The Effect of Internal Auditors’ Information Technology Knowledge on Integrated Internal Audits

While the relationship between Information Technology (IT) knowledge and integrated internal auditing has been acknowledged, there is a limited understanding of the process by which IT knowledge enables the integrated approach. Furthermore, research has not yet identified which specific types of IT knowledge are most salient for facilitating the integrated approach. Addressing these issues, the purpose of this article is to investigate the effect of internal auditors’ IT knowledge on integrated internal audits. The data used to test the research model were acquired from the Institute of Internal Auditors (IIA), through their Global Audit Information Network (GAIN) Annual Benchmarking Study (ABS) database for the years 2007 through 2009. Results suggest that knowledge of key IT risks and application controls have a significant impact on the level of integrated internal audits. Based on these results, internal audit managers should allocate training budgets toward increasing knowledge of IT risks and application controls. From a theoretical perspective, the results extend the generalizability of shared mental models theory to the internal auditing domain.


Introduction
As organizational Information Technology (IT) architecture has evolved, business processes have become increasingly wired into the underlying IT infrastructure of the firm, resulting in a complex tie between business processes and IT (Ross, 2003; Venkatesh, 2006). Responding to this trend, researchers in the internal audit domain argue that, rather than conducting separate and isolated business and information technology (IT) audits (referred to hereafter as the segregated approach), IT audit and business audit activities should be integrated and executed as a single business/IT audit (referred to hereafter as the integrated approach) (Chaney & Kim, 2007; Rehage, Hunt & Nikitin, 2008; Helpert & Lazarine, 2009). Since the integrated approach simultaneously considers business processes and IT, as well as the interdependency between manual and technology-based controls, it is more likely to identify material risks and provide more comprehensive solutions (Chaney & Kim, 2007; Helpert & Lazarine, 2009; Brand & Sagett, 2011). In addition, the integrated approach offers the potential to increase audit efficiency, as audits of IT-driven processes can be conducted together with fewer auditors (Chaney & Kim, 2007; Helpert & Lazarine, 2009; Brand & Sagett, 2011).
Despite the changing landscape of business/IT architecture and the purported benefits of integration, however, internal audit departments typically do not use the integrated approach (Chaney & Kim, 2007; Helpert & Lazarine, 2009; KPMG, 2009). Rather, the segregated approach, in which separate business and IT audits are conducted and then combined during the reporting phase (Helpert & Lazarine, 2009), remains the dominant approach globally (KPMG, 2009). One potential reason for the limited use of the integrated approach is that internal business auditors (Note 1) lack the requisite IT knowledge (Baker, 2007; Scharf, 2007; Helpert & Lazarine, 2009), as the IT knowledge possessed by business auditors can provide the necessary foundation for executing the integrated approach (Chaney & Kim, 2007).
While the relationship between IT knowledge and the integrated approach is acknowledged, the knowledge base is limited regarding why business auditors' IT knowledge enables the integrated approach. Moreover, prior research has not identified which specific types of IT knowledge business auditors should have in order for internal audit organizations to use the integrated approach. Addressing these issues, the current study contributes to the academic literature by examining the relationship between business auditors' IT knowledge and organizational use of the integrated approach. Leveraging absorptive capacity theory and shared mental models theory, this article provides theoretical rationale explaining why business auditors' IT knowledge positively impacts use of the integrated approach (Cohen & Levinthal, 1990; Roberts, Galluch, Dinger & Grover, 2012). The research model positions encouragement to learn IT as a driver of four distinct IT knowledge types (IT risk knowledge, IT application controls knowledge, IT audit software productivity knowledge, and IT general controls knowledge), which are then positioned as direct antecedents of the integrated approach. Empirical testing of the research model, which involved analysis of 584 responses to survey data acquired from the Institute of Internal Auditors' (IIA) Global Audit Information Network (GAIN) Annual Benchmarking Study (ABS) database, suggests that business auditors need IT risk and IT application controls knowledge even when IT auditors are present.
The results hold important implications for researchers as well as practitioners across the globe interested in implementing the integrated approach. From a practical perspective, by empirically demonstrating the link between IT knowledge and integrated audits, this article validates the importance of IT knowledge for business auditors in order for internal audit organizations to use the integrated approach. In addition, this paper extends academic research by providing theoretical rationale explaining why business auditors need IT knowledge as a prerequisite for implementing the integrated approach.

