AUDITING IN THE IT ENVIRONMENT: DISCUSSION ON METHODOLOGY

systems and parameters Audit goals 3. Evaluation and comparison with the norm

Introduction and research problem. To date, scholars have not agreed on the positions on audit methods and methods used in economic control. The very concepts of control methods, audit methods, control activities, control procedures, audit and control methodology often are not distinguished. Moreover, they are being mixed with similar terms borrowed from management science, economics, mathematics, etc. Global practice of auditing research not only does not pay much attention to the basic terms and concepts but also omits the fact that at some point the application of information technologies both in accounting and auditing had begun. This short text is aimed to sum up and disclose some ideas that could be useful to start a wide discussion on the modern concepts of the method, techniques and methodology in audit and auditing research, and identify them in the context of global research practice and business practice.
Recent publications analysis. In general, the methodology deals with the study of the scientific basis for the use of individual methods in research, and it is a philosophical, theoretical background for the study of the particular object. In auditing and economic control, from the local Ukrainian point of view, there are fundamentally different approaches to the methodology (Ivakhnenkov, 2010, pp. 101-192).
Traditionally, scholars believe that auditing deals with both 'problems of fact' similar to those of the natural sciences and with 'problems of value', specific to those of the social sciences. Therefore, in the seminal work on the audit theory, R. Mautz and H. Sharaf write: "It <auditing> must have two procedures, one for dealing with each kind of problem in order to deal with each aspect" (Mautz & Sharaf, 1964, p. 27).
Ukrainian authors consider the classification of methods differently. The common approach is that in economic control in general and in auditing, in particular, there are certain universal general scientific (philosophical) methods (Bilukha, 1998;Drozd, 2004), and then there are individual methods or techniques. Such an approach to determining the theoretical foundations of the methodology cannot be found in English-language literature on auditing. Instead, authors typically write about the research procedure, the order of studying objects -not about philosophical principles or general scientific methods (Hayes et al., 2015;Mautz & Sharaf, 1964).
Unsolved parts of the problem. The further development of the theory and practice of audit requires clarification of methodology and the development of coherent, integrated, scientifically based concepts on methodological issues.
Research goals and questions. The purpose of the study is to develop methodological provisions of auditing in the IT environment, as well as for audits performed with computer-assisted audit tools and techniques.
To achieve the purpose, the following objectives were set: -to revise and systematize conceptual approaches to the audit methodology, formulate its modern paradigm and develop the conceptual apparatus according to its basic foundations; -to structure the audit method, consider its static and dynamic, general theoretical and technological components for further improving the methodology and organization of auditing in the context of the use of information systems and technologies.
Main findings. The search for the origins of the fundamental difference in scientific paradigms of auditing methodology led to the analysis of approaches in two theoretical works on logic, published in the middle of the 20th century in the Soviet Union and the United States (Bibler, 1958;Ruby, 1950). In these sources, approaches to the process of logical thinking in research are considered differently. The manual on 'dialectical' logic, published in 1958 in the USSR, identified 8 categories of dialectical logic, namely: analysis, synthesis, induction, deduction, abstraction, analogy, modelling, experiment. A textbook on logic, published in 1950 in the United States, identified also 8, but stages of scientific thinking: 1) consideration of preliminary data highlighting the problem; 2) the formulation of the problem; 3) an overview of the facts relevant to the problem; 4) use of prior knowledge; 5) hypothesis formulation; 6) development and specification of the hypothesis; 7) testing the hypothesis; 8) conclusion: the hypothesis is confirmed or not confirmed.
Thus, differences in the basic paradigms of Ukrainian and foreign scientists are explained by the different understanding of the basic provisions of logic. Ukrainian scientists, following Soviet traditions, firstly consider the basic scientific and philosophical categories, foreign ones -the procedure for conducting research. Prof. V. Rudnytskyi in this regard writes about the "additive" and "procedural" approaches to the methodology identification in accounting and auditing (Rudnytskyi, 2000, p. 31). The additive approach considers the system of methods and techniques; the procedural one -the mechanism of action and the sequence of certain types of work. Foreign researchers do not apply the additive approach to audit methodology at all, only the procedural approach is used. To underline this, an American researcher Philip Wallage states that "the audit process can be compared to the empirical scientific cycle" (Wallage, 1993). An empirical science cycle is a systematic process of experimentation that consists of formulating a research question, then drawing up a plan for empirically investigating that question. The authors from the USA and the Netherlands agree with this, noting: "Although the numerous judgments made during a financial audit (about audit approach, sampling, audit risk, etc.) make it more of an art than a science, the audit process follows a systematic process" (Hayes et al., 2015, p. 23). The audit process begins with the client's request, which is determined by the audit plan, continues with factual checks and ends with the auditor's opinion.
