Skip to article sections
Purpose

Information technology (IT) has changed the ways in which state agencies operate in Vietnam. IT audit is a new part of the processes at the State Audit Office in Vietnam, in the wake of both the Viet A corruption scandal and the Vietcombank misstatements case. This exploratory study aims to investigate state auditors’ perceptions related to IT audit in the State Audit Office in Vietnam, focusing on the role that IT audits play in preventing or detecting similar issues to those two cases.

Design/methodology/approach

We analyse the perceptions of 22 auditors from the State Audit Office of Vietnam. These 22 auditors participated in semi-structured interviews, and we used the theoretical lens of regulatory spaces in public audits to interpret the data collected.

Findings

The results indicate that the IT audit is becoming more relied upon in the State Audit Office of Vietnam after the corruption findings related to Viet A and misstatements in the IT systems of Vietcombank. We find, overall, that more e-services are being provided by government agencies and state-owned enterprises, making IT audits more crucial, given the issues from those two cases. Based on the perceptions of our 22 interviewees, the IT audit at present plays a pivotal role in the public sector of Vietnam. However, there are several challenges auditors currently face in terms of limitations of human resources, infrastructure and audit regulations.

Originality/value

The findings of this research may benefit various interested stakeholders, such as regulators, and academic researchers. We discuss how the technology that has emerged in public audits has affected the regulatory space.

Information technology (IT) audit, as defined by Pathak (2005), is the process of gathering and evaluating data to determine whether an information system: protects resources; upholds data integrity; successfully accomplishes organizational objectives and uses resources wisely. The primary goals of an IT audit (Pathak, 2005) are to: evaluate operational control adequacy; verify legal and regulatory compliance; determine how well-accounted for and safeguarded the corporate information system sources are; verify the accuracy and comprehensiveness of the information system; suggest different internal controls to ensure data integrity in the information system; and evaluate the efficacy and efficiency of the hardware and software used by the businesses for information and communication technology.

In general, the widespread use of IT in the public and private sectors has presented several opportunities as well as concerns about information security, confidentiality, dependability and integrity (Beridze, 2017). Therefore, to successfully execute audits, it is currently necessary to establish new audit methods and IT audits. Meanwhile, the dynamic between citizens and governments in government domains is changing because of the integration of e-business tools and practices into government organizations (Beridze, 2017). Governments are evolving as an increasing number of them move to provide services and information online. IT auditors must therefore ensure that systems are appropriately maintained, secured and functioning as intended. IT audit has thus become more important in recent years.

The increasing impact of IT on enterprises and society has led to an increased requirement for IT audits in Vietnam (Beridze, 2017), particularly in Vietnam’s public sector in the wake of the corruption findings related to Viet A and misstatements in the IT systems of Vietcombank. This impact is important considering Vietnamese efforts toward anti-corruption through improvements to accounting transparency, public integrity and accountability, with Vietnam being perceived to have relatively high levels of corruption compared with other parts of the world (Transparency International, 2023). This is evident by the low score on the Corruption Perceptions Index of 41 out of 100, meaning Vietnam has relatively high levels of corruption compared to most other countries in the world (Transparency International, 2023).

The state-controlled Vietcombank was implicated in several financial and accounting scandals over the last 12 years, including illegal lending practices and corruption among its employees, leading to millions of dollars in losses for the bank and misstatements impacting its financial records. The Viet A scandal was a bribery and corruption scandal that arose during the COVID-19 pandemic in Vietnam, in late 2021, leading to a wider crackdown on corruption in Vietnam and contributing to several senior Government ministers being removed and the resignation of Vietnam’s President in 2023. The IT audit business in Vietnam is still relatively new and mostly dominated by Big Four firms. On 14 December 2021, the director of the State Audit Office of Vietnam signed Decision No. 2076/QD-KTNN, which was titled, “Issuing the decision for guiding information technology audits. The State Audit Office of Vietnam, audit teams and audit team members are subject to guidelines that govern the quality of IT audits that they conduct. They also ensure that IT audit operations are planned, carried out and managed consistently. This guidance was thus expected to help auditors enhance the quality of IT audits in Vietnam (Nguyen et al., 2020).