Overview of the Integrated Approach
A significant component of internal audit planning is determining the depth of integration between IT and business audit activities. Part of this decision is choosing whether or not the IT audit will be conducted on a stand-alone basis or integrated with the business audit. Internal audit managers can typically choose from three integration scenarios: low integration, partial integration, and high integration (Rehage, Hunt & Nikitin, 2008). In the low integration approach, IT audits are isolated and have their own audit universe and scope. IT audit activities, such as reviewing IT general and application controls, are conducted and planned by a separate IT audit team. In the partially integrated approach, IT auditors and business auditors work together and conduct application reviews together. In the highly integrated approach, IT audit activities are conducted within business audits. IT audit activities are planned and executed by an internal audit team possessing both business and IT audit knowledge. Integrated audits are distinguished by a high degree of collaboration and interactivity between business auditors and IT auditors.
Under the integrated approach, audits focus simultaneously on an organization's financial, operational, and IT controls and processes. According to Helpert and Lazarine (2009), "integrated audits not only save time and money, they also address true business risks in thoroughly integrated findings" and are more "likely to identify points of exposure". The integrated approach generates a comprehensive audit plan in which IT risks are assessed in conjunction with audits of the supported business areas (Marks & Taylor, 2009). As a result, the integrated approach results in more efficient and effective audits, which is especially important during a time of lower budgets (PricewaterhouseCoopers, 2009). By addressing IT and business risks concurrently, integrated audits allow internal audit departments to more holistically consider and evaluate risk and focus audit efforts on high impact areas, thereby enabling a better understanding of the overall system of controls supporting key business processes (Brand & Sagett, 2011).
Case studies in the internal audit domain further substantiate the benefits of the integrated approach. For example, UBS investment bank moved from a traditional segregated approach to an integrated approach (Lierhaus, 2011). The initial segregated approach was characterized by separate IT audit and business audits. This approach resulted in several problems, including less acceptance of the IT audit by business auditors, repetitive coverage of IT risks, longer reporting periods, as well as difficulty scoping IT general controls. Due to these problems, UBS moved from a segregated approach to an integrated approach. The integrated approach adopted by UBS had the following characteristics:
• IT audit scope focused on important audit objectives, regardless of whether or not these were business or IT audit objectives.
• IT auditors and business auditors planned audits together. IT and business auditors attended meetings with business and IT management.
• IT auditors and business auditors performed walkthroughs together in order to fully understand all aspects of the business and process flow.
• IT auditors and business auditors jointly assessed key audit issues and created combined working papers.
After adopting the integrated approach, the internal audit department at UBS realized several benefits. IT general controls were covered as part of business process reviews, resulting in a greater ability to assess the risk of IT general control weaknesses associated with those business processes. Second, the integrated approach facilitated greater communication between business auditors and IT auditors, resulting in joint planning and testing as well as a better understanding of IT and business processes. Finally, there was a change in the perception of IT issues: IT risks were perceived as business risks, not just IT risks.
Although the integrated approach may represent the optimal scenario, all too often, audit departments are segregated and operate in 'silos' (KPMG, 2009). Segregated audits are not one thoroughly integrated audit, but two separate reviews: a business audit of the organization's financial and operational control processes and another of the organization's IT controls and processes (Chaney & Kim, 2007; Helpert & Lazarine, 2009). In the segregated approach, business auditors and IT auditors typically conduct their own risk assessments and then subsequently staff and perform the audit independently (Brand & Sagett, 2011). Business auditors and IT auditors communicate separately and produce their own separate audit documentation (Brand & Sagett, 2011). The resulting audit documentation is then delivered to different stakeholders, with the business auditor report typically delivered to the manager of the business process (e.g., payroll manager) and the IT auditor report delivered to IT leadership (Brand & Sagett, 2011). As such, audit results may not be shared across business/technology clients (Brand & Sagett, 2011).
Since IT audit activities and business audit activities are conducted separately, segregated audits often fail to account for the relationship between manual and automated controls and may result in the appearance of a disconnected audit team (Chaney & Kim, 2007; Helpert & Lazarine, 2009). Rather than collaboratively evaluating the business risks and providing a holistic perspective on risk, IT auditors and business auditors produce their own findings independently and then combine audit findings in a fragmented manner during the reporting phase. Furthermore, since the audit reports go to different managers, the segregated approach may result in missed opportunities to uncover risks that may have a significant impact when considered holistically for the entire process (Brand & Sagett, 2011).

