2015). Despite this
aspect, this support was not widely observed in the reviewed articles.
Also, the management’s ability to understand the benefits of IS Audit (Abuazza et al., 2015; Abu-Musa,
2008; Al Lawati and Ali, 2015) as well as the capability to provide the organizational framework for
adopting, implementing and enforcing the IS Audit (Al Lawati and Ali, 2015; Nkwe, 2011; Alkebsi et al.,
2014; Abu-Musa, 2008; Maria and Ariyani, 2014) are strongly challenging the organizations from the
developing countries.
In addition, it is admitted that the role of the management in supporting the IS Auditors is critical,
especially, when the IS Auditors are confronted with obstructed access or restricted authorization to audit
information systems. Despite this aspect, it is not easy in the case of the organizations from the
developing countries to have a supportive management regarding IS Audit-related matters (Nkwe, 2011;
Purwoko, 2011; Puspasari and Yuwono, 2013; Rafiei and Moeinadin, 2014; Upadhyaya et al., 2012),
even though the reviewed studies are admitting the fact that the IS Audit helps the management in taking
decisions related to the business (Puspasari and Yuwono, 2013; Rafiei and Moeinadin, 2014; Razi and
Madani, 2013) by identifying the potential risks or weaknesses of the systems used by the organizations.
Another origin of challenges and issues is the fact that the management is using its influence to put
negative pressure on the IS Auditors, with an immediate effect on the trustworthiness and the neutrality of
the audit reports (Abuazza et al., 2015; Wahdan et al., 2008). In addition, despite the fact that the
management should respect the independence of the IS auditor, there is some evidence that the
management is influencing the results of the IS Audit by forcing the auditors to comply with the requests
or wishes from the management. This seems to be rooted in the particularities of the local culture
(Abuazza et al., 2015; Purwoko, 2011; Wahdan et al., 2008).
Additionally, the different agenda of management has a direct impact on the adoption level of IS Audit
(Abu-Musa, 2008; Nkwe, 2011; Alkebsi et al., 2014; Malgharni and Yusoff, 2011). The managers could
be busy with other managerial work, could have less time allocated to mitigate the IS Audit findings or
simply don’t take seriously the reports of the IS Auditors (Abu-Musa, 2008; Majdalawieh and Zaghloul,
2009; Purwoko, 2011; Razi and Madani 2013).
Therefore, the management usually delays or even neglects to take action to mitigate the reported IS Risks.
Moreover, the management may overlap in taking decisions with regard to the IS Audit report. This
overlap is emerging from the fuzzy or unclear managerial responsibilities, so that, for instance, one
manager’s decision may be overridden by another manager at a similar hierarchical level (Abu-Musa,
2008; Bani-Ahmad and El-Dalabeeh, 2014; Purwoko, 2011). This leads to confusion amongst employees
and, to avoid any confrontation, the findings of the IS Audit are just ignored.
Furthermore, the management’s role in creating a proper working environment is crucial. The way
employees are made aware of the benefits of IS Audit, as well as the way of motivating the IS Auditors to
deliver efficiency and performance, seems to be at a low level in the businesses from developing
countries. As expected, this has a direct, negative impact on how IS Audit is perceived in the
organizations (Ismail and Abidin, 2009; Mozhgani et al., 2014; Salehi and Husini, 2011; Steyn and Plant,
2009; Wahdan et al., 2008).
The whole picture of the challenges and issues from the organizational perspective is completed with the
“Technology”. One of the most researched areas focuses on the high diversity of the IT technological
landscape. Almost half of the reviewed articles are highlighting that the IT in developing countries is very
diverse, ranging from chaotic, basic, to heterogeneous and sophisticated (Salehi and Husini, 2011; Abu-
Musa, 2008; Al Lawati and Ali, 2015; Ismail and Abidin, 2009; Mahzan and Veerankutty, 2011;
Majdalawieh and Zaghloul, 2009). From the perspective of IS Auditors this is very challenging because it
is necessary to deal with technologies, stacked in several layers (network, operating systems, applications,
database, different level of users’ IT literacy) (Al Lawati and Ali, 2015; Ismail and Abidin, 2009; Mahzan
and Veerankutty, 2011; Majdalawieh and Zaghloul, 2009; Maria and Hariyani, 2011; Maria and Ariyani,
2014; Mozhgani et al., 2014).
Of course, the perceived complexity of the audited information systems also implies a certain amount of skilled
human resources to perform the required information systems audit. However, this seems to be very
challenging for developing countries (Majdalawieh and Zaghloul, 2009; Maria and Hariyani, 2011;
Purwoko, 2011; Salehi and Husini, 2011). Therefore, the organizations tend to focus only on minimum or
basic IS audit with a direct effect on the efficiency of the found risks. On the other hand, some
organizations with complex information systems are using the services of external companies highly
specialized in doing IS Audit. Besides the fact that this involves additional costs, the highly specialized
companies are not present in many of the developing countries (Al Lawati and Ali, 2015; Salehi and
Husini, 2011).
In contrast to the cases with complex information systems, there are situations when the
technological landscape is less complicated and is focusing only on the basic function of the IT. In such
situations, there is less IS Audit and the auditors are not interested in doing rigorous IS Audits, so
that some potential risks are overlooked, with the associated consequences (Ismail and Abidin, 2009;
Mahzan and Veerankutty, 2011; Majdalawieh and Zaghloul, 2009).
Moreover, it has been observed that the continuous change of the IT landscape makes the IS Audit more
challenging for the organizations. Additionally, the decision of buying particular technologies is not
backed by the involvement of IS Auditors in the decision-making process. This is combined with the lack
of communication between the IS Auditors and the IT department when a new technology is deployed,
leading to an increase in the chances of having difficulties in approaching and auditing such a type of
information system (Al Lawati and Ali, 2015; Ismail and Abidin, 2009; Mahzan and Veerankutty, 2011;
Majdalawieh and Zaghloul, 2009; Maria and Hariyani, 2011; Maria and Ariyani, 2014; Mozhgani et al.,
2014).
Therefore, the reviewed literature is insisting on the need of having a minimum standardization or, at
least, a consistency of the IT technological environment at the national level. This has to be adapted to the
specific characteristics of the local business, different management style compared to developed countries
and specific laws and regulations (Mahzan and Veerankutty, 2011; Majdalawieh and Zaghloul, 2009;
Mozhgani et al., 2014).
On top of the challenges and issues related to diversified IT landscape, the cumbersomeness of IS Audit
implementation is adding another layer of frustration amongst organizations from the developing
countries. It has been observed that the implementation of IS Audit doesn’t always match the need of the
organization. Therefore, those implementations are too complicated, with various parts completely useless
or without any added-value to the IS Audit (Al Lawati and Ali, 2015; Maria and Hariyani, 2011; Razi and
Madani, 2013; Salehi and Husini, 2011).
Additionally, the tools which are coming with the implemented IS Audit are either too complex or are not
supported in the local language, even though their intention is to automate the manual tasks and to
improve the efficiency and performance of the IS Auditor (Mahzan and Veerankutty, 2011; Maria and
Ariyani, 2014; Puspasari and Yuwono, 2013; Salehi and Husini, 2011). Therefore, the general impression
is that it is difficult to adjust the Western technologies to local needs, creating again a negative perception
of IS Audit (Al Lawati and Ali, 2015; Mahzan and Veerankutty, 2011; Malgharni and Yusoff, 2011;
Nkwe, 2011; Razi and Madani, 2013).
5.4.4 Human Resources
The challenges, difficulties and issues related to this category are threefold: “Employees perception of IS
Audit”, “IS Audit Job” and “Job Related Skills”.
For instance, the IS Audit seems to be misunderstood in terms of what its role is, what its benefits are
and what its scope is. Even though the role of IS Audit is perceived as being an important part of the
organization aiming at helping the business to achieve its strategic objectives (Abuazza et al., 2015; Maria
and Hariyani, 2011; Nkwe, 2011; Puspasari and Yuwono, 2013), the lack of understanding of the role of
IS Audit is still high and there is a tremendous need to clarify its role at the level of the management and
the organizations (Nkwe, 2011; Purwoko, 2011; Puspasari and Yuwono, 2013; Rafiei and Moeinadin,
2014).
Also, the benefits of IS audit seem to be well known and recognized, but the reality of the field looks
different in the developing countries. Perhaps, this is emerging from the lack of understanding of IS
Audit as a whole (Maria and Hariyani, 2011; Nkwe, 2011; Puspasari and Yuwono, 2013). Moreover, it
has been observed in the cases where the IS Audit is used that there is a continuous change in the scope of
IS Audit with a direct effect on efficiency and effectiveness.
Also, the lack of understanding of the scope of IS Audit provokes an endless modification of the scope.
Hence, the immediate effect of these continuous changes in the scope of IS Audit is to generate a huge
confusion on what has to be audited. This situation has a bad influence on the motivation of the IS
Auditor, because the outlook on the IS Audit is blurred and fuzzy, making the IS Auditor feel under a
false pressure (Abuazza et al., 2015; Ismail and Abidin, 2009; Majdalawieh and Zaghloul, 2009; Nkwe,
2011; Puspasari and Yuwono, 2013; Rafiei and Moeinadin, 2014).
It has been reported that the IS Auditor is perceived as a verifier or a cop (Salehi and Husini, 2011),
inspector or controller (Abu-Musa, 2008). This seems to be a reason for the organizations, the
management and the employees to obstruct the work of IS Auditors. Of course, such an attitude means that
the IS Auditors are treated with caution and their access to information systems is difficult (Al Lawati and
Ali, 2015; Maria and Ariyani, 2014; Nkwe, 2011). This way of hindering the work of the IS Auditors
leads to low efficiency, incomplete reports and low effectiveness of the actions taken to mitigate the risks
associated with information systems (Abu-Musa, 2008; Al Lawati and Ali, 2015; Maria and Ariyani,
2014; Purwoko, 2011; Salehi and Husini, 2011).
Additionally, another challenge faced by developing countries from the IS Audit perspective is related to
little or no cooperation or collaboration with the stakeholders. This comprises communication or
collaboration with the internal IT department (Al Lawati and Ali, 2015; Abuazza et al., 2015), the IT
management or higher management (Alkebsi et al., 2014; Maria and Ariyani, 2014). This communication
or collaboration is even worse in the case when the IT department is outsourced and the information
gathering on audited information systems is very slow, jeopardizing the whole process of IS Audit (Al
Lawati and Ali, 2015; Alkebsi et al., 2014; Maria and Ariyani, 2014; Mozhgani et al., 2014; Nkwe, 2011;
Rafiei and Moeinadin, 2014).
Further, it has been reported that the business processes are changing relatively often without
having the IS Auditors informed or involved. To cope with such lack of communication, the IS Auditors
have to use their knowledge and ability to deliver meaningful reports. Additionally, this involves more
resources to adapt to the new requirements (Mahzan and Veerankutty, 2011; Puspasari and Yuwono,
2013). In the case of the developing countries, this situation seems not to be easy to fix,
challenging their capability to manage this sort of situation.
When it comes to “IS Audit Job”, there are several aspects mostly researched. Firstly, lack of human or
budget resources is mentioned as being an important challenge for an organization acting in the
developing countries because there is a constant shortage of human resources as well as money for
implementation and execution of the IS Audit or mitigation of the reported risks (Abu-Musa, 2008; Al
Lawati and Ali, 2015; Al-Ansi et al., 2013; Mahzan and Veerankutty, 2011; Majdalawieh and Zaghloul,
2009). The lack of budgetary resources goes as low as not having money to buy basic IS Audit tools,
forcing the IS Auditors to use the so-called “manual approach”. Given the fact that doing the manual
audit is boring and not challenging at all (Nkwe, 2011), the lack of IS Audit tools has a high impact on
efficiency and performance (Mahzan and Veerankutty, 2011; Maria and Ariyani, 2014; Salehi and Husini,
2011).