Recent studies have demonstrated the importance of IT audits to businesses and have called for more research on this topic (Stoel et al., 2012). However, despite increased interest in the issue, there is relatively little research on the Vietnamese context. This exploratory study therefore investigates how IT audits are currently performed by the State Audit Office of Vietnam, and challenges of these audits, considering the issues related to the two scandals involving Viet A and Vietcombank. We contribute to the auditing literature by considering a developing country, Vietnam, and by investigating the socio-political environment of Vietnam, within the public sector. This provides new angles on the developments already captured in the extant audit literature and the reported challenges for the profession (Kend and Nguyen, 2020, 2022; Alsaif et al., 2025). The two scandals, mentioned above, motivating this study and the growing importance of IT audits in Vietnam, represent an opportunity to ground our analysis in a more context-specific narrative. The Viet A corruption scandal and the Vietcombank misstatements are motivators for the growing importance of IT audits. These specific events help the study to focus on how IT audits may prevent or detect similar issues in the future, leading to practical implications for public audits.

Andon et al. (2015) identify public audit as a new audit space that coalesces around four themes of the mediating roles of auditing: professional accreditation and institutionalised capital, independence, reporting and reorientation. Comparatively less is known about new audit spaces in relation to institutions and practices of the contemporary public sector and their regulatory spaces (Free et al., 2020). As Canning and O’Dwyer (2013, p. 173) observe, “A regulatory space is an abstract conceptual space constructed by people, organizations and events acting together upon a set of specific regulatory issues subject to public decisions.” Auditors have sought to expand the regulatory space of audit into other domains using various strategies to legitimate their work (Andon et al., 2014). As we argue in this study, based on its findings, IT audits in the public sector are one of the new regulatory spaces. As stated by Ferry and Ahrens (2022, p. 377), “Public audit has come in for increased criticism, for example concerning its failure to highlight the financial sustainability, financial resilience, and performance problems in governments and public organisations.” We thus contribute to understanding of regulation and the notion of the regulatory space, how this can be extended through research on new audit spaces, including public audit, and why this is important for regulating the public sector in Vietnam, given the increasing needs for IT audit because of corruption concerns and reduced public trust in the Vietnamese public sector.

The remainder of this study is structured as follows. The next section provides a literature review. Then the case study background and research methodology are presented, followed by the findings and discussion and, finally, the conclusion.

The research area of focus in this study, technologically driven audits, is still in its initial phase, without a solid theoretical basis (Agusti and Orta-Perez, 2022; Barr-Pulliam et al., 2022). Although the calls for further research have been responded to by some recent studies (e.g. Salijeni et al., 2019; Kend and Nguyen, 2022), such research has focused on more technologically advanced, developed countries such as the United Kingdom and Australia. Developing countries have largely been overlooked by this emerging research in accounting and auditing; yet these countries face distinct issues that developed countries do not regularly encounter, if at all (Nguyen et al., 2024).

Nkwe (2011) researched the state of IT audits in Botswana. Using a qualitative approach, their study examines the rate of IT adoption, its difficulties and achievements of IT auditing, and how IT has transformed auditing in Botswana. The findings demonstrate that, while Botswana has an encouraging degree of IT auditing adoption, few companies have implemented this new specialisation into their policies and frameworks. Large auditing firms in Botswana have established new departments responsible for IT audits, but most of these units are small and lack skilled staff, which has a detrimental effect on the expansion of IT auditing. Nkwe (2011) argues that IT audits are something that auditing firms should take seriously and devote sufficient resources to, including technology and subject matter specialists, and that professional bodies should advocate for the implementation of IT auditing.

Akbar and Suraida (2017) aim to ascertain how the professional care and competence of external auditors affect IT auditing in public accounting firms located in Bandung. In their study, primary data were used in conjunction with a survey strategy that combined a descriptive and verification approach. Professional care is found to have an impact on the IT audit, whereas competence had no influence at all. Stated differently, the simultaneous influence of competence and due professional care on IT audit was found to be accounting for 54.7% of the variation from the mean, whereas other variables included in the study, such as independence, software usage auditing and performance auditing, accounted for 45.3% of the variation. Asniarti and Muda (2018) sought to ascertain how computer-assisted audit tools (CAATs) affect the operational review of IT audits conducted by public accounting firms in Medan city. The population of their study sample, determined by purposive sampling, was limited to auditors of public accounting firms in Medan who were registered with the financial services authority and had authorization to perform examinations in the banking industry, and they employed questionnaire and basic regression analysis methods. Their study finds that operational review of IT audits benefits from the use of CAATs, suggesting that, with the better use of CAATs in audit activities, the quality of operational review of IT audit is increasing.