IT Knowledge Requirements for Business Auditors
IT auditors concentrate audit efforts on the technical aspects of an organization's information systems and are responsible for reviewing the efficiency and effectiveness of computer-based controls, compliance with policies and regulations, and the organization's use of IT (Merhout & Buchman, 2007). On the other hand, business auditors generally focus on financial concerns, improving operational performance or compliance issues (Merhout & Buchman, 2007). These role differences naturally imply that business auditors and IT auditors have different knowledge structures (Curtis & Viator, 2000; Hunton, Wright, & Wright, 2004). For example, since IT auditors focus on auditing the technical aspects of an organization's information systems, they need "category 3" knowledge (Richards et al., 2005), including deep knowledge of application controls, IT risks, IT general controls and IT audit productivity software. On the contrary, business auditors typically develop expertise in generally accepted accounting principles (GAAP) and generally accepted auditing standards (GAAS).
Although IT auditors are expected to possess a more thorough understanding of IT controls and processes, IT competency remains a critical element of the business auditor's skill set (Richards et al., 2005). Richards et al. (2005) maintain that business auditors need "category 1" knowledge, which encompasses the following:
1) Basic IT knowledge, such as understanding differences in application software; knowledge of operating systems, systems software, and networks.
2) Knowledge of IT risks and basic IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls.
3) Knowledge of business controls and assurance objectives, which can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components.
Analysis of these statements from Richards et al. (2005) suggests that while business auditors do not need extensive IT knowledge ("category 3" knowledge), they still need knowledge of IT general controls, such as intrusion detection systems, knowledge of application controls, and knowledge of IT risks. As such, these "category 1" knowledge requirements form the basis for classifying the types of IT knowledge needed by business auditors: IT general controls knowledge, IT application controls knowledge, IT risk knowledge, and IT audit productivity software knowledge. This four-factor classification is based on the recommended IT knowledge for business auditors (Richards et al., 2005). Table 1 provides a mapping from the "category 1" knowledge statements provided by Richards et al. (2005) to the four-factor IT knowledge classification used in this research.
IT general controls knowledge applies to knowledge of systems components, processes, and data for a given organization or systems environment (Hall, 2011). Examples of IT general controls knowledge include knowledge of controls over operating systems, systems software, and networks (Hall, 2011). IT general controls knowledge also encompasses knowledge of IT security and control components such as perimeter defenses, intrusion detection, and authentication (Richards et al., 2005; Bellino et al., 2007; Hall, 2011). IT application controls knowledge, on the other hand, pertains to knowledge of the controls within the application. Specific examples of IT application controls knowledge include knowledge of input controls (data validation checks), processing controls (e.g., batch controls), and output controls (Bellino et al., 2007). Business auditors also need to possess knowledge of IT risks to complete IT risk assessments as well as an understanding of how IT risks impact business operations (Richards et al., 2005; Bellino et al., 2007).
In addition to the "category 1" knowledge suggested by Richards et al. (2005), business auditors also need the ability to use IT as a resource in the performance of audit work (Richards et al., 2005; Juergens et al., 2006). Business auditors need to understand how to use two types of software designed to increase the efficiency of the audit: audit facilitators and testing accelerators (Juergens et al., 2006). Audit facilitators help support the overall management of the audits, and include specific applications such as Microsoft Excel and Microsoft Word. Testing accelerators are tools that automate the performance of audit tests, such as data analysis software or security analysis tools. By using testing accelerators, business auditors can quickly analyze relevant records and files, and analyze stored data and check its validity to ensure the continuous, reliable operation of internal controls. Testing accelerators are especially useful during fraud investigations as this software typically provides additional analytical capabilities, such as Benford's Law, useful for detecting certain irregularities (Askelson et al., 2009).

(Hall, 2011). IT infrastructure includes operating systems, systems software, and networks (Hall, 2011). As such, knowledge of controls over IT infrastructure (e.g., controls over operating systems, systems software, and networks) relates to knowledge of IT general controls (Hall, 2011).
Business auditors need knowledge of IT risks and basic IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls (Richards et al., 2005).

• IT risk knowledge
• IT general controls knowledge
• IT application controls knowledge

• Knowledge of IT risk directly relates to IT risk knowledge.
• Basic IT security and control components are classified as IT general controls (Hall, 2011). As such, knowledge of specific IT security controls such as perimeter defenses, intrusion detection, and authentication relate to IT general controls (Hall, 2011).
• Controls over the application are classified as application controls (Hall, 2011). As such, knowledge of application system controls is classified as IT application controls knowledge (Hall, 2011).
Business auditors need knowledge of business controls and assurance objectives, which can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components (Richards et al., 2005).

While past work has established the benefits of the integrated approach and has extolled the importance of business auditors' IT knowledge, there is no research to our knowledge that investigates the role of business auditors' IT knowledge in progressing toward the integrated approach. In the following section we establish a theoretically grounded research model explaining how and why business auditors' IT knowledge impacts the integrated approach. In doing so, we consider the four IT knowledge types to be direct antecedents of adopting the integrated approach.