Also, it has been found that there is a high pressure on IS Auditor independence, objectivity or identity
(Majdalawieh and Zaghloul, 2009; Abu-Musa, 2008; Purwoko, 2011; Rafiei and Moeinadin, 2014;
Wahdan et al., 2008). These types of pressure seem to be linked to the different management style
compared to developed countries. Perhaps, this is also connected to the negative understanding of the role
of IS Audit and its benefits (Abu-Musa, 2008; Bani-Ahmad and El-Dalabeeh, 2014; Mahzan and
Veerankutty, 2011; Majdalawieh and Zaghloul, 2009). Hence, a change is required in the organizational
culture and skills across organizational elements (the employees and the management) (Wahdan et al.,
2008; Rafiei and Moeinadin, 2014; Abuazza et al., 2015).
Despite the fact that in some developing countries the IS Auditor profession reached its maturity
(Majdalawieh and Zaghloul, 2009), there are many pieces of evidence that support the contrary. Some of
the reviewed articles are mentioning the lack of qualified and competent IS Audit staff (Mahzan and
Veerankutty, 2011; Purwoko, 2011; Steyn and Plant, 2009; Upadhyaya et al., 2012). This is challenging
for organizations since it is not easy to find experienced IS Auditors at the national level, and it is also not
feasible to bring talented IS Audit staff from more advanced countries due to scarce budgetary resources
(Abu-Musa, 2008; Alkebsi et al., 2014; Mahzan and Veerankutty, 2011; Purwoko, 2011; Steyn and Plant,
2009; Upadhyaya et al., 2012).
Noticeable attention is given to the need for a code of conduct and professional ethics of the IS
Auditors in the developing countries. It is clearly recognized that lacking a code of conduct of the IS
Auditors has large implications on trustworthiness, integrity and authenticity of the reported risks (Maria
and Ariyani, 2014; Rafiei and Moeinadin, 2014; Razi and Madani, 2013; Wahdan et al., 2008). This
weakness of the IS Auditor profession has its own strong and challenging pressure on the organizations
from the developing countries, because the usage of IS Audit is questionable and the results are not taken
seriously (Wahdan et al., 2008; Abuazza et al., 2015; Bani-Ahmad and El-Dalabeeh, 2014).
Furthermore, the IS Auditor profession also suffers from an unclear job description. The confusion about the
mission of an IS Auditor in an organization is sustained by the management’s misunderstanding of the IS
Audit role in an organization (Ismail and Abidin, 2009; Majdalawieh and Zaghloul, 2009; Maria and
Ariyani, 2014). This is complemented by the fact that the standards and policies are confusing or
contradictory. Therefore, the blurred job requirements of the IS Auditor as well as the unclear role of the
IS Auditor in the organigram of an organization add another layer of issues to the organizations from the
developing countries (Ismail and Abidin, 2009; Puspasari and Yuwono, 2013; Upadhyaya et al., 2012;
Wahdan et al., 2008).
In regard to IS Audit Job related challenges and issues, it is important to mention the IS Auditor’s
motivation factors. This consists of salary level, workplace environment, and benefits package. Of course,
this is impacting the ability of an organization to find skilled and competent IS Auditors (Maria and
Ariyani, 2014; Steyn and Plant, 2009; Wahdan et al., 2008) due to the direct influence on the IS Auditor’s
decision whether or not to join an organization. Even though this is observed by the reviewed articles, the
budgetary constraints are preventing the organizations from dealing with this issue in order to provide more
attractive motivation factors.
Job Related Skills are also claimed as being a cornerstone for an IS Auditor. From this perspective, the
experience as IS Auditor and capability to properly report the findings make the difference and add the
value to any IS Audit report. However, finding an IS Auditor with such skills is challenging for
organizations from the developing countries (Alkebsi et al., 2014; Mozhgani et al., 2014; Wahdan et al.,
2008).
Moreover, it has been found that the developing countries are lacking skilled IS Auditors with modern IT
experience and expertise (Al-Ansi et al., 2013; Mahzan and Veerankutty, 2011; Malgharni and Yusoff,
2011; Purwoko, 2011; Wahdan et al., 2008). Also, the reviewed articles observe that some IS Auditors are
showing low or no interest in using information technology in performing IS Audit (Al-Ansi et al., 2013;
Alkebsi et al., 2014; Malgharni and Yusoff, 2011; Mozhgani et al., 2014).
Moreover, there is a low attraction amongst IS Auditors to develop the ability to understand which
IS risks have a potential impact on the audited organization (Abuazza et al., 2015; Alkebsi et al., 2014;
Bani-Ahmad and El-Dalabeeh, 2014; Mahzan and Veerankutty, 2011; Malgharni and Yusoff, 2011;
Maria and Ariyani, 2014; Nkwe, 2011; Razi and Madani, 2013). This has the consequence of not being
able to implement the IS Audit in a proper manner in order to reduce the potential risks related to
information systems (Mahzan and Veerankutty, 2011; Majdalawieh and Zaghloul, 2009; Maria and
Hariyani, 2011).
Nowadays, there is a constantly increasing demand for IS Auditors able to audit highly complex and
sophisticated information systems. However, it is said that it is difficult to find, locally, IS Auditors with
the ability to understand complex information systems (Abu-Musa, 2008; Ismail and Abidin, 2009;
Mahzan and Veerankutty, 2011; Majdalawieh and Zaghloul, 2009;
Maria and Hariyani, 2011; Maria and Ariyani, 2014; Rafiei and Moeinadin, 2014; Salehi and Husini,
2011). Therefore, the IS Audit is poorly implemented, focusing on basic aspects of the information
systems.
5.4.5 Education
The challenges, difficulties and issues related to “Education” consist of “Academic” related matters, “IS
Professional training and certification”, “IS Technical knowledge” and “Knowledge base”.
Although the importance of academic research in the field of IS Audit is widely recognized,
the reviewed material claims that in the developing countries the academic research in the field of IS
Audit is, by far, insufficient. The local universities do not show enough interest in promoting and
focusing on IS Audit research. This is presented as challenging because, without research in this area,
the organizations have to adapt studies from outside of the country to the local specificities. This is
time-consuming and may give rise to controversies regarding the terms, frameworks, techniques and legal implications used
(Abuazza et al., 2015; Al-Ansi et al., 2013; Nkwe, 2011; Upadhyaya et al., 2012).
Also, there is a stringent need to adapt the university curricula (Al-Ansi et al., 2013; Alkebsi et al., 2014;
Nkwe, 2011; Upadhyaya et al., 2012; Wahdan et al., 2008) to the need of having a more specialized
education at the university level in the field of IS Audit (Al-Ansi et al., 2013; Alkebsi et al., 2014; Mahzan
and Veerankutty, 2011; Steyn and Plant, 2009; Upadhyaya et al., 2012; Wahdan et al., 2008).
Moreover, it has been observed that it is very important to increase the quality of Information systems’
related education in order to produce a more qualified workforce. This is seen as a fundamental need for
the organizations from the developing countries to cope with the increasing need for specialized IT staff
able to understand properly the requirements of IS Audit. Further, by having more qualified IS graduates
there are higher chances to fill in the gaps related to the profession of IS Auditor with IS graduates
interested in becoming an IS Auditor. This is understandable, given the fact that an IS Auditor is more
effective if she/he has an extensive IT Knowledge (Al-Ansi et al., 2013; Alkebsi et al., 2014; Mahzan and
Veerankutty, 2011; Steyn and Plant, 2009; Upadhyaya et al., 2012).
Complementary to academic education, the “IS Professional training and certification” represents another
important and researched topic in the reviewed articles.
It has been reported that the lack of training in the new IT technologies has a huge impact on the IS
auditors because they are facing issues when they have to audit information systems which include new
technologies (Al-Ansi et al., 2013; Ismail and Abidin, 2009; Mahzan and Veerankutty, 2011;
Majdalawieh and Zaghloul, 2009; Upadhyaya et al., 2012; Wahdan et al., 2008). A study advocates that
the learning and training have to be continuously done in order to cope with the rapidly changing
technological landscape of the IT (Ismail and Abidin, 2009). Also, the training has to be tailored to the
auditors’ needs so that the time spent grasping new developments in IT should not take too long (Al-Ansi
et al., 2013; Ismail and Abidin, 2009; Mahzan and Veerankutty, 2011) with a positive effect on the
efficiency and motivation of the IS Auditors.
Similarly, continuous training also has to cover the IS Audit field. The lack of continuous
training in IS Audit prevents the IS Auditors from developing countries from learning and getting familiar
with the new techniques, the new standards internationally used or the practices from the developed
countries (Mahzan and Veerankutty, 2011; Maria and Ariyani, 2014; Steyn and Plant, 2009; Al-Ansi et
al., 2013). There is an agreement amongst researchers that this issue leads to situations when the IS
auditors can’t deal with new, complex systems with an immediate effect on the perception of the
professionalism of the IS Auditors (Al-Ansi et al., 2013; Ismail and Abidin, 2009; Mahzan and
Veerankutty, 2011; Maria and Ariyani, 2014; Steyn and Plant, 2009; Upadhyaya et al., 2012; Wahdan et
al., 2008). Although some efforts were already made, the reviewed articles recognize that there is
huge room for improvement.
Also, there is a shortage of opportunities for training on the IS Audit tools. Even though their usefulness
is recognized, there are not many options for the IS Auditors to train on how to use or how to get the
most out of the IS Audit tools, with a tremendous impact on the performance, efficiency and motivation of
the IS Auditor (Al-Ansi et al., 2013; Ismail and Abidin, 2009; Maria and Ariyani, 2014; Nkwe, 2011;
Salehi and Husini, 2011).
It has been speculated that one possible reason linked to lacking training could be rooted in the reluctance
of management to train staff (Salehi and Husini, 2011; Steyn and Plant, 2009).
Furthermore, the lack of professional bodies at the national level from some developing countries is
claimed as being a challenge for all the parties involved in the IS Audit field. Some evidence points out
that there is a high need to have more active IS Audit-related professional institutions at the national level.
This is necessary in order to support and build up a favorable environment to the development of the IS
Audit profession (Nkwe, 2011; Steyn and Plant, 2009; Upadhyaya et al., 2012). In line with this, the
benefits of having a strong IS Audit professional body would help organizations to address their concerns
regarding the IS Audit (Al Lawati and Ali, 2015; Al-Ansi et al., 2013; Bani-Ahmad and El-Dalabeeh,
2014; Nkwe, 2011).
“Information Systems Technical Knowledge” comprises challenges and issues related to information
technology in general and to new technologies that make their way to the market and are included in one
way or another in the information systems from the developing countries.
Typically, information technology is an ever-changing environment and even the developed countries
have difficulties keeping up with the new technologies. Therefore, it is not surprising that the
developing countries are lagging behind.
In the case of the reviewed articles, it has been observed that the digital gap seems to be too wide and, as
a consequence, there is a huge lack of knowledge amongst the IS Auditors from the developing countries
regarding highly specialized information technologies (Ismail and Abidin, 2009; Majdalawieh and
Zaghloul, 2009) or even in the case of less demanding IT-related technologies (Abuazza et al., 2015;
Wahdan et al., 2008).
Perhaps, this situation has its roots in the lack of IT knowledge at a more generalized level. For instance,
it is claimed that an IS Auditor must have good knowledge of IT in order to be able to understand the
audited information system. In the case of the reviewed articles, it has been observed that this basic
requirement for an IS Auditor is not fulfilled in many situations. This has a negative impact on the
accuracy of findings and how the IS Auditor is perceived in the audited organization (Abu-Musa, 2008;
Al-Ansi et al., 2013; Mahzan and Veerankutty, 2011; Maria and Ariyani, 2014; Mozhgani et al., 2014).