Prior research on IT audits has mostly concentrated on the variables influencing the quality of IT audits. Havelka and Merhout (2007) identify variables that could affect the IT audit procedure and create a model that can be applied to enhance the calibre of the process. Using focus groups of internal auditors at one large healthcare products and services company, they identify factors rated as critical by one or more of these groups and develop a first draft of a quality model. According to their findings, the following aspects can have an impact on the quality of an IT audit: (1) client factors; (2) target process or system factors; (3) IT audit personnel factors; (4) IT audit organization factors and (5) audit procedures or methodology factors. Stoel et al. (2012) created a survey instrument and asked professionals in financial accounting and IT to evaluate factors that affect the quality of IT audits. Their research provides insights into the prioritized influence of each component on IT audit quality by using factor analysis to refine the list of IT audit quality factors identified, showing that additional criteria are significant for IT audit quality, compared to previous studies, and that the proportional importance of the determinants for IT audit quality varies between IT and finance auditors. Independence and business process knowledge are two of the characteristics shown to have the biggest impact on IT audit quality, accounting for the most variance in factor analysis.

Stoel and Havelka (2020) examined the main elements influencing IT audit quality (ITAQ) with an emphasis on organizational and individual auditor aspects. Their study makes use of a variety of methodologies to comprehend how professionals generally see ITAQ and the outcomes of audits. The findings imply that the participants' perceptions differed on the importance of IT audit quality factors and those of IT audit experience. Participants’ general perceptions indicated the most important factors for ITAQ as being auditors’ knowledge and abilities, particularly their understanding of IT and business processes.

However, there is little research worldwide on IT audits focusing on State Audit Offices. Beridze (2017) uses a thorough literature analysis to define IT audit and investigate how IT audit functions in Georgia’s public sector, offering a comprehensive explanation of the experiences of those working in Georgia’s State Audit Office. The findings demonstrate the growing significance of IT in the efficient and successful delivery of services to both the public sectors. In examining the difficulties associated with conducting IT audits, the study suggests future paths for their advancement in the public sector. IT audits are starting to be issues for concerns for practitioners, lawmakers and academics. In general, Georgia lacks qualified employees. IT auditors should also have access to the necessary resources and technological infrastructure. The public sector requires the development and improvement of IT audit, both in terms of qualification and performance, as demonstrated by the analysis and studies conducted to evaluate actual problems in the sector.

Ferry et al. (2023a) compare the audit and accountability arrangements of supreme audit institutions (SAIs) internationally. They aim to build on a theorisation of the regulatory space, extended by new audit spaces of public audit. Their results show that there is diversity in the organization, capacities and scope of SAIs, but also an opportunity for recognizing the positive potential of the International Organization of Supreme Audit Institutions (INTOSAI). They state that “a comprehensive comparison of regulatory space for public audit and accountability arrangements of SAIs internationally could afford important and significant insights for future voice(s) of accountability” (p. 435).

Austin et al. (2021) examine how interaction with data analytics impacts the diffusion of the financial reporting environment. They respond to calls (Gepp et al., 2018) to investigate the dynamic interactions between data analytics technology and the major players within the financial reporting environment, by interviewing 55 professionals, including company managers (i.e. CFOs and controllers) and their respective auditors, accounting regulators and data analytics experts. Their study finds that there has been a shift in auditors’ client service strategy, one that could potentially threaten auditor independence and audit quality. Other studies (e.g. Kend and Nguyen, 2022) document the lack of accounting regulation related to data analytics, which causes confusion and frustration to auditors and managers, in the Western context. This issue could be a challenge for Vietnam also. However, in the Vietnamese regulation context, the rules and regulations are currently out of date and not updated as per IFRS, which makes the context more complicated than in the Western case; thus, the challenges faced by the Vietnamese auditors, audit clients and the public sector may be more severe.

The number of studies on IT audit conducted in Vietnam is limited. Nguyen et al. (2020) investigate auditors, auditing companies, and other outside variables, in terms of their impact on Vietnam’s IT audit quality, using surveys as well as direct data collection methods. Their findings indicate that the most crucial elements are independence, accounting expertise, and auditing abilities. In addition, independence is crucial because external auditors provide a wide range of assurance services. Their study’s findings also demonstrate the necessity for auditors to possess a sufficient level of professional and competent abilities when conducting audits, particularly in an IT setting where high standards are required.

Studies on the emergence of new or existing audit spaces contribute to accounting literature by offering a window into the social construction of auditor expertise (Andon et al., 2014, 2015). Coerced by new audit regulations, within a profession that inevitably has faced instability, all types of auditors are trying new ways to deliver the audit service traditionally demanded by society (Andon et al., 2015). Our study responds to calls for a more in-depth examination of how new auditing practices are translated into existing audit spaces (Andon et al., 2015), by considering these recent technological developments in public audit in Vietnam.

