1

A Systematic Literature Review

of Information Systems Auditing in Developing Countries

Eugen Munteanu

Department of Computer and Systems Sciences

Degree project: 30 HE credits

Degree subject: IT Project Management

Degree project at the master level

Spring term 2016

Supervisor: Stewart Kowalski

Reviewer: Paul Johanesson

A Systematic Literature Review of

Information Systems Auditing in

Developing Countries

Eugen Munteanu

Abstract

Problem; with its main focus on ensuring the security, reliability, integrity, and privacy of the

information, the Information Systems Auditing plays a critical role in the health of any organization

from the developing countries. The recent business failures increased the interest of researchers on the

topic of information systems auditing. While some research exists, it focuses on particular cases from the

developing countries. Yet the academia lacks a comprehensive overview of the information systems

auditing in the context of developing countries. Research question; in this light, the perceived gap in the

existing literature raised the following research question: What are the current difficulties, issues and

challenges which are experienced by the developing countries in terms of Information Systems Auditing?.

Method; to facilitate answering the research question, the systematic literature review for information

systems research was undertaken in conjunction with the grounded theory-based rigorous approach to

systematic reviews. Result; the review analyzed a number of 23 articles spread over a period of ten year

and selected from six literature databases. By using the means of grounded theory, a number of six main

categories related to challenges, difficulties and issues were identified. Conclusion; this comprehensive

literature review shows that the developing countries are facing various challenges, difficulties and issues

with regards to Information Systems Audit, ranging from legislation, policies and standards to education

and cultural aspects. Originality and Significance; this study fills the gap in the body of knowledge

related to Information Systems Audit in developing countries. Based on the outcomes, this thesis suggests

a number of potential research directions which were found as not being previously researched.

Keywords

Systematic Literature Review, Grounded Theory, Information Systems Audit, Developing Countries.

Table of Contents 1. Introduction ......................................................................................... 1

1.1 Introduction to the researched topic ................................................................. 1

1.2 Research problem ........................................................................................... 2

1.3 Research question .......................................................................................... 3

1.4 Research aim ................................................................................................. 3

1.4.1 Scope and delimitation .............................................................................. 3

1.4.2 Organization of findings ............................................................................. 3

1.5 Limitations ..................................................................................................... 4

1.6 Research Contribution/Significance (Anticipated Contribution) .............................. 4

1.7 Thesis Structure ............................................................................................. 4

2. Extended background ........................................................................... 6

2.1 The Concept of Auditing .................................................................................. 6

2.2 Information Systems ....................................................................................... 7

2.3 Information Systems Auditing .......................................................................... 7

2.4 Developing countries ....................................................................................... 8

3. Methodology ....................................................................................... 10

3.1 Reasoning for choosing the Systematic Literature Review as research strategy..... 10

3.1.1 Alternatives to the chosen research strategy .............................................. 11

3.1.2 Research Ethics ...................................................................................... 11

3.2 Research Design ........................................................................................... 12

3.3 Applying the Systematic Literature Review method ........................................... 14

3.3.1 Literature Search (S3) ............................................................................. 15

3.3.2 Practical Screening (S4) .......................................................................... 17

3.3.3 Quality Appraisal (S5) ............................................................................. 19

3.3.4 Data Collection/ Extraction (S6) ............................................................... 21

3.3.5 Data Analysis/Analysis of Findings (S7) ..................................................... 22

3.3.6 Writing the Review (S8) .......................................................................... 24

3.4 Validity and reliability .................................................................................... 25

4. Literature Overview ........................................................................... 27

5. Analysis and Results .......................................................................... 29

5.1 Analysis of the articles by means of Grounded Theory (open, axial and selective

coding) ............................................................................................................. 30

5.1.1 Open Coding .......................................................................................... 30

5.1.2 Axial Coding ........................................................................................... 30

5.1.3 Selective Coding ..................................................................................... 31

5.2 State the identified codes (concepts) explicitly ................................................. 31

5.2.1 The codes explicitly stated ....................................................................... 32

5.2.2 The categories and sub-categories explicitly stated ..................................... 33

5.3 Present the results through concept matrices ................................................... 33

5.4 Identify strengths, weaknesses and gaps in the literature .................................. 35

5.4.1 Legislation ............................................................................................. 35

5.4.2 Policies and Standards ............................................................................. 36

5.4.3 Organizational ........................................................................................ 38

5.4.4 Human Resources ................................................................................... 41

5.4.5 Education .............................................................................................. 44

5.4.6 Cultural ................................................................................................. 47

6. Discussion .......................................................................................... 48

6.1 Alignment with the research aim .................................................................... 48

6.2 Refection on the research carried out .............................................................. 49

6.2.1 Reflections on the steps of SLR ................................................................. 50

6.2.2 Reflections on the analysis of data by means of Grounded Theory ................. 51

6.2.3 Final reflections on the research carried out ............................................... 51

6.3 The originality and the practical and theoretical significance of the contributions .. 52

6.4 Limitations of the study ................................................................................. 53

6.4.1 Ethical and social aspects ........................................................................ 54

6.5 Suggested areas for future research ............................................................... 54

7. Conclusion .......................................................................................... 56

References ............................................................................................. 57

List of appendices .................................................................................. 62

Appendix A ........................................................................................................ 62

Appendix B ........................................................................................................ 69

Appendix C ........................................................................................................ 77

List of Figures

Figure 1: The work system framework (Alter, 2008) ....................................................... 7

Figure 2: Systematic Literature Review (Source: Okoli and Schabram, 2010) .................. 14

Figure 3: Research methods ...................................................................................... 27

Figure 4: Highlighting the type of publications ............................................................. 27

Figure 5: Clarifying the time of publication .................................................................. 28

Figure 6: Geographical distribution of articles per continents ......................................... 28

Figure 7: The Diagram of the Main Categories ............................................................. 34

List of Tables

Table 1: Search Results (Hits) ................................................................................... 16

Table 2: Screening for Inclusion Questions .................................................................. 18

Table 3: Screening For Exclusion Questions ................................................................. 20

Table 4: Highlighting the Emerged Sub-Categories ....................................................... 33

Table 5: The final Main Categories .............................................................................. 33

Table 6: The classification of categories and sub-categories ........................................... 33

Table 7: Type of publications ..................................................................................... 62

Table 8: Methodology of chosen articles ...................................................................... 62

Table 9: Distribution of articles per continents ............................................................. 62

Table 10: Years of Publication for the chosen articles .................................................... 63

Table 11: Appendix A - Summary of articles filtered for data analysis ............................. 63

Table 12: The identified open codes............................................................................ 69

Table 13: Mapping of the Open Codes to the articles .................................................... 70

Table 14: The complete matrix of the concepts ............................................................ 77

Abbreviations

ASQ – American Society for Quality

GNP - Gross National Product

IEC – International Electrotechnical Commission

IMF - International Monetary Fund

IS – Information Systems

ISO – International Organization for Standardization

IT – Information Technology

MS - Microsoft

SLR – Systematic Literature Review

1. Introduction

This is the introductory chapter of this thesis aiming at providing an overview of the research conducted

in this thesis. Firstly, the research topic is introduced to the reader. Then, the problem is stated. Further,

the research aim and research question which drive the research work are presented. Finally, the

perceived limitations are briefly mentioned, the anticipated contribution is drawn and the structure of this

thesis is highlighted.

1.1 Introduction to the researched topic

Nowadays, most organizations, acting either in the private or public sector, recognize the strategic

importance of the information. They rely on the information systems to process the information produced

internally or retrieved from outside of the organization (Prakash and Sivamukar, 2014). Hence, the

information is seen as a core asset which must be protected if the organizations want to survive in their

area of business.

Recent major business failures, such as Enron, WorldCom, and Global Crossing, as well as the terrorist

incidents like “September 11, 2001”, showed that ensuring the integrity of the information systems plays

a crucial role (Lovaas and Wagner, 2012).

Moreover, the misconduct of business executives in some renown fraud cases like “Ponzi scheme” of

Bernie Madoff or falsification of financial statements of American International Group, led to situations

when the financial records were altered using the means of information systems (Cannon, 2011).

Therefore, the need for a strict control and audit of the information systems in use in the organizations

became critical in the last years. Also, there has been a lot of pressure put on the governments and

subsidiary regulatory bodies from the businesses, in order for them to have a clear, up-to-date legislation

framework and policies with a focus on information systems auditing (Lovaas and Wagner, 2012).

An audit of an organization’s information system (IS) is a review of the past records. The information

systems auditor is expected to proceed by following a clearly defined audit process, set up audit criteria,

collect the meaningful evidence and write a report on the findings in an objective and independent

manner. Further, this report is presented to the management of the organization. If the management agrees

with the results of the IS audit, then a mitigation plan is compiled and applied in order to avoid any IS-

related risk which may further jeopardize the existence of the business(Cannon, 2011).

Therefore, the information systems audit helps the organizations to closely monitor how they do business.

The information systems audit is also beneficial for the managers, employees, investors and other

stakeholders, because they are protected against any potential fraud or illegal activity. Additionally, they

can validate the security, reliability and privacy of the information systems implemented in the

organization (Lovaas and Wagner, 2012). Also, IS Audit is beneficial for the companies because has a

critical role in discovering the potential areas where a company could lack IS controls to avoid any

2

business disruption such as data corruption, data leaks, whistleblowing, and successful hacking attack

(Merhout and Havelka, 2008).

Furthermore, from the practical and technical perspective, the information systems audit relies on

information systems controls. These controls comprise the rules, policies and procedures adopted by the

management to ensure that the information systems are efficient and effective in order to reach the

business goals of the organization (Soltani, 2007). Hence, the purpose of the information systems audit is

to assess and document the performance of the information systems controls to safeguard the resources,

applications, data, critical systems and the infrastructure of the existing information systems of the target

organization (Aida Lope Abdul Rahman et. al., 2015).

The developing countries are hosting the majority of the world’s population and become progressively

more important in the context of increasingly interconnectivity and globalization (Walsham and Sahay,

2006). This is one of the reasons why the auditing of the information systems has to be taken very

seriously by businesses and governments from the developing countries.

The examples provided in the opening of this chapter are about corporate failures from United States of

America (Enron, WorldCom) and Europe(Ahold, Parmalat) (El-Sayed Ebaid, 2011). Also, media outlets

revealed stories about governments from the advanced countries affected by leaks of information

(WikiLeaks) or information systems compromised by weak controls. Such embarrassing situations would

have been avoided by putting in place and enforcing a proper audit of the information systems (Carlin and

Gallegos, 2007; Henry, 2010).

As it happened in the case of the advanced countries, the adoption and usage of the information

technology in the developing countries brings not only benefits and advantages. This process is also

accompanied by all the associated threats: fraudulent activities or cybercrime (Gercke, 2009).

Given the increasing trend toward global business, global outsourcing and globalization (Walsham and

Sahay, 2006), it is important to prevent similar situations, as the one already mentioned, to occur in the

developing countries through a proper identification of the current obstacles in using information systems

auditing. In such a manner, the developing countries could improve their future development in the field

of IS Auditing.

1.2 Research problem

Yearly, a huge amount of research is produced by the academic world (Siddaway, 2014). In the particular

case of Information Systems Auditing, the online resources of Stockholm University Library retrieved a

considerable amount of articles focusing on this topic.

However, the initial review of the existing literature on the topic of Information Systems Auditing

indicated that up to the moment when this research was started, there was no literature review covering

the overall status of the Information Systems Auditing in the developing countries with regards to current

barriers experienced by companies from these countries.

3

Therefore, the perceived problem that this thesis addresses is the lack of research in the academic body of

knowledge regarding a deeper and more comprehensive understanding of the current difficulties, issues

and challenges of Information Systems Auditing in the developing countries.

1.3 Research question

To address the above formulated problem, the research question driving this thesis is:

What are the current difficulties, issues and challenges that are experienced by the developing

countries in terms of Information Systems Auditing?

By answering to this research question, this research work will attempt to fill in the identified gap in the

existing academic literature.

1.4 Research aim

Based on the aforementioned problem and the research question, this research aims at retrieving the

current status of Information Systems Auditing in the developing countries in order to understand what

the potential obstacles are in building a robust Information Systems Auditing in the context of developing

countries.

So, the goal of this research is to investigate and capture the aspects connected to the issues, difficulties

and challenges that are related to IS Auditing in developing countries and are revealed by the existing

literature at the moment of this study.

1.4.1 Scope and delimitation

The environmental scope of this research include the private companies and public sector of the

developing countries because it aims at capturing all potential information related to the auditing of

information systems.

Moreover, based on the observations from section 1.1 and given the fact that there is a lack of consensus

on using the right terminology, this thesis will consider the Information Technology Auditing as a subset

of the Information Systems Auditing in order to get all studies which are using these two concepts. The

reasoning around this decision is given in the chapter dedicated to the main concepts used in this thesis

(Chapter 2).

1.4.2 Organization of findings

In order to better organize the findings, it has been found appropriate to use the means of grounded theory

in order to do a literature review in a rigorous manner as is depicted by Wolfswinkel et al. (2013).

Additionally, inspiration from Wolfswinkel et al. (2013) has also been taken regarding technical aspects

on doing a systematic review.

The grounded theory-based analysis is described briefly in the chapter dedicated to the methodology used

in this thesis, as well as in the data analysis chapter.

4

1.5 Limitations

The research is going to search for online articles existing on the Internet. Being a distance student, there

is no intention to use paper based article stored in the library of the University of Stockholm. So, main

sources used for this research will be the Internet resources.

Secondly, this research assumes that all retrieved literature is reflecting properly the difficulties, issues

and challenges in terms of Information Systems Auditing concerning developing countries.

Thirdly, this thesis research work is limited in time and resources. There is only one individual working

on this research. Therefore, this limits the efforts in getting a broader view on the visited sources.

Finally, this thesis is limited research to articles written only in English, produced in the limited

geographical area of the developing countries which may use English in the academic world.

1.6 Research Contribution/Significance

(Anticipated Contribution) Given the fact that a literature review is always a starting point for further research (Siddaway, 2014), the

findings of this research could be used further to inspire or draw new directions of academic research

based on the information retrieved through a comprehensive literature review of such magnitude.

Also, by highlighting the current challenges, difficulties and issues of IS Auditing in the context of

developing countries, this research would also contribute by helping the practitioners(consultants,

managers or IS Auditor) to understand better the information systems auditing landscape of developing

countries.

Lastly, given the fact that the previous research has recognized the high potential of Information Systems’

related research in helping the developing countries reducing the “poverty, inequity, and marginalization”

(Walsham and Sahay, 2006), it is believed that this research work will contribute to the existing body of

knowledge by providing new research directions in order to diminish the gap between developed and

developing countries.

1.7 Thesis Structure The outline of this thesis is as follows.

Next chapter explains and discuss the main concepts used in this research paper. Chapter three discusses

the chosen methodology. Then, the chapter 4 presents the overview of the literature included in this

review.

Chapter 5 focuses on the analysis of the retrieved data and what are the results. Also, the results are

presented by using concepts matrices and the strengths, weaknesses and gap in the literature are identified

and reported.

5

Then, the outcomes of this thesis work are discussed with regards to the research question driving this

study. Also, the contributions are discussed and potential research avenues are suggested.

Finally, the conclusions are drawn by highlighting the fundamentals of this thesis.

6

2. Extended background

This chapter explains the main concepts used in this thesis. The main concepts are discussed from the

perspective of the existing literature on the researched topic and a reasoning why these concepts were

employed in this thesis.

2.1 The Concept of Auditing

Historically, the auditing practices were traced back by historians to about 4000 B. C. (Ramamoorti,

2003). Closer to our times, the Roman Empire, Ancient Greek or Babylonia were in need to audit their

financial situation of the public system (Ramamoorti, 2003). Perhaps, this might be a reason why the

word “audit” evolved from Latin “audire”, which could be translated in “to hear” (Teck-Heang and Ali,

2008).

Previous research on the history of audit quoted the accounting historian Richard Brown, who believed

that the origin of auditing is rooted in the needs of the development of civilization to have a proper

verification of the record keeping systems (Ramamoorti, 2003; Nkwe, 2011).

Taking this information further, traditionally, the purpose of the auditing was to focus mainly on the

financial part of the business. In the existing literature, it has been observed that the process of auditing

aims at ensuring that the information reported in the existing financial records are reliable (Soltani, 2007).

Therefore, the auditing is defined as being a systematic process of gathering and assessing the existing

information in order to make sure that there is a level of consistency between what has been found and a

set of established criteria (Soltani, 2007).

Another perspective on the above-mentioned definition is stressing out about the fact that the auditing has

to be defined as being a systematic process done in an objective manner (Krogstad, 1977).

In the last decades, the audit function has evolved by providing value-added services on top of what the

auditing has traditionally done: to endorse the trustworthiness of the financial statements of a given

business. So, nowadays the auditing is expected to help the business with details on suspicious activities,

potential risks and to contribute with meaningful advice for the management regarding the internal control

(Teck-Heang and Ali, 2008).

Moreover, confronted with the situations of conflicts of interests between different business stakeholders

(the owners and managers), it became more often for the business to have a way to address the issue of

independence of the auditors (Salehi, 2009).

Currently, there are two major approaches of auditing: external auditing and internal auditing. Even

though one may think that these two approaches are excluding each other, they may coexist and

complement each other in order to provide a better input for the business decisions. Therefore, depending

on the view of the management, the external auditors could help the internal auditors by compensating the

lack of time or resource to do a particular task (Nagy and Cenker, 2002).

7

2.2 Information Systems

Describing the term “Information Systems” seems to be a difficult and challenging effort. This difficulty

is associated with the fact that the academic world could not agree on a clear definition of “Information

Systems” (Alter, 2008).

The research conducted in this master thesis will rely on the definition of Information Systems as being a

special instance of a working system. A working system is seen as a system aiming at producing

particular products or services using machines which are handled by humans or they are working on their

own (Alter, 2008).

Therefore, an Information System is perceived as a specific case of a working system and is defined as a

system where individuals are using machines, or other means to produce informational products (Alter,

2008). The elements of such system may include the following: the infrastructure, technologies,

processes, customers and so on (See figure below).

Figure 1: The work system framework (Alter, 2008)

2.3 Information Systems Auditing

Having in mind the definition of Information Systems (IS) mentioned in the previous section, the

Information Technology (IT) could be seen as a subset of IS. The IT Auditing is considered as being a

quite new discipline. Despite this fact, it has an important role in the life of a business due to its critical

support in improving the control of the information produced inside of an organization (Lovaas and

Wagner, 2012; Carlin and Gallegos, 2007).

8

To cope with the fact that is new, Information Technology Auditing based it’s grown on the framework

already existing in the organizations in terms of controls and information systems management (Lovaas

and Wagner, 2012). This has evolved to IS Auditing which has the aim of investigating the various

elements/components of the information systems (Hingarh and Ahmed, 2012).

As part of IS Auditing, the IT Audit is also considered as a systematic method of documenting any found

evidence in order to prevent, detect and correct abnormalities, errors or illegal activities related to the

systems implemented in an organization (Carlin and Gallegos, 2007).

Therefore, the major ambition of Information Systems Auditing is to analyze and provide feedback, to

make statements to relieve any doubts and finally to suggest what actions could be done in order to help

the business to perform more securely (Lovaas and Wagner, 2012). Also, IS Auditing ensures that the

organization’s computerized activities are conform to all legal requirements (Hingarh and Ahmed, 2012).

Up to this moment, the IT industry related standards are using similar definitions for Information Systems

Audit. For instance, the well-known standard on “Systems and software engineering – Software life cycle

processes” is informing us that the audit in the context of “Systems and software engineering” means an

“independent assessment of software products and processes conducted by an authorized person in order

to assess compliance with the requirements” (ISO/IEC 12207:2008, 2008)

Therefore, the scope of IS Auditing is to focus on the components of the information systems, owned or

in use by the organization. This is extended also to the managers, employees and contractors (Hingarh and

Ahmed, 2012), in order to cover all aspects of the definition of Information Systems given by Alter

(2008).

2.4 Developing countries

The World Bank defines a developing country based on the country’s Gross National Product (GNP).

Hence, if a country has a low or a medium level of GNP, the World Bank categorize the country as being

a developing country.

On the other side, the World Bank is considering a country as being a developing country if the majority

of its citizens are living on far less money than the people living in a developed country (WorldBank.org,

2016).

The International Monetary Fund (IMF) publishes twice a year a report which is reflecting the current

classification of world economies based on three criteria. These criteria rely on the level of income per

citizen, the level of diversification of the country’s export and the level of integration of the country

economy in the global financial system (IMF.org, 2016). The report published by the IMF is called World

Economic Outlook and usually includes the list of developing countries at the publishing date (WEO

IMF.org, 2016).

On the opposite, the World Trade Organization is avoiding using the term of “developing country” and is

proposing another term, such as “least developed countries” (WTO.org, 2016). Moreover, the United

Nations is using also “small island developing states” and “landlocked developing countries” to

9

categorize countries which are falling under the developed country paradigm (Library Of Congress,

2008).

The reason for this situation is due to the fact that drawing a line between what is a developing country

compared to a developed country is “not obvious” (Nielsen, 2011)

Given the fact that there is no clear agreement on the definition of what means a “developing country”,

this master thesis will use the categorization of the IMF and the list provided by the World Economic

Outlook published on April 2015 as a basis for this research work.

10

3. Methodology

This chapter is dedicated to the methodology used in carrying out the research in this thesis. The

reasoning for choosing the methodology, the methodology itself, as well as data collection and data

analysis are extensively presented so that the scientific rigor is guaranteed.

This master thesis research work is relying on “Systematic Literature Review” methodology as it has been

described in the existing literature related to research guidance (Kitchenham, 2004; Keele, 2007; Okoli

and Schabram, 2010; Denscombe, 2014). The chosen methodology will be properly presented later on in

this chapter.

3.1 Reasoning for choosing the Systematic

Literature Review as research strategy A research strategy helps a researcher to come up with a plan on how to proceed on doing a particular

research (Denscombe, 2014). Given the fact that there is no universally accepted way to conduct a

research, a research strategy has to include (1) a distinct logic of the research and the justification of that

and (2) an action plan and a specific problem which has to drive the research (Denscombe, 2014). While

the last element was addressed in the previous chapter, the first component will be discussed in this part

of the thesis.