Those two approaches do not contradict each other. There is no disagreement between general methodological techniques (could be described as control 'statics') and procedures (could be described as control 'dynamics'). A common feature of the approaches is that the method of auditing is considered as the sum of methodological techniques, which, in turn, are used depending on specific objects to audit peculiar business cases. However, no methodological structure has been produced that would explain the principles for applying specific techniques. Also, as we already mentioned, traditionally auditing was considered as an activity that deals with social structures (organizations -people that unite to do business) and physical structures (physical business assets, energy, etc.). Now it is time to discuss characteristics of abstract systems that represent essential importance to modern business.
Abstract systems are interconnected and interacting sets of words, symbols, etc., created by means of communication in society (Marsh & Swanson, 1991, p. 24). A common example of abstract systems is a financial system based on the idea of monetary units that are not tied to the value of a specific material equivalent (a striking modern example is the concept of cryptocurrencies). Studying the characteristics of abstract systems and their parameters is an extremely important issue in auditing. Abstract systems at business entities include systems of artificially created formal indicators, which: 1) characterize the financial condition and business processes; 2) model the financial condition and business processes for their management. The first group of systems of artificially created indicators includes, for example, the financial accounting system, which is based on the double-entry principle, and, respectively, financial statements. The second group of systems includes algorithms inside computer business information systems (from simple accounting software to Enterprise Resource Planning systems).
Nowadays, most businesses use computerized accounting systems that work by software algorithms. Thus, the ongoing research project of the Kyiv-Mohyla Academy Department of Finance Faculty during 2010-2019 demonstrated that only 9 business entities out of total 142 respondents in Ukraine in 2010-2013 (6.3 %) and only 4 entities out of 114 interviewed in Ukraine in 2014-2019 (3.5 %) had financial accounting not automated in any way. Information processing algorithms and models of business processes implemented in such accounting systems are used not only to provide management with information but also to actively support and manage business processes.
All of this makes it necessary to pay detailed attention to the relationships of auditing with the exact sciences -mathematics, logic and computer science. The research methods in exact sciences are unique in their ability to provide accurate and fully proven knowledge, both about abstract concepts and about individual real (however modelled) objects. Natural sciences have physical objects as their subject; social ones deal with social and cultural objects (people, their collectives, activities, ideas); exact sciences deal with statements and numbers. Computer science, in particular, studies the development of algorithms, including (Schneider & Gersting, 2018, p. 6): 1) studying the behaviour of algorithms to determine if they are correct and efficient; 2) designing and building computer systems that can execute algorithms; 3) designing programming languages and translating algorithms into these languages so that they can be executed by the hardware; 4) identifying important problems and designing correct and efficient software packages to solve these problems.
The basic research method in mathematics and logic is proving, not confirmation of hypotheses or interpretation. The main question in computer science is: "What can be (efficiently) automated?" (Dodig-Crnkovic, 2002, p. 5), and the basic methods are modelling and computational experiment (simulation). The process of scientific thinking in computer science is thus reduced to the process of modelling, which is in a simplified way looks like this (Aho & Ullman, 1994;Dodig-Crnkovic, 2002): 1) selection of characteristics and formal methods for modelling; 2) building a model; 3) checking the model. Accordingly, in practice, the model is a particular computer program.
Programming was first seen as exact science that is similar to mathematics. But it turned out that it is very difficult to create a large software product that is free from errors. One of the suggested ways to solve the problem was as follows: since a computer program is a sequence of logical steps, similar to proving theorems in mathematics, then its correctness can be proved. C. A. R. Hoare, a leading scientist in this field, argued: "Computer programming is an exact science in which all the properties of a program, and all the consequences of its execution, in principle, can be found in the text of the program itself using purely deductive thinking" (Hoare, 1969). R. Stallman and S. Garfinkle expressed the idea even more precisely (Stallman & Garfinkle, 1992).
