IMPACT OF THE ELECTRONIC INTERNAL AUDITING BASED ON IT GOVERNANCE TO REDUCE AUDITING RISK

This paper analysed the effect of electronic internal auditing (EIA) based on the Control Objectives for Information and Related Technologies (COBIT) framework. Organisations must implement an up-to-date accounting information system (AIS) capable of meeting their auditing requirements. Electronic audit risk (compliance assessment, control assurance, and risk assessment) is a development by Weidenmier and Ramamoorti (2006) to improve AIS. In order to fulfil the study's objectives, a questionnaire was prepared and distributed to a sample comprising 120 employees. The employees were financial managers, internal auditors, and workers involved in the company’s information security departments in the General Company for Electricity Distribution (GCBED) of Baghdad, owned by the Iraqi federal government. The Statistical Package for the Social Sciences (SPSS) software was employed to analyse the data and hypotheses. The study concluded that there is a substantial effect on the performance of EIA depending on the COBIT framework in reducing electronic audit risk in GCBED. According to the findings, additional research should be undertaken to improve efficiency, accounting control efficiency, and asset protection programs to lessen audit risk.


INTRODUCTION
For years, Middle Eastern governments such as Iraq have worked hard to eliminate corruption, safeguard integrity, and establish effective institutions for running the country's affairs (Abass et al., 2022). These countries realise that corruption can impede government reforms and investors' confidence. Some countries have successfully eliminated corruption through constitutional and legislative reforms and by joining the United Nations Convention against Corruption. In order to maintain public sector integrity, maintaining ongoing efforts to develop practical measures is necessary for proactively managing corruption risks, strengthening legal guarantees to solidify integrity controls on government spending, and strengthening accountability actors such as external and internal auditing and anti-corruption agencies (Noorullah et al., 2020; Al-Taee & Flayyih, 2022). The Organisation for Economic Cooperation and Development (OECD) asserts that transparent and responsible governments must have strong enterprise risk management (ERM) and independent internal audit operations (Nerantzidis et al., 2022).
According to Garven and Scarlata (2020), in the agency theory, the agent is just concerned with his or her self-interest. Hence, this considers the requirement for a steward who can address this problem. Thus, the stewardship idea is accepted as a way to explain how an auditor works with a corporation.
The security of electronic systems and the informative outputs have required embracing procedures and a broad knowledge base to manage information technology (IT) systems effectively. The electronic system accelerates the development of instructions and controls that maximise the benefits of IT. These metrics are primarily intended to protect system outputs from tampering. Therefore, organisations aim to apply IT governance frameworks to reduce agency problems (Al-Fatlawi et al., 2021). Control Objectives for Information and Related Technologies (COBIT) is considered among the models that provide controls through which the status of IT can be evaluated since COBIT is a tool for developing a control system and an internal reference that leads to the governance of the information system with best practices. This strategy is achieved through a model describing IT operations, control objectives, and measuring performance and results (Suryawan & Veronica, 2018). The smart IT environment can be captured by combining client relationships, auditing, management, and technology expertise (Alhawari et al., 2012).
Regardless of the fact that computer-aided audit techniques help auditors increase audit efficiency and effectiveness (Braun & Davis, 2003), the expected outcome of the electronic audit was inconclusive. Accordingly, the electronic audit is not without flaws. Studies undertaken in different environments (mostly from developing countries) reveal the lack of connection between electronic auditing and audit risks.
The impacts of digital transformation on businesses have been devastating in the past years. The present scenario is distinguished by the rapid evolution of innovation, which has had different effects on organisations than past technological revolutions. Notably, as a result of external pressure from rivals and regulators, many organisations have modified their management control systems to meet their business models (Pizzi et al., 2021). Buzz (2020) indicated that the electronic audit leads to incomplete results, as it is limited to assessing the efficiency of the internal control system without performing the main tasks of verifying the validity and legitimacy of the financial statements.