Systematic reviews are having the origins in the medical and pharmaceutical studies (Kitchenham, 2004;

Keele, 2007; Denscombe, 2014). Initially, these kinds of reviews were used to reflect the findings of the

clinical research. Therefore, the systematic reviews are associated with solid evidence of a good quality

research (Denscombe, 2014). Hence, this is the reason why systematic reviews are used by researchers,

practitioners and policymakers when there is a need for a reliable and objective overview of the existing

information on a distinct topic (Denscombe, 2014).

A research is suitable for being conducted by using a systematic literature review, if is aiming to:

- Compile the existing, reachable knowledge on an identified topic

- Find out a gap in the current research aiming at proposing further research directions

- Specify a framework to organize the new research on the topic (Kitchenham, 2004).

The research work related to this master thesis started with the gap found in the existing literature

regarding the challenges, difficulties and issues of developing countries in terms of Information Systems

Auditing.

The objective of this research effort is to draw new research opportunities for the academia and to provide

practical insights for the practitioners acting in the field of Information Systems Auditing.

Therefore, employing systematic literature review has been seen as a natural research approach for this

master thesis.

11

3.1.1 Alternatives to the chosen research strategy

In the beginning of this research, alternative research strategies were also taken into consideration. There

are always different ways to reach the goal of a research project and finalize it. Choosing the right option

or alternative is strictly linked to the researcher’s decision and judgment (Denscombe, 2014).

For a small-scale research project with a low budget, Denscombe (2014) propose several research

strategies: surveys, case studies, experiments, ethnography, grounded theory, action research and mixed

methods. Each of them has to be carefully evaluated and analyzed in order to decide if it’s suitable to

answer the research question. After judging them, the big decision has to be made by having in mind all

potential constraints, advantages and disadvantages (Denscombe, 2014).

As mentioned above, this research project is driven by the research question defined in Section 1.3. So,

initially, some research strategies were put on the list of potential and suitable strategies for this research

by constantly asking: how the research question could be answered by using this particular strategy?

Case studies look at one or more particular situations in order to understand what’s happening in that

setting in order to facilitate the comparison between these situations and to come up with some lessons

learned during the research (Denscombe, 2014). In a case study, the researcher builds up the knowledge

through a set of iterative cycles between the parts and the whole, by engaging in a dialog between the data

and theory (Klein and Myers, 1999; Walsham, 1995). Moreover, another benefit of using case studies is

that it contributes to the body of knowledge by exploring and getting insights from complex issues

(Zainal, 2007).

However, to engage case study as strategy is very demanding since the researcher has to have a direct

access to the studied cases and the generalizations could be easily put under discussion (Denscombe,

2014; Zainal, 2007). Given the number of developing countries, this strategy may have worked when

there were several researchers as well as enough time to research all potential cases. This research work is

conducted using only one human resource and the work has to be done in a given time framework.

Therefore, the decision was to drop this strategy.

Surveys are used when there is a need to assess some particular aspects of a trend or social phenomenon.

By gathering such information a theory could be tested (Denscombe, 2014). This thesis aims at evaluating

the current status of information systems and information technology audit and to build a theory regarding

the barriers faced by the developing countries. Therefore, this strategy was also considered as not suitable.

Grounded Theory was also judged. Grounded Theory is aimed at generating theories from the retrieved

data. Although “Systematic Literature Review” was considered as the research strategy, the way how

grounded theory contributes to having a rigorous review (Wolfswinkel et al., 2013) was judged as being

an appropriate way to conduct this research work for this thesis. Therefore, the Grounded Theory was

chosen to be used in conjunction with the Systematic Literature Review, so that, the review will benefit

from the exactness of the Grounded Theory.

3.1.2 Research Ethics

The ethical aspects of a research are employed when the research work has a main focus on individuals

(Denscombe, 2014). In this research there are no human subjects involved.

12

Given the fact that this is a literature review, the main input consists of the online documents found in the

literature databases. Therefore, in order to avoid any ethical issues which may arise from using one’s

academic work it is critical to properly refer the author(s) (Denscombe, 2014). To be in line with this

recommendation, the strategy used for this research work consist of giving credits each time when a paper

is used, by carefully cite the study included in the literature review. Also, a comprehensive list of

references is to be compiled throughout the research work.

Another ethical aspect of this thesis is related to neutrality in presenting the findings in the literature

review report (Chapter 5). Therefore, the review aims at not including the name of the involved countries.

Moreover, no product name or IS Auditing-related framework, standard or policies will be mentioned.

More details on the ethical aspects are included in the discussion chapter.

3.2 Research Design

The difference between a traditional literature review and a systematic literature review (SLR) is the rigor

used in doing the review (Kitchenham, 2004; Keele, 2007). In order to have a systematic literature

review which is methodical, explicit and could be easy to be repeated, it is necessary to employ a

meticulous procedure which can explain how the review has been performed (Okoli and Schabram,

2010).

In order to answer the unique needs of Information Systems researchers, Chitu Okoli and Kira Schabram

came up with a set of eight steps to perform a systematic literature review.

Because the research work of this thesis is a part of Information Systems-related research, using the

guidelines of Okoli and Schabram (2010) seemed to be a legitimate selection.

The eight steps proposed by the guide of Okoli and Schabram (2010) are grouped into four main phases.

Phase 1 (P1) is called “Planning” and has two steps:

- S1: Purpose of the Literature Review – where it has to be defined the intention of the literature

review. So, this step has to summarize the information around the research topic of the systematic

literature review.

- S2: Protocol and Training – is the step when a clear agreement is set in order to follow the same

procedure to guarantee that there is a consistency in the work done. This is applicable to

situations when there is more than one researcher.

Phase 2 (P2) is “Selection” when the existing literature available for the researcher is chosen. This phase

is also made out of two steps:

- S3: Searching the Literature – is the moment when the researcher has to outline in a detailed

manner how the search was performed. To sustain this work, the researcher has to explain and

justify the approach to this step.

- S4: Practical Screen – the output of the above step may include a large number of studies related

in a way or another to the topic of the systematic review. Hence, the reviewer has to explain in

detail how the screening was done to include the most valuable studies. Also, it is important to

13

justify why the other studies were dropped off. This step is also known as “screening for

inclusion”.

The third phase is “Extraction” (P3) when the collected data is evaluated and extracted for further

analysis. Again, two steps are part of this phase:

- S5: Quality Appraisal – is the step which is focusing on “screening for exclusion”. In other

words, this is the moment when the researcher will evaluate which article could be used for data

extraction. The included articles will be categorized based on a scoring system to reflect their

importance and relevance to the topic of the review.

- S6: Data Extraction – the role of this step is to use the articles from S5 in order to extract

systematically the information which could answer the research question of the review.

Finally, the last phase, “Execution” (P4) is the phase when information collected in the previous phase is

synthesized and articulated in a report which will reflect the findings.

- S7: Analysis of Studies – is the step which will put together the findings looking after a link or

sense of the information collected. This step could be approached either in a quantitative or

qualitative way or even in a combination of both.

- S8: Writing the review – is the final stage of the Okoli and Schabram’s guide. This step has to

produce a report of all meaningful findings retrieved during this process. The report has to have

enough information to make the review easy to be reproduced independently.

The steps and phases of this guide are visually depicted in figure 2.

14

Figure 2: Systematic Literature Review (Source: Okoli and Schabram, 2010)

3.3 Applying the Systematic Literature Review

method The Systematic Literature Review’s guidance suggested by Okoli and Schabram is proposing for Data

Extraction/Collection and Data Analysis, a quantitative or qualitative approach or even a combination of

both in the case of Data Analysis stage.

15

Given the aim of this research and the research question used in this thesis work, the qualitative approach

is going to be used for Data Extraction/Collection and Data Analysis. While the steps of SLR enumerated

above will be treated in a more extent in this section, the aspects related to qualitative approach will be

reviewed at the moment of the data analysis.

The first two steps of SLR are out of the scope of this section because they were already done. The

reasoning around this decision is based on the following two aspects.

The first step, “the purpose of the literature review”, has been already detailed in the chapter one as well

as in the introduction of this chapter. Therefore, Step One doesn’t need to be included in this section.

Furthermore, given the fact that the second step, “Protocol and Training”, is necessary when there is more

than one researcher (Okoli and Schabram, 2010), this step was also excluded because this research is

conducted only by one researcher.

3.3.1 Literature Search (S3)

Once the context of the literature search was identified, including research gap, research question and

keywords used for search, the literature search has begun.

An important success factor for a search through the online sources relies on a perfect understanding of

Boolean operators’ usage. This is crucial in the process of getting the most out of the online databases

(Okoli and Schabram, 2010).

Having in mind the above suggestion, the search started using a set of meaningful words for the research

work. Hence, expressions containing combinations of the concepts defined in the first chapter were

employed. For instance it has been used expressions such as “information systems auditing”,

“information technology auditing” combined with “developing countries” or “developing country”. These

expressions are listed in Table 1.

The initial search was done using Google Scholar because it has been perceived as being the most famous

source. The search using Boolean operators in combinations like (Information technology auditing)

AND (developing country) retrieved a lot of information which was discarded due to its insignificance for

this review. Perhaps, this happened due to the way this source is behaving (Wolfswinkel et al., 2013).

However, the usage of AND operator has been more successful in the case of other outlets. This is

reflected in the overall results consolidated in Table 1.

During the search phase, the researcher may need several iterations in order to pick up all studies which

are relevant to the literature review (Wolfswinkel et al., 2013).

Hence, a second search iteration was initiated using “Information technology auditing” “developing

country” or similar combinations based on the initially identified key terms. After this iteration, it was

possible to get a higher number of meaningful articles. The articles found at this stage were noted for

further steps.

Also, given the fact that Google Scholar offers the option to display citations where the searched key

terms are used, an investigation has been done by doing the so-called backward search as well as a

forward citation-based search(Okoli and Schabram, 2010; Wolfswinkel et al., 2013). These types of

16

search are assuming that there are articles cited in the retrieved article. So, the researcher could use the

citations and do an additional search for those articles. By using such method, it was possible to learn

about more useful journal articles which were considered for further screening.

In their guideline, Okoli and Schabram (2010) insist on using specific subject databases to get valuable

information from the most published literature in an electronic format. Hence, the literature search was

extended to the sources offered by Stockholm University Library.

Therefore, the following databases were queried: IEEE Xplore, Emerald Insight, Scopus, EBSCO, Web of

Science and ACM Digital Library. These databases were considered relevant and significant to this

review based on the recommendations made by the guidance of Okoli and Schabram (2010). The list was

amended with Emerald Insight, a database of a personal choice of the reviewer.

Wolfswinkel et al. (2013) are pointing out the fact that the searches, the search terms, sources and the

results have to be documented properly for the “sake of transparency”. Moreover, the literature reviews

must to be reproducible by any other researcher. So, it is very important to show to the reader how the

search for the literature was done (Wolfswinkel et al., 2013).

Therefore, to cope with the above-mentioned requirements of a systematic literature review, the results of

the search through all these sources were summarized in the following table:

Table 1: Search Results (Hits)

Expression(s) Google

Scholar

IEEE

Xplore

Scopus EBSCO Web Of

Science

ACM

Digital

Library

Emerald

Insight

(Information systems

auditing) AND

(developing countries)

218000 12 53 192879 83 92036 11179

(Information systems

auditing) AND

(developing country)

205000 12 53 192913 83 92036 11179

"Information systems

auditing" "developing

countries"

67 2 11 91 0 640 12

"Information systems

auditing" "developing

country"

27 0 11 47 0 640 12

(Information

technology auditing)

AND (developing

country)

164000 7 19 155171 20 72618 7473

(Information

technology auditing)

AND (developing

countries)

160000 7 19 155198 20 72618 7473

"Information

technology auditing"

"developing

45 1 4 35 0 640 6

17

Expression(s) Google

Scholar

IEEE

Xplore

Scopus EBSCO Web Of

Science

ACM

Digital

Library

Emerald

Insight

countries"

"Information

technology auditing"

"developing country"

16 0 4 19 0 640 6

At this stage, it is also crucial to organize and maintain the references of the found articles. This is

important, since the amount of information may become hardly to be managed using traditional methods.

It is also recommended to use a systematic mean for recording and storing the references and storing the

abstracts in order to save time and efforts in the process of literature review (Okoli and Schabram, 2010).

Initially, the software considered for this work was EndNote (http://www.endnote.com). It turned out that

the software is commercial, so, a license has to be paid. Therefore, it was discarded. So, next step was to

look at those programs based on open source. Hence, Zotero from zotero.org was chosen for this work,

because it seemed to be a good alternative.

The installation of Zotero and how to work with, is out of the scope of this thesis. Therefore, this

information is not included here. However, for further information one could search the Internet.

Specifically, YouTube has plenty of videos on how to use Zotero.

Discussion: During this step, it has been observed that the filters and Boolean operator AND used in this

step are behaving differently in the case of the selected databases. This is reflected by comparing the

number of hits per each expression in the context of each literature database.

Moreover, the usage of quotation marks (“<searched text>”) didn’t retrieve any result in the case of Web

Of Science and IEEE Xplore. On the other hand, the usage of quotation marks in the case of Google

Scholar, EBSCO and ACM Digital Library produced a manageable amount of hits. The opposite

situation happened while using AND operator and parenthesis. For the same database, the number of hits

was so high that reached more than 200 000 hits in the case of Google Scholar.

Therefore, the conclusion of this step was that the results are dependable on the experience of the

researcher in building up the search expressions and how familiar is she/he to the behavior of various

databases.

3.3.2 Practical Screening (S4)

The next stage in this endeavor is to screen the found articles using a practical approach. This step is

focusing on finding the most suitable articles for the review. This is the moment when the researcher has

to decide which article must be eliminated, basing his/her decision on two main criteria: firstly, the

article(s) doesn’t answer the research criteria and, secondly, the number of retrieved article has to be

manageable for the next step (Okoli and Schabram, 2010).

18

As a rule of thumb, during this step the reviewer normally reads the abstracts of the article(s) to establish

whether the article is useful for the review or not. To narrow down the articles, the researcher is invited to

use a set of questions based on suggestions given by the existing literature (Okoli and Schabram, 2010).

In the case of this thesis the following criteria were considered as basis for the research work (adapted

after Okoli and Schabram, 2010):

- Content: the literature review has to use those studies which are appropriate to the specific

research question.

- The language of Publication: the literature review has to rely on those studies written in a

language understandable by the reviewer.

- Journals: only those articles published in well-known, renown, high-quality journals have to be

taken in consideration for the literature review.

- Authors: the review has to focus on those authors which are outside of any doubt regarding their

work.

- Date of publication or of data collection: the studies included in the review have to be chosen

from a well-defined time span.

The practical screening is a process which has to balance between two aspects. Firstly, the screening has

to be wide enough to capture all studies which could answer the research question in an adequate manner

and, secondly, the review has to be manageable from the practical point of view, given the resources

involved in this activity (Okoli and Schabram, 2010).

Therefore, the screening is considered by the existing literature on Systematic Literature Review as being

a very subjective component of the review (Okoli and Schabram, 2010).

Given the fact that the IS Auditing field is quite new, the target time interval considered for the reviewed

studies is restricted to the last 10 years or a decade (based on the example of Wolfswinkel et al., 2013).

To sum up, in this master thesis, the criteria used for practical screening (also known as screening for

inclusion) are listed below:

- C1: The abstract of the articles/studies is relevant to review’s research question

- C2: The articles/studies are written in English

- C3: The articles/studies are within a time span of 10 years: 2006 – 2016

- C4: The articles/studies published and available fully online in renown journals/databases

Therefore, a set of questions (screening for inclusion questions - SIQ) was built up using the above-

mentioned criteria:

Table 2: Screening for Inclusion Questions

No. Question Criteria

correspondence

SIQ1 Is the study/article relevant to IS Auditing and developing countries? C1

SIQ2 Is the study/article written in English? C2

SIQ3 What is the year of publication? Is it between 2006 and 2016 C3

SIQ4 Is the study/article fully available online? C4

19

The number of the articles brought forward for the next phase was 42. One may argue that the number of

articles selected might not be sufficient. However, this was expected, given the fact that Information

Systems and Information Technology Auditing is an ongoing developing area in the developing countries.

Discussion: Reading the abstracts to screen all found articles was a tough work. However, this work has

been seen as a learning curve. So, after a number of articles the process was smoother based on the

accumulated experience in doing so.

A special situation arose when an article was spotted as having the same title, but with two different

authors (an empirical study from Saudi Arabia). It turned out that the title of article and the abstract were

somehow misleading and the article didn’t treat any case from Saudi Arabia. Instead, the study was

focused on Egypt. Moreover, it wasn’t related to information systems auditing, but more on accounting

regulations in the case of Egypt.

This sort of situation may consume plenty of time of the reviewer if it’s happening often. So, relying

100% on the accuracy of the databases consulted could be tricky and may pose some pressure on the

reviewer.

One important note about Web of Science is that the search done using the keywords defined previously

in this thesis, retrieved plenty of articles from the field of medicine and associated areas.

These are just two examples which are reflecting the potential “noise” a researcher may face while

searching for the literature. Such kind of “noise” involves a tremendous waste of time and energy to sort

it out, with a direct impact on the research work. So, from this perspective, it is strongly recommended

that the researcher allocates additional time for this step of SLR.

3.3.3 Quality Appraisal (S5)

Also known as “screening for exclusion”, this step aims at evaluating the found articles to judge whether

the articles/studies are valuable for the review (Okoli and Schabram, 2010). So, the quality of the articles

is weighted and the researcher has to decide if the article has enough quality to qualify for the next step of

the systematic review.

Normally, the first screening (“Practical Screening”) would have already helped the reviewer to get an

idea regarding the level of quality of the collected articles (Okoli and Schabram, 2010). So, “Quality

Appraisal” is expected to take this advantage further.

Okoli and Schabram consider this step as being of a major importance for the review of the literature.

Therefore, they suggest as being necessary to define stricter criteria to filter the articles and studies for a

good quality review.

In the case of this thesis, the criteria used for this step were based on a set of questions. These questions

were found appropriate for a proper and stricter filtering of the articles and studies retrieved previously.

So, the set of “screening for exclusion” questions (SEQ) is listed in the following table:

20

Table 3: Screening For Exclusion Questions

No Question

SEQ1 Is the article related to developing counties in general or a particular developing country?

SEQ2 Does the author(s) are talking about Information systems/information technology auditing

SEQ3 Does the author(s) are mentioning any challenges, difficulties and issues faced by developing

countries in terms of information systems auditing?

From the practical point of view, Okoli and Schabram propose to use the suggestion of Fink. They advise

on using a grid-like structure where criteria are answered per each study or article.

For this thesis, the technical and practical approach was to combine the reference tool used in the

“Literature Search” (S3) with the annotation capabilities of MS Word and Adobe Reader. Additionally, it

was used a customized structure of folders and subfolders where all retrieved articles were stored during

the step of practical screening. All this effort was consolidated in a table containing the articles and

studies which qualify for the next step of this endeavor.

At this stage, some inspiration was taken from Wolfswinkel et al. (2013) in terms of how to organize the

work as well as some guidance given by Webster and Watson (2002).

Webster and Watson (2002) suggest using a matrix of concepts where articles and studies are summarized

and, a so-called meta-data is extracted and stored per each study/article. This is somehow in line with the

suggestion of Fink outlined above.

Therefore, the table concluding the results of this step was constructed based on the table used in the

previous step. This table was enriched with the instructions retrieved from the above-mentioned articles in

order to answer to the needs of Quality Appraisal step. For the articles and studies kept for the literature

review, the following meta-data was also stored:

- The title of the paper,

- The year of publication,

- The research approach/method

- The purpose of the paper.

Having these practicalities established, the work has begun with the analysis of each article from the set

of 42 articles brought forward by the previous step-Practical Screening.

At the end of this effort, 23 articles were able to meet the criteria mentioned in the beginning of this step.

In other words, all 23 articles answered with yes to all three “screening for exclusion” questions (SEQ1,

SEQ2 and SEQ3).The excluded 19 articles were related to developing countries (SEQ1), but not to SEQ2

or SEQ3.

Out of 23 selected articles, 17 are journal papers and 6 are conference papers. Also, in terms of the

methodology used, the survey was used as a methodology in 14 articles, 5 articles were using mixed

methods, 3 were using case studies and one was a review paper (this categorization was done by using the

guidance of Denscombe, 2014).

21

So, a number of 23 articles were carried over for the final literature review. A comprehensive list of the

selected articles is provided in Appendix A.

Discussion: For this step, 42 studies were analyzed and screened for inclusion. This step has been done

by carefully reading each study.

Wolfswinkel et al. (2013) suggest that at this stage the reviewer has to read the title, abstract and some

more text. For this thesis, it has been decided to read also the introduction, discussion and conclusion.

Despite the huge amount of information and the fact that the screening for exclusion stage was done by

only one researcher, it has been decided to also read the sections dedicated to research methodology,

because it has been seen as important for this review.

Although the practical setup of tools was seen initially as being “bulletproof”, there was a need to do

some manual verification and double checking to ensure the accuracy of this step. Also, it was necessary

to use an iterative process to exclude the non-relevant articles and to keep the appropriate articles for this

study.

Of course, the set of questions used to screen the articles for exclusion could be considered too broad and,

hence, a target for interpretation. Given the research question which drives this study, it has been

considered necessary to include all articles and studies which positively answered all questions used for

quality appraisal step.

3.3.4 Data Collection/ Extraction (S6)

This step aims at collecting data in a raw format to be used for the next step of this method- Analysis of

Findings (Okoli and Schabram, 2010). Therefore, Data Collection/Extraction step it is seen as a crucial

stage in the whole process (Okoli and Schabram, 2010).

Normally, after finishing the previous two steps (Practical Screening and Quality Appraisal), the reviewer

has got a clear picture of the articles and studies which are going to be included in the review. The list

compiled through these two iterations is going to be the foundation of the review (Okoli and Schabram,

2010).

Data collection/Extraction step is another iteration of reviewing the found articles. The goal of this

iteration is to extract systematically all information from each article in order to use it as input for Data

analysis step (Okoli and Schabram, 2010).

Given the above-mentioned aspects, each article was reviewed again and it was evaluated to ensure that is

valid for the literature review.

Denscombe (2014) is mentioning that a good practice about literature review is to provide a table

tabulating basic information about each article which has been reviewed in a systematic literature review.