Therefore, it is crucial to develop amongst the IS Auditors from the developing countries, the culture of
continuous update of the IT technical knowledge in order to keep up with the related challenges (Abu-
Musa, 2008; Al-Ansi et al., 2013; Ismail and Abidin, 2009; Mahzan and Veerankutty, 2011). Also, it has
been recognized that this should be linked to academic and professional training and education. However,
this is still under consideration of the decision-makers from the developing countries.
Sharing the knowledge and the imperative need to have a knowledge base at the national level seems to
be another challenge for developing countries from the IS Audit perspective. The benefits of a knowledge
base are out of any discussion. However, this is obstructed by various factors. For instance, in order to
bridge the knowledge gap, developing countries are using pieces of information from the developed
countries. The issue is that most of the information is in English. On the other hand, the observed
unsatisfactory level of English amongst IS Audit professionals is hindering the transfer of IS Audit know-
how into the local language (Mozhgani et al., 2014; Nijaz et al., 2011; Nkwe, 2011). Hence, building a
knowledge base related to IS Audit in the local language is very challenging and troublesome (Al-Ansi et
al., 2013; Alkebsi et al., 2014; Bani-Ahmad and El-Dalabeeh, 2014; Nkwe, 2011; Wahdan et al., 2008).
It has been suggested that one way to cope with the obstacles to building a national IS Audit
knowledge base is to develop cooperation between countries which share the same language, such
as the Arabic language (Alkebsi et al., 2014; Bani-Ahmad and El-Dalabeeh, 2014; Nkwe, 2011; Wahdan et
al., 2008). In such a manner, many countries sharing the Arabic language would benefit from the usage of an
Arabic-based knowledge base. However, this is still difficult and needs a significant and larger
coordination between countries. Perhaps, a regional or intergovernmental organization may regulate this
aspect of having a pan-Arabic IS Audit knowledge base.
Moreover, the required IS Audit knowledge base would benefit also from documentation of successful
projects in the field of IS Audit. Despite this fact, it has been reported that there is a lack of such
documentation regarding successfully finalized IS Audit projects in the organizations from the developing
countries (Majdalawieh and Zaghloul, 2009; Nkwe, 2011). Likewise, the professional networking amongst
IS auditors is lacking adherence, making the spread of knowledge and information about IS Audit
very challenging (Mozhgani et al., 2014; Bani-Ahmad and El-Dalabeeh, 2014; Steyn and Plant, 2009;
Upadhyaya et al., 2012).
5.4.6 Cultural
Cultural related challenges, difficulties and issues reported by the reviewed articles are twofold: “Change
Perception” and “Awareness”.
Adopting new technology, new techniques or new regulations involves a certain amount of change. The
change perception with regards to IS Audit in developing countries consists of several aspects. Employee
resistance to change has been observed when the organization used or implemented IS Audit,
with a direct impact on how the employees perceived the IS Auditor and IS Audit in general (Bani-
Ahmad and El-Dalabeeh, 2014; Steyn and Plant, 2009; Wahdan et al., 2008). This might be linked to the
local culture (Majdalawieh and Zaghloul, 2009; Maria and Ariyani, 2014; Razi and Madani, 2013; Salehi
and Husini, 2011; Wahdan et al., 2008) as well as how management is communicating with the
employees and how much support is employed with regards to IS Audit (Razi and Madani, 2013; Wahdan
et al., 2008). Also, difficulties may arise from the management style from some developing countries,
which is different compared to the developed countries (Al Lawati and Ali, 2015; Razi and Madani, 2013;
Wahdan et al., 2008).
To cope with the changes related to IS Audit, the organizations or the authorities can make use of a proper
communication of the changes. This may include awareness programs. In such a manner, the employees
and the organization as a whole can deal with the change in a more acceptable approach, by preparing
plans for change implementation.
Implementing IS audit in an organization is a challenge which involves employees, the IT department,
management and even the authorities. This is the reason why it is necessary to have programs which are
focused on increasing the awareness of IS Audit at the employee level (Alkebsi et al., 2014; Majdalawieh
and Zaghloul, 2009; Purwoko, 2011; Upadhyaya et al., 2012). The reviewed articles advocate that,
with employees aware of the benefits of IS Audit, the fear of being controlled may become lower and
the wrong perception of IS Audit as well as obstruction of IS Auditors will decrease (Abu-Musa, 2008; Al
Lawati and Ali, 2015; Al-Ansi et al., 2013; Alkebsi et al., 2014; Majdalawieh and Zaghloul, 2009;
Purwoko, 2011; Upadhyaya et al., 2012).
Furthermore, there is a strong need to make the IT departments aware of the benefits of IS Audit in
order to reduce their reluctance to cooperate and communicate with the IS Auditors (Al Lawati and
Ali, 2015; Al-Ansi et al., 2013; Upadhyaya et al., 2012).
Lastly, it is very important to see more IS Audit-related awareness at the national authority level or
government because it has been observed that the developing countries don’t recognize the value of IS
Audit (Majdalawieh and Zaghloul, 2009; Nkwe, 2011).
Cultural related aspects are forming the last piece which completes the puzzle that depicts the challenges,
difficulties and issues faced by developing countries from the perspective of IS Audit.
6. Discussion
This chapter gives extensive insights about how the research was carried out, reflects the results from the
research question perspective, highlights the originality and contributions of this research work,
proposes some potential research avenues and depicts the limitations of this thesis.
6.1 Alignment with the research aim
Based on the findings of the analysis done in the previous chapter, this section depicts how these findings
are answering the research question and how it aligns to the research aims of this thesis.
The aim of this research was to retrieve the current status of Information Systems Auditing in the
developing countries in order to understand what the potential obstacles are in building a robust IS Audit
in the context of the developing countries. Hence, the goal was to capture aspects related to issues,
difficulties and challenges related to the IS Audit in the developing countries, which are revealed by the
currently existing literature.
The research carried out in respect to the above-mentioned aim has disclosed that the current challenges,
difficulties and issues are related to six main categories.
Firstly, the legislation related to the IS Audit is lacking proper laws and legal framework. In the cases
where the laws exist the organizations are having issues in understanding the laws, because they are
perceived to be cumbersome and confusing. In addition, there is a huge need for having supportive
governmental agencies in order to help with implementation. Moreover, the regulations are either
confusing or contradictory or they do not exist at all.
Secondly, even though the IS Audit-related policies and standards might exist in some countries they are
either implemented partially or overlooked. Of course, the existing literature is highlighting that in some
cases there is a pronounced shortage of policies and standards (probably because they are not considered
as being important for the business).
Thirdly, from the organizational point of view, the most researched topic which is listed as a challenge is
the lack of management support, help or commitment to implement and use the IS Audit. This seems to
become a major issue since it is linked to the different management style in developing countries. It is also
worth mentioning that the lack of understanding of the benefits of IS Audit by the management is
negatively influencing the adoption of IS Audit. Therefore, low budget is allocated to IS Audit and related
activities (training, tools, and awareness programs). Additionally, the developing countries are facing a
very diverse IT technological landscape. This landscape is either too sophisticated or is simply chaotic.
Hence, the IS Audit implementations are perceived as being too cumbersome compared to the level of
technical sophistication.
Challenges and issues related to the Human Resources are ranging from the wrong perception of IS Audit
to lack of human resources. IS Auditors are perceived as cops, inspectors, verifiers or controllers.
Consequently, they are either treated with caution or their access to the audited information systems is
obstructed or, even more, they don’t get the authorization from the management. There are issues when
the IS Auditors are facing complex, sophisticated information systems where new technologies are used.
Hence, they need to have enough knowledge to approach such systems. Otherwise, the observed behavior
is just doing the minimum of IS Audit with negative consequences for the efficiency, performance, and
effectiveness of the IS Audit. Of course, to cope with such situations the reviewed literature stresses
the need for a proper educational system.
Even though it is recognized that the education is a driver for a healthy development of the IS Audit in the
developing countries, the fact that the IS Audit is under-researched in the local universities, the low level
of qualification of the IS graduates and poor professional training in IS Audit are factors which are
challenging the adoption, implementation and usage of the IS Audit.
Moreover, there seems to be a huge need to have an IS Audit knowledge base where the IS Audit
professionals could share information or could find help for their IS Audit projects. Also, the reviewed
articles mention the urgency of having a national knowledge base in the local language and the necessity
of having the know-how transfer facilitated by the government in cooperation with national professional
bodies.
Further, lack of a knowledge base is observed in the inconsistency of terms used in the reviewed articles,
even though the meaning of the used terms seems to be the same (a so-called “jungle of terms”).
Likewise, it seems that there is a huge need to have the IS Audit related documentation translated from
English into the local language and it is believed that in such a way more IS professionals will embrace the
IS Auditor profession in the future.
Finally, it has been observed that the awareness of the IS Audit is at a low level amongst the employees,
IT professionals, and national authorities. Hence, awareness programs have to be employed to increase
the IS Audit awareness level aiming at improving the perception on IS Audit and to understand that IS
Audit helps the business to stay away from potential IS risks. Cultural related challenges and issues
include also the resistance to change of the employees or the organization where the IS Audit is
implemented or used. However, addressing such a wide matter is hard to be done and depends on the
characteristics and specificity of each developing country.
To sum up, the above-presented challenges, difficulties and issues are answering the research question
which drove this research.
6.2 Reflection on the research carried out
This section’s goal is to reflect on how the research was done and what were the main lessons learned
from it.
This thesis aimed at answering the research question defined in the first chapter and at finding the
current challenges, difficulties and issues that the developing countries are encountering from the IS Audit
perspective. To respond to such a demanding investigation, Grounded Theory was used to build
up a rigorous, systematic literature review using the method of Okoli and Schabram (2010) in conjunction
with guidelines of Wolfswinkel et al. (2011).
Some discussion was done during the work; however, this will be summarized here with the intention to
give the reader a big-picture overview of it.
6.2.1 Reflections on the steps of SLR
This review includes twenty-three articles selected by using the steps of Okoli and Schabram’s systematic
literature review method in a rigorous manner.
The work performed during the initial literature search was done by carefully looking for
the articles using well-defined search terms in combination with Boolean operators. This was done in
order to capture the studies which potentially could be selected for the final review. However, it was
necessary to use personal experience in building up the right search expression to cope with the different
behavior of the databases interrogated for the review. Moreover, it was imperatively needed to find a way
to keep the records of all retrieved articles. So, specialized software was employed to keep up with the
huge amount of the data retrieved.
Then, for the next stage, certain criteria were used to screen the articles. Additionally, the screening
involved reading the abstract of each article. This was very tough work involving plenty of time, energy,
and effort. However, some noise due to unexpected behavior of Web of Science hindered the process of
screening for inclusion. Although the same search expressions were used as for the other
databases, the Web of Science retrieved many articles and studies from the field of medicine and
associated fields. Sorting out this kind of result consumed a lot of time. So, relying
100% on the accuracy of the databases consulted could be tricky and may pose huge pressure on the
reviewer.
Next, 42 articles were screened for exclusion. The guidelines of Wolfswinkel et al. (2013) were
suggesting reading the title, abstract and some more text. For this thesis, it has been decided to read also
the introduction, discussion, and conclusion. Additionally, the methodology section was also read to get
an overview of what kind of research approach was used in order to get a clear picture of the existing
literature on the IS Audit in the developing countries.