Theoretical Background and Hypothesis Development
Absorptive capacity is considered one of the most important concepts to emerge in organizational research in recent years (Lane et al., 2006). Originally introduced by Cohen and Levinthal (1989), the concept refers to the ability of an organization or sub-unit to identify valuable external knowledge, assimilate that knowledge into its existing knowledge base, and apply that knowledge through innovation and action (Roberts et al., 2012). The theoretical tenets of absorptive capacity argue that enhancing absorptive capacity necessarily involves encouraging exposure to new knowledge through formal and/or informal structures (Cohen & Levinthal, 1990). According to absorptive capacity theory, the development of IT knowledge is considered a path-dependent and socially-complex process (Ray, Barney, & Muhanna, 2004), and the individual's professional social network is identified as a key aspect of his/her exploratory learning environment (Rhee, 2004; Skerlavaj, Dimovski, & Desouza, 2010). By signaling future benefits for learning new innovations (Rousseau, 2004), organizational encouragement to learn IT can have a pronounced impact on learning outcomes. Consistent with this line of reasoning, past research in the human resources and management disciplines maintains that encouragement to learn has a direct influence on organizational members' subsequent knowledge development across knowledge types (e.g., Ellstrom, 2001; Antonacopoulou, 2002). Applying these findings to the internal audit domain suggests that business auditors who are encouraged to learn IT will possess greater IT knowledge. Accordingly, we expect that encouragement to learn IT will positively influence the presence of the four different types of IT knowledge under examination and hypothesize:
H1a: Encouragement to learn IT will have a positive impact on IT general controls knowledge.
H1b: Encouragement to learn IT will have a positive impact on IT application controls knowledge.
H1c: Encouragement to learn IT will have a positive impact on IT audit productivity software knowledge.
H1d: Encouragement to learn IT will have a positive impact on IT risk knowledge.
Internal audit teams can implement the integrated approach in several ways. The first path involves providing extensive IT controls training to business auditors in order to create hybrid internal auditors who possess both IT control and business process competencies (Chaney & Kim, 2007; Helpert & Lazarine, 2009). In this scenario, the need for business auditors to possess extensive IT competency is obvious as business auditors without such knowledge would be unable to assess IT controls and IT risk. Relating this line of reasoning to absorptive capacity theory indicates that business auditors must possess the requisite IT competencies in order to assess IT controls and risk (Roberts et al., 2012). Further, the IT knowledge underpinning internal business auditors' absorptive capacity should enable the reconfiguration of business and IT audits into an integrated audit (Roberts et al., 2012). Since they have the requisite IT knowledge, business auditors possessing both IT controls and business process knowledge will be better able to evaluate IT-based controls in a single integrated audit (Chaney & Kim, 2007; Helpert & Lazarine, 2009).
Another approach to implement the integrated approach would be to include IT auditors on the internal audit team either through a co-sourcing arrangement or by including a guest IT auditor on the team (Brand & Sagett, 2011). By including an IT auditor on the internal audit team, the internal audit manager can increase the IT knowledge of the team as the IT auditor would presumably possess the requisite IT knowledge in order to evaluate IT controls and IT risk. In this scenario, business auditors and IT auditors work together on the same team and assess risk holistically.
Since internal audit managers could include an IT auditor on the internal audit team in order to implement the integrated approach, why do internal business auditors still need IT knowledge? Shared mental models theory provides valuable insight into this question. Shared mental models represent a common knowledge base shared by team members (Cannon-Bowers, Salas, & Converse, 1993; Klimoski & Mohammed, 1994; Mohammed, Klimoski, & Rentsch, 2000; Mathieu, Goodwin, Heffner, Salas & Cannon-Bowers, 2000; Mathieu, Goodwin, Heffner, Salas & Cannon-Bowers, 2005). Sharedness of mental models refers to the extent to which team members' mental models are consistent with one another. Shared mental models create overlapping knowledge structures which serve as a basis for diverse groups to communicate with one another (Davis, Kettinger, & Kunev, 2009). As a result of their shared mental models, team members with diverse backgrounds can work together more efficiently and therefore boost team performance (Stout, Cannon-Bowers, Salas, & Milanovich, 1995; Marks, Zaccaro, & Mathieu, 2000; Mathieu et al., 2000; Marks, Sabella, Burke, & Zaccaro, 2002; Mathieu et al., 2005).
With regard to the relationship between business auditors' IT knowledge and the integrated approach, the differences between IT auditors' and business auditors' knowledge structures may result in communication problems (Curtis & Viator, 2000; Hunton et al., 2004), thereby making use of the integrated approach problematic. These differences in knowledge structures may not only lead to communication problems, but could also make it more difficult for business auditors to incorporate IT control deficiencies and risks into their planning judgments. Brazel and Agoglia (2007) find that business auditors with more IT knowledge can assess the expertise of the IT auditor and appropriately adjust his or her reliance on that auditor. Similarly, O'Donnell, Arnold, and Sutton (2000) examined group decision making with internal control risk assessments in computerized environments. They found common information-sampling bias, in which the group focuses on information shared by most in the group and focuses less attention on information known by only one group member. This finding suggests that an IT auditor's advice and recommendations may be ignored by the group, if the IT auditor is the only one who possesses the IT knowledge. These problems may make it harder for IT auditors and business auditors to work together, and thereby introduce problems with using the integrated approach.
Greater overlap in knowledge structures, on the other hand, could enable the integrated approach by forming the foundation for a shared vocabulary, ultimately resulting in more effective communication and coordination (Preston, 2004). Business auditors with greater IT competency will be able to better communicate with IT auditors, as they will not only be able to understand technical jargon, but also be better able to understand the implications of IT risks and control deficiencies. Further, business auditors' IT knowledge may improve the relationship between business auditors and IT auditors. In order for different groups to effectively communicate and work together, each group needs to possess a basic level of knowledge about the domain of the other groups (Huber & Lewis, 2010); lack of such fundamental knowledge can lead to communication problems and misunderstanding (Cronin & Weingart, 2007). On the contrary, constructive opinions about a group's knowledge can foster positive emotions towards that group, thereby leading to better communication and collaboration (Bradach & Eccles, 1989; Sundaramurthy & Lewis, 2003; Lindenberg & Foss, 2011).
Chatterjee, Grewal, and Sambamurthy (2012) maintain that shared knowledge is an important factor underlying the differential success enjoyed by firms in technology assimilation; without shared knowledge, firms are unlikely to successfully use new innovations. Applying these findings to the link between shared knowledge and integrated audits indicates that business auditors' IT knowledge can lead to a common knowledge base with IT auditors, which can then lead to higher levels of communication and coordination. Since knowledge overlap and information exchanges are related to an organization's ability to use new innovations (Boynton, Zmud, & Jacobs, 1994; Chatterjee et al., 2012), higher levels of shared knowledge between IT auditors and business auditors can lead to greater use of new innovations, such as the integrated approach (Boynton et al., 1994; Chatterjee et al., 2002).
Overall, shared mental models theory coupled with prior research on IT auditor and business auditor interactions suggests that increasing the IT competency of business auditors should reduce communication problems between IT and business auditors and improve the overall effectiveness of the audit. Higher levels of coordination between IT auditors and business auditors can lead to higher assimilation of new innovations, such as the integrated approach (Boynton et al., 1994; Chatterjee et al., 2002). Based on this body of research, the following hypotheses are provided:
H2a: IT general controls knowledge will have a positive impact on the level of IT integration.
H2b: IT application controls knowledge will have a positive impact on the level of IT integration.
H2c: IT audit productivity software knowledge will have a positive impact on the level of IT integration.
H2d: IT risk knowledge will have a positive impact on the level of IT integration.