Therefore, additional information was extracted during this step and summarized in the table from the

previous step (Appendix A).

Discussion: This step was useful for this review because it helped to get more insight from the selected

articles.

22

From the practical perspective, Okoli and Schabram (2007) strongly advise that the reviewer has to

annotate the extracted raw data in order to provide early evidence related to the studied topic.

Given the fact that all articles retrieved were in PDF format, the annotation was done using the built-in

annotation mechanism of Adobe Reader.

The huge amount of information put a lot of pressure on the ability to process this big volume of articles

and studies. Therefore, a strict timeline was set in order to reach the end of the list of articles included in

the review.

3.3.5 Data Analysis/Analysis of Findings (S7)

This is the step when the reviewer is synthesizing the findings. This synthesis should be of enough good

quality to be used in the last step of this method-Writing the Review (Okoli and Schabram, 2010).

Normally, the inputs of Data Analysis step are the articles which were screened, selected and quality

appraised in the previous steps (Okoli and Schabram, 2010).

From the procedural point of view, the method for literature review developed by Okoli and Schabram

(2010) suggests that this step could be conducted by using an approach which may be qualitative,

quantitative or a combination of both ways. By complementing the descriptive, qualitative analysis with

quantitative synthesis, the data analysis could help in the process of ensuring relevance in presenting the

review (Kitchenham, 2004). However, this kind of combination seems not to be widely used in reviews of

the literature (Kitchenham, 2004).

Therefore, in the case of this thesis, the data analysis for this the literature review has been done in a

qualitative manner. This seemed to be relevant for this review, given the research question defined in the

first chapter.

There are many methods for analysis and synthesis of data. For instance, to qualitatively analyze the

retrieved data some authors are arguing that there are some predominant approaches. The main options of

qualitative data analysis are Conversation Analysis, Content Analysis, Discourse Analysis, Narrative

Analysis and Grounded Theory (Denscombe, 2014).

All these methods were reviewed and weighted by referring to the research question and the goal of this

research. Following this process, it has been decided to use Grounded Theory for this thesis. Also, given

the amount of data retrieved in the previous steps, using Grounded Theory has been seen as a natural

choice.

Therefore, the techniques of grounded theory based data analysis were revisited (using the Denscombe,

2014). Additionally, inspiration was taken from Wolfswinkel et al. (2013) from where the technical

aspects were borrowed and adapted to this research work.

Developed about 50 years ago by Barney Glaser and Anselm Strauss, Grounded Theory became a popular

choice in the research field. Grounded Theory is a way to create theory by the means of empirical

fieldwork (Denscombe, 2014). Moreover, Grounded Theory could be used in those research works where

there is a need to use iterations to analyze the existing evidence by constantly referring to the existing

fieldwork data (Denscombe, 2014).

23

In the last years, Grounded Theory has been seen to be widely used in the research field of Information

Systems due its rigorousness (Wolfswinkel et al., 2013).

Given the recognized fact that the method of systematic literature review is seen as a rigorous approach to

reviewing the existing academic data about a certain topic (Kitchenham, 2004; Keele, 2007), using

grounded theory to analyze data was considered as the most suitable way for this thesis to evaluate the

retrieved articles in the previous steps.

Wolfswinkel et al. (2013) came up with the idea of using Grounded Theory in the literature reviews in

order to get the most valuable information out of the previously retrieved set of articles and studies.

When it comes to analyzing the retrieved information, Wolfswinkel et al. (2013) propose to use the key

ingredients of Grounded Theory:

Open coding

Axial coding and

Selective coding.

Open coding is the first phase in doing data analysis when grounded theory is involved. This coding is

also called initial coding when the reviewer goes through the data and mark the important parts by adding

a descriptive name (Denscombe, 2014; Khandkar, 2009).

In the beginning, the open codes are expected to be quite general and there might be situations when the

reviewer has to link the codes to larger blocks of text (Denscombe, 2014) instead of linking the codes to

words, expressions or sentences. These codes could be seen as temporary, as long as the codes are

revisited and distilled in more conceptualized codes (Denscombe, 2014; Khandkar, 2009). In other words,

during these iterations, the reviewer is supposed to be able to extract meaningful information. This

information could roughly draw the findings of the research, because, at this stage, a relationship between

the codes could be observed (Denscombe, 2014).

From the practical point of view, Wolfswinkel et al. (2013) introduce the concept of the excerpt and

suggest that during the open coding phase the reviewer is expected to build up a “stack of excerpts”.

During an additional iteration, these excerpts are re-visited and carefully read aiming at extracting the

codes.

Wolfswinkel et al. (2013) go further and points out that the open coding is very critical for the whole

process because, at this moment, the reviewer will be able to draft the study’s findings through the

distillation of excerpts in a set of concepts and insights.

As soon as the open coding does not reveal any new code, the reviewer has to move to the next phase:

axial coding.

Axial coding is aiming at grouping codes discovered by open coding and to organize them into categories

and sub-categories (Denscombe, 2014). During the axial coding, the reviewer has to focus mainly on

identification of key categories in order to prepare for the next phase, selective coding.

The selective coding is having as input the codes and, sub-categories and categories derived from these

codes after the previous two phases were finished. Wolfswinkel et al. (2013) recommend that the

24

reviewer has to also look at the relationship between categories, because this will help the reviewer to

further put together all pieces of the puzzle.

The output of this final phase is a set of core concepts. Around these concepts, the reviewer is going to

build up the theories that can explain the phenomenon (Denscombe, 2014).

Also, at the moment of selective coding, it is important to theorize on the main categories in order to build

up a single reasoning around the interrelations between the main categories (Wolfswinkel et al., 2013).

During this process of coding, it is important that the reviewer is engaging in a constant comparison of the

findings. In such a manner, the reviewer will be able to constantly check whether the codes, categories

and sub-categories are up to date and there are no duplicates (Denscombe, 2014; Wolfswinkel et al.,

2013). These duplicates could become noisy for the research process and time-consuming for the

reviewer if there is no real-time comparison of the newly emerged codes, categories and sub-categories to

the existing ones.

As observed above, each of the three phases of coding is, in some sense, an iterative process because the

reviewer has to go back and forth between papers, to double or triple check the codes or excerpts, to

revisit several times the emerged categories and sub-categories in order to keep a discipline of findings

(Wolfswinkel et al., 2013). This is quite sensitive and very important for the final report and could easily

jeopardize the whole research work. Moreover, it is very effort intensive and time-consuming for the

reviewer.

This effort of evaluation and analysis of the selected set of articles and studies actually gives the reviewer

an idea of what may be expected from the remaining texts (Wolfswinkel et al., 2013). In other words, this

is also called theoretical sampling because during this sampling the reviewer is looking for signs which

are leading to concepts. Later on, these concepts are going to be examined how they may vary in different

setups/environments (Denscombe, 2014).

When all papers (studies/articles) were read and no other concepts, categories or links between categories

are emerging, the review work is reaching the theoretical saturation (Wolfswinkel et al., 2013).

In order to have a better reflection of the analysis and due to the needs to have a proper logical

organization of this thesis, it has been decided to present more specific details on how the analysis of the

data was performed in the chapter “Analysis and Results”.

3.3.6 Writing the Review (S8)

This is the final step in the research work based on a Systematic Literature Review. This is going to be

addressed in the chapter dedicated to findings of the research work done in this thesis. The findings, as

well as the conclusion of this work, are part of this last step of Systematic Literature Review as per Okoli

and Schabram (2010).

25

3.4 Validity and reliability

It is crucial for a researcher to ensure that the study achieve an adequate level of scientific quality. This

has to be addressed from the early stages of the research in order to answer any potential critique (Leung,

2015). Like any scientific research, a systematic literature review has to be trustworthy and the output of

the review has to be based on acknowledged practices for good researching (Denscombe, 2014).

Therefore, a researcher has to struggle fulfilling aspects such as validity and reliability (Leung, 2015).

Validity encompasses the appropriateness of the research methodology, data collection, data analysis as

well as the analyzed data, so that the research question can be answered (Leung, 2015). This study

employs the systematic literature review for information systems research proposed by Okoli and

Schabram (2010). This is a process based on eight steps aiming at retrieving the literature in a systematic

and rigorous manner. Using this research methodology was considered to be a good and proper choice

since it was designed for literature reviews in the field of information systems. Also, the process describes

extensively the specific way how to search, include and exclude the retrieved studies, how to assess the

quality and how to write the review.

The literature search was done using more than one literature outlet in order to get as many studies as

possible to sustain a comprehensive coverage of the topic. Choosing six specific subject databases such as

IEEE Xplore, Emerald Insight, Scopus, EBSCO, Web of Science and ACM Digital Library was dictated

by the suggestion made in the guidelines of the systematic literature review and by the fact that they offer

electronic access to the most of the published literature (Okoli and Schabram, 2010). So, the validity of

the retrieved literature is linked to the credibility of the sources used during the research. Since these

sources are well-known academic sources provided by the online library of Stockholm University, this is

considered as being another factor which ensured the validity of this research work.

Additionally, the retrieved studies were analyzed by adopting the method for rigorously reviewing

literature of Wolfswinkel et al. (2013). The retrieved codes were constantly compared in order to comply

with the need of having a “constant comparison” (Leung, 2015) and to be in line with the principle of

“constant comparative analysis” as highlighted by Wolfswinkel et al. (2013). Also, in the process of

coding, the codes were iteratively distilled by engaging the key principles of Grounded Theory

(Wolfswinkel et al., 2013). The Grounded Theory was also used to generate the theory.

Lastly, the validity was ensured by paying attention to how the study reached the theoretical saturation.

Of course, the theoretical saturation is a subject for debate (Wolfswinkel et al., 2013) and is linked to the

resources involved in the research. The theoretical saturation was achieved by combining two aspects.

The first one is related to the basic rule of literature search: the search stops when the articles found

through repeated searches on target literature outlets are duplicates (Okoli and Schabram, 2010). So,

when the search triggered a significant number of duplicates, the search was stopped. The second aspect

is connected to the analysis of the papers. In this respect, the analysis was performed until all papers were

carefully read and until the new codes had the tendency to overlap the existing ones.

In order to ensure the reliability of a systematic literature review, the reviewer has to provide clear

evidence on how such a study could be reproducible (Okoli and Schabram, 2010; Leung, 2015). To cope

with such requirement, the literature review has to document carefully each step, action and decision

taken during the research process (Okoli and Schabram, 2010; Denscombe, 2014). Therefore, significant

26

attention was given to the way how the research was conducted for this master thesis. The steps of the

systematic literature review of Okoli and Schabram (2010) were strictly followed and documented. The

reasoning related to different choices made throughout the research was also documented. The way how

the selected articles were filtered was discussed in depth and the criteria used for filtering were presented

to the reader. Furthermore, all problems faced during the research method application were presented in a

transparent way. Statistical aspects of the literature overview were compiled and presented in a

meaningful way through tables (Leung, 2015) and graphs.

As mentioned above, the data analysis of this thesis was conducted by means of Grounded Theory using

the guidelines of Wolfswinkel et al. (2013). To stay in line with the need of having a reliable research, the

study followed a similar approach as for SLR in terms of reliability. This is reflected in the chapter 5. All

three phases of coding were detailed, including which set of tools was used, how the work was done, what

challenges arose and how they were approached. Also, the retrieved codes were explicitly mentioned and

mapped to the selected articles for the review.

Finally, even though anyone could replicate the research conducted in this study based on the facts listed

in this section, the results might be different. This could be linked to new developments in the area of

Information Systems Auditing (new literature emerge due to the time progress) or could be linked to new

improvements in the searching algorithms used by literature outlets.

27

4. Literature Overview

In this chapter, the reader gets an overview of the characteristics of the articles brought forward from the

previous chapter. Aspects as the research methods used by the selected articles, type of publication as

well as geographical dispersion are visualized through diagrams.

In total, twenty-three articles were reviewed.

From the methodological point of view, these papers were categorized as follows: 14 articles were using

the survey as a research method, five articles were using mixed methods, three were case studies and one

was a review paper. As stated in the previous chapter, the categorization was done by using Denscombe

(2014) as a guideline.

Figure 3: Research methods

As seen in Figure 4, from the publication type perspective, 17 were papers published in various journals

and the rest were conference papers.

Figure 4: Highlighting the type of publications

0

5

10

15

Survey Mixed Methods Case Study Review

Research methods

0

5

10

15

20

Journal Conference Papers

Publication Type

28

This thesis targeted the articles and studies published during a particular decade: 2006 – 2016. The

screening for inclusion/exclusion revealed that the majority of articles were published in 2011(seven

articles). However, there were four years without any published article or study included in this review.

Figure 5: Clarifying the time of publication

This research work is focusing on developing countries. It has been seen suitable to include in the

literature overview also a geographical dispersion of the articles reviewed per continents. In order to do

so, during this work, the information about the country targeted in the reviewed articles was also

collected. Then, each country was associated with a continent based on the info provided by United

Nations Geospatial Information Section Web Site.

As illustrated in Figure 6, from the geographical dispersion perspective, the majority of articles included

in the review are from Asia (18 out 23 articles), then four are from Africa and only one is from Europe.

Figure 6: Geographical distribution of articles per continents

0

1

2

3

4

5

6

7

8

2006 2008 2010 2012 2014 2016

Number of publications per year

0

5

10

15

20

Africa Asia Europe

Geographical dispersion of articles per continents

29

5. Analysis and Results

This chapter reflects how the data retrieved from the literature review were analyzed. Also, it reflects the

open codes, axial and selective codes retrieved using the guidelines of Wolfswinkel et al. (2013) so that

the theory could be built under the scope of grounded theory. Lastly, it presents the findings of the review

in order to fulfill the last step of SLR method developed by Okoli and Schabram (2010).

As previously stated, Okoli and Schabram (2010) are poiting out that the step of “Data Analysis” is one of

the crucial steps of the systematic literature review method. Data analysis is basing its existence on the

properly assessed, screened and qualitatively evaluated list of articles retrieved in the previous steps of

Okoli and Schabram’s method. They also recognize that the synthesis or analysis of the articles and

studies is a complicated stage and the reviewer may face some challenges in finding the way through.

The previous overview on the literature highlighted that an amount of 23 articles and studies was

retrieved at the moment when the Data Analysis step has to start. Given the fact that the analysis is done

by using the suggestion of Wolfswinkel et al. (2013), the coding process has begun. Denscombe (2014)

suggests as a good practice to use dedicated software for qualitative data analysis. In such a way the

researcher can code the retrieved data more easily. Also, this sort of software helps in building up the

categories and concepts out of the fetched codes (Denscombe, 2014).

Therefore, for the need of this thesis, NVivo 10 was employed. This qualitative data analysis tool

developed by QSR International (http://www.qsrinternational.com/product) seemed to be suitable for the

needs of this literature review. However, the tool is not free, being under a commercial license.

Nevertheless, QSR International offers the opportunity to use NVivo 10 in a trial mode for 14 days. Given

the fact that NVivo 10 was not found in the Stockholm University portfolio of software for students, the

14-days trial version was used for coding and the development of the categories and concepts.

NVivo 10 has a quite intuitive interface; however, a period of one week was dedicated to understanding

how it works and to get the most of it, given the short trial period. All 23 articles were imported into the

tool. The excerpts extracted during previous steps of SLR helped to get a baseline before the start of the

data analysis. Also, as previously stated, plenty of annotations were made by using the existing

capabilities of Adobe Reader and Microsoft Word. These annotations were also imported and linked to

the corresponding article or study. These activities were time-consuming and involved plenty of work.

However, there was some manual work before getting used to NVivo. So, some articles were coded using

the old school method: pen and paper. These articles were scanned and revisited to add the info to the

final output.

Having all these practicalities settled the process of open coding, axial coding and selective coding was

perceived as being less complex.

Wolfswinkel et al. (2013) argues that a literature review based on Grounded Theory has to be transparent.

Moreover, a systematic literature review has to be reproducible (Denscombe, 2014). So, because of the

need of this review to be rigorous, reproducible and transparent, the open coding, axial coding and

selective coding are going to be clarified and explained during this chapter.

30

5.1 Analysis of the articles by means of Grounded

Theory (open, axial and selective coding)

5.1.1 Open Coding

Open Coding or initial coding has started by carefully reading each annotation per selected article in order

to identify particular notions or opinions which may help in the coding process. An important task at the

beginning of open coding is to define units or to “unitize” the data (Denscombe, 2014). This could be

done by focusing on words, lines of text, complete sentences, and paragraphs (Denscombe, 2014). Given

the amount of data, this thesis used a combination of the mentioned units. This helped the reviewer to

capture as much information as possible to “codify” the articles.

Little by little, by constantly comparing the findings (as per suggestion of Denscombe, 2014) it was

possible to consolidate same meaning of the codes even though they were present in a different wording

or phrasing in the read articles.

There were situations when the same expressions were found written in different words in several articles.

Therefore, it has been decided to merge in one code in order to keep a consistent approach.

While analyzing the data, the reviewer confronted a situation regarding the way some articles were

written. Therefore, it is important to mention that some articles were having a weird phrasing or the

sentences were structured in such way that the meaning was a bit fuzzy. Perhaps, this could be found

normal since the English language is not the native language of the writers and probably proofreading was

not done properly.

There were situations when in the same article the authors used words or expressions which might be

interpreted in the same note (example: “management pressure”, “management personal influence” and

“management intrusion”). Given the fact that subjectivity of the reviewer might be a target for discussion,

to avoid any inference it was considered appropriate to apply the same code for expressions or words with

the same message or signification. This decision was based on the recommendation of Denscombe(2014)

who is suggesting that the principles of grounded theory have to be applied in a research by using an open

mind. This gives the reviewer some space for maneuvering, so that, the analysis could be done in a

creative manner.

After the first round of open coding, a number of 114 codes were extracted. Given the complexity of

handling such amount of codes, another more in-depth iteration took place by a continuous comparison,

back and forth, of the initial codes (Urquhart et al., 2010; Denscombe, 2014; Wolfswinkel et al., 2013).

After this iteration, from all 23 selected articles, a number of 69 codes were identified. The list with all

these codes is presented in Appendix B.

5.1.2 Axial Coding

After finishing the open coding, the list of codes was revisited and the axial coding stage was begun.

Schlagenhaufer and Amberg (2015) are pointing out that axial coding is a stage when the reviewer has to

proceed in an inductive and a deductive manner so that the previously retrieved codes could be correlated

into categories and subcategories. Also, this has to be done iteratively by continually refining the axial

31

codes and by comparing the already defined categories in order to avoid duplicates or similar categories

(Paagman et al., 2015).

Therefore, the articles were analyzed again and the codes were grouped based on their relationship.

Initially, it was very hard to find a way through. The process of axial coding was giving hard times to the

reviewer because of the difficulty in handling such large amount of information.

Again, the open mind principle of grounded theory was employed and another iteration of the axial

coding has started by using a diagramming tool to better visualize the relationship between the codes.

For this stage of the coding, the diagramming tool chosen was Dia. This tool is free, open source

software, with a quite simplistic interface, but good enough to answer the needs of this research.

According to Wolfswinkel et al. (2013), in the beginning of axial coding, the task of building up the

relationship between codes is more subjective rather than rigorous. To address this situation the articles

have to be carefully read and methodically assessed to see whether there are other ideas which may

emerge. Hence, the articles were reassessed in order to determine whether the already developed sub-

categories have comprised correctly the codes retrieved during the open coding. In the situations when

adjustments were needed, the new emerged sub-category was compared to the existing ones. Then, if

there was clear that it doesn’t overlap or is not a duplicate, the new sub-category was added.

After this stage, a number of 17 subcategories were identified. The listing of these sub-categories is done

in section 5.2, as well as in Appendix C.

5.1.3 Selective Coding

In the last stage, selective coding was engaged to refine and integrate the core concepts of this review

(Wolfswinkel et al., 2013). Also, at this stage, the reviewer has to theorize and abstract the main

categories (core concepts) (Wolfswinkel et al., 2013) by using an iterative conceptualization with a

certain focus on the relationship between categories (Urquhart et al., 2010).

During the “Selective Coding”, the main categories were refined by having in mind the suggestion of

Wolfswinkel et al. (2013): this stage has to be done by looking at the main categories from the

perspective of the research question used in the research or from the viewpoint of the subject of the

review. For this thesis, it was used the research question-based approach in order to refine the main

categories of this review.

The work done during the Selective Coding resulted in getting six abstract categories. They are the

drivers which are shaping “the story to be told” (Wolfswinkel et al., 2013).

The six main categories are depicted in Figure 7, in the next section of this chapter.

5.2 State the identified codes (concepts) explicitly

To organize the coding, Wolfswinkel et al. (2013) suggest ways regarding how to document the found

codes from the selected set of articles. These suggestions are more at a general level.

32

Therefore, some inspiration was taken from Yang and Tate (2012), El-Gazzar (2014), Hjalmarsson et al.

(2014), Paagman et al. (2015) and Schlagenhaufer and Amberg (2015). This was seen very appropriate in

the case of this thesis, because the need to have a proper organization of the codes, subcategories,

categories (core concepts) has been seen as being crucial for building up the theory around them.

Moreover, given the difficulties of finding a rigorous way to group the open codes, the grouping was done

during the axial coding by using the method K-J. This method is also known as affinity diagramming and

aims at using a systematic way to assess and agree on a classification (as suggested by Yang and Tate,

2012).

According to the ASQ website (Affinity Diagram - ASQ, 2016), the method K-J is suitable for works

when there is a need to organize a big quantity of information in order to develop their natural

relationship. It could be used when there is a perceived idea of an apparent chaos, when the issues are too

complex and seems to be too wide to be easily followed (Affinity Diagram - ASQ, 2016).

Practically, the method K-J consists of using a certain number of sticky notes and a large work surface

(wall or table). Then, each fact or idea is written on the notes and spread on the work surface in a random

order. Then, notes which look to be related to each other are gathered until nothing remains. Finally, the

reviewer has to reflect on each group and try to find a heading. If it is necessary, the review may consider

regrouping the headings in “super groups” (Affinity Diagram - ASQ, 2016).

Given the amount of information reviewed by this research work and the fact that it was necessary to

organize the codes, it has been found appropriate for this thesis to use this method in order to find the way

through the “Axial Coding” stage.

