Effect of risk of using computerized AIS on external auditor's work quality in Yemen

This study aimed to identify the effect of the risks of using computerized AIS in facilities subject to auditing on external auditor's work quality. The study was applied to Yemeni external auditors, with a targeted sample size of 120 people who were randomly selected. Data were collected through questionnaires. The collected data were processed using SPSS version 23. The results of this study revealed a statistically significant effect of risk associated with the use of computerized AIS (human risks, environmental risks, and viruses’ risks) on external auditor's work quality. However, human risks are the most risk to the external auditor in the audited facilities. From a practical standpoint, AIS and IT auditors and facilities subject to auditing all stand to gain from the results of this study.


Introduction
*AIS stands for an accounting information system. Before computers existed, AIS was a manual paperbased system, but today, most companies use computer software as the basis for the AIS. Computers have become smaller, faster, easier to use, and less cost leading to the computerization of the accounting systems (Sugut, 2014). Manual accounting systems have become gradually inadequate for decision-making needs. Thus, public and private companies in both developing and developed economies view computerized AIS as a way to ensure effective and efficient flow of information in the recording, processing, and analysis of financial data (Appiah et al., 2014). According to Nicolaou (2000), AIS is a computerized system for processing financial information and strengthening decision-making functions. It has become the lifeblood of the company, where it could not imagine working without such a system (Al-Hattami and Kabra, 2019).
At present, all companies operate in a computerized environment, some are almost 100% computerized, and some use the applications needed for bookkeeping and financial reporting (Elefterie and Badea, 2016). Therefore, performing audits without the use of IT is not an option. When all information needed to conduct an audit is on computer systems, how can one perform an audit without the use of the computer? (Sayana and CISA, 2003) It is almost impossible to perform the tasks of auditors without the use of IT (Pedrosa et al., 2015). Although the use of IT in accounting (computerization) has created new job opportunities for the auditing profession, it has been accompanied by many risks, including the cancellation of traditional documents of evidence and the spread of computer crimes, viruses, and others. Hence, there is a need to refocus audit practices often associated with the computerized operated AIS.
Information Technology (IT) has greatly influenced contemporary businesses and thus imposes challenges to the auditing profession (Tarek et al., 2017). As this IT has further evolved, the threats and crimes framework associated with the use of technology has increased, posed a major challenge to many entities and professions, including the auditing profession. This reality has imposed a new responsibility on the auditing profession to avoid the risks that may result from those systems. Such risks may arise from possible errors (intentional or unintentional) that may occur during the input, operation, output, or even during the audit of the data issued by those companies. Kombo (2013) defined IT Auditing as "the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allows organizational goals to be achieved effectively, and uses resources efficiently." Audit risk is the possibility of misstatement in the financial statements. "It is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated" (BPPLM, 2016). Audit risk is "the failure of the audit procedures to detect significant errors and have a direct impact on the reputation of the external auditor" (Adow, 2020). Auditors may likely fail incorrectly to modify their view on financial statements that are materially misstated (Whittington and Pany, 2016). Audit risk may affect audit procedures and their results (Frias and Fajardo, 2008).
In the context of Yemen, the Yemeni Association of Chartered Accountants (YACPA) was established in 1987 with certified or accredited accountants as members. It aims to strengthen the accounting and auditing profession and to enhance investor confidence in the capital market (YACPA, 2011). However, the audit profession still faces many difficulties related to the lack of research in the field of IT auditing, which should highlight the impact of information technology on auditing and provide the necessary frameworks, tools, and techniques (Al-Kharbi, 2010). If audit firms are not updated in terms of computerized IS usage, they cannot meet the many challenges and risks posed by a technology-based business environment. Moreover, auditors with limited knowledge of IT, IT training, and IT use will lack the ability to audit typical customers with complex computer systems (Al-Ansi et al., 2013). This research highlights the types of risk associated with the use of computerized AIS faced by external auditors in enterprises under auditing. In addition to identifying the impact of these risks on external auditor's work quality in an attempt to reach recommendations that may help develop the auditing profession.
The remaining sections of this paper are organized as follows: Section 2 determines the related literature review. Section 3 summarizes the research questions. Section 4 is focused on the methodology. Section 5 outlines the data analysis and discussion. The last section formulates conclusions, determines the major limitations of this study, and suggests further research.