The existence of internal technologies and changes in the audit environment are what produce audit practice changes (Robson et al., 2007). Emerging technologies have been viewed by many scholars and practitioners as a threat to the status quo of the audit profession, and with that, there is the potential creation of audit risks (Kend and Nguyen, 2022). Gaining insights on the movement of new auditing ideas into existing public audit spaces could prove valuable in analysing how emerging technologies are starting to be embedded into public audit (Houghton et al., 2010), which can then circulate into existing audit spaces (Andon et al., 2014).

There may be junctures where new intersections between auditing and other fields demand change and adaptability if auditors are to mount successful jurisdictional claims for new audit services that emerge (Andon et al., 2015). As new audit spaces continue to emerge, conventional rules and logics of practice that characterise public audit practice will become more distant. Thus, establishing the legitimacy of assurance services in new spaces requires certain bridging activities – strategic actions and institutional work – that embed and legitimize assurance practices in novel ways (Andon et al., 2014). Ferry and Ahrens (2022) draw on the notion of regulatory space as extended through new audit spaces that specifically include public audit: “The potential for scope in audit to become what it was not affords reorientations for the nature of the audit role in the public sector as a new audit space” (p. 380). Their study reports that the regulatory space has been dependent on audit arrangements embracing institutions and practices reliant on the organising or fragmenting nature of the audit space. The nature of the audit role has changed over time through an extension to differing degrees of audit activities and processes.

Our contribution surrounds the discussion about how IT has affected the regulatory space in public audit. Indeed, only recently have studies of regulatory space and new audit spaces been undertaken for public services, and then this is especially at the local government level (Ferry et al., 2023a). We thus use an exploration of two key events in the Vietnam context, the Viet A corruption scandal and Vietcombank misstatements, as an opportunity to ground analysis in a more context-specific narrative.

The State Audit Office of Vietnam was officially established on 11 July 1994, under Decree 70/CP of the Government of Vietnam, with the function of certifying the correctness and the reasonableness of accounting documents, data reports of state agencies, and non-business units. Since the Law on State Audit took effect on 1 January 2006, the State Audit Office of Vietnam currently belongs to the National Assembly. The Constitution of the Socialist Republic of Vietnam, which was approved at the 6th session, the 13th National Assembly on 28 November 2013, established the legal status of the State Audit. According to the Constitution, the State Audit is an agency established by the National Assembly, operating independently and only obeying the law, which audits public finance and public property in Vietnam.

According to Decree No 63/QD-KTNN on 18 January 2021, the Information Technology Auditing Department in the State Audit Office of Vietnam has the functions and duties of conducting IT audits and applying IT audits in audit activities of the State Audit Office of Vietnam. Decision No. 1934/QD-KTNN in 2021 promulgates a set of criteria and methods to assess the level of IT application of the State Audit and to promote the application of IT in audit activities in the State Audit Office of Vietnam. The criteria properly assess the current situation and the level of IT applications to offer appropriate solutions. In addition, current IT audit guidelines are generally described in the financial statement audit process. Along with this, the State Audit Office of Vietnam has developed audit software to be applied in the audit process at state-owned commercial banks. On 14 December 2021, the State Auditor General issued Decision No 2076/QD-KTNN on “Issuing the guidelines of the information technology audit”. These guidelines ensure consistency in the organization, implementation and management of IT audit activities, and the quality control of IT audits of the State Audit Office of Vietnam, audit teams, and members of the audit team. The guidelines are the basis for the development of textbooks and training materials for IT audit in the State Audit Office of Vietnam. The main contents of IT audit under the guidelines include: (1) implement IT audit according to the audit process of the State Audit; (2) audit in the IT environment; (3) detailed instructions on several sample IT audit programs and (4) IT audit documentation. IT audit is often combined with the audit of other areas of the State Audit Office of Vietnam, such as financial audit, compliance audit and operational audit.

In Vietnam, the Auditing Standard No 401, “Auditing in the Information Technology Environment”, provides guidance on procedures to be followed when an audit is conducted in a computer information systems environment. However, this auditing standard is adopted for independent external audits, not public sector audits, thus this regulatory space is yet to be fully captured.