The affinity diagramming was used during the “Selective Coding” in order to integrate and refine the sub-

categories in the main categories. Also, the suggestion of Yang and Tate (2012) and Schlagenhaufer and

Amberg (2015) was taken further and the main categories were validated against the top level categories

of the classification scheme for keywords identified as being used in the information systems research.

This is a scheme developed and updated by Barki et al (1993).

5.2.1 The codes explicitly stated

Initially, the table with the identified open codes was seen as part of this section. However, due to the

complexity of the matrix it has been decided to include it in a dedicated appendix – Appendix B, where

the open codes were stated explicitly in alphabetical order.

By mapping the articles to the codes, another matrix has been developed. This matrix is included as well

in Appendix B.

33

5.2.2 The categories and sub-categories explicitly stated

The emerged sub categories are:

Table 4: Highlighting the Emerged Sub-Categories

Emerged Sub-Categories

Laws and legal framework

Regulations

IS Audit Policy

IS Audit Standards

Cost

Business characteristics

Management

Technology

Employees perception of IS Audit

IS Audit Job

Academic

IS Professional training and certification

IS Technical knowledge

Job related Skills

Knowledge base

Change Perception

Awareness

And the refined main categories emerged are:

Table 5: The final Main Categories

Main Categories

Legislation

Policy and standards

Organizational

Human Resources

Educational

Cultural

5.3 Present the results through concept matrices

Finally, the consolidated view of the coding is presented here:

Table 6: The classification of categories and sub-categories

Selective Coding Axial Coding Open Coding

Legislation Laws and legal framework Two open codes

Regulations Two open codes

Policy and standards IS Audit Policy Four open codes

IS Audit Standards Two open codes

34

Selective Coding Axial Coding Open Coding

Organizational Cost Three Open Codes

Business characteristics Six Open Codes

Management Seven Open Codes

Technology Four Open Codes

Human Resources Employees perception of IS Audit Four Open Codes

IS Audit Job Six Open Codes

Job related Skills Six Open Codes

Educational Academic Four Open Codes

IS Professional training and certification Five Open Codes

IS Technical knowledge Four Open Codes

Knowledge base Four Open Codes

Cultural Change Perception Three Open Codes

Awareness Three Open Codes

Given the initial complexity of the matrix concepts, it has been chosen to use the above representation.

However, a more comprehensive matrix is included in Annex C. This matrix is also including the number

of articles where the open codes were found. The numbers are represented in parenthesis.

From the perspective of the research question which drives this research and to have a better

visualization, a diagram was built up to present the main categories. This diagram was drawn based on the

recommendations of O’Connor (2012):

Figure 7: The Diagram of the Main Categories

35

5.4 Identify strengths, weaknesses and gaps in the

literature The review of the existing literature concerning the research question revealed that there are many

challenges, difficulties and issues which are experienced by developing countries concerning IS Audit.

They relate to legislation, policies and standards, organization, information systems audit as a whole,

culture and education. As mentioned in the first section of this chapter, these are the core concepts which

are framing the story to be told (Wolfswinkel et al., 2013) and are described more in detail in this section

of this chapter.

Moreover, this part of thesis aims at fulfilling the last step (Step 8 – Writing the Review) of the

systematic literature review method developed by Okoli and Schabram (2010). To do so, the suggestion

of Wolfswinkel et al. (2013) was employed for this step. They recommend that the building of theory has

to involve creativity. Also, the theory could be built up by analyzing the literature and broaden the

existing theoretical model, by using common sense or experience. In this thesis, it has been decided to

combine them in order to come up with a comprehensive view of the reviewed articles.

5.4.1 Legislation

Legislation related challenges, difficulties and issues faced by developing countries from the perspective

of IS Audit comprise of “Laws and legal framework” and “Regulations”.

From the perspective of “Laws and legal framework”, developing countries are encountering various

challenges and issues regarding the clarity of laws or how the government supports the implementation of

laws with regard to IS Audit.

There are multiple pieces of evidence related to the fact that there are some laws, but it is clear that the

existing laws are not enough to sustain the need of the organizations from the developing countries(Maria

and Hariyani, 2011; Nkwe, 2011; Upadhyaya et al., 2012; Wahdan et al., 2008).

Also, confusing and cumbersomeness of the existing laws combined with excessive bureaucracy puts a lot

of pressure on those organizations who are aiming at implementing and using IS Audit (Mahzan and

Veerankutty, 2011; Salehi and Husini, 2011; Upadhyaya et al., 2012; Mozhgani et al., 2014). Hence, the

developing countries need to complete the existing legislation with laws which are simpler and adapted to

the reality from the field or to the local specificity (Nkwe, 2011; Maria and Hariyani, 2011; Upadhyaya

et al., 2012).

The beneficial role of having a clear legislation is recognized as being the foundation of a proper

regulation of the IS Audit at the national level (Mahzan and Veerankutty, 2011; Nkwe, 2011; Upadhyaya

et al., 2012). However, governments don’t have enough expertise or resources in making the legislation

more accessible for the organizations, keeping the confusion at a very high level (Salehi and Husini,

2011; Mahzan and Veerankutty, 2011; Nkwe, 2011; Upadhyaya et al., 2012).

To cope with the inconsistency of legislations shortage of laws, some countries started to adapt to their

needs, laws used by Western countries. However, due to differences at the national legal framework level,

36

this direction added an additional layer of confusing in the adopted legislation concerning IS Audit

(Nkwe, 2011; Upadhyaya et al., 2012; Wahdan et al., 2008).

Of course, the legislation related to IS Audit has to be implemented by the government or delegated

ministries and agencies (Nkwe, 2011; Razi and Madani, 2013; Upadhyaya et al., 2012; Wahdan et al.,

2008). In this context, the government and ministries are urged to take the lead in adopting the right

approach for regulation of IS Audit. Also, the reviewed articles are talking about the need for government

support to promote the IS Audit legislation in order to have a wider awareness on this matter (Bani-

Ahmad and El-Dalabeeh, 2014; Mahzan and Veerankutty, 2011; Mozhgani et al., 2014).

When it comes to regulations, some articles are highlighting the fact that the lack of IS Audit regulations

is a major issue and there is an acute need to address this shortage (Al-Ansi et al., 2013; Mahzan and

Veerankutty, 2011; Nkwe, 2011). Also, the existing literature recognizes the usefulness of having IS

Audit regulations in order to help businesses to cope with the potential IT risks (Nkwe, 2011; Nijaz et al.,

2011). Therefore, it is important for developing countries to adopt a proper framework of regulations

which will reduce the gap between them and the more advanced countries. This has to be done in

concordance with national legislation in order to avoid any potential weaknesses (Al-Ansi et al., 2013;

Mahzan and Veerankutty, 2011; Nijaz et al., 2011).

As it happens in the case of legislation, IS Audit regulations are also perceived as being confusing or even

contradictory (Mahzan and Veerankutty, 2011; Razi and Madani, 2013; Upadhyaya et al.; 2012). This

may happen in the cases when there is a decentralized administration, so that, the country’s highest level

regulations may be contradicted by regulations adopted at a lower level of the administration. On the

other side, when national regulations are lacking consistency or are difficult to be applied, countries are

adopting the rules imposed by the national bank or similar bodies who are filling the regulatory gap

(Nkwe, 2011; Nijaz et al., 2011).

5.4.2 Policies and Standards

“Policies and Standards” are coming to support and complement the “Legislation” and, therefore, are seen

at the same level of importance. The challenges and issues related to “Policies and Standards” consist of

“IS Audit Policy” and “IS Audit Standards”.

In the context of IS Audit Policies, it is important to mention that the lack of the IS Audit policies has an

important impact on how organizations from the developing countries are dealing with IS Audit. The

importance of policies is recognized, given the fact that the policies are promoting a proper regulatory

environment. However, the absence or shortage of IS Audit-related policies has a negative effect on how

organizations are mitigating the potential IT risks (Nkwe, 2011; Upadhyaya et al., 2012).

Moreover, in those countries where the policies already exist, it is admitted by the existing literature the

fact that those policies must be continuously updated to answer to the advancements of information

technology, as well as to the challenges of the new risks associated to an ever changing environment as IT

is perceived (Nkwe, 2011).

Furthermore, in the countries where the IS Audit policies were observed as being in place, it has been

reported that there is a limited compliance with those IS Audit policies (Nkwe, 2011; Nijaz et al., 2011;

Rafiei and Moeinadin, 2014). Perhaps, this is linked to an inadequate implementation of IS Audit. The

37

issue of lacking or poor implementation of IS Audit is happening in those organizations where there is a

weakness in the level of understanding of what are the IS Audit policies for. This is occurring despite the

fact that the importance of these policies it is recognized in the most cases (Al Lawati and Ali, 2015;

Rafiei and Moeinadin, 2014).

Similarly, the reviewed articles are mentioning that there is a lack of best practices in the IS Audit field.

Even though the importance of the IS Audit best practices is out of any discussion, when it comes to

helping an organization to better protect their IT assets(Nkwe, 2011; Bani-Ahmad and El-Dalabeeh,

2014), the developing countries are lacking in using and/or adopting best practices (Bani-Ahmad and El-

Dalabeeh, 2014). Moreover, in the cases where best practices are used, they are in a basic format and

therefore there is a need to align them with the current, internationally recognized best practices (Bani-

Ahmad and El-Dalabeeh, 2014; Purwoko, 2011; Puspasari and Yuwono, 2013).

In line with challenges and issues related to IS Audit Policies, IS Audit Standards are also mentioned as

demanding a lot of efforts and work from the developing countries concerning the IS Audit.

Lacking adoption of standards in the IS Audit field has been reported by a significant number of articles.

While the international standards are quite known in the developing countries, the organizations are

avoiding adopting such standards and they try to use either internally developed procedures or national

standards(if exists)(Abuazza et al., 2015; Nijaz et al., 2011; Salehi and Husini, 2011).

Moreover, the adoption of IS Audit Standards is hindered by the level of understanding of what is an

Information Systems Audit Standard. This is observed amongst IS Audit professionals as well as at the

level of the decision makers (Abuazza et al., 2015; Al Lawati and Ali, 2015; Bani-Ahmad and El-

Dalabeeh, 2014; Maria and Ariyani, 2014; Upadhyaya et al., 2012).

On the other hand, the adoption of IS Audit standards is seen as being in a better shape in the case of

businesses which are in business relations with the companies from the developed countries. In such a

way, those businesses are obliged to adopt international IS Audit Standards in order to comply with the

requirements coming from their business partners (Abuazza et al., 2015; Nijaz et al., 2011). A similar

situation is in the case of businesses which are listed on the stock exchange (Abuazza et al., 2015; Nijaz et

al., 2011; Salehi and Husini, 2011).

Even if the need of having the IS Audit carried in a standardized way is considered as being important

(Nijaz et al., 2011), businesses from the developing countries are having difficulties to adapt to the

international standards due to local regulations.

The reviewed articles were also talking about the poor or partial implementation of IS Audit Standards.

This kind of cases are the ones were some efforts and resources were spent in order to implement an IS

Audit standard. However, issues like deficient communication and collaboration between involved

parties, as well as wrong perception of IS Audit from the management point of view, led to situations

when the implementation of standards was less successful (Al Lawati and Ali, 2015; Bani-Ahmad and El-

Dalabeeh, 2014; Nijaz et al., 2011). As a consequence, the poor implementation led to low performance

and less efficiency of the reported IT risks.

38

5.4.3 Organizational

Organizational related challenges, difficulties and issues consist of “Costs”, “Business Characteristics”,

“Management” and “Technology”.

The cost of IS Audit implementation, as well as the cost of IS Audit execution, are perceived by the

authors of the reviewed articles, as being high enough. Hence, the organizations are avoiding to involve

themselves in an endeavor to have IS Audit in place. Therefore, the IS Audit is relying its existence on the

financial capabilities of the organization. The IS Audit is likely to be implemented in the financial

industry–related businesses rather than other industries (Abu-Musa, 2008; Mahzan and Veerankutty,

2011). Moreover, the organizations are expecting that the IS Audit is executed at low prices and expenses,

which is not always the case (Majdalawieh and Zaghloul, 2009; Mozhgani et al., 2014; Wahdan et al.,

2008). Aditionally, by trying to minimize the cost of an IS Audit it has been observed a very low quality

of the results, as well as on the efficiency and performance of the IS Auditors (Mozhgani et al., 2014;

Wahdan et al., 2008).

Confronted with the perceived high cost of IS Audit implementation and execution, some organizations

are contemplating the alternative to outsourcing the IS Audit in one way or another. However, this is also

costly or is lacking competent companies able to take this load. Additionally, this is perceived as being

risky, with a potential negative impact on the business itself in terms of privacy and business safety

against competitors (Majdalawieh and Zaghloul, 2009; Puspasari and Yuwono, 2013; Upadhyaya et al., 2012).

Another source of challenges and issues are the “Business characteristics”. The size of the organization is

mentioned as having an important influence on the quality of the IS Audit carried in the organization.

This is tightly linked to the availability of resources, either budget related (Mahzan and Veerankutty,

2011; Alkebsi et al., 2014; Maria and Hariyani, 2011; Maria and Ariyani, 2014), human resources or both

(Mahzan and Veerankutty, 2011; Maria and Ariyani, 2014; Razi and Madani, 2013; Wahdan et al., 2008).

Furthermore, the low level of business competition has as a consequence a reduced pressure on the

business to use IS Audit in order to mitigate potential IT risks in their information systems(Razi and

Madani, 2013; Alkebsi et al., 2014; Wahdan et al., 2008).

In spite of the fact that the reviewed literature acknowledge the benefit of having IS Audit included in the

business process, some of the reviewed articles are highlighting that this is challenging for the

organization due to either lack of knowledge about business process interaction with the IS Audit (Maria

and Ariyani, 2014; Maria and Hariyani, 2011; Mozhgani et al., 2014) or lack of competence in including the IS

Audit into the business process. This is happening at the IS Auditor level as well as at the management

level (Maria and Ariyani, 2014; Mozhgani et al., 2014; Puspasari and Yuwono, 2013; Salehi and Husini, 2011).

Additionally, the unclear, fuzzy or overlapped business demands are adding another layer of issues faced

by developing countries from the IS Audit perspective. This kind of maintaining a blurred view of the

items to be audited doesn’t help the IS Auditor to clearly understand what are the needs. Given the fact

that the ownership of the systems is not precisely defined, the work of the IS Auditor is also challenging

when the findings are to be reported (Al Lawati and Ali, 2015; Majdalawieh and Zaghloul, 2009; Rafiei

and Moeinadin, 2014). These situations lead a poor mitigation of the retrieved findings, or even worst, the

implementation of the counter-measures are simply delayed.

39

It is worthy to remark that the organizational and work culture has been mentioned as a potential

hindering factor for IS Audit usage in some particular developing countries (Majdalawieh and Zaghloul,

2009; Maria and Ariyani, 2014). So, the conclusion was that the way how the IS Audit is implemented or

used is linked to the level of the work rigorousness of the employees.

Lastly, it has been observed that in the developing countries, there is a lower adoption level of IS Audit

(Nkwe, 2011; Razi and Madani, 2013). This could be linked back to the shortage of legislation and

policies in the field of IS Audit as well as the resources at the organizational level.

When it comes to the aspect of “Management”, the analyzed articles are mentioning it as being very

challenging to the developing countries, fueling many issues from the perspective of IS Audit.

For instance, the lack of management support, help or commitment is, by far, the most researched topic

amongst the others, 60 % of the reviewed articles are focusing on it in one way or another. The

management support in implementing IS Audit in an organization is perceived as very important, because

of the budgetary needs and business process changes (Nkwe, 2011; Al Lawati and Ali, 2015). Despite this

aspect, this support wais not widely observed in the reviewed articles.

Also, the management’s ability to understand the benefits of IS Audit (Abuazza et al., 2015; Abu-Musa,

2008; Al Lawati and Ali, 2015) as well as the capability to provide the organizational framework for

adopting, implementing and enforcing the IS Audit (Al Lawati and Ali, 2015; Nkwe, 2011; Alkebsi et al.,

2014; Abu-Musa, 2008; Maria and Ariyani, 2014) are strongly challenging the organizations from the

developing countries.

In addition, it is admitted that the role of the management in supporting the IS Auditors is critical,

especially, when the IS Auditors are confronted with obstructed access or restricted authorization to audit

information systems. Despite this aspect, it is not easy in the case of the organizations from the

developing countries to have a supportive management regarding IS Audit-related matters.(Nkwe, 2011;

Purwoko, 2011; Puspasari and Yuwono, 2013; Rafiei and Moeinadin, 2014; Upadhyaya et al., 2012),

even though the reviewed studies are admitting the fact that the IS Audit helps the management in taking

decisions related to the business (Puspasari and Yuwono, 2013; Rafiei and Moeinadin, 2014; Razi and

Madani, 2013) by identifying the potential risks or weaknesses of the systems used by the organizations.

Another origin of challenges and issues is the fact that the management is using its influence to put

negative pressure on the IS Auditors, with an immediate effect on the trustworthiness and the neutrality of

the audit reports (Abuazza et al., 2015; Wahdan et al., 2008). In addition, despite the fact that the

management should respect the independence of the IS auditor, there is some evidence that the

management is influencing the results of the IS Audit by forcing the auditors to comply with the requests

or wishes from the management. This seems to be rooted in the particularities of the local culture

(Abuazza et al., 2015; Purwoko, 2011; Wahdan et al., 2008).

Additionally, the different agenda of management has a direct impact on the adoption level of IS Audit

(Abu-Musa, 2008; Nkwe, 2011; Alkebsi et al., 2014; Malgharni and Yusoff, 2011). The managers could

be busy with other managerial work, could have less time allocated to mitigate the IS Audit findings or

simply don’t take seriously the reports of the IS Auditors (Abu-Musa, 2008; Majdalawieh and Zaghloul,

2009; Purwoko, 2011; Razi and Madani 2013).

40

Therefore, the management usually delays or even ignore to take action to mitigate the reported IS Risks.

Moreover, the management may overlap in taking decisions with regard to the IS Audit report. This

overlap is emerging from the fuzzy or unclear managerial responsibilities, so that, for instance, one

manager’s decision may be overwritten by another manager, at a similar hierarchical level (Abu-Musa,

2008; Bani-Ahmad and El-Dalabeeh, 2014; Purwoko, 2011). This leads to confusions amongst employees

and, to avoid any confrontation, the findings of the IS Audit are just ignored.

Furthermore, the management’ role in creating a proper working environment is crucial. The way how

employees are made aware of the benefits of IS Audit, as well as the way of motivating the IS Auditors to

deliver efficiency and performance seems to be at a low level in the businesses from developing

countries. As expected, this has a direct, negative impact on how IS Audit is perceived in the

organizations (Ismail and Abidin, 2009; Mozhgani et al., 2014; Salehi and Husini, 2011; Steyn and Plant,

2009; Wahdan et al., 2008).

The whole picture of the challenges and issues from the organizational perspective is completed with the

“Technology”. One of the most researched areas focuses on the high diversity of IT technological

landscape. Almost half of the reviewed articles are highlighting that the IT in developing countries is very

diverse, ranging from chaotic, basic, to heterogeneous and sophisticated (Salehi and Husini, 2011; Abu-

Musa, 2008; Al Lawati and Ali, 2015; Ismail and Abidin, 2009; Mahzan and Veerankutty, 2011;

Majdalawieh and Zaghloul, 2009). From the perspective of IS Auditors this is very challenging because it

is necessary to deal with technologies, stacked in several layers (network, operating systems, applications,

database, different level of users’ IT literacy) (Al Lawati and Ali, 2015; Ismail and Abidin, 2009; Mahzan

and Veerankutty, 2011; Majdalawieh and Zaghloul, 2009; Maria and Hariyani, 2011; Maria and Ariyani,

2014; Mozhgani et al., 2014).

Of course, the perceived complexity of information systems audited implies also a certain amount skilled

human resources to perform the required information systems audit. However, this seems to be very

challenging for developing countries (Majdalawieh and Zaghloul, 2009; Maria and Hariyani, 2011;

Purwoko, 2011; Salehi and Husini, 2011). Therefore, the organizations tend to focus only on minimum or

basic IS audit with a direct effect on the efficiency of the found risks. On the other hand, some

organizations with complex information systems are using the services of external companies highly

specialized in doing IS Audit. Besides the fact that this involves additional costs, the highly specialized

companies are not present in many of the developing countries (Al Lawati and Ali, 2015; Salehi and

Husini, 2011).

On the contrary of the cases with complex information systems, there are situations when the

technological landscape is less complicated and is focusing only on the basic function of the IT. In such

situations, there is less IS Audit and the auditors are not interested in doing rigorous IS Audits, in such

way some potential risks are overlooked with the associated consequences (Ismail and Abidin, 2009;

Mahzan and Veerankutty, 2011; Majdalawieh and Zaghloul, 2009).

Moreover, it has been observed that the continuous change of the IT landscape makes the IS Audit more

challenging for the organizations. Additionally, the decision of buying particular technologies is not

backed by the involvement of IS Auditors in the decision-making process. This is combined with the lack

of communication between the IS Auditors and the IT department when a new technology is deployed

leading to an increase the chances of having difficulties in the approaching and auditing such type of

41

information system (Al Lawati and Ali, 2015; Ismail and Abidin, 2009; Mahzan and Veerankutty, 2011;

Majdalawieh and Zaghloul, 2009; Maria and Hariyani, 2011; Maria and Ariyani, 2014; Mozhgani et al.,

2014).

Therefore, the reviewed literature is insisting on the need of having a minimum standardization or, at

least, a consistency of the IT technological environment at the national level. This has to be adapted to the

specific characteristics of the local business, different management style compared to developed countries

and specific laws and regulations (Mahzan and Veerankutty, 2011; Majdalawieh and Zaghloul, 2009;

Mozhgani et al., 2014).

On top of the challenges and issues related to diversified IT landscape, the cumbersomeness of IS Audit

implementation is adding another layer of frustration amongst organizations from the developing

countries. It has been observed that the implementation of IS Audit doesn’t match always the need of the

organization. Therefore, those implementations are too complicated, with various parts completely useless

or without any added-value to the IS Audit (Al Lawati and Ali, 2015; Maria and Hariyani, 2011; Razi and

Madani, 2013; Salehi and Husini, 2011).