Again, there was an acute need for a set of tools to keep the notes and observations and to capture
emerging ideas after reading each article. Therefore, the creativity of the reviewer was used to find
a way to cope with all information retrieved during this step and to be ready for more, upcoming
information in the next steps. Initially, the notes were kept by using the old school method (pen and
paper) and electronic annotations of the articles using capabilities of Adobe Acrobat. But this became too
hard to manage. So, a logbook and a memo were set up. Additionally, an MS Excel workbook was used in
combination with MS Word tables to organize the work better. After this tremendous effort,
a number of 23 articles were put forward for data analysis.
It is also important to mention that several iterations took place in each of the following steps: practical
screening, quality appraisal and Data collection/extraction. This was seen as a very critical process
because there was the concern about losing important aspects reflected by the existing research.
The huge amount of information put a lot of pressure on the ability to process this big volume of articles
and studies. This was foreseen from the beginning of this thesis project. Therefore, a strict timeline was
set in order to reach the end of the list of articles included in the review.
6.2.2 Reflections on the analysis of data by means of Grounded Theory
Wolfswinkel et al. (2011) have proposed a rigorous approach to writing a systematic literature review by
means of Grounded Theory. The data analysis using open, axial and selective coding involved another set
of iterations, as happened while applying the SLR.
For the reviewer, challenges arose at each stage of coding. The iterations involved reading carefully
several times the articles in order to capture the codes while looking back and forth to avoid any
duplication of the codes. Slowly, during this process of continuous comparison between what has been
found, a list of codes was created. It was necessary to do another, more in-depth iteration to distil
these codes into the final list. Also, during the coding process, there were challenging situations when there
was a strong need to consolidate codes with the same meaning despite the fact that they were differently
worded or phrased.
The extraction of categories and subcategories involved another reassessment of the articles in order to
avoid any redundancy of them. When adjustments of categories and subcategories were necessary
(Wolfswinkel et al., 2011), another cycle of comparison was performed to avoid overlapping or
duplicates.
Finally, the selective coding was carried out by having in mind the suggestion of Wolfswinkel et al.
(2011) to refine the categories from the perspective of the research question.
Diagramming, MS Word and Excel, Adobe annotations as well as “pen and paper” method were
extensively used to cope with the massive amount of information.
6.2.3 Final reflections on the research carried out
As a personal observation regarding the research, the review of existing literature is an intensive,
time-consuming task in which a lot of energy and effort is invested to successfully finalize the work. Therefore, it is
crucial to have a proper planning of the activities and the work and, most important, to stick to this plan.
Otherwise, it is quite easy to get off the track and any derailing from the plan could jeopardize the whole
work.
Another personal observation regarding using the systematic literature review as the research method is
that the reflections were noted for each stage of the SLR. It has been done in such a manner because the
intention was to capture as much information as possible related to the research work conducted.
Alternatively, it would also have been possible to do this at the end, but it was foreseen that
some crucial aspects might have been lost. Hence, it has been decided to reflect and write the
reflection(s) during the course of the thesis work.
This research relied heavily on choosing the right search terms in the stage S3 - Literature Search.
With years of experience in internet-based search techniques acquired throughout 18 years of a
professional IT career, it has been easier to define a set of search strings to get the most out of searches
inside of databases made available online by Stockholm University Library. Therefore, it is very
important to reflect in advance, based on the research question of the study, what are the right search
terms or expressions to be used in order to capture as much as possible from the existing literature on the
studied topic.
From the perspective of “what went wrong?”, it is worth mentioning that the whole research work was
perceived as a learning curve. There were many dead ends and obstacles which were overcome by
continuously going back and forth to stay in line with the requirements of the research methodology or when
unclear situations arose regarding how to proceed further with the thesis work. At such moments, the
existing literature on the employed methods (Denscombe, 2014; Okoli and Schabram, 2010; Wolfswinkel
et al., 2011; Webster and Watson, 2002) was consulted in order to find a way through.
Furthermore, there were situations during the literature search step when some articles showed up in the
result list due to inadequate tagging or keyword usage. Perhaps, to spare future reviewers such
struggles, it is necessary to have a generally recognized scheme for keywording. In such a way, the search
for articles would be easier and the results retrieved would be more meaningful for the future research
works.
Finally, one last reflection on the research carried out is that the research topic driving this thesis work
emerged from the professional development needs of the reviewer. Being interested in the information
systems auditing topic, it came naturally to exploit this opportunity and to get the insight of the existing
academic records in order to provide a systematic review on this topic focusing particularly on the
developing countries.
6.3 The originality and the practical and theoretical significance of the contributions
First of all, the originality of this research work consists of the fact that, from the methodological
perspective, it has combined the method of systematic literature review of Okoli and Schabram (2010)
with the rigorousness brought by Grounded Theory as it is outlined by Wolfswinkel et al. (2011) in order
to capture the most important hindering factors affecting the IS Audit in the developing countries.
Secondly, this thesis emerged from the perceived gap of knowledge in the information systems audit
literature regarding the challenges, difficulties and issues faced by the developing countries. The findings
of this thesis aim at bridging the gap given the fact that there were no previous comprehensive attempts to
review the existing literature on the researched field. Moreover, the findings of this research work
contribute to the body of knowledge by helping the practitioners to understand better the hindering factors
related to the IS Audit as well as the decision makers (government, governmental agencies) and
lawmakers from the developing countries to start adjusting the existing landscape in order to facilitate the
adoption, implementation, and usage of the IS Audit at the organizational level.
Thirdly, the thesis used Grounded Theory. This helped the reviewer to ensure that the results of the
research work are not affected by a predefined mindset and, due to the open-mind principle of Grounded
Theory, the research was more a voyage of discovery (Denscombe, 2014) by following an undefined and
undiscovered trail. In such a way, the creativity played an important role in putting out of any doubt and
discussion the authenticity and usefulness of the findings.
Lastly, the significance consists of potential research avenues which may be used by the academic
community from the developing countries to explore more the IS Audit from their countries in order to
build up a robust research with the goal of diminishing the gap between the developed and developing
countries. Also, the findings of this review contribute to the general understanding of reasons why the IS
Audit is less accepted in the organizations and how this situation could be changed in order to increase the
IS Audit presence in the developing countries. Therefore, the review has both practical and theoretical
significance for the IS Audit field.
6.4 Limitations of the study
This study is limited by several aspects.
Firstly, the work was carried out by one single person, a non-native English speaker. During the research
work, it has been observed that the work would have been more efficient and beneficial if there were at
least two reviewers. This aspect was mainly noticed during the coding process when a collaborative work
with a partner would have helped to synthesize faster and better the retrieved codes.
Secondly, the research was done using six databases, excluding potential helpful studies from other
literature databases. Also, the literature search was limited only to academic papers published in
internationally recognized journals without using magazine articles, technical papers, white papers and
independent blogs. Also, this study is limited only to the online published articles, so other sources like
books, either printed or electronic version, were not consulted. Consulting them would have helped to gain more
insights about IS Audit in the developing countries; without them, other potential challenges, difficulties and
issues are left undiscovered.
Furthermore, this research was based solely on the retrieved articles available to students in the searched
databases. Studies that were unpublished or not available to the students were not captured. Likewise, the
search was based on a narrow set of expressions and keywords. This limitation was seen in the cases
when the keywords of the articles didn’t mention the expression(s) used in the search (for instance, the article
was using the name of the country instead of developing country or the usage of “developing country”
was avoided because of a different understanding of what a developing country/economy is).
Thirdly, the research was conducted focusing on a particular time span, a decade from 2006 to 2016 (as
suggested by Okoli and Schabram, 2010 and Wolfswinkel et al., 2013). Therefore, this study is limited to
the articles published during this period of time.
Fourthly, this research is limited with regard to the geographical distribution of the retrieved articles.
While the literature search was carried out with a focus on developing countries, the selected articles are
mainly from Asia and Africa. No article was retrieved from Latin America. The same limitation is
linked to the absence of articles from large countries such as China or Russia. Perhaps this limitation is
linked to another one: the fact that the study targeted only articles written in English. Possibly,
a study using Spanish, Russian or Chinese as the language would have captured more articles.
Finally, this study has assumed that all retrieved literature properly reflects the difficulties, issues and
challenges in terms of Information Systems Auditing concerning developing countries. It therefore relies on
the found literature “as is”.
6.4.1 Ethical and social aspects
The research for this thesis didn’t involve any person, since there were no participants. The whole
work was based on the existing literature, published and publicly available in the consulted literature
outlets.
The research was conducted by strictly following the guidelines of the chosen research methods. One may
argue that the reviewer could subjectively influence the research. This might be seen as an issue, but the
fact that the analysis of the data was done by using Grounded Theory helped the reviewer to minimize the
impact of subjectivity. An open mind was also used to approach this research, as suggested by
Denscombe (2014). In this manner the articles were analyzed, and the theory emerged smoothly and
gradually based on the findings of each step of the research. In addition, personal and professional
experience was used to reach the end of the research project.
Also, giving credit to and properly referencing the articles included in this study was crucial to produce a
high-quality literature review. Especially during the presentation of the findings, the referencing was done
in such a manner that the red thread of the story was not affected.
Finally, the literature review was written without pointing out the names of the countries mentioned in the
reviewed articles, in order to keep the neutrality of the thesis. For the same reason, any mention of
IS Auditing-related frameworks, standards or commercial products was avoided.
6.5 Suggested areas for future research
Based on the study carried out, some suggestions for future research can be made.
Firstly, a potential research avenue would be to use the findings of this study to develop a set of
recommendations or guidelines that can help the developing countries to reduce the perceived gap
regarding IS Audit. Also, the outcomes of this research could be used as a base for developing a
framework for future academic research in the field of IS Audit.
Secondly, the found set of challenges, difficulties and issues could be used in a multiple-case study of
a group of countries which share the same local language (for instance, Gulf countries) in order to
validate the findings of this research. Furthermore, more case studies in English, documented and
available in academic journals, would perhaps help developing countries to learn from each other.
In the diagram of the main categories depicted in Figure 7, no weighting is assigned to the categories.
Therefore, a future study is suggested that would aim at weighting these categories, in order to
find out which one is the most important in implementing and using IS Auditing in the developing
countries.
Based on one of the limitations mentioned in section 6.4, this research could be extended by using another
language which covers multiple countries, such as Spanish, Arabic, French or Russian (also covering
post-Soviet countries). In this way, developments in other languages could be added to this study and the
developing countries could learn from each other’s experience.
Further, this study used Grounded Theory for exposing the challenges, difficulties and issues regarding IS
Audit in developing countries. Perhaps a suggestion for future research would be to use another
methodological approach to widen the findings of this research.
Finally, future studies could also focus on particular aspects revealed by this thesis, such as having a
common language of IS Audit related terms in order to avoid a “jungle of IS Audit terms”, or having
an automated translation of English studies into the local language to extend the knowledge base.
7. Conclusion
The final chapter of this thesis sums up the research work through some concluding remarks.
This research work focused on reviewing the existing literature on IS Audit. Therefore, the following
research question was asked: “What are the current difficulties, issues and challenges which are
experienced by the developing countries in terms of Information Systems Auditing?”
To answer the research question driving this thesis, two research methods were combined to capture from
the existing academic literature all aspects related to IS Audit in the developing countries. That is, the
method of systematic literature review in information systems research of Okoli and Schabram (2010)
was employed in conjunction with the Grounded Theory approach for systematic reviews of Wolfswinkel
et al. (2013).
Initially, 42 articles were found to be relevant for this research. These articles were
further analyzed and 23 articles were selected for the review. The selected articles spanned
a period of 10 years and were found in six distinct literature databases. By using the Grounded
Theory approach, six main categories of challenges, difficulties and issues were identified.
They relate to legislation, policy and standards, organization, human resources, education and culture.
Based on these findings and the identified limitations, further research was suggested.