Internal control systems are needed to ensure the veracity of financial reporting and compliance with laws, rules, and policies to conserve public funds. The present study intends to achieve several objectives. First, the study aims to highlight the difficulties and obstacles experienced by internal auditors within the companies administered by the Iraqi federal government and solutions to solve them. Second, the study intends to examine the threats facing internal auditing in local government agencies administered by the federal government and their relevance to anti-corruption activities (Eulerich & Eulerich, 2020). Third, the present study aims to explain the illegal interventions of provincial council members in the work of internal auditing for investment projects' spending and their relationship to anti-corruption efforts, and finally, analysis of the effect of electronic internal auditing (EIA) based on the COBIT framework (Joshi et al., 2013).
Measuring the relationship between internal electronic auditing and audit risk has been a controversial subject in previous studies (Drogalas et al., 2017; Lois et al., 2020). These studies failed to reach definitive results regarding the nature of the relationship. The researchers of the present study attempt to bridge the gap created by previous studies and the extent to which the current study agrees with them or the points of difference in this regard. This research is consistent with several previous studies (Weidenmier & Ramamoorti, 2006; Moorthy et al., 2011; Lois et al., 2020; Flayyih et al., 2022). The present study's contribution is to employ the abilities of the COBIT framework in electronic auditing systems to reduce the risks of electronic auditing.
This paper is organised into several sections to explain the attainment of the objectives of the study. Section 1 is devoted to the introduction of the study. Section 2 addresses the literary reviews correlated with the current study. Section 3 is dedicated to the research methodology, and Section 4 discusses the findings. Finally, Section 5 concludes the study.

LITERATURE REVIEW
The significance of this study arises from the necessity of monitoring public expenditure and its impact on the federal budget and the role that internal auditors should play in government units in controlling government spending and avoiding wrongdoing of local government administrations. The study presents the most critical challenges faced by internal audit departments to draw decision-makers' attention to enhance their performance and enable them to carry out their jobs efficiently and effectively to protect public funds from corruption in the local government agencies administered by the federal government.
A company, classified as a part of the public sector, must not be owned or managed by the private sector. Rather, it must be established, managed, and funded by the federal government on the general public's behalf. The public sector comprises entities under the supervision of central and local governments. The public sector tries to deliver services to the public without charging or for a symbolic cost, as profit is not the primary motive. Alyaarubi et al. (2021) discovered that assessing success in the public sector can be challenging, although economic motives are absent, and intangible services are difficult to measure.
The Institute of Internal Auditors (IIA) Guidance 2011 specifies that the public sector comprises governments and all agencies and entities subject to public inspection or sponsored by the public sector. In addition, various organisations provide public goods and services (Jóhannesdóttir et al., 2018). Nevertheless, it is vital to set certain criteria to help define the idea of the public sector, which is larger than that of the government, since it is not necessarily clear whether any particular organisation should be classified under the government label. The primary government is at the core of the public sector, which includes public agencies and institutions. Around this ring is a grey region of publicly owned enterprises and government-funded contractors, which are excluded from the public sector (Narayanaswamy et al., 2019).
The public sector, which is part of the economy, comprises all levels of government and firms owned by the government and does not include private companies and volunteer groups. Instead of simply being an activity, public sector work encompasses all government ownership and control aspects, including the exercise of policy implementation and public power. The inner circle of the public sector is defined by the basic public service in central and local governments (Chiarini et al., 2021). The control over state property has been acknowledged since the Babylonian era, as stated in Article 6 of the Hammurabi Sharia. If a hand steals wealth belonging to a deity or palace, the individual and anyone who takes the stolen stuff is executed. Temples and palaces are considered public institutions, and their assets belong to the people who use them. Therefore, the punishment was harsh, amounting to the execution of everyone who stole the property of God. Some scholars argue that Article 6 of the Hammurabi Sharia is the first piece of legislation to implement control on public monies (Azzolini et al., 2019).