Integration approach: The degree to which IT audit activities are incorporated as part of business process internal audit engagements. (Rehage et al., 2008)
Encouragement to learn IT: The degree to which business auditors are encouraged to seek IT training. (Cohen and Levinthal, 1990)
IT risk knowledge: The degree to which business auditors possess knowledge of IT risks. (Richards et al., 2005)
IT application controls knowledge: The degree to which business auditors possess IT application controls knowledge. (Richards et al., 2005)
IT general controls knowledge: The degree to which business auditors possess IT general controls knowledge. (Richards et al., 2005)
IT audit productivity software knowledge: The degree to which business auditors possess IT audit productivity software knowledge (e.g., generalized audit software knowledge). (Richards et al., 2005; Juergens et al., 2006)

Sample
Following prior accounting research on issues related to internal auditing (Prawitt, Smith, & Wood, 2009; Lin, Pizzini, Vargus, & Bardhan, 2011), the data used to test the research model were collected by the IIA through their GAIN ABS (https://na.theiia.org/services/gain/pages/gain-benchmarking.aspx) survey for the years 2007 through 2009 (Note 2). The GAIN ABS database consists of Chief Audit Executives' (CAE) responses to a comprehensive survey designed to measure various aspects of an organization's internal audit activities. The annual survey captures information regarding several IT-related topics including IT-related training approaches, possession of IT knowledge, and depth of IT-business audit integration. The GAIN ABS covers a wide range of institutions including publicly traded companies, private companies, educational institutions, as well as governmental institutions and includes participants from 16 industries, over 100 sub-industries, and over 40 countries. The data in GAIN's ABS are submitted to several validation measures including input controls within the questionnaire itself as well as manual procedures and reasonableness tests performed once the data is submitted. Demographic data and organizational information is restricted unless permission is explicitly obtained from the participant (Note 3). The initial dataset contained 1457 records. To err on the side of conservatism, the dataset was cleansed by removing any response set containing a missing value. In addition, any response set without an IT auditor on staff was also removed. This approach resulted in 584 complete and usable remaining responses available for model testing.

Operationalization of Independent and Dependent Variables
As shown in Appendix A, the encouragement to learn construct is operationalized using a single item, EncouragementoLearnIT. ITRiskKnowledge, the IT application controls knowledge construct is operationalized by a single item, ITknowledgeApplication. The dependent variable, level of IT integration (i.e., integration approach), is a reflective construct operationalized with three items: ITemphasis, IntegrationApproach, and UnderlyingConsideredReview.

Conceptual Orientation of Constructs
Jarvis, Mackenzie and Podsakoff (2003) offer the following four criteria for determining the conceptual orientation (i.e., reflective/formative) of a construct: 1) direction of the causality from the construct to the indicators, 2) interchangeability of the indicators, 3) degree of covariation among the indicators, and 4) the nomological net of construct indicators. Application of these rules indicates that IT general controls knowledge and IT audit productivity software knowledge are each formative, whereas level of IT integration is reflective. IT risk knowledge and IT application controls knowledge are measured with a single item (Note 5).
The reflective/formative orientation of each construct is elaborated upon in Appendix B.