The present study has gathered and analysed data using a qualitative methodology. Techniques for gathering data from various sources for this study include secondary documents from additional sources and semi-structured interviews (Kvale and Brinkmann, 2009). During the interviews, respondents were free to voice their opinions and use their own language (Kvale, 1996). In-depth interviews were employed to collect data for this study for three key reasons. Firstly, the researchers could pose a series of questions designed to elicit information for a certain objective. Secondly, by employing a method of in-depth inquiry, the researchers could effectively moderate the conversation. Finally, according to Hecimovic et al. (2009), an in-depth interview encourages participants to divulge as much information as they can in an informal context. To have a complete grasp of the topic, the researchers can clarify the answers or request examples (Wahyuni, 2012). By offering information and context to elucidate differing opinions and interpretations of events, an in-depth interview seeks to gain further in-depth knowledge (Holstein and Gubrium, 2002). Semi-structured interviews with 22 auditors from the State Audit Office of Vietnam were thus conducted in late 2023 to investigate their perceptions. Table 1 contains background information about the 22 participants, including years of experience, age and position. The intended questions for each interview were developed from a variety of sources such as through a review of the relevant literature, the researchers’ own expertise and experience working in the Ministry of Finance (MoF), and extensive pilot testing involving retired auditors and accounting academics (see  Appendix).

Websites and published papers or reports in Vietnamese were used as additional information sources for this investigation; for example, public sector websites such as https://mof.gov.vn, https://tapchicongthuong.vn and https://kpmg.com/vn/vi/home.html were used. Qualitative, thematic analysis, by following Hayfield et al. (2017) was conducted, comprising the following phases: getting to know the data; generating some basic codes; searching for themes; evaluating themes; defining, and labelling themes; and creating our findings report. Thematic analysis is used to arrive at and validate conclusions (Boyatzis, 1998). Prior to the commencement of the interviews in this study, broad codes pertaining to the research themes were developed, and these codes were refined over the course of the interviews. We enhanced the traceability and verification of the analysis by using this method to code interviews from the start. To characterize and organize the results of the respondents, coding the qualitative data requires compiling a list of themes and patterns that causally connect themes. To avoid presenting untrustworthy data, it is crucial to incorporate evidence that validates patterns and to be open to information that contradicts them when creating the analysis and conclusions. Following Boyatzis’s (1998) advice, we simultaneously used memo-writing, diagramming and coding techniques during the data collection phase.

NVivo 20 software was used to facilitate the data analysis procedure. Through the identification of textual patterns from the transcriptions of several interviews, the authors were able to draw conclusions from the data’s themes and trends by utilizing this software. Moreover, we reviewed themes or patterns and ensured that all information classified in a specific code was accurately classified. For the information in each code, we reclassified this information to sub-codes that address one sub-issue under the main issue. We then classified all sub-areas based on dimensions relevant to audit and regulatory spaces. Finally, we produced a summary report for the findings. The findings report produced from the data analysis of interviews was used to draw and verify the conclusions. In addition to the more unique findings, we also considered whether any findings are consistent with previous studies and discussed this further among ourselves.

The IT audit represents a new era for the State Audit Office of Vietnam. After the corruption and bribery scandal from the Viet A case and the misstatements discovered in Vietcombank IT systems, the State Audit Office of Vietnam is currently more concerned with IT audits and their implementation. The IT audit is conducted independently or combined with other audit engagements (financial, compliance and operational audits) within this new audit space. The results from our interviews indicate that most public agencies no longer manage accounts manually, so that the IT audit has become essential, as the following interview excerpt reveals:

Theoretically, I know that a detailed IT audit will increase the audit cost significantly and the process is also very complicated. However, all transactions have been recorded and controlled mostly on the IT system. Thus, an IT audit is an essential part of a financial statement audit.

Auditors confirmed that most public agencies have transformed operations into digital systems. In the era of digital transformation, IT systems are becoming more complex as well as potentially risky. Thus, auditors are required to understand the agencies' IT system to fully understand the agencies themselves. Contemporary public sector and their regulatory spaces at present encompass these new and more complex digital systems and operations; thus, auditors currently face increased challenges to better understand these public sector agencies.

In the process of auditing, instead of performing substantive procedures to collect evidence to support the assertion that there are no material misstatements, performing an IT audit would help auditors to reduce a significant amount of their workload. The following interview excerpt explains further:

I find IT audits to be quite important in audits. If the auditor discovers problematic IT system controls and business process controls, he or she can quickly decide to perform additional procedures on potentially material erroneous items.

Furthermore, performing an IT audit is essential because errors are inevitable in the operation process. Therefore, an IT audit means to evaluate the internal controls of auditees to minimize the risk of damage due to errors, fraud and other acts or incidents that make system downtime materially affect the financial statements. As an auditor explained:

Basically, from personal computers or laptops to IT systems, there are inherent risks. As the demand for computer equipment is increasing, the potential demand for document storage systems increases greatly and the risk of cybersecurity attacks also increases significantly. We need IT audits.