An overview of Yemen
Yemen is located in south-west Asia, at the southern side of the Arabian Peninsula, between Saudi Arabia and Oman. It is located at the Bab Al-Mandab Strait entrance, which connects the Red Sea to the Indian Ocean; it is one of the world's most active and strategic shipping lanes (Sharp, 2010). However, it remains one of the least developed countries (LDCs) (WBG, 2007;UNCTAD, 2017). Moreover, it is one of the poorest countries in the Arab region. It has a population of about 29 million, and it has a high population growth rate estimated at 3% (UNY, 2011).

Computerized AIS
In literature, the use of computerized AIS is recommended for its important role in the success of organizations (Al-Hattami et al., 2020). The study of AIS is, to a large extent, a study of the application of information technology (IT) to accounting systems (Bagranoff et al., 2010). As IT develops further, manual accounting systems have become gradually inadequate for decision-making needs. Developments in the fields of accounting, IS, and IT over the last decades of the 20 th century have contributed to the scope and roles expansion of AIS (Mitchell et al., 2000). According to Lanier (1992), an IT-based accounting system is ''a set of organized procedures used to collect and record accounting data with the use of a computer.'' The AIS is the lifeblood of an enterprise, and without it, there will be no integration, coordination, or control of business activities (Das, 1989). According to Moscove and Simkin (1984), AIS is a component of MIS that collects, categorizes, addresses, analyzes, and offers financial information to external parties and decision-making management. Wongsim and Gao (2011) stated that AIS is a specific software application and management process. Pierre et al. (2013) defined AIS as a computerized system that collects, inputs, and processes data, in addition to storing, managing, controlling, and reporting information that can be used in different tasks such as planning and decision making. Overall, computerized AIS in this study can be defined as the application of the computer-based software to input financial data, process them, and thereafter output financial information (Fig. 1).

Auditing quality
Auditing begins where accounting ends (Kumar and Sharma, 2015). It can be defined as "the accumulation and evaluation of evidence about information to determine and report on the degree of correspondence between the information and established criteria. Auditing should be done by a competent, independent person" (Arens et al., 2006). The auditing includes searching and verifying the accounting records and checking other evidence supporting the financial statements. Auditors will collect the necessary evidence to release the audit report. The audit report includes the auditors' opinion, which states that financial statements follow GAAP (Whittington and Pany, 2016). Reports on the status quo of the firm are provided to the shareholders and government. The stakeholders would like to have knowledge of whether or not the firm is making the right steps towards its aims. While the government would like to make a more reliable estimate of many things, for example, taxes (Azzam et al., 2020).

Fig. 1: Computerized AIS
The auditing job is performed by an independent person or body of people qualified for the job (Kumar and Sharma, 2015). The auditor's independence guarantees objectivity and imposes confidence in the users of the financial statements. Audit quality is one of the most important issues in today's audit practices. Regulators, investors, and all related parties gave this concept of absolute importance (Azibi, 2018). Many individuals and groups, either internal or external, have an interest in the quality of audited financial information (Farouk and Hassan, 2014). When planning the auditing, the auditor should consider what might make the financial statements materially misstated (Frias and Fajardo, 2008). Auditing quality describes how well auditing detects and reports physical errors of financial statements. High auditing quality should be associated with high information quality (Yasser and Soliman, 2018).

