With the growing role of information technology (IT), many organizations have incorporated IT governance practices that include keeping executives apprised of IT risks. To perform this function, organizations rely upon their internal audit staff to obtain an independent evaluation of IT risks. Although both general and IT auditors are involved in assessing IT risks, they may not be equally adept at identifying such risks. We draw on the expert versus nonexpert perspective to understand how general and IT auditors perceive IT risks differently. Through a quasi experiment with 70 internal auditors of a financial institution, we found that general auditors perceived IT risks to be lower than their IT audit colleagues. We also found that personal IT risk preferences influenced the level of IT risks that general auditors perceived. Personal IT risk preferences did not affect the risk perceptions of IT auditors. Implications for both research and practice are discussed.

You do not currently have access to this content.