Measurement Validation
Partial Least Squares (PLS) was used to assess the measurement and structural models. PLS was chosen because it deals with both reflective and formative indicators and has been used in prior accounting information systems research (Henderson, Sheetz, & Trinkle, 2011; Lee, Petter, Fayard, & Robinson, 2011; Henderson, Sheetz, & Trinkle, 2012). PLS is also useful for our analysis as it makes limited distributional assumptions (Lee et al., 2011) and is useful for exploratory research (Gopal, Bostrom, & Chin, 1992; Gefen, Straub, & Boudreau, 2000; Chin, Marcolin & Newsted, 2003; Castro-Lucas, Diallo, Leo, & Phillippe, 2013). This research uses new constructs that could be construed as exploratory as they have never been operationalized or included in prior empirical research. The measurement and structural models were assessed using Smart PLS version 2.0 beta (Ringle, Wende, & Will, 2005).
Following Henderson et al. (2012), the first stage of the analysis concentrated on evaluating the measurement properties of the reflective constructs with more than one item. To ensure adequate convergent validity, all item loadings (outer loadings) should be greater than 0.7, indicating that more than half of the variance is captured by the constructs (Agarwal & Karahanna, 2000; Bassellier & Benbasat, 2004). Accordingly, the following two items were removed from the level of IT integration construct because their respective loadings were below 0.7: INTEG1 (0.676) and INTEG3 (0.577) (Note 6). The cross-loadings for all items are shown in Appendix C.
Discriminant validity was evaluated by determining whether each item loads more strongly on its target construct than on any other construct in the model (Fornell & Larcker, 1981). All items meet this requirement. Furthermore, discriminant validity was evaluated via inspection of the latent variable correlations matrix. As shown in Table 3, the correlations among the constructs are relatively low (all correlations are less than 0.35), suggesting adequate discriminant validity (Note 7). Multicollinearity was investigated as the final step in the assessment of the measurement model. Variance inflation factors were calculated and since none of them are above 3, multicollinearity is not a problem with this data set (Diamantopoulos & Winklhofer, 2001) (Note 8).

Structural Model Results
The second stage of analysis focused on determining which types of IT knowledge significantly impact the integrated approach. T-statistics used to interpret the significance of the path coefficients and the outer weights were generated via the bootstrap procedure in PLS (Chin, 1998). As shown in Figure 2, encouragement to learn IT has a positive impact on IT risk and IT application controls knowledge, thus providing support for hypotheses H1b and H1d. With regard to hypotheses H2a through H2d, IT risk knowledge has the strongest impact, followed by IT application controls knowledge; these results support hypotheses H2b and H2d. H2a and H2c are not supported, suggesting that IT general controls knowledge and IT audit software knowledge do not significantly impact the level of IT integration.
Figure 2. Structural model results

Additional Analysis
The insignificant path coefficient from the IT general controls construct to the level of IT integration dependent variable is surprising, given the importance of IT security controls. Considering this unexpected result, additional analysis was conducted to determine if the three IT security-related items measuring the IT general controls construct (i.e., IT_GEN_KNOW1, IT_GEN_KNOW2, and IT_GEN_KNOW3) have a significant impact on the level of IT integration dependent variable apart from the other three IT infrastructure-related items (i.e., IT_GEN_KNOW4, IT_GEN_KNOW5, and IT_GEN_KNOW6). To conduct this analysis, the six items initially measuring the IT general controls construct were separated into two constructs: an IT security controls construct, formed by IT_GEN_KNOW1, IT_GEN_KNOW2, and IT_GEN_KNOW3, and an IT infrastructure knowledge construct, formed by IT_GEN_KNOW4, IT_GEN_KNOW5, and IT_GEN_KNOW6. Results from this analysis suggest that neither the IT infrastructure knowledge construct nor the IT security knowledge construct has a significant impact on the level of IT integration dependent variable (Note 9). Thus, it appears that knowledge of IT general controls (IT security knowledge and IT infrastructure knowledge) does not have a significant impact on the integrated approach.