The risks of using computerized AIS
Risk is present in IT, and no organization is safe from computer security risks/threats. A risk may have one or more causes and may have one or more effects if it occurs (Řeháček, 2017;Bansah, 2018). In assessing threat-sources, it is important to consider all potential threat-sources that could cause harm to an IT system and its processing environment. The threat-source is defined as any circumstance or event with the potential to cause harm to an IT system (Stoneburner et al., 2002). The threat sources can be natural, human, or environmental.
1. Human risks: Humans can be threat-sources through intentional acts, such as deliberate attacks by malicious persons or disgruntled employees, or unintentional acts, such as negligence and errors. A deliberate attack can be either (1) a malicious attempt to gain unauthorized access to an IT system (e.g., via password guessing) in order to compromise a system and data integrity, availability, or confidentiality or (2) a benign, but nonetheless purposeful, attempt to circumvent system security. One example of the latter type of deliberate attack is a programmer's writing a Trojan horse program to bypass system security in order to "get the job done" (Stoneburner et al., 2002). 2. Environmental risks: The risks resulting from the IT environment are determined by the lack of physical protection of hardware and software and their exposure to cases of misuse, vandalism, and environmental damage (such as fire, heat, and humidity) (Arens and Loebbecke, 2005). 3. Viruses' risks: Computer Viruses are destructive programs which can affect other programs in computer and sometimes result in big losses to the organization, in terms of loss of productivity and continuity of losses (Mathur et al., 2015). Such risks cause many problems in the data and programs where they are utilized to destroy part of the software so that it cannot be recovered (Kamil and Nashat, 2017).

Research question
Based on the literature discussed in section 2, the main research question was formulated, which states: 'Do risks of using computerized AIS affect the external auditor's work quality?' Sub-questions are: Q1. Do human risks affect the external auditor's work quality? Q2. Do environmental risks affect the external auditor's work quality? Q3. Do viruses' risks affect the external auditor's work quality?

Methodology
The main aim of this research is to examine the impact of risk associated with the use of computerized AIS on external auditor's work quality. A questionnaire was used as a tool for data collection. The study's accessible target population is comprised of all external auditors practicing the profession in Yemen. According to YACPA, the number of external auditors in practice is 244 people (YACPA, 2011). The questionnaire was distributed to 120 external auditors. Out of 120 questionnaires, only 70 were returned, yielding a response rate of 58.3%. All of the returned questionnaires were valid and appropriate for analysis (Table 1). To score answers, the (5)-point Likert scale was used.

Data analysis and discussion
Based on a sample of 70 chosen external auditors, this study clarifies the effect of risk associated with the use of computerized AIS: 1) Human risks, 2) Environmental risks, and 3) Viruses' risks.

Profile of respondents
With regard to the profile of respondents shown in Table 2, all respondents are males. In terms of age, the highest percentage was for those aged 38 to 47 years. Finally, in terms of experience, 23.7% of the respondents have less than two experience years, 30.9% of them have 2 to 5 experience years, 28.4% have 6 to 10 experience years, and the rest have more than 10 years of experience.

Reliability testing
Reliability in statistics refers to the overall stability or consistency of a measure used. With regard to reliability testing and questionnaire items: (1) The number of questionnaire items was twelve; (2) Cronbach's alpha for these items was 81.2%, which is more than seventy percent, reflecting the stability of the measuring instrument used (Hair et al., 2010). Table 3 shows reliability testing.