Overall, the role of the IT audit is changing in Vietnam due to the transitions to e-services in public agencies, and the concerns after the corruption of the Viet A case and the misstatements related to Vietcombank IT systems. Related to theoretical framing, we have seen important changes to the audit environment and the creation of new audit spaces. The results of our study thus far are consistent with the results of Beridze (2017) and Aditya et al. (2018). Beridze (2017) concluded that it is necessary to develop IT audits in the public sector, while Aditya et al. (2018) concluded that digital transformation has opened new opportunities for IT audits to play a greater role in contributing positively to government agencies. Table 2 presents a summary of these findings, and those below, explicitly linking each finding to the relevant sections in the literature review and the theoretical framework.

According to Xuan (2019), since 2015 the State Audit Office of Vietnam has developed a number of CAATs for audits of large banks, such as Joint Stock Commercial Bank for Foreign Trade of Vietnam (Vietcombank), Joint Stock Commercial Bank for Industry and Trade of Vietnam (Vietinbank), Bank for Investment and Development of Vietnam (BIDV), that have assisted their auditors to easily check the accuracy of credit classifications, determine the cost of risk provisions and analyse transactions including big data sets. The audit results for financial statements incorporating IT audits of three commercial banks have been shown to be useful, with the total number of recommendations for financial settlement increasing by 59% in 2016 compared to the previous year. In 2016, the first independent IT audit related to Vietcombank's 2015 financial statements had significant results, recommending a financial adjustment of VND 394 billion for risk provisions. The interest cost due to faulty software systems was 516 billion dong. In 2018, the State Audit Office of Vietnam continued to conduct two audit engagements of the IT system related to state budget revenue at the General Department of Taxation and the General Department of Customs. Through this audit, the State Audit Office of Vietnam comprehensively assessed the risks in tax management activities through IT system application. For these two audits, the State Audit had access to huge amounts of data on state budget revenue nationwide. The State Audit Office of Vietnam thus discovered many errors in tax administration, including handling state budget revenues at the General Department of Taxation of 37.8 billion VND, and recovering a tax fine amount of 371 billion VND. At the General Department of Customs, the state auditors recovered fines for late tax payment and handling the wrong flow of customs goods of more than 700 billion VND.

When considering the State Audit Office of Vietnam’s responses, the political nature of audit regulatory processes, or what happens when auditors and regulators claim to work in the name of the public interest, must be considered, as well as how public audits and auditing regulations help to define and/or translate matters of social concern (Malsch and Gendron, 2011). Patterns of influence and resistance are likely to be more salient in turbulent times, and undoubtedly the Viet A and Vietcombank scandals represent a turbulent time in Vietnam’s financial or economic history. Public sector auditing in Vietnam is under increasing public scrutiny and political pressure, especially following crises that challenge public finances, including at state and local level. In line with prior research (Ferry et al., 2023a), the resilience of public sector audit arrangements at the international level and at national central, state, regional and local levels continues to be challenged (Ferry et al., 2023b).

Auditors at the State Audit Office of Vietnam have conducted two types of IT audit: IT audits are conducted separately, or together with other audit engagements (financial audit, compliance audit and operational audit):

Auditors in other departments perform the audit and ask for an IT auditor from the information technology audit department to support the audit, for example, financial statement audit, operational audit, compliance audit.

If the IT audit is implemented together with other types of audits, for example in addition to the financial statement audit members, the team will include the IT audit specialists. The IT auditors will work with the financial auditors as a team at all stages of the audit engagement, including the (1) planning stage, (2) fieldwork stage and (3) audit report stage. Related to regulatory spaces, this represents changes at the organizational level:

The IT auditors are part of the audit team. The number of IT members involved in an audit engagement will depend on the complexity and high or low-risk ratio of the client's IT systems.

The authors of this study also note from the interviews that the scope of the audited IT system is directly related to the auditees' transaction processes, which thus requires the IT auditor to have both financial and accounting knowledge and knowledge of various IT systems. In addition, the authors also note that the results of the IT audit process will directly affect the whole audit process:

During the audit, if the IT auditors team discovers that any control is not effective leading to unreliable information in the system, we will immediately discuss it with the financial audit team so that they can design more substantive procedures to cover risks related.