As a concluding remark, this thesis makes an undeniable contribution to the body of knowledge by
providing a better understanding of the current challenges, difficulties and issues of IS Auditing in the
context of developing countries. Therefore, it is believed that the findings of this thesis will play a major
role in opening new research directions to diminish the gap in the IS Audit field between the developing and
developed countries.
References
Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015). The perceived scope of internal audit
function in Libyan public enterprises. Managerial Auditing Journal, 30(6/7), 560-581.
Abu-Musa, A. A. (2008). Information technology and its implications for internal auditing: An empirical
study of Saudi organizations. Managerial Auditing Journal, 23(5), 438-466.
Affinity Diagram - ASQ. (2016). Asq.org. Retrieved 14 March 2016, from
http://asq.org/learn-about-quality/idea-creation-tools/overview/affinity.html
Aida Lope Abdul Rahman, A., Islam, S., & Al-Nemrat, A. (2015). Measuring sustainability for an
effective Information System audit from public organization perspective. In Research Challenges in
Information Science (RCIS), 2015 IEEE 9th International Conference on (pp. 42-51). IEEE.
Al Lawati, A., & Ali, S. (2015). Business perception to learn the art of Operating System auditing: A case
of a local bank of Oman. In GCC Conference and Exhibition (GCCCE), 2015 IEEE 8th (pp. 1-6).
IEEE.
Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013). The Effect of IT knowledge and IT Training
on the IT Utilization among External Auditors: Evidence from Yemen. Asian Social Science, 9(10),
307.
Alkebsi, M. A. A., Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014). The Relationship between
Information Technology Usage, Top Management Support and Internal Audit Effectiveness. In
International Management Accounting Conference VII.
Alter, S. (2008). Defining information systems as work systems: implications for the IS field. European
Journal of Information Systems, 17(5), 448-469.
Avgerou, C. (2000). Recognising alternative rationalities in the deployment of information systems. The
Electronic Journal of Information Systems in Developing Countries, 3.
Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014). The Effect of Applying the Information Technology
Audit Standard# 21 on the Risk Related To ERP System in the Jordanian Companies. Global Journal
of Management And Business Research, 14(1).
Barki, H., Rivard, S., & Talbot, J. (1993). A keyword classification scheme for IS research literature: an
update. Mis Quarterly, 209-226.
Buchanan, S., & Gibb, F. (2007). The information audit: Role and scope. International journal of
information management, 27(3), 159-172.
Cannon, D. L. (2011). CISA Certified Information Systems Auditor Study Guide, Third Edition. John
Wiley & Sons.
Carlin, A., & Gallegos, F. (2007). IT audit: A critical business process. Computer, 40(7), 87-89. doi:
10.1109/MC.2007.246
Denscombe, M. (2014). The good research guide: for small scale social research projects. 5th Ed.
Paperback. Maidenhead: McGraw-Hill Open University Press.
Earl, M. J. (2000). In D. A. Marchand, T. H. Davenport, & T. Dickson (Eds.), Mastering information
management (pp. 16–22).
El-Gazzar, R. F. (2014). A literature review on cloud computing adoption issues in enterprises. In
Creating Value for All Through IT (pp. 214-242). Springer Berlin Heidelberg.
El-Sayed Ebaid, I. (2011). Internal audit function: an exploratory study from Egyptian listed firms.
International Journal of Law and Management, 53(2), 108 - 128.
Gercke, M. (2009). Understanding cybercrime: a guide for developing countries. International
Telecommunication Union (Draft), 89, 93.
Henry, J. (2010). Reducing the Threat of State-to-State Cyber Attack against Critical Infrastructure
through International Norms and Agreements.
Hingarh, V., & Ahmed, A. (eds) (2012) Overview of Systems Audit, in Understanding and Conducting
Information Systems Auditing, John Wiley & Sons, Inc., Hoboken, NJ, USA.
Hjalmarsson, A., Johannesson, P., Jüll-Skielse, G., & Rudmark, D. (2014). Beyond innovation contests: A
framework of barriers to open innovation of digital services. ECIS 2014 Proceedings
Hsieh, H. F., & Shannon, S. E. (2005). Three approaches to qualitative content analysis. Qualitative health
research, 15(9), 1277-1288.
Imf.org. (2016). World Economic Outlook - Frequently Asked Questions. Retrieved 28 January 2016, from
http://www.imf.org/external/pubs/ft/weo/faq.htm
Ismail, N. A., & Abidin, A. Z. (2009). Perception towards the importance and knowledge of information
technology among auditors in Malaysia. Journal of Accounting and Taxation, 1(4), 61.
ISO/IEC 12207:2008. (2008). ISO/IEC 12207:2008 - Systems and software engineering -- Software life
cycle processes. ISO. Retrieved from https://www.iso.org/obp/ui/#iso:std:iso-iec:12207:ed-2:v1:en
Keele, S. (2007). Guidelines for performing systematic literature reviews in software engineering. In
Technical report, Ver. 2.3 EBSE Technical Report. EBSE.
Kitchenham, B. (2004). Procedures for performing systematic reviews. Keele, UK, Keele University,
33(2004), 1-26.
Khandkar, S. H. (2009). Open coding. Paper presented at University of Calgary, October 23, 2009.
Klein, H. K., & Myers, M. D. (1999). A set of principles for conducting and evaluating interpretive field
studies in information systems. MIS quarterly, 67-93.
Krogstad, J. L. (1977). Toward A Methodology For Auditing. Transactions of the Nebraska Academy of
Sciences and Affiliated Societies. Paper 457.
Leung, L. (2015). Validity, reliability, and generalizability in qualitative research. Journal of Family
Medicine and Primary Care, 4(3), 324–327.
Lovaas, P., & Wagner, S. (2012). IT Audit Challenges for Small and Medium-Sized Financial Institutions.
Retrieved from http://www.albany.edu/iasymposium/proceedings/2012/7-Lovaas%26Wagner.pdf
Library Of Congress. (2008). LIBRARY OF CONGRESS COLLECTIONS POLICY STATEMENTS.
Retrieved from https://www.loc.gov/acq/devpol/devcountry.pdf
Mahzan, N., & Veerankutty, F. (2011). IT auditing activities of public sector auditors in Malaysia. African
Journal of Business Management, 5(5), 1551.
Majdalawieh, M., & Zaghloul, I. (2009). Paradigm shift in information systems auditing. Managerial
Auditing Journal, 24(4), 352-367.
Malgharni, A. M., & Yusoff, W. F. W. (2011). Review and Recognition of Auditing Applied Computer
Systems at Islamic Azad University (Sanandaj Branch Evidence). Interdisciplinary Journal of
Contemporary Research In Business, 2(12), 135.
Maria, E., & Ariyani, Y. (2014). E-Commerce Impact: The Impact Of E-Audit Implementation On The
Auditor's Performance (Empirical Study Of The Public Accountant Firms In Semarang, Indonesia).
Indian Journal of Commerce and Management Studies, 5(3), 1.
Maria, E., & Haryani, E. (2011). Audit Model Development Of Academic Information System: Case
Study On Academic Information System Of Satya Wacana. Researchers World, 2(2), 12-24.
Merhout, J. W., & Havelka, D. (2008). Information technology auditing: A value-added IT governance
partnership between IT management and audit. Communications of the Association for Information
Systems, 23(1), 26. Retrieved from
http://aisel.aisnet.org/cgi/viewcontent.cgi?article=3386&context=cais
Millichamp, A. H., & Taylor, J., (2002). Introduction To Auditing – The Why Of Auditing, in Auditing,
Tenth Edition. Cengage Learning EMEA. Retrieved from
http://www.cengagebrain.co.uk/content/9781408070086.pdf
Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014). Identification and ranking of virtual audit executive
impediments in Iran. Advances in Environmental Biology, 277-285. Retrieved from
http://www.aensiweb.com/old/aeb/Special%2015/277-284.pdf
Nagy, A. L., & Cenker, W. J. (2002). An assessment of the newly defined internal audit function.
Managerial Auditing Journal, 17(3), 130-137.
Nielsen, L. (2011). Classifications of countries based on their level of development: How it is done and
how it could be done. IMF Working Papers, 1-45.
Nijaz, B., Mario, S. & Lejla, T. (2011). Implementation of the IT governance standards through business
continuity management: Cases from Croatia and Bosnia-Herzegovina. In Information Technology
Interfaces (ITI), Proceedings of the ITI 2011 33rd International Conference on , vol., no., pp.43-50,
27-30 June 2011.
Nkwe, N. (2011). State of information technology auditing in Botswana. Asian Journal of Finance &
Accounting, 3(1).
O’Connor, R. (2012). Using grounded theory coding mechanisms to analyze case study and focus group
data in the context of software process research. Research methodologies, innovations and
philosophies in software systems engineering and information systems, 1627-1645.
Okoli, C., & Schabram, K. (2010). "A Guide to Conducting a Systematic Literature Review of Information
Systems Research,". Sprouts: Working Papers on Information Systems, 10(26).
Paagman, A., Tate, M., Furtmueller, E., & de Bloom, J. (2015). An integrative literature review and
empirical validation of motives for introducing shared services in government organizations.
International journal of information management, 35(1), 110-123.
Prakash, M., & Sivakumar, D. (2014). Information systems auditing and electronic commerce.
International Journal of Advanced Research in Management and Social Sciences, 3(2), 106-119.
Purwoko, P. (2011). Auditing Information System: Delivery Product Service. Communication and
Information Technology Journal, 5(1).
Puspasari, D., & Yuwono, B. (2013). Implementing integrated internal control life cycle at Telecom
Company. In Advanced Computer Science and Information Systems (ICACSIS), 2013 International
Conference on (pp. 249-254). IEEE.
Rafiei, G. H., & Moeinadin, M. (2014). Identification of factors affecting the quality of auditing in
information technology (IT). Advances in Environmental Biology, 239-245. Retrieved from
http://www.aensiweb.com/old/aeb/Special%2015/239-244.pdf
Razi, M. A., & Madani, H. H. (2013). An analysis of attributes that impact adoption of audit software: An
empirical study in Saudi Arabia. International Journal of Accounting & Information Management,
21(2), 170-188.
Ramamoorti, S. (2003). Internal auditing: history, evolution, and prospects. The Institute of Internal
Auditors Research Foundation. Retrieved from https://na.theiia.org/iiarf/Public Documents/Chapter 1
Internal Auditing History Evolution and Prospects.pdf
Salehi, M. (2009). In the Name of Independence: with Regard to Practicing Non-Audit Service by
External Auditors. International Business Research, 2(2), p137.
Salehi, M., & Husini, R. (2011). A study of the effect of information technology on internal auditing:
Some Iranian evidence. African Journal of Business Management, 5(15), 6168.
Schlagenhaufer, C., & Amberg, M. (2015) A Descriptive Literature Review and Classification Framework
for Gamification in Information Systems. ECIS 2015 Completed Research Papers. Paper 161.
Siddaway, A. P. (2014). What is a systematic literature review and how do I do one? Retrieved from
https://www.stir.ac.uk/media/schools/management/documents/centregradresearch/How to do a
systematic literature review and meta-analysis.pdf
Soltani, B. (2007). An Introduction to Auditing and Assurance, in Auditing: An international approach.
Pearson Education.
Steyn, B., & Plant, K. (2009). Education and training considerations applicable to internal auditors in
South Africa. African Journal of Business Management, 3(13), 989-997.
Teck-Heang, L., & Ali, A. M. (2008). The evolution of auditing: An analysis of the historical
development. Journal of Modern Accounting and Auditing, 4(12), 1-8.
United Nations Geospatial Information Section Web Site. (2016). Un.org. Retrieved 8 March 2016, from
http://www.un.org/Depts/Cartographic/english/htmain.htm
Upadhyaya, P., Shakya, S., & Pokharel, M. (2012). E-government security readiness assessment for
developing countries: Case study: Nepal Govt. organizations. In Internet (AH-ICI), 2012 Third Asian
Himalayas International Conference on (pp. 1-5). IEEE.