However, philosophers and mathematicians opposed the fundamental possibility of completely proving the correct functioning of computer programs. J. Fetzer, a philosopher, argued that it is in principle impossible to accurately verify computer programs since there are limitations arising from the very nature of computers as complex causal systems, the behaviour of which, in principle, "can be known only with such uncertainty that accompanies empirical knowledge as opposed to the confidence that is inherent in mathematical calculations. Therefore, when the set of entities consists of purely abstract entities, a convincing final check is possible, but when the set of entities consists of concrete physical objects, only relatively reliable checks are possible" (Fetzer, 1989). J. Barwise (1989), a mathematician, pointed out that to predict what a real program does on computers, it is necessary to simulate not only programs and hardware but also related conditions, including, for example, the qualifications of an operator. So, it is anyway necessary to experimentally test computer programs.
All of this is directly related to auditing because it encompasses all three general scientific procedures for scientific research, applicable in different types of sciences. Based on all of the above, we propose to present the auditing method as a complex twodimensional and three-level construction, as shown in Table 1. At the basic, general theoretical level, the method of auditing consists of 1) general scientific theoretical approaches and techniques (such as analysis, synthesis, induction, deduction, abstraction, analogy, modelling, experiment); 2) the general research procedure inherent in economic control that integrates the research methodology of natural, social and exact sciences (such as consideration of data; hypothesis formulation and development; testing the hypothesis).
We believe that on the second, applied (technological) level, the audit method is made up of its applied elements, which include: examination, observation, inquiries, external confirmation, recalculation, reperformance, etc. Those methods are described in the International Standard on Auditing No. 500 entitled "Audit Procedures for obtaining audit evidence" (ISAs, pp. 380-396). At the second, technological level, the elements of the auditing method are control procedures and control technologies (based on general scientific methods, approaches, research procedures, methodological techniques and techniques). In a broad sense, control technology is the entire set of methods and tools necessary for exercising control.
In a narrow sense, it is a complete system of clearly described control activities and means for their implementation (norms, descriptions, physical, technical tools, software). Control technology should have characteristics of a formalized system of actions and tools that perform clearly defined control tasks (in fact, to be an algorithm), and the final result of the control technology should be either a clear quantitative characteristic or a specific corrective action.
The general research procedure inherent in auditing as an interdisciplinary discipline combines the research procedures of natural, social, and exact sciences, can be shown using the following scheme (Fig. 1). Auditing includes various types of assessment of information about economic facts and business processes, performed by specialists (auditors) who are external to the business processes.
First of all, businesses are complex, sociotechnical systems that consist of personnel, materials, energy, and communications that have natural and monetary characteristics. Many of their parameters can be measured using physical parameters -for instance, the area on which the enterprise is located, the number of products sold, employed workers, the volume of resources that are consumed. Here, during the course of an audit, research procedures can be applied primarily by the scheme 1A-2A (see Fig. 1 An important feature of auditing is the issue of the quality and sufficiency of the necessary facts to exercise control. Auditors often base their opinions on satisfactory facts (reasonable audit evidence) rather than on the best possible facts. As R. Mauz and H. Sharaf noted, the auditor always works under time constraints (Mautz & Sharaf, 1964, p. 30), so his conclusions are often debatable. Rarely an auditor is not limited in time, staff, or funds. So, in practice (and it is allowed by auditing standards), auditors are forced to modify the research procedure 1A-2A and use the sequence 1A-2A together with 1A-2B, applying their understanding of the situation (professional judgment) to guide the procedures for gathering facts. That is why auditing applies such methodological techniques as risk assessment and materiality calculation, as well as iterative (cyclical) execution of the research procedure according to the scheme (1.1).
This research procedure includes the reassessment of audit risk, the refinement of the methodology for collecting facts at each step of an iteration (everywhere the professional judgment is used). Of course, the evaluation of results is also judgment-based (3A).
(1.1) Auditors also pre-accept the hypothesis they consider most likely to save efforts and speed up testing. As a general rule, this hypothesis states that there are no deviations from the norm, or they are insignificant (using the wording from the International Standards on Auditing -"there are no material misstatements").