If the IT audit is conducted separately, this mainly involves the audit of State Banks, Commercial Banks and other state agencies and audit of IT projects in the Vietnamese government. During the time of the Viet A and Vietcombank scandals, the IT audits had yet to be implemented in that manner. Within these crises, the public sector had often acted as the residual bearer of responsibility, mitigating the effects either of manmade or natural shocks through a variety of policy responses (Ferry et al., 2023b). In the aftermath, public audit arrangements, both in central and local government, have had to evolve to cope with these pressures; and in some departments, this has led to an evolution in the role of IT auditing itself, as an auditor explained:

Information technology audit mainly audits information technology bidding packages of Vietnamese government independently.

At the planning stage, IT auditors mainly focus on understanding the general structure of the client, and the preliminary structure of the IT system, IT environment, IT general controls and IT application controls, and on defining automated controls on the business process to determine the scope of the IT audit. The auditor must also determine which IT applications are important to focus on in the fieldwork stage. An audit plan is prepared to ensure the audit is on time and detecting fraud, risks and potential problems. The auditor must assess audit risks and determine audit procedures to reduce audit risk to an acceptable level. The following excerpts from the interviews elaborate further on these points:

Typically, all IT audit members will attend client meetings along with financial audit members to get a rough understanding of business processes as well as common IT systems. Then, the IT specialist decides which systems and IT layers will be covered by the IT audit. After that, the leader divides the work among members reasonably. After completing the preparation steps, the Planning memo and IT Profile will be reviewed and approved by the team leader.

After completing the IT Understanding, the IT audit team leader will make a detailed list of documents and evidence to be provided for each control and send it to the auditees. At the meeting with the auditees, we will explain in detail the types of evidence required.

When planning, there are two main types of controls that will be assigned to team members: general IT controls (ITGC), and application controls. All 22 interviewees noted to the interviewers that, normally, staff will be assigned to general controls testing; while the Senior Auditor will take care of application control testing because this requires in-depth knowledge and experience of the client’s business:

The ITGC testing will generally have the same method across different systems or clients. Application Control testing, on the other hand, requires auditors to have a thorough understanding of the logic and business associated with different professions, so it is usually assigned to experienced auditors.

Interviewees noted to the authors that they will perform audit procedures such as inquiry, observation, inspection, confirmation, analysis and reperformance to test the design, implementation and effectiveness of IT controls. When asked who would be interviewed, auditors said they would start their inquiry with the IT Manager first, then non-IT employees. The general controls for IT systems are divided into four main control groups: Access to Program and Data, Program Change, Program Development and Computer Operation. All interviewed auditors agreed that ITGC testing is extremely important in the audit process to conclude whether the financial-related data from the system is reliable or not. IT auditors conduct tests of control of the four control groups above:

If the general IT controls on the system are effective, many risks leading to misstatements in the financial statements are minimized. Conversely, if the overall IT control fails, the auditor cannot rely on the IT system nor the data it outputs, leading to a massive number of substantive procedures for the relevant material items.

Through the interview process, the interviewers noted that program and data access include control of creating, revoking access to or modifying accounts and system security mechanisms:

The purpose of the Access to Program and Data category is to ensure that these are properly limited to authorized people. A common example is the case of a person who is part of the company, always has an active account, and has access to sensitive data. Unauthorized access to programs and data may result in data corruption, deletion, or leakage.

The second category that the 22 interviewees mentioned was program changes. Through inquiry and inspection of evidence related to system configuration and system program change, the IT auditor will review whether the features are stable and whether changes in the program will affect the system. The following interview excerpts reveal more:

Change management in the IT environment is critical for organizational success. This is not only to improve or update existing application functionality but also to implement necessary patches to help secure those applications. Moreover, in some cases, the system change is to comply with relevant regulatory requirements.

Usually, I interview the head of the client's IT department first to understand their system change process. In addition, I also need to find out whether they have made any configuration changes or system program changes: if so then I collect the documentation; if not then I need proof from their system.

A Senior Auditor noted that, sometimes, changes can be caused by an error or an incident in the system, in which cases need to be analysed carefully to avoid confusion between the lists. The third category in ITGC testing is Program Development. As per the answers of many interviewees, the purpose of the category is to ensure that new systems and programs either under development or already implemented, are properly authorized, tested, approved and implemented. Due to the deployment of new systems, inappropriate new programs can lead to data corruption:

To limit this risk from program development, the controls that we test that are major improvements to the whole IT systems are properly tested and approved before migration to production, the data is correctly migrated, problems encountered during the development of the program are monitored and resolved, and appropriate training is provided.