Additionally, the tools which are coming with the implemented IS Audit are either too complex or are not

supported in the local language, even though their intention is to automate the manual tasks and to

improve the efficiency and performance of the IS Auditor (Mahzan and Veerankutty, 2011; Maria and

Ariyani, 2014; Puspasari and Yuwono, 2013; Salehi and Husini, 2011). Therefore, the general impression

is that it is difficult to adjust the Western technologies to local needs, creating again a negative perception

of IS Audit (Al Lawati and Ali, 2015; Mahzan and Veerankutty, 2011; Malgharni and Yusoff, 2011;

Nkwe, 2011; Razi and Madani, 2013).

5.4.4 Human Resources

The challenges, difficulties and issues related to this category are threefold “Employees perception of IS

Audit”, “IS Audit Job” and “Job Related Skills”.

For instance, the IS Audit seems to be misunderstood in terms of what is the role, what are the benefits

and what is the scope of it. Even though the role of IS Audit is perceived as being an important part of the

organization aiming at helping the business to achieve its strategic objectives (Abuazza et al., 2015; Maria

and Hariyani, 2011; Nkwe, 2011; Puspasari and Yuwono, 2013), the lack of understanding of the role of

IS Audit is still high and there is a tremendous need to clarify its role at the level of the management and

the organizations(Nkwe, 2011; Purwoko, 2011; Puspasari and Yuwono, 2013; Rafiei and Moeinadin,

2014).

Also, the benefits of IS audit seems to be well known and recognized, but the reality of the field looks

differently in the developing countries. Perhaps, this is emerging from the lack of understanding of IS

Audit as a whole (Maria and Hariyani, 2011; Nkwe, 2011; Puspasari and Yuwono, 2013). Moreover, it

has been observed in the cases where the IS Audit is used that there is a continuous change in the scope of

IS Audit with a direct effect on efficiency and effectiveness.

Also, the lack of understanding of the scope of IS Audit provoke an endless modification of the scope.

Hence, the immediate effect of this continuous changes in the scope of IS Audit is to generate a huge

confusion on what has to be audited. This situation has a bad influence on the motivation of the IS

42

Auditor, because the outlook on the IS Audit is blurred and fuzzy, making the IS Auditor feeling under a

false pressure (Abuazza et al., 2015; Ismail and Abidin, 2009; Majdalawieh and Zaghloul, 2009; Nkwe,

2011; Puspasari and Yuwono, 2013; Rafiei and Moeinadin, 2014).

It has been reported that the IS Auditor is perceived as a verifier or a cop (Salehi and Husini, 2011),

inspector or controller (Abu-Musa, 2008). This seems to be a reason for the organizations, the

management and the employees to obstruct the work of IS Auditors. Of course, such attitude means that

the IS Auditors are treated with caution and their access to information systems is difficult (Al Lawati and

Ali, 2015; Maria and Ariyani, 2014; Nkwe, 2011). This way of hindering the work of the IS Auditors,

leads to low efficiency, incomplete reports and low effectiveness of the actions taken to mitigate the risks

associated with information systems(Abu-Musa, 2008; Al Lawati and Ali, 2015; Maria and Ariyani,

2014; Purwoko, 2011; Salehi and Husini, 2011).

Additionally, another challenge faced by developing countries from the IS Audit perspective is related to

little or no cooperation or collaboration with the stakeholders. This comprises communication or

collaboration with the internal IT department (Al Lawati and Ali, 2015; Abuazza et al., 2015), the IT

management or higher management (Alkebsi et al., 2014; Maria and Ariyani, 2014). This communication

or collaboration is even worst in the case when the IT department is outsourced and the information

gathering on audited information systems is very slow, jeopardizing the whole process of IS Audit (Al

Lawati and Ali, 2015; Alkebsi et al., 2014; Maria and Ariyani, 2014; Mozhgani et al., 2014; Nkwe, 2011;

Rafiei and Moeinadin, 2014).

Further, it has been reported the fact that the business processes are changing relatively often without

having the IS Auditors informed or involved. To cope with such lack of communication, the IS Auditors

have to use their knowledge and ability to deliver meaningful reports. Additionally, this involves more

resources to adapt to the new requirements (Mahzan and Veerankutty, 2011; Puspasari and Yuwono,

2013). In the case of the developing countries, this situation seems not to be easily to be fixed,

challenging their capability to manage such sort of situation.

When it comes to “IS Audit Job”, there are several aspects mostly researched. Firstly, lack of human or

budget resources is mentioned as being an important challenge for an organization acting in the

developing countries because there is a constant shortage of human resources as well as money for

implementation and execution of the IS Audit or mitigation of the reported risks (Abu-Musa, 2008; Al

Lawati and Ali, 2015; Al-Ansi et al., 2013; Mahzan and Veerankutty, 2011; Majdalawieh and Zaghloul,

2009). The lacking of budgetary resources goes as low as not having money to buy basic IS Audit tools,

forcing the IS Auditors to use the so-called “manual approach”. Given the fact that doing the manual

audit is boring and not challenging at all (Nkwe, 2011), the lack of IS Audit tools has a high impact on

efficiency and performance (Mahzan and Veerankutty, 2011; Maria and Ariyani, 2014; Salehi and Husini,

2011),

Also, it has been found that there is a high pressure on IS Auditor independence, objectivity or identity

(Majdalawieh and Zaghloul, 2009; Abu-Musa, 2008; Purwoko, 2011; Rafiei and Moeinadin, 2014;

Wahdan et al., 2008). These types of pressure seem to be linked to the different management style

compared to developed countries. Perhaps, this is also connected to the negative understanding of the role

of IS Audit and its benefits (Abu-Musa, 2008; Bani-Ahmad and El-Dalabeeh, 2014; Mahzan and

Veerankutty, 2011; Majdalawieh and Zaghloul, 2009). Hence, it is required a change in the organizational

43

culture and skills across organizational elements (the employees and the management) (Wahdan et al.,

2008; Rafiei and Moeinadin, 2014; Abuazza et al., 2015).

Despite the fact that in some developing countries the IS Auditor profession reached its maturity

(Majdalawieh and Zaghloul, 2009), there are many pieces of evidence that support the contrary. Some of

the reviewed articles are mentioning the lack of qualified and competent IS Audit staff (Mahzan and

Veerankutty, 2011; Purwoko, 2011; Steyn and Plant, 2009; Upadhyaya et al., 2012). This is challenging

for organizations since it is not easy to find experienced IS Auditors at the national level as well is not

feasible to bring talented IS Audit staff from more advanced countries due to scarce budgetary resources

(Abu-Musa, 2008; Alkebsi et al., 2014; Mahzan and Veerankutty, 2011; Purwoko, 2011; Steyn and Plant,

2009; Upadhyaya et al., 2012).

A noticeable attention is accorded to the need for a code of conduct and professional ethics of the IS

Auditors in the developing countries. It is clearly recognized that lacking a code of conduct of the IS

Auditors has large implications on trustworthiness, integrity and authenticity of the reported risks (Maria

and Ariyani, 2014; Rafiei and Moeinadin, 2014; Razi and Madani, 2013; Wahdan et al., 2008). This

weakness of the IS Auditor profession has its own strong and challenging pressure on the organizations

from the developing countries, because the usage of IS Audit is questionable and the results are not taken

seriously (Wahdan et al., 2008; Abuazza et al., 2015; Bani-Ahmad and El-Dalabeeh, 2014).

Furthermore, the IS Auditor profession suffers also from the unclear job description. The confusion of the

mission of an IS Auditor in an organization is kept through wrong management’s misunderstanding of IS

Audit role in an organization (Ismail and Abidin, 2009; Majdalawieh and Zaghloul, 2009; Maria and

Ariyani, 2014). This is complemented by the fact that the standards and policies are confusing or

contradictory. Therefore, the blurring job requirements of the IS Auditor as well as the unclear role of the

IS Auditor in the Organigram of an organization adds another layer of issues to the organizations from the

developing countries (Ismail and Abidin, 2009; Puspasari and Yuwono, 2013; Upadhyaya et al., 2012;

Wahdan et al., 2008).

In regard to IS Audit Job related challenges and issues, it is important to mention the IS Auditor’s

motivation factors. This consists of salary level, workplace environment, and benefits package. Of course,

this is impacting the ability of an organization to find skilled and competent IS Auditors (Maria and

Ariyani, 2014; Steyn and Plant, 2009; Wahdan et al., 2008) due to direct influence on IS Auditor’s

decision whether to join or not an organization. Even though this is observed by the reviewed articles, the

budgetary constraints are preventing the organizations to deal with this issue in order to provide more

attractive motivation factors.

Job Related Skills are also claimed as being a cornerstone for an IS Auditor. From this perspective, the

experience as IS Auditor and capability to properly report the findings make the difference and add the

value to any IS Audit report. However, finding an IS Auditor with such skills is challenging for

organizations from the developing countries (Alkebsi et al., 2014; Mozhgani et al., 2014; Wahdan et al.

(2008).

Moreover, it has been found that the developing countries are lacking skilled IS Auditors with IT modern

experience and expertise (Al-Ansi et al., 2013; Mahzan and Veerankutty, 2011; Malgharni and Yusoff,

2011; Purwoko, 2011; Wahdan et al., 2008). Also, the reviewed articles observe that some IS Auditors are

44

showing low or no interest in using information technology in performing IS Audit (Al-Ansi et al., 2013;

Alkebsi et al., 2014; Malgharni and Yusoff, 2011; Mozhgani et al., 2014).

Moreover, there is a low attraction amongst IS Auditors to develop the ability to understand what are the

IS risks with a potential impact on the audited organization (Abuazza et al., 2015; Alkebsi et al., 2014;

Bani-Ahmad and El-Dalabeeh, 2014; Mahzan and Veerankutty, 2011; Malgharni and Yusoff, 2011;

Maria and Ariyani, 2014; Nkwe, 2011; Razi and Madani, 2013). This has the consequence of not being

able to implement the IS Audit in a proper manner in order to reduce the potential risks related to

information systems (Mahzan and Veerankutty, 2011; Majdalawieh and Zaghloul, 2009; Maria and

Hariyani, 2011).

Nowadays, there is a constantly increasing demand of IS Auditors able to audit highly complex and

sophisticated information systems. However, it is said that it is difficult to find locally, IS Auditors with

such ability of understanding complex information systems (Abu-Musa, 2008; Ismail and Abidin, 2009;

Mahzan and Veerankutty, 2011; Majdalawieh and Zaghloul, 2009; Majdalawieh and Zaghloul, 2009;

Maria and Hariyani, 2011; Maria and Ariyani, 2014; Rafiei and Moeinadin, 2014; Salehi and Husini,

2011). Therefore, the IS Audit is poorly implemented, focusing on basic aspects of the information

systems.

5.4.5 Education

The challenges, difficulties and issues related to “Education” consist of “Academic” related matters, “IS

Professional training and certification”, “IS Technical knowledge” and “Knowledge base”.

Despite the fact that it is widely recognized the importance of academic research in the field of IS Audit,

the reviewed material is claiming that in the developing countries the academic research in the field of IS

Audit is, by far, insufficient. The local universities don’t present enough interest in promoting and

focusing on IS Audit research. This is presented as challenging because without the research in this area,

the organizations have to adapt studies from outside of the country to the local specificities. This is time-

consuming and may imply controversies in the used terms, frameworks, techniques and legal implications

(Abuazza et al., 2015; Al-Ansi et al., 2013; Nkwe, 2011; Upadhyaya et al., 2012).

Also, there is a stringent need to adapt the university curricula (Al-Ansi et al., 2013; Alkebsi et al., 2014;

Nkwe, 2011; Upadhyaya et al., 2012; Wahdan et al., 2008) to the need of having a more specialized

education at the university level in the field of IS Audit(Al-Ansi et al., 2013; Alkebsi et al., 2014; Mahzan

and Veerankutty, 2011; Steyn and Plant, 2009; Upadhyaya et al., 2012; Wahdan et al., 2008).

Moreover, it has been observed that it is very important to increase the quality of Information systems’

related education in order to produce a more qualified workforce. This is seen as a fundamental need for

the organizations from the developing countries to cope with the increasing need for specialized IT staff

able to understand properly the requirements of IS Audit. Further, by having more qualified IS graduates

there are higher chances to fill in the gaps related to the profession of IS Auditor with IS graduates

interested in becoming an IS Auditor. This is understandable, given the fact that an IS Auditor is more

effective if she/he has an extensive IT Knowledge (Al-Ansi et al., 2013; Alkebsi et al., 2014; Mahzan and

Veerankutty, 2011; Steyn and Plant, 2009; Upadhyaya et al., 2012).

45

Complementary to academic education, the “IS Professional training and certification” represents another

important and researched topic in the reviewed articles.

It has been reported that the lack of training in the new IT technologies has a huge impact on the IS

auditors because they are facing issues when they have to audit information systems which include new

technologies (Al-Ansi et al., 2013; Ismail and Abidin, 2009; Mahzan and Veerankutty, 2011;

Majdalawieh and Zaghloul, 2009; Upadhyaya et al., 2012; Wahdan et al., 2008). A study advocates that

the learning and training have to be continuously done in order to cope with the rapidly changing

technological landscape of the IT (Ismail and Abidin, 2009). Also, the training has to be tailored to the

auditors needs so that the time spent grasping new developments in IT should not take too long (Al-Ansi

et al., 2013; Ismail and Abidin, 2009; Mahzan and Veerankutty, 2011) with a positive effect on the

efficiency and motivation of the IS Auditors.

Similarly, the continuous training has to concern also the IS Audit field as well. Lacking continuous

training in the IS Audit is preventing the IS Auditors from developing countries to learn and get familiar

with the new techniques, the new standards internationally used or the practices from the developed

countries (Mahzan and Veerankutty, 2011; Maria and Ariyani, 2014; Steyn and Plant, 2009; Al-Ansi et

al., 2013). There is an agreement amongst researchers that this issue leads to situations when the IS

auditors can’t deal with new, complex systems with an immediate effect on the perception of the

professionalism of the IS Auditors (Al-Ansi et al., 2013; Ismail and Abidin, 2009; Mahzan and

Veerankutty, 2011; Maria and Ariyani, 2014; Steyn and Plant, 2009; Upadhyaya et al., 2012; Wahdan et

al., 2008). Although some efforts were already made, the reviewed articles are recognizing that there is a

huge room for improvement.

Also, there is a shortage of opportunities for training on the IS Audit tools. Even though, their usefulness

is recognized, there are not too many options for the IS Auditors to train on how to use or how to get the

most of the IS Audit tools, with a tremendous impact on the performance, efficiency and motivation of

the IS Auditor (Al-Ansi et al., 2013; Ismail and Abidin, 2009; Maria and Ariyani, 2014; Nkwe, 2011;

Salehi and Husini, 2011).

It has been speculated that one possible reason linked to lacking training could be rooted in the reluctance

of management to train staff (Salehi and Husini, 2011; Steyn and Plant, 2009).

Furthermore, the lack of professional bodies at the national level from some developing countries is

claimed as being a challenge for all the parties involved in the IS Audit field. Some evidence points out

that there is a high need to have more active IS Audit-related professional institutions at the national level.

This is necessary in order to support and build up a favorable environment to the development of the IS

Audit profession (Nkwe, 2011; Steyn and Plant, 2009; Upadhyaya et al., 2012). In line with this, the

benefits of having a strong IS Audit professional body would help organizations to address their concerns

regarding the IS Audit (Al Lawati and Ali, 2015; Al-Ansi et al., 2013; Bani-Ahmad and El-Dalabeeh,

2014; Nkwe, 2011).

“Information Systems Technical Knowledge” comprises challenges and issues related to information

technology in general and to new technologies that make their way to the market and are included in one

way or another in the information systems from the developing countries.

46

Typically, the information technology is an ever changing environment and even the developed countries

are having difficulties to keep up with the new technologies. Therefore, is not surprising that the

developing countries are lagging behind.

In the case of the reviewed articles, it has been observed that the digital gap seems to be too wide and, as

a consequence, there is a huge lack of knowledge amongst the IS Auditors from the developing countries

regarding highly specialized information technologies (Ismail and Abidin, 2009; Majdalawieh and

Zaghloul, 2009) or even in the case of less demanding IT-related technologies (Abuazza et al., 2015;

Wahdan et al., 2008).

Perhaps, this situation has its roots in the lack of IT knowledge at a more generalized level. For instance,

it is claimed that an IS Auditor must have good knowledge of IT in order to be able to understand the

audited information system. In the case of the reviewed articles, it has been observed that this basic

requirement for an IS Auditor is not fulfilled in many situations. This has a negative impact on the

accuracy of findings and how the IS Auditor is perceived in the audited organization (Abu-Musa, 2008;

Al-Ansi et al., 2013; Mahzan and Veerankutty, 2011; Maria and Ariyani, 2014; Mozhgani et al., 2014).

Therefore, it is crucial to develop amongst the IS Auditors from the developing countries, the culture of

continuous update of the IT technical knowledge in order to keep up with the related challenges (Abu-

Musa, 2008; Al-Ansi et al., 2013; Ismail and Abidin, 2009; Mahzan and Veerankutty, 2011). Also, it has

been recognized that this should be linked to academic and professional training and education. However,

this is still under consideration of the decision-makers from the developing countries.

Sharing the knowledge and the imperative need to have a knowledge base at the national level seems to

be another challenge for developing countries from the IS Audit perspective. The benefits of a knowledge

base are out of any discussion. However, this is obstructed by various factors. For instance, in order to

bridge the knowledge gap, developing countries are using pieces of information from the developed

countries. The issue is that the most of the information is in English. On the other hand, the observed

unsatisfactory level of English amongst IS Audit professionals is hindering the transfer of IS Audit know-

how into the local language (Mozhgani et al., 2014; Nijaz et al., 2011; Nkwe, 2011). Hence, building a

knowledge base related to IS Audit in the local language is very challenging and troublesome (Al-Ansi et

al., 2013 ; Alkebsi et al., 2014; Bani-Ahmad and El-Dalabeeh, 2014; Nkwe, 2011; Wahdan et al., 2008).

It has been suggested that one way to cope with the hindering causes to build a national IS Audit

knowledge base is to develop cooperation between countries which are sharing the same language, such

as Arabic language(Alkebsi et al., 2014; Bani-Ahmad and El-Dalabeeh, 2014; Nkwe, 2011; Wahdan et

al., 2008). In such a manner, many countries sharing Arabic language would benefit from the usage of an

Arabic-based knowledge base. However, this is still difficult and needs a significant and larger

coordination between countries. Perhaps, a regional or intergovernmental organization may regulate this

aspect of having a pan-Arabic IS Audit knowledge base.

Moreover, the required IS Audit knowledge base would benefit also from documentation of successful

projects in the field of IS Audit. Despite this fact, it has been reported that there is a lack of such

documentation regarding successfully finalized IS Audit projects in the organizations from the developing

countries (Majdalawieh and Zaghloul, 2009; Nkwe 2011). Likewise, the professional networking amongst

IS auditors is lacking adherence, making the spread of knowledge and information about IS Audit to be

47

very challenging (Mozhgani et al., 2014; Bani-Ahmad and El-Dalabeeh, 2014; Steyn and Plant, 2009;

Upadhyaya et al., 2012).

5.4.6 Cultural

Cultural related challenges, difficulties and issues reported by the reviewed is twofold: “Change

Perception” and “Awareness”.

Adopting new technology, new techniques or new regulations involves a certain amount of change. The

change perception with regards to IS Audit in developing countries consists of several aspects. It has been

observed a resistance to change of employees when the organization used or implemented IS Audit

having a direct impact on how the employees perceived the IS Auditor and IS Audit, in general (Bani-

Ahmad and El-Dalabeeh, 2014; Steyn and Plant, 2009; Wahdan et al., 2008). This might be linked to the

local culture (Majdalawieh and Zaghloul, 2009; Maria and Ariyani, 2014; Razi and Madani, 2013; Salehi

and Husini, 2011; Wahdan et al., 2008) as well as how management is communicating with the

employees and how much support is employed with regards to IS Audit (Razi and Madani, 2013; Wahdan

et al., 2008). Also, difficulties may arise from the management style from some developing countries,

which is different compared to the developed countries (Al Lawati and Ali, 2015; Razi and Madani, 2013;

Wahdan et al., 2008).

To cope with the changes related to IS Audit, the organizations or the authorities can make use of a proper

communication of the changes. This may include awareness programs. In such a manner, the employees

and the organization as a whole can deal with the change in a more acceptable approach, by preparing

plans for change implementation.

Implementing IS audit in an organization is a challenge which involves employees, the IT department,

management and even the authorities. This is the reason why it is necessary to have programs which are

focused on increasing the awareness of IS Audit at the employee level (Alkebsi et al., 2014; Majdalawieh

and Zaghloul, 2009; Purwoko, 2011; Upadhyaya et al., 2012). The reviewed articles are advocates that

having employees aware of the benefits of IS Audit, the fear of being controlled may become lower and

the wrong perception of IS Audit as well as obstruction of IS Auditors will decrease (Abu-Musa, 2008; Al

Lawati and Ali, 2015; Al-Ansi et al., 2013; Alkebsi et al., 2014; Majdalawieh and Zaghloul, 2009;

Purwoko, 2011; Upadhyaya et al., 2012).

Furthermore, there is a harsh demand on having the IT departments aware of the benefits of IS Audit in

order to reduce their reluctance in cooperation and communication with the IS Auditors (Al Lawati and

Ali, 2015; Al-Ansi et al., 2013; Upadhyaya et al., 2012).

Lastly, it is very important to see more IS Audit-related awareness at the national authority level or

government because it has been observed that the developing countries don’t recognize the value of IS

Audit (Majdalawieh and Zaghloul, 2009; Nkwe, 2011.).

Cultural related aspects are forming the last piece which completes the puzzle that depicts the challenges,

difficulties and issues faced by developing countries from the perspective of IS Audit.

48

6. Discussion

This chapter gives extensive insights about how the research was carried out, reflects the results from the

research question perspective, highlights the originality and contributions of this research work,

proposes some potential research avenues and depicts the limitations of this thesis.

6.1 Alignment with the research aim

Based on the findings of the analysis done in the previous chapter, this section depicts how these findings

are answering the research question and how it aligns to the research aims of this thesis.

The aim of this research was to retrieve the current status of Information Systems Auditing in the

developing countries in order to understand what the potential obstacles are in building a robust IS Audit

in the context of the developing countries. Hence, the goal was to capture aspects related to issues,

difficulties and challenges related to the IS Audit in the developing countries, which are revealed by the

currently existing literature.