Urquhart, C., Lehmann, H., & Myers, M. D. (2010). Putting the ‘theory’ back into grounded theory:
guidelines for grounded theory studies in information systems. Information systems journal, 20(4),
357-381.
Yang, H., & Tate, M. (2012). A descriptive literature review and classification of cloud computing
research. Communications of the Association for Information Systems, 31(2), 35-60.
Zainal, Z. (2007). Case study as a research method. Jurnal Kemanusiaan, 9.
Walsham, G. (1995). Interpretive case studies in IS research: nature and method. European Journal of
information systems, 4(2), 74-81.
Walsham, G., & Sahay, S. (2006). Research on information systems in developing countries: Current
landscape and future prospects. Information technology for development, 12(1), 7-24.
Wahdan, M.A. , Spronck, P. , Ali, H. F. , Vaassen, E. , Herik, H.J. van den. (2008). Auditors and IT
support in Egypt. The Proceeding of the Congress 17th International Management Development
Association. Suriname, 56-64
Webster, J., & Watson, R.T. (2002). Analyzing the past to prepare for the future: Writing a literature
review. Management Information Systems Quarterly, 26(2), p.3.
WEO Imf.org. (2016). World Economic Outlook Database April 2015 -- WEO Groups and Aggregates
Information. Retrieved from http://www.imf.org/external/pubs/ft/weo/2015/01/weodata/groups.htm
Worldbank.org. (2016). DEPweb: Beyond Economic Growth, Glossary. Retrieved from
http://www.worldbank.org/depweb/english/beyond/global/glossary.html
Wolfswinkel, J. F., Furtmueller, E., & Wilderom, C. P. M. (2013). Using grounded theory as a method for
rigorously reviewing literature. Eur J Inf Syst, 22(1), 45–55.
Wto.org. (2016). WTO | Development - Who are the developing countries in the WTO?. Retrieved from
https://www.wto.org/english/tratop_e/devel_e/d1who_e.htm
List of appendices
Appendix A
Total Number of Papers: 23

Table 7: Type of publications

| Publication Type | # of papers |
|---|---|
| Journal | 17 |
| Conference Papers | 6 |
| Total | 23 |

Table 8: Methodology of chosen articles

| Methodology | # of papers |
|---|---|
| Survey | 14 |
| Mixed Methods | 5 |
| Case Study | 3 |
| Review | 1 |
| Total | 23 |

Table 9: Distribution of articles per continents

| Continent | # of papers |
|---|---|
| Africa | 4 |
| Asia | 18 |
| Europe | 1 |
| Total | 23 |

Table 10: Years of Publication for the chosen articles

| Year of publication | # of papers |
|---|---|
| 2008 | 2 |
| 2009 | 3 |
| 2011 | 7 |
| 2012 | 1 |
| 2013 | 3 |
| 2014 | 5 |
| 2015 | 2 |
| Total | 23 |

Table 11: Appendix A - Summary of articles filtered for data analysis

| No. | Author(s) and Title | Year | Methodology | Type | Purpose (Context/Comments) | Developing Country? | Country & Continent | IS auditing? IT auditing? | Challenges, Difficulties, Issues? |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Majdalawieh, M., & Zaghloul, I. (2009) - Paradigm shift in information systems auditing | 2009 | Survey | Journal | A survey in the UAE context focusing on change factors of the IS Auditing and the implication of these factors on the IS Audit. | Y | United Arab Emirates, Asia | Y | Y |
| 2 | Razi, M. A., & Madani, H. H. (2013) - An analysis of attributes that impact adoption of audit software: An empirical study in Saudi Arabia | 2013 | Survey | Journal | A study of the current challenges faced by organizations from Saudi Arabia in adopting the auditing software. | Y | Saudi Arabia, Asia | Y | Y |
| 3 | Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008) - Auditors and IT support in Egypt | 2008 | Survey | Conference Paper | A research addressing the current challenges faced by IT auditor in Egypt by proposing a training system. | Y | Egypt, Africa | Y | Y |
| 4 | Upadhyaya, P., Shakya, S., & Pokharel, M. (2012) - E-government security readiness assessment for developing countries: Case study: Nepal Govt. organizations | 2012 | Mixed Methods | Conference Paper | Assess the current status of IS audit in the case of Nepal governmental organizations. | Y | Nepal, Asia | Y | Y |
| 5 | Maria, E., & Haryani, E. (2011) - Audit Model Development Of Academic Information System: Case Study On Academic Information System Of Satya Wacana | 2011 | Mixed Methods | Journal | Development of a basic framework to audit the information systems in the academic world in the context of Indonesia. | Y | Indonesia, Asia | Y | Y |
| 6 | Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014) - The Effect of Applying the Information Technology Audit Standard# 21 on the Risk Related To ERP System in the Jordanian Companies | 2014 | Mixed Methods | Journal | A paper on the beneficial effects of using an Information Technology Audit standard to reduce the risks of business-related information systems. | Y | Jordan, Asia | Y | Y |
| 7 | Maria, E., & Ariyani, Y. (2014) - E-Commerce Impact: The Impact Of E-Audit Implementation On The Auditor's Performance (Empirical Study Of The Public Accountant Firms In Semarang, Indonesia). | 2014 | Survey | Journal | A study of the factors which may have an impact on the performance of IT auditors in the case of a public auditing company. | Y | Indonesia, Asia | Y | Y |
| 8 | Nkwe, N. (2011) - State of information technology auditing in Botswana | 2011 | Review | Journal | A study which summarized the current situation of information technology auditing in the case of an African country. | Y | Botswana, Africa | Y | Y |
| 9 | Abu-Musa, A. A. (2008) - Information technology and its implications for internal auditing: An empirical study of Saudi organizations | 2008 | Survey | Journal | An empirical study of Saudi organizations regarding the impact of information technology on auditing activities. | Y | Saudi Arabia, Asia | Y | Y |
| 10 | Purwoko, P. (2011) - Auditing Information System: Delivery Product Service | 2011 | Mixed Study | Journal | A paper studying the case of an Indonesian company aiming at implementing better controls in their information systems. | Y | Indonesia, Asia | Y | Y |
| 11 | Mahzan, N., & Veerankutty, F. (2011) - IT auditing activities of public sector auditors in Malaysia | 2011 | Survey | Journal | In the context of public sector of Malaysia, the study reveals the challenges faced by the IT auditors in achieving their goals. | Y | Malaysia, Asia | Y | Y |
| 12 | Malgharni, A. M., & Yusoff, W. F. W. (2011) - Review and Recognition of Auditing Applied Computer Systems at Islamic Azad University (Sanandaj Branch Evidence) | 2011 | Mixed Methods | Journal | A study on the perceived need to have a centralized approach in dealing with the information systems audit in the case of a university from Iran. | Y | Iran, Asia | Y | Y |
| 13 | Salehi, M., & Husini, R. (2011) - A study of the effect of information technology on internal auditing: Some Iranian evidence | 2011 | Survey | Journal | The paper is studying the impact on performance of information technology auditors who are confronting lack of resources. | Y | Iran, Asia | Y | Y |
| 14 | Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013) - The Effect of IT knowledge and IT Training on the IT Utilization among External Auditors: Evidence from Yemen | 2013 | Survey | Journal | An article which surveys the practitioners from Yemen regarding the potential impact of training on performance of IT auditors. | Y | Yemen, Asia | Y | Y |
| 15 | Al Lawati, A., & Ali, S. (2015) - Business perception to learn the art of Operating System auditing: A case of a local bank of Oman | 2015 | Case Study | Conference Paper | A paper on the case of a bank from Oman regarding the need for continuous improvement of Information Systems Auditing. | Y | Oman, Asia | Y | Y |
| 16 | Nijaz, B., Mario, S. & Lejla, T. (2011) - Implementation of the IT governance standards through business continuity management: Cases from Croatia and Bosnia-Herzegovina | 2011 | Case Study | Conference Paper | A study on the legal and technical obligations to reduce the downtime and risk in organizations | Y | Croatia, Bosnia-Herzegovina, Europe | Y | Y |
| 17 | Puspasari, D., & Yuwono, B. (2013) - Implementing integrated internal control life cycle at Telecom Company | 2013 | Case Study | Conference Paper | Two case studies on the challenges and issues of implementation of information technology regulations in two companies from Indonesia. | Y | Indonesia, Asia | Y | Y |
| 18 | Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014) - Identification and ranking of virtual audit executive impediments in Iran | 2014 | Survey | Journal | A study which surveys the IT audit experts from Iran regarding the challenges in the field of information technology audit. | Y | Iran, Asia | Y | Y |
| 19 | Alkebsi, M. A. A., Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014) - The Relationship between Information Technology Usage, Top Management Support and Internal Audit Effectiveness | 2014 | Survey | Conference Paper | A survey of practitioners concerning the effectiveness of information technology audit practices in the case of Yemen’s private sector. | Y | Yemen, Asia | Y | Y |
| 20 | Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015) - The perceived scope of internal audit function in Libyan public enterprises | 2015 | Survey | Journal | A survey of Libyan public sector companies which highlights the need to clarify the role of IT Auditors. | Y | Libya, Africa | Y | Y |
| 21 | Rafiei, G. H., & Moeinadin, M. (2014) - Identification of factors affecting the quality of auditing in information technology (IT) | 2014 | Survey | Journal | Another survey of practitioners from Iran on the issues linked to Information Technology Audit’s quality | Y | Iran, Asia | Y | Y |
| 22 | Ismail, N. A., & Abidin, A. Z. (2009) - Perception towards the importance and knowledge of information technology among auditors in Malaysia | 2009 | Survey | Journal | The article is surveying a number of Information Technology Auditors from Malaysian companies on the value of IT technical knowledge in performance of information technology audits. | Y | Malaysia, Asia | Y | Y |
| 23 | Steyn, B., & Plant, K. (2009) - Education and training considerations applicable to internal auditors in South Africa | 2009 | Survey | Journal | A survey on the training needs for professionals acting in Information Technology Audit area | Y | South Africa, Africa | Y | Y |
Appendix B
This appendix includes the open codes identified during the Open Coding stage, as well as the mapping between the open codes and the articles where
they were found.