Discussion
Our results indicate that business auditors are encouraged to further their knowledge of IT application controls and IT risks, but are not encouraged to develop a better understanding of IT general controls or IT audit software productivity. This result indicates that business auditors are being encouraged to seek the proper training since IT application controls knowledge and IT risk knowledge, but not IT general controls knowledge or IT audit software productivity knowledge, impact the integrated approach.
The significance of IT risk knowledge and IT application controls knowledge validates the IIA's recommendations regarding the importance of IT control knowledge for internal auditors (IIA, 2011, Sec. 1210.A3). IT risk knowledge has the strongest impact on the integrated approach, suggesting that IT risk knowledge is most important for facilitating the integrated approach. As such, internal audit managers may want to allocate a larger share of IT training toward improving the identification of key IT risks as well as improving IT risk assessment skills. The importance of IT risk knowledge also underscores the need for business auditors to address all risks, technological and manual.
IT application controls knowledge also has a significant impact on the integrated approach, suggesting that IT application controls knowledge is important for implementing the integrated approach. As such, internal audit managers may also want to increase training oriented toward increasing application controls knowledge. The significance of application controls knowledge confirms findings from prior academic research that business auditors place a significant emphasis on application processing controls (Hermanson, Hill, & Ivancevich, 2000; Abu-Musa, 2008).
Contrary to expectations, IT audit productivity software knowledge does not have a significant effect on the integrated approach, suggesting that IT audit productivity software knowledge is not as important for implementing the integrated approach. One potential reason for this finding is that IT auditors may serve as knowledge repositories, assisting business auditors with data analysis, data extraction, and writing custom scripts. In this case, IT auditors, rather than business auditors, would need strong audit productivity software knowledge.
Similar to IT audit productivity knowledge, IT general controls knowledge does not have a significant effect on the level of IT integration, suggesting that IT general controls knowledge is not as important for implementing the integrated approach. The non-significance of IT security controls is surprising given that internal auditors frequently assess data integrity, privacy and security (Hermanson et al., 2000; Abu-Musa, 2008). One potential reason for non-significance of IT general controls is that Auditing Standard 5 (AS5) distributed by the Public Company Accounting Oversight Board (PCAOB) recommends a top-down approach to controls testing that focuses on those internal controls most relevant to the risk of material misstatement (Jabulani, 2007). Since IT general controls have an indirect relationship with the risk of material misstatement, business auditors may spend less time auditing IT general controls under AS5 and more time testing application controls (Jabulani, 2007).
A second reason for the non-significance of IT general controls knowledge is that on average, organizations in the sample are implementing a partially integrated approach (level 2 for the IntegrationApproach item in Appendix A), rather than the fully integrated approach (level 3 for the IntegrationApproach item in Appendix A). The average score for the IntegrationApproach dependent variable is 2.25 (slightly above the partially integrated approach), suggesting that on average, organizations in our sample are using a partially integrated approach. In a partially integrated approach, business auditors review the business processes and the IT auditors audit the system. Business auditors and IT auditors review each other's findings during the report writing phase, but the audit findings are grouped by business or IT. In this scenario, business auditors need to possess strong IT risk and application knowledge in order to review business processes, but may not need strong IT general controls knowledge since the IT general controls are reviewed separately by IT auditors. In contrast, in a fully integrated approach, the integrated audit begins during planning and scoping. Business and IT auditors meet frequently to discuss the systems/process findings and the impact on each other. Level 3 integration requires more frequent meetings and joint planning sessions between IT and business auditors in order to assess both IT application and general controls. As such, this approach may require that business auditors possess greater IT controls knowledge. As more organizations move toward greater levels of the integrated approach, we anticipate that IT general controls knowledge will become more salient.
The results of this article have both theoretical and practical implications. From a theoretical perspective, this study builds on the knowledge base by extending the generalizability of shared mental models theory to the internal audit domain. Our findings indicate that business auditors and IT auditors need knowledge overlap in the form of IT risk and application controls knowledge in order for internal audit managers to effectively use the integrated approach. Furthermore, our paper extends academic research by explaining why business auditors should have IT knowledge even when IT auditors are present. The results should encourage future accounting information systems research to consider shared mental models theory as a theoretical basis for understanding the importance of IT knowledge for business auditors.
From a practical perspective, by highlighting the most important types of IT knowledge required for implementing the integrated approach, the results of this article serve as a conceptual roadmap for internal audit managers who are interested in moving toward the integrated approach yet are challenged with allocating scarce training and development resources. While past research has discussed the importance of IT knowledge, as well as the importance of the integrated approach, this article combines these two research streams and addresses the roles of specific IT knowledge types. As such, companies need to develop integrated auditors who understand both IT controls and business processes (Chaney & Kim, 2007; Helpert & Lazarine, 2009). PricewaterhouseCoopers (2009) echoes this need and recommends that chief audit executives develop integrated internal audit departments in which business auditors possess IT control and audit skills rather than just being the domain of IT auditors. To begin solving these problems, internal audit managers need to assess the skill sets of business auditors and explore ways to enhance and broaden technological skills. Creating integrated auditors will require internal audit managers to allocate scarce training resources toward increasing IT knowledge. The results of this study can help internal audit managers pinpoint specific areas that should receive the greatest attention, in this case IT risk and IT application knowledge. Accounting educators also have a role to play. Developing integrated auditors will require educating accounting students about the IT environment, including organizational and administrative activities, infrastructure and environmental controls over how systems are linked, physical security over IT assets, and physical and logical access (Chaney & Kim, 2007).