However, none of the authors principally objects to such scope and extent of an audit, which makes it possible to verify with a high degree of accuracy all (namely, two) possible hypotheses -both about the presence and the absence of deviations. We believe that the basic research aim here is to find ways to remove time and scope restrictions by making control technologies cheaper and increasing their reliability.
Another procedure is applied when auditors deal with such objects as characteristics of social systems and states. When conducting an audit, it may be necessary to assess a number of qualitative characteristics of the system under study, which may relate to social subsystems -for example, the control environment, the moral and educational level of employees, the adequacy of business decisions made, for example, on the choice of fixed assets depreciation or the costing of current assets in accordance with accounting standards. Such audit objects are not clearly formalized and defined; they can be interpreted and understood in different ways. Accordingly, the assessment of these parameters by auditors will also be subjective, not clearly formalized, and the evidence, respectively, will be less accurate and reliable. In this case, the course of an audit of a research procedure typical for social sciences according to the scheme 1B-2B (see Fig. 1) is used.
To date, there are no developed fully effective methods for studying the functioning of the business computer information systems and the characteristics of such systems. The most efficient procedure for studying abstract systems is the application of modelling (as the next level of abstraction) and programming and the following study of the programmed model (by the procedure 1C-2C - Fig. 1). But since the computer information system of the business entity already contains abstract models of the specific business processes' functioning, in some cases the most efficient audit method for studying even physical systems will be studying the objects by the following procedure (1.2). (1.2) In this case, to control the physical parameters and characteristics of a specific physical system (inside a business entity), an abstract model of such a system, which is contained in a business computer information system is studied. Here a model for the next level of abstraction is being built -an ideal model for exercising control. An example of such an audit procedure would be, for example, when the auditor uses his/her own software to test the functioning of the client's business and accounting software and the data it contains.
Conclusions and further research proposals. Even though domestic and foreign accounting researchers express fundamentally different views on the main conceptual provisions of auditing theory, in the context of ІТ use it is possible to combine different paradigms. Auditing in the IT environment and with the use of ІТ is an area of scientific knowledge that combines the features of social, natural and exact sciences, and deals with research objects, which are conceptual systems (knowledge, skills, etc.), natural systems (physical objects and their characteristics) and abstract systems (conceptual and algorithmic models). The objects of an audit include both financial reporting indicators, characteristics of business processes, the functioning of the accounting system, and, subsequently, the functioning of information systems and technologies with the help of which business processes and accounting are carried out. In the context of the use of information systems, there is a mutual penetration and integration of different types of control activities in terms of their content and objects.
Depending on the specific tasks of an audit, various audit objects are distinguished. They can be financial statements, individual financial indicators, control technologies, ІТ, the state of the management system, etc.
The audit method has a two-dimensional (static and dynamic) and two-tier structure. At the basic, general theoretical level, this includes 1) basic, general scientific theoretical techniques and approaches; 2) general research procedures inherent in auditing as an interdisciplinary field that combines research methodologies from natural, social, and exact sciences. At the applied (technological) level, the elements of the auditing method are control procedures and control technologies based on general scientific methods, approaches, and research procedures.
The research method is arranged according to the selected objects. The techniques can be grouped into three categories: a) techniques for collecting facts about physical characteristics; b) methods of thinking to gain understanding; c) modelling and programming. The identified facts are assessed and compared with the norm (both a creative assessment by a specialist and an automatic one) and an auditing result is formed, which may be just providing information, as well as in the direct implementation of corrective action. In an ideal situation, to audit objects of different types, their own research methods are used.
In practice, time, spatial, budgetary and legal restrictions are always imposed on the exercise of audits. We believe that the main scientific and methodological task of research in the field of modern auditing today should be the issue of removing or expanding these restrictions. A real opportunity to do this today is provided by information technologies and modelling of business processes with their help.
Since in the practice of auditing, a methodological research procedure is used, which is characteristic for solving evaluative problems regarding actual problems and abstract systems, audit activity today cannot be described only in terms of control technologies. Issues related to value judgments and the specifics of the research procedure, which includes elements of the research procedure used in the social sciences, makes this impossible. In this case, the formulation and choice of alternatives significantly depend on the personality of the auditor himself, his education and experience, is unreasonable in the study of concrete (physical) and abstract systems.