Table 12: The identified open codes
Open Codes
1. Awareness at national authorities level
2. Confusing/contradictory IS Audit regulations
3. Confusing/Cumbersome/Lack of laws
4. Costs of IS Audit outsourcing
5. Cultural and Religious barriers
6. Cultural-related hierarchical issues
7. Cumbersomeness of IS audit implementations
8. Delay/Ignore the mitigation of reported IS Risks
9. Different agenda of the management
10. Different Management style (Arab countries)
11. Difficulty to adapt the Western technologies to local needs
12. Employee general awareness of IS Audit
13. Government support to implement/spread the law
14. High Cost of IS Audit Implementation/Execution
15. High pressure on IS Auditor independence/objectivity/identity
16. Human Resource Management
17. Insufficient local academic research in the field of IS Audit
18. IS Audit is not implemented in the business Processes
19. Lack IS Audit Policies
20. Lack of ability to approach complex information systems
21. Lack of best practices
22. Lack of business competition
23. Lack of continuous development of the IT technical knowledge
24. Lack of continuous training in IS Audit
25. Lack of documentation of successful projects
26. Lack of experience and proper reporting of findings in IS Audit
27. Lack of general IT Knowledge
28. Lack of human/budget resources
29. Lack of interest in using IT for IS Audit
30. Lack of IS Audit regulations
31. Lack of IS Audit tools and related automation
32. Lack of IT modern experience and expertise
33. Lack of knowledge to incorporate/implement the IS audit
34. Lack of management help/support/commitment
35. Lack of modern/up-to-date knowledge
36. Lack of money to buy IS Audit tools
37. Lack of professional bodies at the national level
38. Lack of professional ethics/code of conduct
39. Lack of qualified and competent IS audit staff
40. Lacking Adoption of Standards in the IS Audit Field
41. Lack of training in IS Audit specific tools
42. Lack of training in the IT/new technologies
43. Lack of understanding of IS Risks
44. Lacking or poor implementation of IS Audit policies
45. Limited compliance with IS Audit policies
46. Little or no cooperation/communication with stakeholders
47. Low adoption level of IS Audit
48. Low interest of management in IS Audit
49. Low level of knowledge of highly specialized technologies
50. Low level of quality of the IS graduates
51. Management intrusion/negative pressure on IS Audit
52. Misunderstanding of IS Audit (role/benefits/scope)
53. Motivation factors (Workplace/salary/benefits) for IS Auditor
54. Need for a Knowledge base at national level in the local language
55. Need for more specialized education at university level in IS Audit
56. Not adapted university curricula to accommodate IS Audit
57. Obsolete/Need for a Continuous update of IS Audit
58. Obstructed transfer of IS audit Know-how in the local language
59. Obstruction or wrong perception of IS auditor (seen as cop/inspector/controller)
60. Organizational and Work Culture
61. Poor or partial implementation of IS Audit Standards
62. Professional networking
63. Reluctance of management to train staff
64. Resistance to change of employees/organization
65. Size of organization
66. Specific Awareness at IT department level
67. Unclear job description
68. Unclear, fuzzy or overlapped Business demands
69. Very diverse IT technological landscape (chaotic/basic/heterogeneous/sophisticated)
Table 13: Mapping of the Open Codes to the articles
No Open Code Reference
1 Awareness at national authorities level Majdalawieh, M., & Zaghloul, I. (2009); Nkwe, N. (2011).
2 Confusing/contradictory IS Audit regulations Mahzan, N., & Veerankutty, F. (2011); Nijaz, B., Mario, S. & Lejla, T. (2011);
Razi, M. A., & Madani, H. H. (2013); Upadhyaya, P., Shakya, S., & Pokharel, M.
(2012).
3 Confusing/Cumbersome/Lack of laws Mahzan, N., & Veerankutty, F. (2011); Maria, E., & Hariyani, Y. (2011);
Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014); Nkwe, N. (2011); Salehi, M.,
& Husini, R. (2011); Upadhyaya, P., Shakya, S., & Pokharel, M. (2012); Wahdan,
M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).
4 Costs of IS Audit outsourcing Majdalawieh, M., & Zaghloul, I. (2009); Puspasari, D., & Yuwono, B. (2013);
Upadhyaya, P., Shakya, S., & Pokharel, M. (2012).
5 Cultural and Religious barriers Majdalawieh, M., & Zaghloul, I. (2009); Maria, E., & Ariyani, Y. (2014); Razi, M.
A., & Madani, H. H. (2013); Salehi, M., & Husini, R. (2011); Wahdan, M.A.,
Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).
6 Cultural-related hierarchical issues Al Lawati, A., & Ali, S. (2015); Razi, M. A., & Madani, H. H. (2013); Wahdan,
M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).
7 Cumbersomeness of IS audit implementations Al Lawati, A., & Ali, S. (2015); Maria, E., & Hariyani, Y. (2011); Razi, M. A., &
Madani, H. H. (2013); Salehi, M., & Husini, R. (2011).
8 Delay/Ignore the mitigation of reported IS Risks Abu-Musa, A. A. (2008); Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014);
Purwoko, P. (2011).
9 Different agenda of the management Abu-Musa, A. A. (2008); Majdalawieh, M., & Zaghloul, I. (2009); Purwoko, P.
(2011); Razi, M. A., & Madani, H. H. (2013).
10 Different Management style(Arab countries) Razi, M. A., & Madani, H. H. (2013).
11 Difficulty to adapt the Western technologies to local needs Al Lawati, A., & Ali, S. (2015); Mahzan, N., & Veerankutty, F. (2011); Malgharni,
A. M., & Yusoff, W. F. W. (2011); Nkwe, N. (2011); Razi, M. A., & Madani, H. H.
(2013).
12 Employee general awareness of IS Audit Abu-Musa, A. A. (2008); Al Lawati, A., & Ali, S. (2015); Al-Ansi, A. A., Ismail,
N. A. B., & Al-Swidi, A. K. (2013); Alkebsi, M. A. A., Aziz, K. A., Mohammed, Z.
M., & Dhaifallah, B. (2014); Majdalawieh, M., & Zaghloul, I. (2009); Purwoko, P.
(2011); Upadhyaya, P., Shakya, S., & Pokharel, M. (2012).
13 Government support to implement/spread the law Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014); Mahzan, N., & Veerankutty,
F. (2011); Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014); Nkwe, N. (2011);
Razi, M. A., & Madani, H. H. (2013); Upadhyaya, P., Shakya, S., & Pokharel, M.
(2012); Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den.
(2008).
14 High Cost of IS Audit Implementation/Execution Abu-Musa, A. A. (2008); Mahzan, N., & Veerankutty, F. (2011); Majdalawieh, M.,
& Zaghloul, I. (2009); Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014);
Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).
15 High pressure on IS Auditor independence/objectivity/identity Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Abu-Musa, A. A.
(2008); Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014); Mahzan, N., &
Veerankutty, F. (2011); Majdalawieh, M., & Zaghloul, I. (2009); Purwoko, P.
(2011); Rafiei, G. H., & Moeinadin, M. (2014); Wahdan, M.A., Spronck, P., Ali, H.
F., Vaassen, E., Herik, H.J. van den. (2008).
16 Human Resource Management Ismail, N. A., & Abidin, A. Z. (2009); Mozhgani, F., Heirany, F., & Ardakani, S. S.
(2014); Salehi, M., & Husini, R. (2011); Steyn, B., & Plant, K. (2009); Wahdan,
M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).
17 Insufficient local academic research in the field of IS Audit Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Al-Ansi, A. A.,
Ismail, N. A. B., & Al-Swidi, A. K. (2013); Nkwe, N. (2011); Upadhyaya, P.,
Shakya, S., & Pokharel, M. (2012).
18 IS Audit is not implemented in the business Processes Maria, E., & Hariyani, Y. (2011); Maria, E., & Ariyani, Y. (2014); Mozhgani, F.,
Heirany, F., & Ardakani, S. S. (2014); Purwoko, P. (2011); Puspasari, D., &
Yuwono, B. (2013); Salehi, M., & Husini, R. (2011).
19 Lack IS Audit Policies Nkwe, N. (2011); Upadhyaya, P., Shakya, S., & Pokharel, M. (2012).
20 Lack of ability to approach complex information systems Abu-Musa, A. A. (2008); Ismail, N. A., & Abidin, A. Z. (2009); Mahzan, N., &
Veerankutty, F. (2011); Majdalawieh, M., & Zaghloul, I. (2009); Majdalawieh, M.,
& Zaghloul, I. (2009); Maria, E., & Hariyani, Y. (2011); Maria, E., & Ariyani, Y.
(2014); Rafiei, G. H., & Moeinadin, M. (2014); Salehi, M., & Husini, R. (2011).
21 Lack of best practices Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014); Nkwe, N. (2011); Purwoko, P.
(2011); Puspasari, D., & Yuwono, B. (2013).
22 Lack of business competition Alkebsi, M. A. A., Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014); Razi,
M. A., & Madani, H. H. (2013); Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen,
E., Herik, H.J. van den. (2008).
23 Lack of continuous development of the IT technical knowledge Abu-Musa, A. A. (2008); Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K.
(2013); Ismail, N. A., & Abidin, A. Z. (2009); Mahzan, N., & Veerankutty, F.
(2011).
24 Lack of continuous training in IS Audit Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013); Ismail, N. A., &
Abidin, A. Z. (2009); Mahzan, N., & Veerankutty, F. (2011); Maria, E., & Ariyani,
Y. (2014); Steyn, B., & Plant, K. (2009); Upadhyaya, P., Shakya, S., & Pokharel,
M. (2012); Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den.
(2008).
25 Lack of documentation of successful projects Majdalawieh, M., & Zaghloul, I. (2009); Nkwe, N. (2011).
26 Lack of experience and proper reporting of findings in IS Audit Alkebsi, M. A. A., Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014);
Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014); Wahdan, M.A., Spronck, P.,
Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).
27 Lack of general IT Knowledge Abu-Musa, A. A. (2008); Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K.
(2013); Mahzan, N., & Veerankutty, F. (2011); Maria, E., & Ariyani, Y. (2014);
Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014).
28 Lack of human/budget resources Abu-Musa, A. A. (2008); Al Lawati, A., & Ali, S. (2015); Al-Ansi, A. A., Ismail,
N. A. B., & Al-Swidi, A. K. (2013); Mahzan, N., & Veerankutty, F. (2011);
Majdalawieh, M., & Zaghloul, I. (2009); Maria, E., & Ariyani, Y. (2014);
Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014); Razi, M. A., & Madani, H. H.
(2013); Salehi, M., & Husini, R. (2011).
29 Lack of interest in using IT for IS Audit Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013); Alkebsi, M. A. A.,
Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014); Malgharni, A. M., &
Yusoff, W. F. W. (2011); Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014).
30 Lack of IS Audit regulations Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013); Mahzan, N., &
Veerankutty, F. (2011); Nkwe, N. (2011).
31 Lack of IS Audit tools and related automation Mahzan, N., & Veerankutty, F. (2011); Maria, E., & Ariyani, Y. (2014); Puspasari,
D., & Yuwono, B. (2013); Salehi, M., & Husini, R. (2011).
32 Lack of IT modern experience and expertise Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013); Mahzan, N., &
Veerankutty, F. (2011); Malgharni, A. M., & Yusoff, W. F. W. (2011); Purwoko, P.
(2011); Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den.
(2008).
33 Lack of knowledge to incorporate/implement the IS audit Mahzan, N., & Veerankutty, F. (2011); Majdalawieh, M., & Zaghloul, I. (2009);
Maria, E., & Hariyani, Y. (2011).
34 Lack of management help/support/commitment Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Abu-Musa, A. A.
(2008); Al Lawati, A., & Ali, S. (2015); Alkebsi, M. A. A., Aziz, K. A.,
Mohammed, Z. M., & Dhaifallah, B. (2014); Maria, E., & Ariyani, Y. (2014); Nkwe,
N. (2011); Purwoko, P. (2011); Puspasari, D., & Yuwono, B. (2013); Rafiei, G. H.,
& Moeinadin, M. (2014); Razi, M. A., & Madani, H. H. (2013); Salehi, M., &
Husini, R. (2011); Upadhyaya, P., Shakya, S., & Pokharel, M. (2012); Wahdan,
M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).
35 Lack of modern/up-to-date knowledge Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Wahdan, M.A.,
Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).
36 Lack of money to buy IS Audit tools Mahzan, N., & Veerankutty, F. (2011); Maria, E., & Ariyani, Y. (2014); Nkwe, N.
(2011); Salehi, M., & Husini, R. (2011).
37 Lack of professional bodies at the national level Al Lawati, A., & Ali, S. (2015); Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K.
(2013); Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014); Nkwe, N. (2011);
Steyn, B., & Plant, K. (2009); Upadhyaya, P., Shakya, S., & Pokharel, M. (2012).
38 Lack of professional ethics/code of conduct Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Bani-Ahmad, A., &
El-Dalabeeh, A. E. R. K. (2014); Maria, E., & Ariyani, Y. (2014); Rafiei, G. H., &
Moeinadin, M. (2014); Razi, M. A., & Madani, H. H. (2013); Wahdan, M.A.,
Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).