Liston-Heyes and Juillet (2020) explained that an internal audit is an independent evaluation function within an organisation to review activities as a service for all levels of management. As part of its role in ensuring that the organisation's resources are used efficiently, the internal audit unit is expected to conduct audits and verifications of the mechanisms utilised to safeguard and verify assets and report on their findings. Financial control focuses on cash flow, procurement procedures, and the responsibility of budget execution officials for current and capital spending. The purpose of an internal audit is to provide the management with a comprehensive picture of all the activities they have been responsible for overseeing. Internal audit units, whether in the public or private sector, are granted autonomous authority to assess compliance with the laws and regulations in place in the facility. The survival of any establishment depends on its successful use of financial and non-financial resources.
Internal auditing is defined by the IIA as an objective and independent activity that confirms the level of control through operations and makes suggestions for improving operations and adding value to the company. Internal auditing is an additional guarantee of adequate financial management in the public sector and is expected in every ministry and quasi-governmental body. Internal auditors will oversee the establishment's financial activities, undertaking a thorough assessment of accounting records to identify frauds and fix errors, if any (Ježovita et al., 2018).
According to the IIA, internal auditing is a consultative, objective, and independent activity that enhances the organisation's operations, adds value, and helps the organisation achieve its goals by offering a systematic and disciplined strategy for assessment and enhancement of the effectiveness of ERM, control, and governance processes. Management and the audit committee are informed by the internal audit activity that the organisation's risks are recognised and effectively handled. It acts as an internal consultant in a variety of fields. When it provides an appropriate and objective assurance and helps to improve the effectiveness and efficiency of control, governance, and ERM processes, internal audit also adds value to the business (Rikhardsson et al., 2019).
Auditing the government's financial statements is necessary to hold the government accountable to the public according to the audit findings. Ensuring transparency is also necessary when linking resources with programme results in government institutions such as departments of transportation, health and education, the military, and the police force. Internal auditing is tasked to ensure compliance with government regulations and procedures. The Federal Office of Financial Supervision for external auditing for the government checks the federal government departments in various regions and governorates unrelated to a region and their programmes (although internal audit officials audit their accounts). Internal auditing determines whether the laws, instructions, and infrastructure approved by the House of Representatives and the instructions issued by the federal ministries and local governments are properly followed. The audit determines whether plans are being implemented cost-effectively and efficiently and producing the desired results (Sinha & Arena, 2020).
Internal auditors must be equipped with the knowledge, abilities, and other competencies necessary to carry out their duties. The more effective internal auditors are, the more probable they will comprehend the causes, signs, and mitigation of managerial bias in accounting entitlements. Additionally, if management has reason to believe that the competent International Accreditation Forum (IAF) is closely examining its accounting decisions, it will be less motivated to control profits aggressively. The Statement on Auditing Standards No. 128 (SAS 128) stated that the external auditor should consider many specific aspects of the examination.
The executive management in the public sector is responsible for establishing and maintaining strong internal control in the government system. The management must have reasonable assurances that the internal control system can prevent or discover any large inaccurate transactions. Alternatively, the extent of government internal audit activity significantly impacts the complexity of the internal control system (Jóhannesdóttir et al., 2018). Good internal control systems guarantee that organisational goals and objectives are attained. The supplementary policy statement on the internal audit function and outsourcing issued by the Board of Governors of the US Federal Reserve System in 2003 underlines the necessity for such a system. In order to ensure that the facility complies with all applicable laws, regulations, policies, and plans, the internal audit should detect significant overall control concerns as part of the compliance assessment processes and determine the effect of these problems overall on the business risk profile. Additional audit coverage of the business activities that pose the greatest risk to the company is anticipated (Mexmonov & Temirkhanova, 2020).
