With the growing role of Information Technology (IT), many organizations have incorporated IT governance practices that include keeping executives apprised of IT risks. To perform this function, organizations rely upon their internal audit staff to obtain an independent evaluation of IT risks. While both general auditors and IT auditors are involved in assessing IT risks, they may not be equally adept at identifying such risks.  We draw on the expert vs non-expert perspective to understand how general auditors and IT auditors perceive IT risks differently. Through a quasi-experiment with 70 internal auditors of a financial institution, we found that general auditors perceived IT risks to be lower than their IT audit colleagues. We also found that personal risk preferences influenced the level of IT risks that general auditors perceived. Personal risk preferences did not affect the risk perceptions of IT auditors. Implications for both research and practice are discussed.

This content is only available via PDF.
You do not currently have access to this content.