Limitations
The primary limitations of this article revolve around the data acquired from the IIA's GAIN database. The IIA does not identify responding organizations in data that they share for research purposes. As such, the response data and exact demographics are unknown. Nevertheless, the GAIN database is subject to numerous validation checks, includes participants from 16 industries, over 100 sub-industries, and over 40 countries, and has been used in prior accounting academic research focusing on internal audit issues (Prawitt et al., 2009; Lin et al., 2011). These factors significantly increase our confidence in the generalizability and validity of the data in the GAIN database.
A second limitation revolves around measurement of the IT knowledge items. Several items were measured using a dichotomous scale, which naturally introduces deviations from a normal distribution. The data analysis technique, PLS, however, is useful for non-normal data (Chin et al., 2003). Further, several constructs in the research model are measured with single items. Single-item measures are useful in situations when constructs are unambiguous, focused (Sackett & Larson, 1990), concrete, and singular (Bergkvist & Rossiter, 2007). Under these conditions, Bergkvist and Rossiter (2007) argued that multiple-item measures may be unnecessary and found that single-item measures are as valid as multiple-item measures. Since these conditions hold true for the encouragement to learn IT construct, the IT risk knowledge construct and the IT application controls construct, multiple items for these constructs are unnecessary and single items are used.

Conclusion
As technology becomes increasingly embedded in business processes, business auditors need to develop the requisite technical knowledge to evaluate IT-based controls and processes (Curtis, Jenkins, Bedard, & Deis, 2009). By identifying the types of IT knowledge that influence the integrated approach, the results of this study can help internal audit managers prioritize training and development resources. Rather than developing generic IT competencies, this article suggests that business auditors need to have IT risk knowledge and application controls knowledge. It is hoped that the results of this article will first enable internal audit managers to benchmark the existing IT knowledge base of their internal audit staff and then subsequently allocate scarce training and educational resources in the most effective manner.
Internal business auditors focus on financial concerns and improving operational performance, whereas IT auditors or IT audit specialists concentrate audit efforts on the technical aspects of an organization's information systems (Merhout & Buchman, 2007). Internal business auditors are hereafter referred to as "business auditors". Internal IT auditors or IT audit specialists are hereafter referred to as "IT auditors".

Notes
Note 2. The survey changes slightly from year to year; however, all the questions included in this study were unchanged from 2007 to 2009. As such, the authors were restricted to data for the years 2007, 2008, and 2009.
Note 3. To ensure the anonymity of participants, demographic data is not available for the GAIN ABS.
Note 4. Measurement of IT general controls knowledge takes into account the "Category 1" IT general controls knowledge discussed in Richards et al. (2005). While the IT general controls construct may exclude systems development, systems implementation, and systems maintenance and program changes, prior research has found that internal auditors evaluate these areas less frequently (Abu-Musa, 2008). On the other hand, items measuring IT general controls do capture the areas that internal auditors evaluate most frequently, such as data integrity, privacy, and security, IT asset safeguarding, and operating system/network processing (Abu-Musa, 2008).
Note 5. Single-item measures are useful in situations when constructs are unambiguous, focused (Sackett & Larson, 1990), concrete, and singular (Bergkvist & Rossiter, 2007). Under these conditions, Bergkvist and Rossiter (2007) argued that multiple-item measures may be unnecessary and found that single-item measures are as valid as multiple-item measures. Since these conditions hold true for IT application controls knowledge and IT risk knowledge and for Encouragement to learn IT, multiple items for these constructs are unnecessary and single items are used.
Note 6. After removal of these two items, all constructs are either formative or are measured with one item. Measurement properties are not necessary requirements for formative constructs (Diamantopoulos & Winklhofer, 2001; Rai, Patnayakuni, & Seth, 2006) or single-item constructs. Another measure of convergent validity is that the AVE for each construct should be greater than .5; however, since all constructs are either formative or measured with a single item, the AVE is 1.0 for constructs measured with single items and 0 for formative constructs. As such, we do not report the AVE scores.
Note 7. Another test for discriminant validity is that the square root of the AVE of a given construct is larger than its correlation with any other construct (Gefen & Straub, 2000). However, since all constructs in the research model are either formative or measured with a single item, the AVE is 1.0 for constructs measured with single items and 0 for formative constructs. As such, we omit the AVE scores from the latent variable correlation table.
Note 8. Multicollinearity was investigated at the individual item level and the construct level.
Note 9. R-squared did not change.

Figure 1
Figure 1 illustrates the research model and Table 2 defines and describes each construct in the research model.

Note 1.
Description: ELIT = Encouragement to Learn IT; APK = Audit Product Knowledge; DITI = Degree of IT Integration; ITAC = IT Application Controls; ITGC = IT General Controls; ITKR = IT Knowledge Risk.

Table 1.
Category 1 knowledge requirements mapped to four factor IT knowledge classification  IT general controls knowledge  Controls over IT infrastructure are classified as IT general controls

Table 2.
Summary of constructs in the research model