Internal control was described by the American Institute of Certified Public Accountants (AICPA) as a plan, means, and other coordinated techniques by the institution to maintain its assets and check the confidentiality and trustworthiness of data to boost its effectiveness and assure stable management policies (Mohammed et al., 2021). Nevertheless, the definition of the term "control" has evolved over time. As of today, a wide range of notions refer to the institution's internal control system as a means of ensuring asset integrity and growth. In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed the COSO model, which dealt with the principles of risk and internal control. The idea of internal control covered accounting errors and ways of preventing them and included areas of management and other control procedures (Mervelito et al., 2021). Developing the professional competence of auditors in the Middle East and North Africa depends on the validation of competencies by professional bodies and other initiatives aimed at skill development. Specific procedures are needed to solve the challenges of excessive personnel turnover and lack of technical skills and expertise in audit methods in some countries. In addition to the requirement for specific recruitment processes and attractive compensation schemes for observers and auditors in the public sector, internal auditors must retain essential professional skills and abilities and give career prospects. Thus, internal auditors must keep updated with the latest developments and adapt international auditing standards and techniques to match local norms (Vasile & Croitoru, 2019).
This requirement is particularly significant in areas where professional judgment is critical, such as performance audits that focus on economics and efficiency, the effectiveness of government policies and programmes that identify deviations from specified targets, and detecting fraud and corruption concerns (Organisation for Economic Cooperation and Development [OECD], 2017). Recognising that internal control and audit are not always stand-alone management instruments is vital, and they can only be effective to the extent that accounting and governance systems work. Organisational governance changes such as strategic planning, accounting, budgeting, a medium-term spending framework (such as capital expenditures), procurement and reporting, external auditing, public debt management, and asset management must be integrated with internal control and audit functions (Demeke et al., 2020).
Different forms of the public sector can be found in the business world. No market economy exists except in the public sector since the evolution of events related to this field. The internal control over the operations of public institutions has changed as a result of the change from the command economy to the market economy. The internal auditor is part of the management team that differs from the external auditors from outside the organisation. The management has developed an independent evaluation department to examine the internal control system. As a result, internal auditors must be staffed with appropriately trained and budgeted individuals who are all independent of one another.
The government machinery implements the state's general budget in all state departments, whether the current or investment budget and is backed by the general budget instructions provided by the finance ministry once the budget is passed. According to Prawitt et al. (2009), government organisations in Iraq that rely on the federal general budget for current and investment expenditures have the right to open current accounts with government banks to deposit funds allocated to local governments, sovereign ministries, and their subordinate units after receiving approval from the finance ministry. The internal audit is in charge of the pre-disbursement audit, which ensures that expenditures are spent according to approved allocations, accurate monthly and final audit balances are maintained, and records are retained regularly (Soh et al., 2021).
Government units must open current and investment accounts, income, and trusts for centrally supported governments, whether local governments or federal ministries. The Accounting Department of the Monetary Affairs Department provides the funding for the current and investment accounts of the main units. The main units fund the sub-units according to the branches' present system. The sub-units transmit their accounts to the main unit to issue the consolidated monthly account and send it to the accounting department to unify it with the state's monthly account (Baldacchino et al., 2021).
Budget openness is a necessary but not a sufficient prerequisite to achieving better accountability of government authority. While the legal framework establishes the overall budget and accountability frameworks, the capacity of stakeholders to hold the government accountable for attaining policy aims might be constrained by the limited engagement of the cabinet in examining and approving budget standards. The legislatures relatively restrict emphasis during budget deliberations on how closely budget allocations are related to government programmes. Translating budget openness into accountability for engagement in the budget process requires and involves emphasising priorities to ensure that the budget represents local needs and preferences besides participation in monitoring and assessment (Ghanim & Al Fatlawi, 2018).