Statistical results of study questions
The first question: 'Do human risks affect the external auditor's work quality?'. Table 4 shows the views of the study sample in the items of the first question.
According to the overall mean (M=4.297, p<0.001) in Table 4, the human risks (HR) associated with the use of computerized AIS have a significant impact on the external auditor's work quality. Upon taking each of these items separately, the risks associated with each of them on the external auditor's work quality are also significant. However, the highest of these risks (M=4.471; M=4.457; p<0.001) is related to items 3 and 1, respectively:  Intentional entering of false data by users.  The lack of scientific and practical qualifications of the cadres responsible for the implementation of AIS.
The second question: 'Do environmental risks affect the external auditor's work quality?'. Table 5 shows the views of the study sample in the items of the second question. The overall mean of the second type of risk (i.e., environmental risks) was M=4.043, which is also considered significant at p<0.001. Upon taking each of these items separately, the risks associated with each of them on the external auditor's work quality are also significant. However, the highest of these risks is related to item 4 (M=4.186; p<0.001):  Deliberate disasters committed by people such as non-periodic maintenance of computers, data theft, and deliberate fires.
The third question: 'Do viruses' risks affect the external auditor's work quality?'. Table 6 shows the views of the study sample in the items of the third question.
Looking at the overall mean (M=4.232; p<0.001) in Table 6, it is noted that the risks of viruses (VR) associated with the use of computerized AIS have a significant impact on the external auditor's work quality. This effect comes second after the human risks (M=4.297, p<0.001), while the environmental risks (M=4.043; p<0.001) are third in terms of the effect on the external auditor's work quality.  Lack of control procedures that prevent unauthorized persons inside or outside the organization from accessing and manipulating files and programs.
--10 51.4 38.6 4.286*** 0.640 3 Total 4.297*** 0.480 -Notes: All values of the mean are measured based on a 5-point scale of Likert, anchored on 1 (SD=strongly disagree); 2 (D=disagree); 3 (N=neutral); 4 (A=agree); 5 (SA=strongly agree); M=mean; SD=standard deviation; *significant at p<0.05; ** significant at p<0.01; ***significant at p<0.001; not significant (ns) at p≥0.05 All values of the mean are measured based on a 5-point scale of Likert, anchored on 1 (SD=strongly disagree); 2 (D=disagree); 3 (N=neutral); 4 (A=agree); 5 (SA=strongly agree); M=mean; SD=standard deviation; *significant at p<0.05; ** significant at p<0.01; ***significant at p<0.001; not significant (ns) at p≥0.05 Upon taking each of Table 6 items separately, the risks associated with each of them on the external auditor's work quality are high as well (Mean>3.40). However, the highest of these risks (M=4.414; p<0.001) is related to item 2:  Lack of awareness among employees of the need to check any new programs or magnetic discs when they are entered into computers connected to AIS.

Conclusion
The study's aim is to identify the effect of risks associated with the use of computerized AIS (human risks, environmental risks, and viruses' risks) on external auditor's work quality in Yemen. The findings revealed a statistically significant effect of risks associated with the use of computerized AIS (human risks, environmental risks, and viruses' risks) on external auditor's work quality. However, the most influential risks affecting the quality of the external auditor's work quality were found to be human risks. The lowest influential were environmental risks. Regarding the human risks, the highest was "the risks of intentional entering of false data by users," and the lowest was "perform unauthorized operations on data such as add, delete, or modify." For the environmental risks, the highest was "the risks of deliberate disasters committed by people such as non-periodic maintenance of computers, data theft, and deliberate fires," and the lowest was "hardware malfunctions (due to humidity, heat, or water) and lack of alternative plans." Finally, for viruses' risks, the highest was "lack of awareness among employees of the need to check any new programs or magnetic discs before entering into computers connected to the system," and the lowest was "the entry of viruses into the system intentionally or unintentionally." The study adds to the literature as it is one of a few studies that focus on the risks of computerized AIS and their effect on the quality of external auditor work. In practice, it draws the attention of auditors and related parties to the risks of computerized AIS and its impact on the quality of the auditing work. The study recommends that more attention be paid to the auditing profession in Yemen in order to raise it to a decent level among other professions. It is also important that auditors should keep pace with the rapid developments in both their job and IT in order to meet society's needs. The employment of IT in the audit field helps build an electronic base for customers and select the audit sample more accurately (Chersan, 2019). Moreover, auditors' performance related to computerized AIS risks affecting the quality of their work and how to deal with such risks should be improved by means of conducting training courses. Additionally, auditors should seek to maintain a higher level of specialization in computerized IS auditing, including AIS, by participating in special seminars and training. This will add more experience to the auditors in their field of work and increase their qualifications.
This study has its limitations. The main limitation of this study is the sample size, where it was somehow small. Further research is required, especially relating to the risks of using IT and AIS and its impact on the external auditor's work quality, as there is a clear deficiency in this field, requiring more research and studies.