The research carried out in respect to the above-mentioned aim has disclosed that the current challenges,

difficulties and issues are related to six main categories.

Firstly, the legislation related to the IS Audit is lacking proper laws and legal framework. In the cases

where the laws exist the organizations are having issues in understanding the laws, because they are

perceived to be cumbersome and confusing. In addition, there is a huge need for having supportive

governmental agencies in order to help with implementation. Moreover, the regulations are either

confusing or contradictory or they do not exist at all.

Secondly, even though the IS Audit-related policies and standards might exist in some countries they are

either implemented partially or overlooked. Of course, the existing literature is highlighting that in some

cases there is a pronounced shortage of policies and standards (probably because they are not considered

as being important for the business).

Thirdly, from the organizational point of view, the most researched topic which is listed as a challenge is

the lack of management support, help or commitment to implement and use the IS Audit. This seems to

become a major issue since is linked to different management style in developing countries. It is also

worthy to mention that the lack of understanding of the benefits of IS Audit by the management is

negatively influencing the adoption of IS Audit. Therefore, low budget is allocated to IS Audit and related

activities (training, tools, and awareness programs). Additionally, the developing countries are facing a

very diverse IT technological landscape. This landscape is either too sophisticated or is simply chaotic.

Hence, the IS Audit implementations are perceived as being too cumbersome compared to the level of

technical sophistication.

Challenges and issues related to the Human Resources are ranging from the wrong perception of IS Audit

to lack of human resources. IS Auditors are perceived as cops, inspectors, verifiers or controllers.

Consequently, they are either treated with caution or their access to the audited information systems is

49

obstructed or, even more, they don’t get the authorization from the management. There are issues when

the IS Auditors are facing complex, sophisticated information systems where new technologies are used.

Hence, they need to have enough knowledge to approach such systems. Otherwise, the observed behavior

is just doing the minimum of IS Audit with negative consequences for the efficiency, performance, and

effectiveness of the IS Audit. Of course, to cope with such situations the reviewed literature is stressing

out about the need for a proper educational system.

Even though it is recognized that the education is a driver for a healthy development of the IS Audit in the

developing countries, the fact that the IS Audit is under-researched in the local universities, the low level

of qualification of the IS graduates and poor professional training in IS Audit are factors which are

challenging the adoption, implementation and usage of the IS Audit.

Moreover, there seems to be a huge need to have an IS Audit knowledge base where the IS Audit

professionals could share information or could find help for their IS Audit projects. Also, the reviewed

articles mention the urgency of having a national knowledge base in the local language and the necessity

of having the know-how transfer facilitated by the government in cooperation with national professional

bodies.

Further, lack of a knowledge base is observed in the inconsistency of terms used in the reviewed articles,

even though that the meaning of the used terms seems to be the same (a so-called “jungle of terms”).

Likewise, it seems that there is a huge need to have the IS Audit related documentation translated from

English in the local language and it is believed that in such a way more IS professionals will embrace the

IS Auditor profession in the future.

Finally, it has been observed that the awareness of the IS Audit is at a low level amongst the employees,

IT professionals, and national authorities. Hence, awareness programs have to be employed to increase

the IS Audit awareness level aiming at improving the perception on IS Audit and to understand that IS

Audit helps the business to stay away from potential IS risks. Cultural related challenges and issues

include also the resistance to change of the employees or the organization where the IS Audit is

implemented or used. However, addressing such a wide matter is hard to be done and depends on the

characteristics and specificity of each developing country.

To sum up, the above-presented challenges, difficulties and issues are answering the research question

which drove this research.

6.2 Refection on the research carried out

This section’s goal is to reflect on how the research was done and what were the main lessons learned

from it.

This thesis aimed at answering the research question defined in the first chapter and to find what are the

current challenges, difficulties and issues that the developing countries are encountering from IS Audit

perspective. To respond to such demanding investigation, it has been used the Grounded Theory to build

up a rigorous, systematic literature review using the method of Okoli and Schabram (2010) in conjunction

with guidelines of Wolfswinkel et al. (2011).

50

Some discussion was done during the work; however this will be summarized here with the intention to

give the reader a big picture overview of it.

6.2.1 Reflections on the steps of SLR

This review includes twenty-three articles selected by using the steps of Okoli and Schabram’s systematic

literature review method in a rigorous manner.

The work performed during the initial literature search of the articles was done by carefully looking after

the articles using well-defined searching terms in combination with Boolean operators. This was done in

order to capture the studies which potentially could be selected for the final review. However, it was

necessary to use personal experience in building up the right search expression to cope with the different

behavior of the databases interrogated for the review. Moreover, it was imperatively needed to find a way

to keep the records of all retrieved articles. So, specialized software was employed to keep up with the

huge amount of the data retrieved.

Then, for the next stage, certain criteria were used to screen the articles. Additionally, the screening

involved reading the abstract of each article. This was a very tough work involving plenty of time, energy,

and effort. However, some noise due to unexpected behavior of Web of Science hindered the process of

screening for inclusion. Despite the fact that it has been used same search expressions as for the other

databases, the Web of Science retrieved many articles and studies from the field of medicine and

associated fields. This sort of situation consumed a lot of time to sort out this kind of results. So, relying

100% on the accuracy of the databases consulted could be tricky and may pose huge pressure on the

reviewer.

Next, 42 articles were screened for exclusion. The guidelines of Wolfswinkel et al. (2013) were

suggesting reading the title, abstract and some more text. For this thesis, it has been decided to read also

the introduction, discussion, and conclusion. Additionally, the methodology section was also read to get

an overview of what kind of research approach was used in order to get a clear picture of the existing

literature on the IS Audit in the developing countries.

Again, there was an acute need of having a set of tools to keep the notes, observations and to capture

emerging ideas after reading each article. Therefore, it has been used the creativity of the reviewer to find

a way to cope with all information retrieved during this step and to be ready for more, upcoming

information in the next steps. Initially, the notes were kept by using the old school method (pen and

paper) and electronic annotations of the articles using capabilities of Adobe Acrobat. But, this became too

hard to be managed. So, a logbook and a memo were set. Additionally, MS Excel workbook was used in

combination with MS Word tables to organize the work better. After this tremendous effort, for data

analysis a number of 23 articles were put forward for data analysis.

It is also important to mention that several iterations took place in each of the following steps: practical

screening, quality appraisal and Data collection/extraction. This was seen as a very critical process

because there was the concern about losing important aspects reflected by the existing research.

The huge amount of information put a lot of pressure on the ability to process this big volume of articles

and studies. This was foreseen from the beginning of this thesis project. Therefore, a strict timeline was

set in order to reach the end of the list of articles included in the review.

51

6.2.2 Reflections on the analysis of data by means of Grounded Theory

Wolfswinkel et al. (2011) have proposed a rigorous approach to writing a systematic literature review by

means of Grounded Theory. The data analysis using open, axial and selective coding involved another set

of iterations, as happened while applying the SLR.

For the reviewer, challenges arose at each stage of coding. The iterations involved reading carefully

several times the articles in order to capture the codes while looking back and forth to avoid any

duplication of the codes. Slowly, during this process of continuous comparison between what has been

found, a list of codes was created. It was necessary to do again, another, more in depth iteration to distil

these codes in the final list. Also, during the coding process, there were challenging situations when there

was a strong need to consolidate same meaning of the codes despite the fact that they were differently

worded or phrased.

The extraction of categories and subcategories involved another reassessment of the articles in order to

avoid any redundancy of them. When adjustments of categories and subcategories were necessary

(Wolfswinkel et al., 2011), another cycle of comparison was performed to avoid overlapping or

duplicates.

Finally, the selective coding was carried out by having in mind the suggestion of Wolfswinkel et al.

(2011) to refine the categories from the perspective of the research question.

Diagramming, MS Word and Excel, Adobe annotations as well as “pen and paper” method were

extensively used to cope with the massive amount of information.

6.2.3 Final reflections on the research carried out

As a personal observation regarding the research, the review of existing literature is an intensive, time-

consuming, with a lot of energy and efforts invested to successfully finalize the work. Therefore, it is

crucial to have a proper planning of the activities and the work and, most important, to stick to this plan.

Otherwise, it is quite easy to get off the track and any derailing from the plan could jeopardize the whole

work.

Another personal observation regarding using the systematic literature review as the research method is

that the reflections were noted for each stage of the SLR. It has been done in such a manner because the

intention was to capture as much as possible information related to the research work conducted.

Alternatively, it could have been also possible to do at the end, but it has been foreseen that it may happen

that some crucial aspects would have been lost. Hence, it has been decided to reflect and write the

reflection(s) during the course of the thesis work.

This research relied heavily on choosing the right searching terms in the stage S3- Literature Search.

Having years of experience with internet-based search techniques acquired throughout 18 years of

professional IT career, it has been easier to define a set of search strings to get the most out of searches

inside of databases made available online by Stockholm University Library. Therefore, it is very

important to reflect in advance, based on the research question of the study, what are the right search

terms or expressions to be used in order to capture as much as possible from the existing literature on the

studied topic.

52

From the perspective of “what went wrong?”, it is worthy to mention that the whole research work was

perceived as a learning curve. There were many dead ends and obstacles which were overcome by a

continuous back and forth to stay in line with the requirements of the research methodology or when

unclear situations arose regarding to how to proceed further with the thesis work. At such moments, the

existing literature on the employed methods (Denscombe, 2014; Okoli and Schabram, 2010; Wolfswinkel

et al., 2011; Webster and Watson, 2002) was consulted in order to find a way through.

Furthermore, there were situations during the literature search step when some article showed up in the

result list due to an inadequate tagging or keyword usage. Perhaps, to avoid such struggling for future

reviewers, it is necessary to have generally recognized scheme for key wording. In such way, the search

of articles would be easier and the results retrieved would be more meaningful for the future research

works.

Finally, one last reflection on the research carried out is that the research topic driving this thesis work

emerged from the professional development needs of the reviewer. Being interested in the information

systems auditing topic, it came naturally to exploit this opportunity and to get the insight of the existing

academic records in order to provide a systematic review on this topic focusing particularly on the

developing countries.

6.3 The originality and the practical and theoretical

significance of the contributions First of all, the originality of this research work consists of the fact that, from the methodological

perspective, it has combined the method of systematic literature review of Okoli and Schabram (2010)

with the rigorousness brought by Grounded Theory as it is outlined by Wolfswinkel et al. (2011) in order

to capture the most important hindering factors affecting the IS Audit in the developing countries.

Secondly, this thesis emerged from the perceived gap of knowledge in the information systems audit

literature regarding the challenges, difficulties and issues faced by the developing countries. The findings

of this thesis aim at bridging the gap given the fact that there were no previous comprehensive attempts to

review the existing literature on the researched field. Moreover, the findings of this research work

contribute to the body of knowledge by helping the practitioners to understand better the hindering factors

related to the IS Audit as well as the decision makers (government, governmental agencies) and

lawmakers from the developing countries to start adjusting the existing landscape in order to facilitate the

adoption, implementation, and usage of the IS Audit at the organizational level.

Thirdly, the thesis used Grounded Theory. This helped the reviewer to ensure that the results of the

research work are not affected by a predefined mindset and, due to the open-mind principle of Grounded

Theory, the research was more a voyage of discovery (Denscombe, 2014) by following an undefined and

undiscovered trail. In such a way, the creativity played an important role in putting out of any doubt and

discussion the authenticity and usefulness of the findings.

Lastly, the significance consists of potential research avenues which may be used by the academic

community from the developing countries to explore more the IS Audit from their countries in order to

build up a robust research with the goal of diminishing the gap between the developed and developing

53

countries. Also, the findings of this review contribute to the general understanding of reasons why the IS

Audit is less accepted in the organizations and how this situation could be changed in order to increase the

IS Audit presence in the developing countries. Therefore, the review has both practical and theoretical

significance for the IS Audit field.

6.4 Limitations of the study

This study is limited by several aspects.

Firstly, the work was carried out as one single person, non-English native speaker. During the research

work, it has been observed that the work would have been more efficient and beneficial if there were at

least two reviewers. This aspect was mainly noticed during the coding process when a collaborative work

with a partner would have helped to synthesize faster and better the retrieved codes.

Secondly, the research was done using six databases, excluding potential helpful studies from other

literature databases. Also, the literature search was limited only to academic papers published in

internationally recognized journals without using magazine articles, technical papers, white papers and

independent blogs. Also, this study is limited only to the online published articles, so other sources like

books, either printed or electronic version, were not consulted. This would have helped at grabbing more

insights about IS Audit in the developing countries leaving potential other challenges, difficulties and

issues undiscovered.

Furthermore, this research was based solely on the retrieved articles available to students in the searched

databases. The studies non-published or not available to the students were not captured. Likewise, the

search was based on a narrow set of expressions and keywords. This limitation was seen in the cases

when the keywords of the articles didn’t mention expression(s) used in the search(for instance, the article

was using the name of the country instead of developing country or the usage of “developing country”

was avoided because of different understanding what a developing country/economy is).

Thirdly, the research was conducted focusing on a particular time span, a decade from 2006 to 2016 (as

suggested by Okoli and Schabram, 2010 and Wolfswinkel et al., 2013). Therefore, this study is limited to

the articles published during this period of time.

Fourthly, this research is limited with regards to the geographical distribution of the retrieved articles.

While the literature search was carried over with a focus on developing countries, the selected articles are

mainly from Asia and Africa. So, no article was retrieved from Latin America. The same limitation is

linked to the absence of articles from large countries such as China or Russia. Perhaps, this limitation is

linked to another limitation: the fact that the study was targeting only articles written in English. Possibly,

a study using Spanish, Russian or Chinese as the language would have captured more articles.

Finally, this study has assumed that all retrieved literature is reflecting properly the difficulties, issues and

challenges in terms of Information Systems Auditing concerning developing countries. So, is relying on

the found literature “as is”.

54

6.4.1 Ethical and social aspects

This research around this thesis didn’t involve any person since there were no participants. The whole

work was done based on the existing literature published and publicly available in the consulted literature

outlets.

The research was conducted by strictly following the guidelines of the research methods chosen. One may

argue that the reviewer could subjectively influence the research. This might be seen as an issue, but the

fact that the analysis of the data was done by using Grounded Theory helped the reviewer to minimize the

impact of subjectivity. However, the open mind was used to approach this research as per suggestion of

Denscombe (2014). In such a manner the articles were analyzed and the theory emerged smoothly and

gradually based on the findings of each step of the research. In addition, the personal and professional

experience was used to reach the end of the research project.

Also, giving credits and properly referencing the articles included in this study was crucial to produce a

high-quality literature review. Especially during the presentation of the findings, the referencing was done

in such a manner that the red thread of the story was not affected.

Finally, the literature review was written without pointing out the name of the countries mentioned in the

reviewed articles in order to keep the neutrality of the thesis. For the same reason, it was avoided to

mention any IS Auditing-related frameworks, standards or commercial products.

6.5 Suggested areas for future research

Based on the study carried on, some suggestions for future research could be made.

Firstly, a potential research avenue would be to use these findings of this study to develop a set of

recommendations or guidelines that can help the developing countries to reduce the perceived gap

regarding IS Audit. Also, the outcomes of this research could be used as a base for developing a

framework for future academic research in the field of IS Audit.

Secondly, the found set of challenges, difficulties and issues could be used in a multiple-cases study from

a group of countries which are sharing the same local language (for instance, Golf countries) in order to

validate the findings of this research. Even more, perhaps more case studies in English, documented and

available in the academic journals would help developing countries to learn from each other.

In the diagram of the main categories depicted in Figure 7, there is no weight between the categories.

Therefore, it is suggested to have a future study that would aim at weighting these categories, in order to

find out which one is the most important in implementing and using the IS Auditing in the developing

countries.

Based on one of the limitations mentioned in section 6.4, this research could be extended by using another

language which covers multiple countries such as Spanish, Arabic, French or Russian (covering also post-

Soviet countries). In such a way the developments in other languages could be added to this study and the

developing countries could learn from each other’s experience.

55

Further, this study used Grounded Theory for exposing the challenges, difficulties and issues regarding IS

Audit in developing countries. Perhaps, a suggestion of a future research would be to use another

methodological approach to widening the findings of this research.

Finally, future studies could also focus on particular aspects revealed by this thesis: such as having a

common language of the IS Audit related terms in order to avoid a “jungle of IS Audit terms” or to have

an automated translation of English studies in the local language to extend the knowledge base

56

7. Conclusion

The final chapter of this thesis is summing up the research work through some concluding remarks.

This research work focused on reviewing the existing literature on the IS Audit. Therefore, the following

research question was asked: “What are the current difficulties, issues and challenges which are

experienced by the developing countries in terms of Information Systems Auditing?”

To answer the research question driving this thesis, two research methods were combined to capture from

the existing academic literature all aspects related to IS Audit in the developing countries. That is, the

method of systematic literature review in information systems research of Okoli and Schabram (2010)

was employed in conjunction with the Grounded Theory approach for systematic reviews of Wolfswinkel

et al. (2013).

Initially, a number of 42 articles were found as being relevant for this research. These articles were

further analyzed and 23 articles were selected for the review. The selected articles were spanning

throughout a period of 10 years and were found in six distinct literature databases. By using the Grounded

Theory approach, a number of six main categories of challenges, difficulties and issues were identified.

They relate to legislation, policy and standards, organization, human resources, education and culture.

Based on these findings and identified limitations, further research was suggested.

As a concluding remark, this thesis has an undeniable contribution to the body of knowledge by

providing a better understating of current challenges, difficulties and issues of IS Auditing in the context

of developing countries. Therefore, it is believed that the findings of this thesis will play a major role in

opening new research directions to diminish the gap in the IS Audit field between the developing and

developed countries.

57

References

Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015). The perceived scope of internal audit

function in Libyan public enterprises. Managerial Auditing Journal, 30(6/7), 560-581.

Abu-Musa, A. A. (2008). Information technology and its implications for internal auditing: An empirical

study of Saudi organizations. Managerial Auditing Journal, 23(5), 438-466.

Affinity Diagram - ASQ. (2016). Asq.org. Retrieved 14 March 2016, from http://asq.org/learn-about-

quality/idea-creation-tools/overview/affinity.html

Aida Lope Abdul Rahman, A., Islam, S., & Al-Nemrat, A. (2015). Measuring sustainability for an

effective Information System audit from public organization perspective. In Research Challenges in

Information Science (RCIS), 2015 IEEE 9th International Conference on (pp. 42-51). IEEE.

Al Lawati, A., & Ali, S. (2015). Business perception to learn the art of Operating System auditing: A case

of a local bank of Oman. In GCC Conference and Exhibition (GCCCE), 2015 IEEE 8th (pp. 1-6).

IEEE.

Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013). The Effect of IT knowledge and IT Training

on the IT Utilization among External Auditors: Evidence from Yemen. Asian Social Science, 9(10),

307.

Alkebsi, M. A. A., Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014). The Relationship between

Information Technology Usage, Top Management Support and Internal Audit Effectiveness. In

International Management Accounting Conference VII.

Alter, S. (2008). Defining information systems as work systems: implications for the IS field. European

Journal of Information Systems, 17(5), 448-469.

Avgerou, C. (2000). Recognising alternative rationalities in the deployment of information systems. The

Electronic Journal of Information Systems in Developing Countries, 3.

Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014). The Effect of Applying the Information Technology

Audit Standard# 21 on the Risk Related To ERP System in the Jordanian Companies. Global Journal

of Management And Business Research, 14(1).

Barki, H., Rivard, S., & Talbot, J. (1993). A keyword classification scheme for IS research literature: an

update. Mis Quarterly, 209-226.

Buchanan, S., & Gibb, F. (2007). The information audit: Role and scope. International journal of

information management, 27(3), 159-172.

Cannon, D. L. (2011). CISA Certified Information Systems Auditor Study Guide, Third Edition. John

Wiley & Sons.

Carlin, A., & Gallegos, F. (2007). IT audit: A critical business process. Computer, 40(7), 87-89. doi:

10.1109/MC.2007.246

Denscombe, M. (2014). The good research guide: for small scale social research projects. 5th Ed.

Paperback. Maidenhead: McGraw-Hill Open University Press.

58

Earl, M. J. (2000). In D. A. Marchand, T. H. Davenport, & T. Dickson (Eds.), Mastering information

management (pp. 16–22).

El-Gazzar, R. F. (2014). A literature review on cloud computing adoption issues in enterprises. In

Creating Value for All Through IT (pp. 214-242). Springer Berlin Heidelberg.

El-Sayed Ebaid, I. (2011). Internal audit function: an exploratory study from Egyptian listed firms.

International Journal of Law and Management, 53(2), 108 - 128.

Gercke, M. (2009). Understanding cybercrime: a guide for developing countries. International

Telecommunication Union (Draft), 89, 93.

Henry, J. (2010). Reducing the Threat of State-to-State Cyber Attack against Critical Infrastructure

through International Norms and Agreements.

Hingarh, V., & Ahmed, A. (eds) (2012) Overview of Systems Audit, in Understanding and Conducting

Information Systems Auditing, John Wiley & Sons, Inc., Hoboken, NJ, USA.

Hjalmarsson, A., Johannesson, P., Jüll-Skielse, G., & Rudmark, D. (2014). Beyond innovation contests: A

framework of barriers to open innovation of digital services. ECIS 2014 Proceedings

Hsieh, H. F., & Shannon, S. E. (2005). Three approaches to qualitative content analysis. Qualitative health

research, 15(9), 1277-1288.

Imf.org,. (2016). World Economic Outlook - Frequently Asked Questions. Retrieved 28 January 2016, from

http://www.imf.org/external/pubs/ft/weo/faq.htm

Ismail, N. A., & Abidin, A. Z. (2009). Perception towards the importance and knowledge of information

technology among auditors in Malaysia. Journal of Accounting and Taxation, 1(4), 61.

ISO/IEC 12207:2008,. (2008). ISO/IEC 12207:2008 - Systems and software engineering -- Software life

cycle processes. ISO. Retrieved from https://www.iso.org/obp/ui/#iso:std:iso-iec:12207:ed-2:v1:en

Keele, S. (2007). Guidelines for performing systematic literature reviews in software engineering. In

Technical report, Ver. 2.3 EBSE Technical Report. EBSE.