Financial and administrative corruption is linked to the development of mechanisms and tools for monitoring and auditing its mission, examination, and auditing. Protecting money from tampering, embezzlement, and theft is not a simple matter but rather requires gathering large armies from all state and society institutions and appropriate accounting systems characterised by accurate accounting control. Internal auditing is a crucial component that aids in distributing available resources with the greatest possible efficiency and is a useful instrument to lessen the manifestations of corruption and accomplish economic progress according to current views and trends. The financial statistics and reports that are customarily examined conceal excess and inadequacy, which might prevent limited resources from being dispersed wisely and impede the achievement of economic units and state objectives. Iraq is one of the countries that suffered from financial and administrative corruption (FAC) in the public sector, notably in local governments within the governorates, as a result of its overall budgets from 2003 until the present (Oriakhi, 2020). Thus, the following hypothesis can be formulated:
H1: There is a statistically significant effect between the relationship between EIA (compliance assessment, control assurance, and risk assessment) and reduced risk auditing.

Sample
In order to ensure reliability, the questionnaire was administered to a broad group of staff in companies administered by the Iraqi federal government. This group numbered 200 employees in the General Company for Electricity Distribution (GCBED) of Baghdad. The analysis was based on the 120 employees who responded.

The method of measuring variables
The widespread use of IT in organisations aligns with the trend toward applying the COBIT framework in information security. Thus, the internal audit functions are required to use appropriate technology to increase their efficiency and effectiveness and face and mitigate the risks. Research questions related to IT were employed, and an internal audit framework developed by Weidenmier and Ramamoorti (2006) was used as a reference. The questions for this study were developed by including three activities related to IT governance under the COBIT framework. These queries are implemented by multiple departments at the company level, including the internal control department. The electronic internal audit function under the COBIT framework includes three main activities (compliance assessment, control assurance, and risk assessment). The relationship between electronic auditing and the risk-based internal audit environment by Weidenmier and Ramamoorti (2006) is shown in the figure below. The questionnaire included two variables. The first is the independent variable, the EIA, which includes three dimensions (compliance assessment, control assurance, and risk assessment). Risk auditing was a dependent variable. The five-point Likert scale, which is an ordinal scale ranging from 1 to 5 (agree completely = 5, agreed = 4, neutral = 3, disagree = 2, disagree at all = 1), was used. The Statistical Package for the Social Sciences (SPSS) was employed to gather the findings.
Table 1 presents the results of the descriptive analysis and hypothesis testing. The EIA at GCBED was found to have a high relative value from respondents in a descriptive study. Control assurance was the most important dimension, followed by compliance assessment and risk assessment. Moreover, all dimensions are of considerable importance. Descriptive statistics revealed a general consensus among participants that the GCBED was a viable option. The β-factor for the risk assessment was only 0.25.
Thus, any increase in the risk assessment will positively affect the audit risk by 34%. Moreover, the value of the β-factor was only -0.10 for the compliance assessment dimension, implying that any increase in compliance assessment will negatively affect the audit risk by 10% in reverse order. The calculated f-value was 19.4, which is greater than the tabular f-value of 4.19. The findings indicated that the electronic audit affects the audit risk. The significance of the model parameter was statistically complete for both control assurance and risk assessment because it is less than the significance level of 0.05. These findings contradict the compliance assessment dimension.

CONCLUSION
Despite the increasing reliance on technology to accomplish and support all audit activities today, one of the limitations of the research can be identified by noting the lack of a general model for technology tools for all companies. Studies such as those by Moorthy et al. (2011) emphasise that this limitation is common in the normative literature. One of the important research questions is how to integrate emerging technology risks for shaping business controls and audit methods and techniques. One of the determinants of the current study is state-owned companies, which are facing the problem of the inability to provide funds to contract companies specialised in applying the framework of modern auditing over information security, including the COBIT framework. The implementation of the framework requires contracting with organisations specialised in the application of this framework.
The benefit of COBIT contributes to assisting the audit in reducing the risks that may be exposed due to information insecurity in light of adopting electronic systems. Moreover, the results show that electronic audit risks impact risk audits. Nevertheless, the impact of the e-audit subbranches is different. The findings of this study support the findings of several studies in different environments that were previously covered in the study's introduction. The findings show the effect of electronic auditing in reducing audit risks in general, while on the variable level, they showed a discrepancy in the amount of impact.