39 Lack of qualified and competent IS audit staff Abu-Musa, A. A. (2008); Alkebsi, M. A. A., Aziz, K. A., Mohammed, Z. M., &
Dhaifallah, B. (2014); Mahzan, N., & Veerankutty, F. (2011); Purwoko, P. (2011);
Steyn, B., & Plant, K. (2009); Upadhyaya, P., Shakya, S., & Pokharel, M. (2012);
Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).
40 Lacking adoption of Standards in the IS Audit Field Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Al Lawati, A., & Ali,
S. (2015); Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014); Maria, E., &
Ariyani, Y. (2014); Nijaz, B., Mario, S. & Lejla, T. (2011); Salehi, M., & Husini, R.
(2011); Upadhyaya, P., Shakya, S., & Pokharel, M. (2012).
41 Lack of training in IS Audit specific tools Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013); Ismail, N. A., &
Abidin, A. Z. (2009); Maria, E., & Ariyani, Y. (2014); Nkwe, N. (2011); Salehi, M.,
& Husini, R. (2011).
42 Lack of training in the IT/new technologies Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013); Ismail, N. A., &
Abidin, A. Z. (2009); Mahzan, N., & Veerankutty, F. (2011); Majdalawieh, M., &
Zaghloul, I. (2009); Upadhyaya, P., Shakya, S., & Pokharel, M. (2012); Wahdan,
M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).
43 Lack of understanding of IS Risks Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Alkebsi, M. A. A.,
Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014); Bani-Ahmad, A., & El-
Dalabeeh, A. E. R. K. (2014); Mahzan, N., & Veerankutty, F. (2011); Malgharni, A.
M., & Yusoff, W. F. W. (2011); Maria, E., & Ariyani, Y. (2014); Nkwe, N. (2011);
Razi, M. A., & Madani, H. H. (2013).
44 Lacking or poor implementation of IS Audit policies Al Lawati, A., & Ali, S. (2015); Rafiei, G. H., & Moeinadin, M. (2014).
45 Limited compliance with IS Audit policies Nijaz, B., Mario, S. & Lejla, T. (2011); Rafiei, G. H., & Moeinadin, M. (2014).
46 Little or no cooperation/communication with stakeholders Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Al Lawati, A., & Ali,
S. (2015); Alkebsi, M. A. A., Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B.
(2014); Maria, E., & Ariyani, Y. (2014); Mozhgani, F., Heirany, F., & Ardakani, S.
S. (2014); Nkwe, N. (2011); Rafiei, G. H., & Moeinadin, M. (2014).
47 Low adoption level of IS Audit Nkwe, N. (2011); Razi, M. A., & Madani, H. H. (2013).
48 Low interest of management in IS Audit Abu-Musa, A. A. (2008); Alkebsi, M. A. A., Aziz, K. A., Mohammed, Z. M., &
Dhaifallah, B. (2014); Malgharni, A. M., & Yusoff, W. F. W. (2011); Nkwe, N.
(2011).
49 Low level of knowledge of highly specialized technologies Ismail, N. A., & Abidin, A. Z. (2009); Majdalawieh, M., & Zaghloul, I. (2009).
50 Low level of quality of the IS graduates Mahzan, N., & Veerankutty, F. (2011); Steyn, B., & Plant, K. (2009); Upadhyaya,
P., Shakya, S., & Pokharel, M. (2012).
51 Management intrusion/negative pressure on IS Audit Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Purwoko, P. (2011);
Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).
52 Misunderstanding of IS Audit(role/benefits/scope) Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Ismail, N. A., &
Abidin, A. Z. (2009); Majdalawieh, M., & Zaghloul, I. (2009); Maria, E., &
Hariyani, Y. (2011); Nkwe, N. (2011); Purwoko, P. (2011); Puspasari, D., &
Yuwono, B. (2013); Rafiei, G. H., & Moeinadin, M. (2014).
53 Motivation factors(workplace/salary/benefits) for IS Auditor Maria, E., & Ariyani, Y. (2014); Steyn, B., & Plant, K. (2009); Wahdan, M.A.,
Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).
54 Need for a Knowledge base at national level in the local language Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013); Alkebsi, M. A. A.,
Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014); Bani-Ahmad, A., & El-
Dalabeeh, A. E. R. K. (2014); Nkwe, N. (2011); Wahdan, M.A., Spronck, P., Ali, H.
F., Vaassen, E., Herik, H.J. van den. (2008).
55 Need for more specialized education at university level in IS Audit Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013); Alkebsi, M. A. A.,
Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014); Mahzan, N., &
Veerankutty, F. (2011); Steyn, B., & Plant, K. (2009); Upadhyaya, P., Shakya, S., &
Pokharel, M. (2012); Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik,
H.J. van den. (2008).
56 Not adapted university curricula to accommodate IS Audit Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013); Alkebsi, M. A. A.,
Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014); Nkwe, N. (2011);
Upadhyaya, P., Shakya, S., & Pokharel, M. (2012); Wahdan, M.A., Spronck, P.,
Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).
57 Obsolete/Need for a Continuous update of IS Audit Mahzan, N., & Veerankutty, F. (2011); Puspasari, D., & Yuwono, B. (2013).
58 Obstructed transfer of IS audit Know-how in the local language Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014); Nijaz, B., Mario, S. & Lejla,
T. (2011); Nkwe, N. (2011).
59 Obstruction or wrong perception of IS auditor(seen as cop/inspector/controller) Abu-Musa, A. A. (2008); Al Lawati, A., & Ali, S. (2015); Maria, E., & Ariyani, Y.
(2014); Nkwe, N. (2011); Purwoko, P. (2011); Salehi, M., & Husini, R. (2011).
60 Organizational and Work Culture Majdalawieh, M., & Zaghloul, I. (2009); Maria, E., & Ariyani, Y. (2014).
61 Poor or partial implementation of IS Audit Standards Al Lawati, A., & Ali, S. (2015); Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K.
(2014); Nijaz, B., Mario, S. & Lejla, T. (2011).
62 Professional networking Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014); Mozhgani, F., Heirany, F., &
Ardakani, S. S. (2014); Steyn, B., & Plant, K. (2009); Upadhyaya, P., Shakya, S., &
Pokharel, M. (2012).
63 Reluctance of management to train staff Salehi, M., & Husini, R. (2011); Steyn, B., & Plant, K. (2009).
64 Resistance to change of employees/organization Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014); Steyn, B., & Plant, K. (2009);
Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).
65 Size of organization Alkebsi, M. A. A., Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014);
Mahzan, N., & Veerankutty, F. (2011); Maria, E., & Hariyani, Y. (2011); Maria, E.,
& Ariyani, Y. (2014); Razi, M. A., & Madani, H. H. (2013); Wahdan, M.A.,
Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).
66 Specific Awareness at IT department level Al Lawati, A., & Ali, S. (2015); Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K.
(2013); Upadhyaya, P., Shakya, S., & Pokharel, M. (2012).
67 Unclear job description Ismail, N. A., & Abidin, A. Z. (2009); Majdalawieh, M., & Zaghloul, I. (2009);
Maria, E., & Ariyani, Y. (2014); Puspasari, D., & Yuwono, B. (2013); Upadhyaya,
P., Shakya, S., & Pokharel, M. (2012); Wahdan, M.A., Spronck, P., Ali, H. F.,
Vaassen, E., Herik, H.J. van den. (2008).
68 Unclear, fuzzy or overlapped Business demands Al Lawati, A., & Ali, S. (2015); Majdalawieh, M., & Zaghloul, I. (2009); Rafiei, G.
H., & Moeinadin, M. (2014).
69 Very diverse IT technological landscape(chaotic/basic/heterogeneous/sophisticated) Abu-Musa, A. A. (2008); Al Lawati, A., & Ali, S. (2015); Ismail, N. A., & Abidin,
A. Z. (2009); Mahzan, N., & Veerankutty, F. (2011); Majdalawieh, M., & Zaghloul,
I. (2009); Maria, E., & Hariyani, Y. (2011); Maria, E., & Ariyani, Y. (2014);
Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014); Purwoko, P. (2011); Salehi,
M., & Husini, R. (2011).
Appendix C
This appendix provides a comprehensive overview of the whole coding process.
Table 14: The complete matrix of the concepts
Selective Coding Axial Coding Open Coding
Legislation Laws and legal framework Confusing/Cumbersome/Lack of laws(7)
Government support to implement/spread the law(7)
Regulations Lack of IS Audit regulations (3)
Confusing/contradictory IS Audit regulations (4)
Policy and standards IS Audit Policy Lack IS Audit Policies (2)
Limited compliance with IS Audit policies (2)
Lacking or poor implementation of IS Audit policies (2)
Lack of best practices (4)
IS Audit Standards Lacking adoption of Standards in the IS Audit Field (7)
Poor or partial implementation of IS Audit Standards (3)
Organizational Cost High Cost of IS Audit Implementation/Execution (6)
Costs of IS Audit outsourcing (3)
Lack of money to buy IS Audit tools (4)
Business characteristics Size of organization (6)
Lack of business competition (3)
IS Audit is not implemented in the business Processes (6)
Low adoption level of IS Audit(2)
Unclear, fuzzy or overlapped Business demands (3)
Organizational and Work Culture (2)
Management Lack of management help/support/commitment (13)
Management intrusion/negative pressure on IS Audit (3)
Low interest of management in IS Audit (4)
Delay/Ignore the mitigation of reported IS Risks (3)
Different Management style(Arab countries) (1)
Different agenda of the management (4)
Human Resource Management (5)
Technology Very diverse IT technological landscape(chaotic/basic/heterogeneous/sophisticated) (10)
Cumbersomeness of IS audit implementations (4)
Difficulty to adapt the Western technologies to local needs (5)
Lack of IS Audit tools and related automation (4)
Human Resources Employees perception of IS Audit Obstruction or wrong perception of IS auditor(seen as cop/inspector/controller) (6)
Misunderstanding of IS Audit(role/benefits/scope) (8)
Little or no cooperation/communication with stakeholders (7)
Obsolete/Need for a Continuous update of IS Audit (2)
IS Audit Job Lack of human/budget resources (9)
Lack of professional ethics/code of conduct (6)
Unclear job description (6)
High pressure on IS Auditor independence/objectivity/identity (8)
Motivation factors(Workplace/salary/benefits) for IS Auditor (4)
Lack of qualified and competent IS audit staff (7)
Job related Skills Lack of experience and proper reporting of findings in IS Audit (3)
Lack of ability to approach complex information systems (9)
Lack of IT modern experience and expertise (5)
Lack of understanding of IS Risks (8)
Lack of knowledge to incorporate/implement the IS audit (3)
Lack of interest in using IT for IS Audit (4)
Educational Academic Insufficient local academic research in the field of IS Audit (4)
Not adapted university curricula to accommodate IS Audit (5)
Need for more specialized education at university level in IS Audit (6)
Low level of quality of the IS graduates (3)
IS Professional training and certification Lack of professional bodies at the national level (6)
Lack of continuous training in IS Audit (7)
Lack of training in the IT/new technologies (6)
Lack of training in IS Audit specific tools (5)
Reluctance of management to train staff (2)
IS Technical knowledge Lack of modern/up-to-date knowledge (2)
Low level of knowledge of highly specialized technologies (2)
Lack of general IT Knowledge (5)
Lack of continuous development of the IT technical knowledge (4)
Knowledge base Obstructed transfer of IS audit Know-how in the local language (3)
Lack of documentation of successful projects (2)
Need for a Knowledge base at national level in the local language (5)
Professional networking (4)
Cultural Change Perception Resistance to change of employees/organization (3)
Cultural and Religious barriers (5)
Cultural-related hierarchical issues (3)
Awareness Employee general awareness of IS Audit (7)
Specific Awareness at IT department level (3)
Awareness at national authorities level (2)