Kitchenham, B. (2004). Procedures for performing systematic reviews. Keele, UK, Keele University,

33(2004), 1-26.

Khandkar, S. H. (2009). Open coding. Paper presented at University of Calgary, October 23, 2009.

Klein, H. K., & Myers, M. D. (1999). A set of principles for conducting and evaluating interpretive field

studies in information systems. MIS quarterly, 67-93.

Krogstad, J. L. (1977). Toward A Methodology For Auditing. Transactions of the Nebraska Academy of

Sciences and Affiliated Societies. Paper 457.

Leung, L. (2015). Validity, reliability, and generalizability in qualitative research. Journal of Family

Medicine and Primary Care, 4(3), 324–327.

Lovaas, P., & Wagner, S. (2012). IT Audit Challenges for Small and Medium-Sized Financial Institutions.

Retrieved from http://www.albany.edu/iasymposium/proceedings/2012/7-Lovaas%26Wagner.pdf

Library Of Congress,. (2008). LIBRARY OF CONGRESS COLLEC TIONS POLICY STATEMENTS.

Retrieved from https://www.loc.gov/acq/devpol/devcountry.pdf

Mahzan, N., & Veerankutty, F. (2011). IT auditing activities of public sector auditors in Malaysia. African

Journal of Business Management, 5(5), 1551.

Majdalawieh, M., & Zaghloul, I. (2009). Paradigm shift in information systems auditing. Managerial

Auditing Journal, 24(4), 352-367.

59

Malgharni, A. M., & Yusoff, W. F. W. (2011). Review and Recognition of Auditing Applied Computer

Systems at Islamic Azad University (Sanandaj Branch Evidence). Interdisciplinary Journal of

Contemporary Research In Business, 2(12), 135.

Maria, E., & Ariyani, Y. (2014). E-Commerce Impact: The Impact Of E-Audit Implementation On The

Auditor's Performance (Empirical Study Of The Public Accountant Firms In Semarang, Indonesia).

Indian Journal of Commerce and Management Studies, 5(3), 1.

Maria, E., & Haryani, E. (2011). Audit Model Development Of Academic Information System: Case

Study On Academic Information System Of Satya Wacana. Researchers World, 2(2), 12-24.

Merhout, J. W., & Havelka, D. (2008). Information technology auditing: A value-added IT governance

partnership between IT management and audit. Communications of the Association for Information

Systems, 23(1), 26. Retrieved from

http://aisel.aisnet.org/cgi/viewcontent.cgi?article=3386&context=cais

Millichamp, A. H., & Taylor, J., (2002). Introduction To Auditing – The Why Of Auditing, in Auditing,

Tenth Edition. Cengage Learning EMEA. Retrieved from

http://www.cengagebrain.co.uk/content/9781408070086.pdf

Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014). Identification and ranking of virtual audit executive

impediments in Iran. Advances in Environmental Biology, 277-285. Retrieved from

http://www.aensiweb.com/old/aeb/Special%2015/277-284.pdf

Nagy, A. L., & Cenker, W. J. (2002). An assessment of the newly defined internal audit function.

Managerial Auditing Journal, 17(3), 130-137.

Nielsen, L. (2011). Classifications of countries based on their level of development: How it is done and

how it could be done. IMF Working Papers, 1-45.

Nijaz, B., Mario, S. & Lejla, T. (2011). Implementation of the IT governance standards through business

continuity management: Cases from Croatia and Bosnia-Herzegovina. In Information Technology

Interfaces (ITI), Proceedings of the ITI 2011 33rd International Conference on , vol., no., pp.43-50,

27-30 June 2011.

Nkwe, N. (2011). State of information technology auditing in Botswana. Asian Journal of Finance &

Accounting, 3(1).

O’Connor, R. (2012). Using grounded theory coding mechanisms to analyze case study and focus group

data in the context of software process research. Research methodologies, innovations and

philosophies in software systems engineering and information systems, 1627-1645.

Okoli, C., & Schabram, K. (2010). "A Guide to Conducting a Systematic Literature Review of Information

Systems Research,". Sprouts: Working Papers on Information Systems, 10(26).

Paagman, A., Tate, M., Furtmueller, E., & de Bloom, J. (2015). An integrative literature review and

empirical validation of motives for introducing shared services in government organizations.

International journal of information management, 35(1), 110-123.

Prakash, M., & Sivakumar, D. (2014). Information systems auditing and electronic commerce.

International Journal of Advanced Research in Management and Social Sciences, 3(2), 106-119.)

Purwoko, P. (2011). Auditing Information System: Delivery Product Service. Communication and

Information Technology Journal, 5(1).

Puspasari, D., & Yuwono, B. (2013). Implementing integrated internal control life cycle at Telecom

Company. In Advanced Computer Science and Information Systems (ICACSIS), 2013 International

Conference on (pp. 249-254). IEEE.

60

Rafiei, G. H., & Moeinadin, M. (2014). Identification of factors affecting the quality of auditing in

information technology (IT). Advances in Environmental Biology, 239-245. Retrieved from

http://www.aensiweb.com/old/aeb/Special%2015/239-244.pdf

Razi, M. A., & Madani, H. H. (2013). An analysis of attributes that impact adoption of audit software: An

empirical study in Saudi Arabia. International Journal of Accounting & Information Management,

21(2), 170-188.

Ramamoorti, S. (2003). Internal auditing: history, evolution, and prospects. The Institute of Internal

Auditors Research Foundation. Retrieved from https://na.theiia.org/iiarf/Public Documents/Chapter 1

Internal Auditing History Evolution and Prospects.pdf

Salehi, M. (2009). In the Name of Independence: with Regard to Practicing Non-Audit Service by

External Auditors. International Business Research, 2(2), p137.

Salehi, M., & Husini, R. (2011). A study of the effect of information technology on internal auditing:

Some Iranian evidence. African Journal of Business Management, 5(15), 6168.

Schlagenhaufer, C., & Amberg, M. (2015) A Descriptive Literature Review and Classification Framework

for Gamification in Information Systems. ECIS 2015 Completed Research Papers. Paper 161.

Siddaway, A. P. (2014). What is a systematic literature review and how do I do one? Retrieved from

https://www.stir.ac.uk/media/schools/management/documents/centregradresearch/How to do a

systematic literature review and meta-analysis.pdf

Soltani, B. (2007). An Introduction to Auditing and Assurance, in Auditing: An international approach.

Pearson Education.

Steyn, B., & Plant, K. (2009). Education and training considerations applicable to internal auditors in

South Africa. African Journal of Business Management, 3(13), 989-997.

Teck-Heang, L., & Ali, A. M. (2008). The evolution of auditing: An analysis of the historical

development. Journal of Modern Accounting and Auditing, 4(12), 1-8.

United Nations Geospatial Information Section Web Site. (2016). Un.org. Retrieved 8 March 2016, from

http://www.un.org/Depts/Cartographic/english/htmain.htm

Upadhyaya, P., Shakya, S., & Pokharel, M. (2012). E-government security readiness assessment for

developing countries: Case study: Nepal Govt. organizations. In Internet (AH-ICI), 2012 Third Asian

Himalayas International Conference on (pp. 1-5). IEEE.

Urquhart, C., Lehmann, H., & Myers, M. D. (2010). Putting the ‘theory’ back into grounded theory:

guidelines for grounded theory studies in information systems. Information systems journal, 20(4),

357-381.

Yang, H., & Tate, M. (2012). A descriptive literature review and classification of cloud computing

research. Communications of the Association for Information Systems, 31(2), 35-60.

Zainal, Z. (2007). Case study as a research method. Jurnal Kemanusiaan, 9.

Walsham, G. (1995). Interpretive case studies in IS research: nature and method. European Journal of

information systems, 4(2), 74-81.

Walsham, G., & Sahay, S. (2006). Research on information systems in developing countries: Current

landscape and future prospects. Information technology for development, 12(1), 7-24.

Wahdan, M.A. , Spronck, P. , Ali, H. F. , Vaassen, E. , Herik, H.J. van den. (2008). Auditors and IT

support in Egypt. The Proceeding of the Congress 17th International Management Development

Association. Suriname, 56-64

61

Webster, J., & Watson, R.T. (2002). Analyzing the past to prepare for the future: Writing a literature

review. Management Information Systems Quarterly, 26(2), p.3.

WEO Imf.org. (2016). World Economic Outlook Database April 2015 -- WEO Groups and Aggregates

Information. Retrieved from http://www.imf.org/external/pubs/ft/weo/2015/01/weodata/groups.htm

Worldbank.org. (2016). DEPweb: Beyond Economic Growth, Glossary. Retrieved from

http://www.worldbank.org/depweb/english/beyond/global/glossary.html

Wolfswinkel, J. F., Furtmueller, E., & Wilderom, C. P. M. (2013). Using grounded theory as a method for

rigorously reviewing literature. Eur J Inf Syst, 22(1), 45–55.

Wto.org,. (2016). WTO | Development - Who are the developing countries in the WTO?. Retrieved from

https://www.wto.org/english/tratop_e/devel_e/d1who_e.htm

List of appendices

Appendix A Total Number of Papers: 23

Table 7: Type of publications

Publication Type # of papers

Journal 17

Conference Papers 6

Total 23

Table 8: Methodology of chosen articles

Table 9: Distribution of articles per continents

Methodology # of papers

Survey 14

Mixed Methods 5

Case Study 3

Review 1

Total 23

Continent # of papers

Africa 4

Asia 18

63

Table 10: Years of Publication for the chosen articles

Table 11: Appendix A - Summary of articles filtered for data analysis

No

.

Author(s) and Title

Yea

r

Met

ho

do

logy

Type

Purpose

(Context/Comments)

Dev

elo

pin

g

Co

un

try

?

Country &

Continent

IS a

ud

itin

g?

IT a

ud

itin

g?

Ch

all

eng

es,

Dif

ficu

ltie

s,

Issu

es?

1 Majdalawieh, M., & Zaghloul,

I. (2009) - Paradigm shift in

information systems auditing

2009 Survey Journal A survey in the UAE context

focusing on change factors of

the IS Auditing and the

implication of these factors

Y United Arab

Emirates,

Asia

Y Y

Europe 1

Total 23

Year of publication # of papers

2008 2

2009 3

2011 7

2012 1

2013 3

2014 5

2015 2

Total 23

64

No.

Author(s) and Title

Yea

r

Met

hod

olo

gy

Type

Purpose

(Context/Comments)

Dev

elop

ing

Cou

ntr

y?

Country &

Continent

IS a

ud

itin

g?

IT a

ud

itin

g?

Ch

all

enges

,

Dif

ficu

ltie

s,

Issu

es?

on the IS Audit.

2 Razi, M. A., & Madani, H. H.

(2013) - An analysis of

attributes that impact adoption

of audit software: An

empirical study in Saudi

Arabia

2013 Survey Journal A study of the current

challenges faced by

organizations from Saudi

Arabia in adopting the

auditing software.

Y Saudi Arabia,

Asia

Y Y

3 Wahdan, M.A. , Spronck, P. ,

Ali, H. F. , Vaassen, E. ,

Herik, H.J. van den. (2008) -

Auditors and IT support in

Egypt

2008 Survey Conference

paper

A research addressing the

current challenges faced by

IT auditor in Egypt by

proposing a training system.

Y Egypt, Africa Y Y

4 Upadhyaya, P., Shakya, S., &

Pokharel, M. (2012) - E-

government security readiness

assessment for developing

countries: Case study: Nepal

Govt. organizations

2012 Mixed

Methods

Conference

Paper

Assess the current status of IS

audit in the case of Nepal

governmental organizations.

Y Nepal. Asia Y Y

5 Maria, E., & Haryani, E.

(2011) - Audit Model

Development Of Academic

Information System: Case

Study On Academic

Information System Of Satya

Wacana

2011 Mixed

Methods

Journal Development of a basic

framework to audit the

information systems in the

academic world in the context

of Indonesia.

Y Indonesia, Asia Y Y

6 Bani-Ahmad, A., & El-

Dalabeeh, A. E. R. K. (2014) -

The Effect of Applying the

Information Technology

2014 Mixed

Methods

Journal A paper on the beneficial

effects of using an

Information Technology

Audit standard to reduce the

Y Jordan, Asia Y Y

65

No.

Author(s) and Title

Yea

r

Met

hod

olo

gy

Type

Purpose

(Context/Comments)

Dev

elop

ing

Cou

ntr

y?

Country &

Continent

IS a

ud

itin

g?

IT a

ud

itin

g?

Ch

all

enges

,

Dif

ficu

ltie

s,

Issu

es?

Audit Standard# 21 on the

Risk Related To ERP System

in the Jordanian Companies

risks of business-related

information systems.

7 Maria, E., & Ariyani, Y.

(2014) - E-Commerce Impact:

The Impact Of E-Audit

Implementation On The

Auditor's Performance

(Empirical Study Of The

Public Accountant Firms In

Semarang, Indonesia).

2014 Survey Journal A study of the factors which

may have an impact on the

performance of IT auditors in

the case of a public auditing

company.

Y Indonesia, Asia Y Y

8 Nkwe, N. (2011) - State of

information technology

auditing in Botswana

2011 Review Journal A study which summarized

the current situation of

information technology

auditing in the case of an

African country.

Y Botswana,

Africa

Y Y

9 Abu-Musa, A. A. (2008) -

Information technology and

its implications for internal

auditing: An empirical study

of Saudi organizations

2008 Survey Journal An empirical study of Saudi

organizations regarding the

impact of information

technology on auditing

activities.

Y Saudi Arabia,

Asia

Y Y

10 Purwoko, P. (2011) - Auditing

Information System: Delivery

Product Service

2011 Mixed

Study

Journal A paper studying the case of

an Indonesian company

aiming at implementing

better controls in their

information systems.

Y Indonesia, Asia Y Y

11 Mahzan, N., & Veerankutty,

F. (2011) - IT auditing

activities of public sector

2011 Survey Journal In the context of public sector

of Malaysia, the study reveals

the challenges faced by the IT

Y Malaysia, Asia Y Y

66

No.

Author(s) and Title

Yea

r

Met

hod

olo

gy

Type

Purpose

(Context/Comments)

Dev

elop

ing

Cou

ntr

y?

Country &

Continent

IS a

ud

itin

g?

IT a

ud

itin

g?

Ch

all

enges

,

Dif

ficu

ltie

s,

Issu

es?

auditors in Malaysia auditors in achieving their

goals.

12 Malgharni, A. M., & Yusoff,

W. F. W. (2011) - Review and

Recognition of Auditing

Applied Computer Systems at

Islamic Azad University

(Sanandaj Branch Evidence)

2011 Mixed

Methods

Journal A study on the perceived

need to have a centralized

approach in dealing with the

information systems audit in

the case of a university from

Iran.

Y Iran, Asia Y Y

13 Salehi, M., & Husini, R.

(2011) - A study of the effect

of information technology on

internal auditing: Some

Iranian evidence

2011 Survey Journal The paper is studying the

impact on performance of

information technology

auditors who are confronting

lack of resources.

Y Iran, Asia Y Y

14 Al-Ansi, A. A., Ismail, N. A.

B., & Al-Swidi, A. K. (2013)

- The Effect of IT knowledge

and IT Training on the IT

Utilization among External

Auditors: Evidence from

Yemen

2013 Survey Journal An article which surveys the

practitioners from Yemen

regarding the potential impact

of training on performance of

IT auditors.

Y Yemen, Asia Y Y

15 Al Lawati, A., & Ali, S.

(2015) - Business perception

to learn the art of Operating

System auditing: A case of a

local bank of Oman

2015 Case

Study

Conference

Paper

A paper on the case of a bank

from Oman regarding the

need for continuous

improvement of Information

Systems Auditing.

Y Oman, Asia Y Y

16 Nijaz, B., Mario, S. & Lejla,

T. (2011) - Implementation of

the IT governance standards

through business continuity

2011 Case

Study

Conference

Paper

A study on the legal and

technical obligations to

reduce the downtime and risk

in organizations

Y Croatia

Bosnia-

Herzegovina,

Europe

Y Y

67

No.

Author(s) and Title

Yea

r

Met

hod

olo

gy

Type

Purpose

(Context/Comments)

Dev

elop

ing

Cou

ntr

y?

Country &

Continent

IS a

ud

itin

g?

IT a

ud

itin

g?

Ch

all

enges

,

Dif

ficu

ltie

s,

Issu

es?

management: Cases from

Croatia and Bosnia-

Herzegovina

17 Puspasari, D., & Yuwono, B.

(2013) - Implementing

integrated internal control life

cycle at Telecom Company

2013 Case

Study

Conference

Paper

Two case studies on the

challenges and issues of

implementation of

information technology

regulations in two companies

from Indonesia.

Y Indonesia, Asia Y Y

18 Mozhgani, F., Heirany, F., &

Ardakani, S. S. (2014) -

Identification and ranking of

virtual audit executive

impediments in Iran

2014 Survey Journal A study which surveys the IT

audit experts from Iran

regarding the challenges in

the field of information

technology audit.

Y Iran, Asia Y Y

19 Alkebsi, M. A. A., Aziz, K.

A., Mohammed, Z. M., &

Dhaifallah, B. (2014) - The

Relationship between

Information Technology

Usage, Top Management

Support and Internal Audit

Effectiveness

2014 Survey Conference

Paper

A survey of practitioners

concerning the effectiveness

of information technology

audit practices in the case of

Yemen’s private sector.

Y Yemen,

Asia

Y Y

20 Abuazza, W. O., Mihret, D.

G., James, K., & Best, P.

(2015) - The perceived scope

of internal audit function in

Libyan public enterprises

2015 Survey Journal A survey of Libyan public

sector companies which

highlights the need to clarify

the role of IT Auditors.

Y Libya, Africa Y Y

21 Rafiei, G. H., & Moeinadin,

M. (2014) - Identification of

2014 Survey Journal Another survey of

practitioners from Iran on the

Y Iran, Asia Y Y

68

No.

Author(s) and Title

Yea

r

Met

hod

olo

gy

Type

Purpose

(Context/Comments)

Dev

elop

ing

Cou

ntr

y?

Country &

Continent

IS a

ud

itin

g?

IT a

ud

itin

g?

Ch

all

enges

,

Dif

ficu

ltie

s,

Issu

es?

factors affecting the quality of

auditing in information

technology (IT)

issues linked to Information

Technology Audit’s quality

22 Ismail, N. A., & Abidin, A. Z.

(2009) - Perception towards

the importance and

knowledge of information

technology among auditors in

Malaysia

2009 Survey Journal The article is surveying a

number of Information

Technology Auditors from

Malaysian companies on the

value of IT technical

knowledge in performance of

information technology

audits.

Y Malaysia, Asia Y Y

23 Steyn, B., & Plant, K. (2009) -

Education and training

considerations applicable to

internal auditors in South

Africa

2009 Survey Journal A survey on the training

needs for professionals acting

in Information Technology

Audit area

Y South Africa,

Africa

Y Y

69

Appendix B

This appendix includes the open codes identified during the Open Coding stage as well as the mapping between the open codes and articles were

they were found.

Table 12: The identified open codes

Open Codes

1.Awareness at national authorities level

2.Confusing/contradictory IS Audit regulations

3.Confusing/Cumbersome/Lack of laws

4.Costs of IS Audit outsourcing

5.Cultural and Religious barriers

6.Cultural-related hierarchical issues

7.Cumbersomeness of IS audit

implementations

8.Delay/Ignore the mitigation of reported IS

Risks

9.Different agenda of the management

10.Different Management style(Arab countries)

11.Difficulty to adapt the Western technologies

to local needs

12.Employee general awareness of IS Audit

13.Government support to implement/spread

the law

14.High Cost of IS Audit

Implementation/Execution

15.High pressure on IS Auditor

independence/objectivity/identity

16.Human Resource Management

17.Insufficient local academic research in the

field of IS Audit

18.IS Audit is not implemented in the business

Processes

25.Lack of documentation of successful

projects

26.Lack of experience and proper reporting of

findings in IS Audit

27.Lack of general IT Knowledge

28.Lack of human/budget resources

29.Lack of interest in using IT for IS Audit

30.Lack of IS Audit regulations

31.Lack of IS Audit tools and related

automation

32.Lack of IT modern experience and expertise

33.Lack of knowledge to

incorporate/implement the IS audit

34.Lack of management

help/support/commitment

35.Lack of modern/up-to-date knowledge

36.Lack of money to buy IS Audit tools

37.Lack of professional bodies at the national

level

38.Lack of professional ethics/code of conduct

39.Lack of qualified and competent IS audit

staff

40.Lacking Adoption of Standards in the IS

Audit Field

41.Lack of training in IS Audit specific tools

42.Lack of training in the IT/new technologies

49.Low level of knowledge of highly

specialized technologies

50.Low level of quality of the IS graduates

51.Management intrusion/negative pressure on

IS Audit

52.Misunderstanding of IS

Audit(role/benefits/scope)

53.Motivation

factors(Workplace/salary/benefits) for IS

Auditor

54.Need for a Knowledge base at national level

in the local language

55.Need for more specialized education at

university level in IS Audit

56.Not adapted university curricula to

accommodate IS Audit

57.Obsolete/Need for a Continuous update of IS

Audit

58.Obstructed transfer of IS audit Know-how in

the local language

59.Obstruction or wrong perception of IS

auditor(seen as cop/inspector/controller)

60.Organizational and Work Culture

61.Poor or partial implementation of IS Audit

Standards

62.Professional networking

70

Open Codes

19.Lack IS Audit Policies

20.Lack of ability to approach complex

information systems

21.Lack of best practices

22.Lack of business competition

23.Lack of continuous development of the IT

technical knowledge

24.Lack of continuous training in IS Audit

43.Lack of understanding of IS Risks

44.Lacking or poor implementation of IS Audit

policies

45.Limited compliance with IS Audit policies

46.Little or no cooperation/communication

with stakeholders

47.Low adoption level of IS Audit

48.Low interest of management in IS Audit

63.Reluctance of management to train staff

64.Resistance to change of

employees/organization

65.Size of organization

66.Specific Awareness at IT department level

67.Unclear job description

68.Unclear, fuzzy or overlapped Business

demands

69.Very diverse IT technological

landscape(chaotic/basic/heterogeneous/sophistic

ated)

Table 13: Mapping of the Open Codes to the articles

No Open Code Reference

1 Awareness at national authorities level Majdalawieh, M., & Zaghloul, I. (2009); Nkwe, N. (2011).

2 Confusing/contradictory IS Audit regulations Mahzan, N., & Veerankutty, F. (2011); Nijaz, B., Mario, S. & Lejla, T. (2011);

Razi, M. A., & Madani, H. H. (2013); Upadhyaya, P., Shakya, S., & Pokharel, M.

(2012).

3 Confusing/Cumbersome/Lack of laws Mahzan, N., & Veerankutty, F. (2011); Maria, E., & Hariyani, Y. (2011);

Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014); Nkwe, N. (2011); Salehi, M.,

& Husini, R. (2011); Upadhyaya, P., Shakya, S., & Pokharel, M. (2012); Wahdan,

M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).

4 Costs of IS Audit outsourcing Majdalawieh, M., & Zaghloul, I. (2009); Puspasari, D., & Yuwono, B. (2013);

Upadhyaya, P., Shakya, S., & Pokharel, M. (2012).

5 Cultural and Religious barriers Majdalawieh, M., & Zaghloul, I. (2009); Maria, E., & Ariyani, Y. (2014); Razi, M.

A., & Madani, H. H. (2013); Salehi, M., & Husini, R. (2011); Wahdan, M.A.,

Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).

6 Cultural-related hierarchical issues Al Lawati, A., & Ali, S. (2015); Razi, M. A., & Madani, H. H. (2013); Wahdan,

M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).

7 Cumbersomeness of IS audit implementations Al Lawati, A., & Ali, S. (2015); Maria, E., & Hariyani, Y. (2011); Razi, M. A., &

71

No Open Code Reference

Madani, H. H. (2013); Salehi, M., & Husini, R. (2011).

8 Delay/Ignore the mitigation of reported IS Risks Abu-Musa, A. A. (2008); Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014);

Purwoko, P. (2011).

9 Different agenda of the management Abu-Musa, A. A. (2008); Majdalawieh, M., & Zaghloul, I. (2009); Purwoko, P.

(2011); Razi, M. A., & Madani, H. H. (2013).

10 Different Management style(Arab countries) Razi, M. A., & Madani, H. H. (2013).

11 Difficulty to adapt the Western technologies to local

needs

Al Lawati, A., & Ali, S. (2015); Mahzan, N., & Veerankutty, F. (2011); Malgharni,

A. M., & Yusoff, W. F. W. (2011); Nkwe, N. (2011); Razi, M. A., & Madani, H. H.

(2013).

12 Employee general awareness of IS Audit Abu-Musa, A. A. (2008); Al Lawati, A., & Ali, S. (2015); Al-Ansi, A. A., Ismail,

N. A. B., & Al-Swidi, A. K. (2013); Alkebsi, M. A. A., Aziz, K. A., Mohammed, Z.

M., & Dhaifallah, B. (2014); Majdalawieh, M., & Zaghloul, I. (2009); Purwoko, P.

(2011); Upadhyaya, P., Shakya, S., & Pokharel, M. (2012).

13 Government support to implement/spread the law Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014); Mahzan, N., & Veerankutty,

F. (2011); Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014); Nkwe, N. (2011);

Razi, M. A., & Madani, H. H. (2013); Upadhyaya, P., Shakya, S., & Pokharel, M.

(2012); Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den.

(2008).

14 High Cost of IS Audit Implementation/Execution Abu-Musa, A. A. (2008); Mahzan, N., & Veerankutty, F. (2011); Majdalawieh, M.,

& Zaghloul, I. (2009); Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014);

Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).

15 High pressure on IS Auditor

independence/objectivity/identity

Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Abu-Musa, A. A.

(2008); Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014); Mahzan, N., &

Veerankutty, F. (2011); Majdalawieh, M., & Zaghloul, I. (2009); Purwoko, P.

(2011); Rafiei, G. H., & Moeinadin, M. (2014); Wahdan, M.A., Spronck, P., Ali, H.

F., Vaassen, E., Herik, H.J. van den. (2008).

16 Human Resource Management Ismail, N. A., & Abidin, A. Z. (2009); Mozhgani, F., Heirany, F., & Ardakani, S. S.

(2014); Salehi, M., & Husini, R. (2011); Steyn, B., & Plant, K. (2009); Wahdan,

M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).

17 Insufficient local academic research in the field of IS

Audit

Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Al-Ansi, A. A.,

Ismail, N. A. B., & Al-Swidi, A. K. (2013); Nkwe, N. (2011); Upadhyaya, P.,

Shakya, S., & Pokharel, M. (2012).

18 IS Audit is not implemented in the business Processes Maria, E., & Hariyani, Y. (2011); Maria, E., & Ariyani, Y. (2014); Mozhgani, F.,

72

No Open Code Reference

Heirany, F., & Ardakani, S. S. (2014); Purwoko, P. (2011); Puspasari, D., &

Yuwono, B. (2013); Salehi, M., & Husini, R. (2011).

19 Lack IS Audit Policies Nkwe, N. (2011); Upadhyaya, P., Shakya, S., & Pokharel, M. (2012).

20 Lack of ability to approach complex information

systems

Abu-Musa, A. A. (2008); Ismail, N. A., & Abidin, A. Z. (2009); Mahzan, N., &

Veerankutty, F. (2011); Majdalawieh, M., & Zaghloul, I. (2009); Majdalawieh, M.,

& Zaghloul, I. (2009); Maria, E., & Hariyani, Y. (2011); Maria, E., & Ariyani, Y.

(2014); Rafiei, G. H., & Moeinadin, M. (2014); Salehi, M., & Husini, R. (2011).

21 Lack of best practices Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014); Nkwe, N. (2011); Purwoko, P.

(2011); Puspasari, D., & Yuwono, B. (2013).

22 Lack of business competition Alkebsi, M. A. A., Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014); Razi,

M. A., & Madani, H. H. (2013); Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen,

E., Herik, H.J. van den. (2008).

23 Lack of continuous development of the IT technical

knowledge

Abu-Musa, A. A. (2008); Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K.

(2013); Ismail, N. A., & Abidin, A. Z. (2009); Mahzan, N., & Veerankutty, F.

(2011).

24 Lack of continuous training in IS Audit Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013); Ismail, N. A., &

Abidin, A. Z. (2009); Mahzan, N., & Veerankutty, F. (2011); Maria, E., & Ariyani,

Y. (2014); Steyn, B., & Plant, K. (2009); Upadhyaya, P., Shakya, S., & Pokharel,

M. (2012); Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den.

(2008).

25 Lack of documentation of successful projects Majdalawieh, M., & Zaghloul, I. (2009); Nkwe, N. (2011).

26 Lack of experience and proper reporting of findings in

IS Audit

Alkebsi, M. A. A., Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014);

Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014); Wahdan, M.A., Spronck, P.,

Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).

27 Lack of general IT Knowledge Abu-Musa, A. A. (2008); Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K.

(2013); Mahzan, N., & Veerankutty, F. (2011); Maria, E., & Ariyani, Y. (2014);

Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014).

28 Lack of human/budget resources Abu-Musa, A. A. (2008); Al Lawati, A., & Ali, S. (2015); Al-Ansi, A. A., Ismail,

N. A. B., & Al-Swidi, A. K. (2013); Mahzan, N., & Veerankutty, F. (2011);

Majdalawieh, M., & Zaghloul, I. (2009); Maria, E., & Ariyani, Y. (2014);

Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014); Razi, M. A., & Madani, H. H.

(2013); Salehi, M., & Husini, R. (2011).

29 Lack of interest in using IT for IS Audit Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013); Alkebsi, M. A. A.,

73

No Open Code Reference

Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014); Malgharni, A. M., &

Yusoff, W. F. W. (2011); Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014).

30 Lack of IS Audit regulations Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013); Mahzan, N., &

Veerankutty, F. (2011); Nkwe, N. (2011).

31 Lack of IS Audit tools and related automation Mahzan, N., & Veerankutty, F. (2011); Maria, E., & Ariyani, Y. (2014); Puspasari,

D., & Yuwono, B. (2013); Salehi, M., & Husini, R. (2011).

32 Lack of IT modern experience and expertise Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013); Mahzan, N., &

Veerankutty, F. (2011); Malgharni, A. M., & Yusoff, W. F. W. (2011); Purwoko, P.

(2011); Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den.

(2008).

33 Lack of knowledge to incorporate/implement the IS

audit

Mahzan, N., & Veerankutty, F. (2011); Majdalawieh, M., & Zaghloul, I. (2009);

Maria, E., & Hariyani, Y. (2011).

34 Lack of management help/support/commitment Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Abu-Musa, A. A.

(2008); Al Lawati, A., & Ali, S. (2015);Alkebsi, M. A. A., Aziz, K. A.,

Mohammed, Z. M., & Dhaifallah, B. (2014);Maria, E., & Ariyani, Y. (2014); Nkwe,

N. (2011); Purwoko, P. (2011); Puspasari, D., & Yuwono, B. (2013); Rafiei, G. H.,

& Moeinadin, M. (2014); Razi, M. A., & Madani, H. H. (2013); Salehi, M., &

Husini, R. (2011); Upadhyaya, P., Shakya, S., & Pokharel, M. (2012); Wahdan,

M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).

35 Lack of modern/up-to-date knowledge Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Wahdan, M.A.,

Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).

36 Lack of money to buy IS Audit tools Mahzan, N., & Veerankutty, F. (2011); Maria, E., & Ariyani, Y. (2014); Nkwe, N.

(2011); Salehi, M., & Husini, R. (2011).

37 Lack of professional bodies at the national level Al Lawati, A., & Ali, S. (2015); Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K.

(2013); Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014); Nkwe, N. (2011);

Steyn, B., & Plant, K. (2009); Upadhyaya, P., Shakya, S., & Pokharel, M. (2012).

38 Lack of professional ethics/code of conduct Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Bani-Ahmad, A., &

El-Dalabeeh, A. E. R. K. (2014); Maria, E., & Ariyani, Y. (2014); Rafiei, G. H., &

Moeinadin, M. (2014); Razi, M. A., & Madani, H. H. (2013); Wahdan, M.A.,

Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).

39 Lack of qualified and competent IS audit staff Abu-Musa, A. A. (2008); Alkebsi, M. A. A., Aziz, K. A., Mohammed, Z. M., &

Dhaifallah, B. (2014); Mahzan, N., & Veerankutty, F. (2011); Purwoko, P. (2011);

Steyn, B., & Plant, K. (2009); Upadhyaya, P., Shakya, S., & Pokharel, M. (2012);

Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).

74

No Open Code Reference

40 Lacking adoption of Standards in the IS Audit Field Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Al Lawati, A., & Ali,

S. (2015); Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014); Maria, E., &

Ariyani, Y. (2014); Nijaz, B., Mario, S. & Lejla, T. (2011); Salehi, M., & Husini, R.

(2011); Upadhyaya, P., Shakya, S., & Pokharel, M. (2012).

41 Lack of training in IS Audit specific tools Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013); Ismail, N. A., &

Abidin, A. Z. (2009); Maria, E., & Ariyani, Y. (2014); Nkwe, N. (2011); Salehi, M.,

& Husini, R. (2011).

42 Lack of training in the IT/new technologies Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013); Ismail, N. A., &

Abidin, A. Z. (2009); Mahzan, N., & Veerankutty, F. (2011); Majdalawieh, M., &

Zaghloul, I. (2009); Upadhyaya, P., Shakya, S., & Pokharel, M. (2012); Wahdan,

M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).

43 Lack of understanding of IS Risks Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Alkebsi, M. A. A.,

Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014); Bani-Ahmad, A., & El-

Dalabeeh, A. E. R. K. (2014); Mahzan, N., & Veerankutty, F. (2011); Malgharni, A.

M., & Yusoff, W. F. W. (2011); Maria, E., & Ariyani, Y. (2014); Nkwe, N. (2011);

Razi, M. A., & Madani, H. H. (2013);

44 Lacking or poor implementation of IS Audit policies Al Lawati, A., & Ali, S. (2015); Rafiei, G. H., & Moeinadin, M. (2014).

45 Limited compliance with IS Audit policies Nijaz, B., Mario, S. & Lejla, T. (2011); Rafiei, G. H., & Moeinadin, M. (2014).

46 Little or no cooperation/communication with

stakeholders

Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Al Lawati, A., & Ali,

S. (2015); Alkebsi, M. A. A., Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B.

(2014); Maria, E., & Ariyani, Y. (2014); Mozhgani, F., Heirany, F., & Ardakani, S.

S. (2014); Nkwe, N. (2011); Rafiei, G. H., & Moeinadin, M. (2014).

47 Low adoption level of IS Audit Nkwe, N. (2011); Razi, M. A., & Madani, H. H. (2013).

48 Low interest of management in IS Audit Abu-Musa, A. A. (2008); Alkebsi, M. A. A., Aziz, K. A., Mohammed, Z. M., &

Dhaifallah, B. (2014); Malgharni, A. M., & Yusoff, W. F. W. (2011); Nkwe, N.

(2011).

49 Low level of knowledge of highly specialized

technologies

Ismail, N. A., & Abidin, A. Z. (2009); Majdalawieh, M., & Zaghloul, I. (2009).

50 Low level of quality of the IS graduates Mahzan, N., & Veerankutty, F. (2011); Steyn, B., & Plant, K. (2009); Upadhyaya,

P., Shakya, S., & Pokharel, M. (2012).

51 Management intrusion/negative pressure on IS Audit Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Purwoko, P. (2011);

Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).

52 Misunderstanding of IS Audit(role/benefits/scope) Abuazza, W. O., Mihret, D. G., James, K., & Best, P. (2015); Ismail, N. A., &

75

No Open Code Reference

Abidin, A. Z. (2009); Majdalawieh, M., & Zaghloul, I. (2009); Maria, E., &

Hariyani, Y. (2011); Nkwe, N. (2011); Purwoko, P. (2011); Puspasari, D., &

Yuwono, B. (2013); Rafiei, G. H., & Moeinadin, M. (2014).

53 Motivation factors(workplace/salary/benefits ) for IS

Auditor

Maria, E., & Ariyani, Y. (2014); Steyn, B., & Plant, K. (2009); Wahdan, M.A.,

Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).

54 Need for a Knowledge base at national level in the

local language

Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013); Alkebsi, M. A. A.,

Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014); Bani-Ahmad, A., & El-

Dalabeeh, A. E. R. K. (2014); Nkwe, N. (2011); Wahdan, M.A., Spronck, P., Ali, H.

F., Vaassen, E., Herik, H.J. van den. (2008).

55 Need for more specialized education at university level

in IS Audit

Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013); Alkebsi, M. A. A.,

Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014); Mahzan, N., &

Veerankutty, F. (2011); Steyn, B., & Plant, K. (2009); Upadhyaya, P., Shakya, S., &

Pokharel, M. (2012); Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik,

H.J. van den. (2008).

56 Not adapted university curricula to accommodate IS

Audit

Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K. (2013); Alkebsi, M. A. A.,

Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014); Nkwe, N. (2011);

Upadhyaya, P., Shakya, S., & Pokharel, M. (2012); Wahdan, M.A., Spronck, P.,

Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).

57 Obsolete/Need for a Continuous update of IS Audit Mahzan, N., & Veerankutty, F. (2011); Puspasari, D., & Yuwono, B. (2013).

58 Obstructed transfer of IS audit Know-how in the local

language

Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014); Nijaz, B., Mario, S. & Lejla,

T. (2011); Nkwe, N. (2011).

59 Obstruction or wrong perception of IS auditor(seen as

cop/inspector/controller)

Abu-Musa, A. A. (2008); Al Lawati, A., & Ali, S. (2015); Maria, E., & Ariyani, Y.

(2014); Nkwe, N. (2011); Purwoko, P. (2011); Salehi, M., & Husini, R. (2011).

60 Organizational and Work Culture Majdalawieh, M., & Zaghloul, I. (2009); Maria, E., & Ariyani, Y. (2014).

61 Poor or partial implementation of IS Audit Standards Al Lawati, A., & Ali, S. (2015); Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K.

(2014); Nijaz, B., Mario, S. & Lejla, T. (2011).

62 Professional networking Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014); Mozhgani, F., Heirany, F., &

Ardakani, S. S. (2014); Steyn, B., & Plant, K. (2009); Upadhyaya, P., Shakya, S., &

Pokharel, M. (2012).

63 Reluctance of management to train staff Salehi, M., & Husini, R. (2011); Steyn, B., & Plant, K. (2009).

64 Resistance to change of employees/organization Bani-Ahmad, A., & El-Dalabeeh, A. E. R. K. (2014); Steyn, B., & Plant, K. (2009);

Wahdan, M.A., Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).

65 Size of organization Alkebsi, M. A. A., Aziz, K. A., Mohammed, Z. M., & Dhaifallah, B. (2014);

76

No Open Code Reference

Mahzan, N., & Veerankutty, F. (2011); Maria, E., & Hariyani, Y. (2011); Maria, E.,

& Ariyani, Y. (2014); Razi, M. A., & Madani, H. H. (2013); Wahdan, M.A.,

Spronck, P., Ali, H. F., Vaassen, E., Herik, H.J. van den. (2008).

66 Specific Awareness at IT department level Al Lawati, A., & Ali, S. (2015); Al-Ansi, A. A., Ismail, N. A. B., & Al-Swidi, A. K.

(2013); Upadhyaya, P., Shakya, S., & Pokharel, M. (2012).

67 Unclear job description Ismail, N. A., & Abidin, A. Z. (2009); Majdalawieh, M., & Zaghloul, I. (2009);

Maria, E., & Ariyani, Y. (2014); Puspasari, D., & Yuwono, B. (2013); Upadhyaya,

P., Shakya, S., & Pokharel, M. (2012); Wahdan, M.A., Spronck, P., Ali, H. F.,

Vaassen, E., Herik, H.J. van den. (2008).

68 Unclear, fuzzy or overlapped Business demands Al Lawati, A., & Ali, S. (2015); Majdalawieh, M., & Zaghloul, I. (2009); Rafiei, G.

H., & Moeinadin, M. (2014).

69 Very diverse IT technological

landscape(chaotic/basic/heterogeneous/sophisticated)

Abu-Musa, A. A. (2008); Al Lawati, A., & Ali, S. (2015). Ismail, N. A., & Abidin,

A. Z. (2009); Mahzan, N., & Veerankutty, F. (2011); Majdalawieh, M., & Zaghloul,

I. (2009). Maria, E., & Hariyani, Y. (2011); Maria, E., & Ariyani, Y. (2014);

Mozhgani, F., Heirany, F., & Ardakani, S. S. (2014); Purwoko, P. (2011); Salehi,

M., & Husini, R. (2011).

77

Appendix C

This appendix is including the comprehensive overview of the whole coding process.

Table 14: The complete matrix of the concepts

Selective Coding Axial Coding Open Coding

Legislation Laws and legal framework Confusing/Cumbersome/Lack of laws(7)

Government support to implement/spread the law(7)

Regulations Lack of IS Audit regulations (3)

Confusing/contradictory IS Audit regulations (4)

Policy and standards IS Audit Policy Lack IS Audit Policies (2)

Limited compliance with IS Audit policies (2)

Lacking or poor implementation of IS Audit policies (2)

Lack of best practices (4)

IS Audit Standards Lacking adoption of Standards in the IS Audit Field (7)

Poor or partial implementation of IS Audit Standards (3)

Organizational Cost High Cost of IS Audit Implementation/Execution (6)

Costs of IS Audit outsourcing (3)

Lack of money to buy IS Audit tools (4)

Business characteristics Size of organization (6)

Lack of business competition (3)

IS Audit is not implemented in the business Processes (6)

Low adoption level of IS Audit(2)

Unclear, fuzzy or overlapped Business demands (3)

Organizational and Work Culture (2)

Management Lack of management help/support/commitment (13)

Management intrusion/negative pressure on IS Audit (3)

Low interest of management in IS Audit (4)

Delay/Ignore the mitigation of reported IS Risks (3)

Different Management style(Arab countries) (1)

Different agenda of the management (4)

Human Resource Management (5)

78

Technology Very diverse IT technological

landscape(chaotic/basic/heterogeneous/sophisticated) (10)

Cumbersomeness of IS audit implementations (4)

Difficulty to adapt the Western technologies to local needs (5)

Lack of IS Audit tools and related automation (4)

Human Resources Employees perception of IS

Audit

Obstruction or wrong perception of IS auditor(seen as cop/inspector/controller)

(6)

Misunderstanding of IS Audit(role/benefits/scope) (8)

Little or no cooperation/communication with stakeholders (7)

Obsolete/Need for a Continuous update of IS Audit (2)

IS Audit Job Lack of human/budget resources (9)

Lack of professional ethics/code of conduct (6)

Unclear job description (6)

High pressure on IS Auditor independence/objectivity/identity (8)

Motivation factors(Workplace/salary/benefits) for IS Auditor (4)

Lack of qualified and competent IS audit staff (7)

Job related Skills Lack of experience and proper reporting of findings in IS Audit (3)

Lack of ability to approach complex information systems (9)

Lack of IT modern experience and expertise (5)

Lack of understanding of IS Risks (8)

Lack of knowledge to incorporate/implement the IS audit (3)

Lack of interest in using IT for IS Audit (4)

Educational Academic Insufficient local academic research in the field of IS Audit (4)

Not adapted university curricula to accommodate IS Audit (5)

Need for more specialized education at university level in IS Audit (6)

Low level of quality of the IS graduates (3)

IS Professional training and

certification

Lack of professional bodies at the national level (6)

Lack of continuous training in IS Audit (7)

Lack of training in the IT/new technologies (6)

Lack of training in IS Audit specific tools (5)

Reluctance of management to train staff (2)

IS Technical knowledge Lack of modern/up-to-date knowledge (2)

Low level of knowledge of highly specialized technologies (2)

Lack of general IT Knowledge (5)

Lack of continuous development of the IT technical knowledge (4)

79

Knowledge base Obstructed transfer of IS audit Know-how in the local language (3)

Lack of documentation of successful projects (2)

Need for a Knowledge base at national level in the local language (5)

Professional networking (4)

Cultural Change Perception Resistance to change of employees/organization (3)

Cultural and Religious barriers (5)

Cultural-related hierarchical issues (3)

Awareness Employee general awareness of IS Audit (7)

Specific Awareness at IT department level (3)

Awareness at national authorities level (2)

Department of Computer and Systems Sciences

Stockholm University

Forum 100

SE-164 40 Kista

Phone: 08 – 16 20 00

www.su.se