The last control category in the ITGC testing process of IT auditors is Computer Operations. The objective of this category is to ensure the availability of the information system and that its operation is correct; otherwise, this can lead to a risk of the information system malfunctioning:

The controls in this category are related to the operation of information systems, specifically related to data backup, batch jobs, and troubleshooting errors or incidents.

Interviewees noted that controls are tested to ensure that the auditee’s system will be running smoothly and problems will be handled in a timely manner. In addition, for this category, the auditors also conduct sample testing for incidents and data backups to see whether, during the financial year, the audited organizations effectively implemented controls. Interviewees noted that, if the auditors conclude that the general controls are effective, the next step is to evaluate the effectiveness of the applied controls. However, inefficient general controls make application controls ineffective. Therefore, the auditors consider application controls only if the general controls are effective. All 22 interviewees agreed that testing of application controls is also an important part of the IT system audit process:

The data in an enterprise's business flow from input, processing and output exposes many of its material risks, so identifying and testing application controls is essential.

The 22 interviewed auditors noted that application controls are controls that relate to specific computer software applications and individual transactions. The control functions vary based on the business purpose of the specific application, but the main objective is to help to ensure the privacy and security of data used by and transmitted between applications. Application control includes completeness and validity checks, identification, authentication, authorization, input controls and forensic controls, among others.

Furthermore, the auditors also noted that application controls are categorised into three types: Input Controls, Processing Controls and Output Controls:

The application controls that I usually test with are System A is configured properly to calculate X item, or the interface is set up properly to transfer data from System B to System C. Another application control related to access rights is that access to update Item Y in System D is restricted to authorized personnel.

The procedures that IT auditors perform in this section are inquiry, inspection, and reperformance. An interview procedure is performed to determine whether the audited organizations anticipated the risks associated with the application and whether there were any relevant alternative controls. If policies and evidence are in place, the auditor will ask the client to provide them with, and conduct an inspection of, these documents. The goal is to ensure that the auditee has closely designed the controls and deploys them on the system that conforms to that design. In addition, interviewees noted that, for automated computational controls on the system, they usually perform observations on the system configuration to see whether the calculation formula is correct in relation to the business logic, as well as perform the recalculation manually and then reconcile this with the output from the system to review the accuracy:

For the automatic interest calculation control in the bank's system, I often interview the IT Manager and the head of the operations department to understand their control design. I then directly observe the system configuration and inspect the screenshots with the support of the IT Manager. Then, I do the recalculation manually and reconcile it with the system-generated result: if there is any deviation it could be a finding.

In addition, interviewees also noted that, in IT audit jobs, application testing is often assigned to experienced auditors; the reason being that it has many controls that require experience and business-related knowledge in many industries as well as a deep understanding of business logic. The auditor may obtain audit evidence by observation, examination, investigation and confirmation, reconstruction, recalculation, analysis or other generally accepted methods.

The auditor documents each significant finding with a report on the legal framework, facts, conclusions and IT risks. In addition to individual findings, the auditor should draw general conclusions about IT controls. Along with that, the auditor needs to explain each control weakness related to IT risks. Overall, the regulatory space is shaped by the constitutional role that audit in local government is called upon to perform (Ferry et al., 2023b), which brings the scholarship of local government audit closer to the scholarship of the State Audit Office itself, which has long explained its regulatory space through its constitutional function.

We emphasize that public audits have implications for regulating local government audit space. The IT audit has expanded the regulatory space of audit into the public sector in the wake of the Vietnamese corruption and misstatement scandals. With the removal of key ministerial officials during these crises, the public sector audit has emphasized the connections between public sector audit and the political context in which it is embedded. Public sector audits have thus recently become the way in which new rationalities of administration have been introduced into government (Parker et al., 2019). An extensive body of scholarship sees these rationalities as co-existing with previous constitutional ideas about audit in mature democracies, in which performance audit has been identified as having two faces: accountability and performance improvement (Rana et al., 2021). The implications of digitalization and emerging technologies thus have the potential for widening accountability in the public sector. These findings thus respond to a call for further research by Rana et al. (2021) on the implications of IT audit and the widening of accountability in public audits.

The findings of this study suggest that IT auditing in the State Audit Office of Vietnam has challenges, including human resources, auditors’ perceptions on IT audit, infrastructure, including modern technology and equipment, and IT audit regulation. The IT audit department belongs to VII Specialization in the State Audit Office of Vietnam. Digital transformation affects the increasing need for qualified IT auditors. However, the number of personnel working in this department is small, and the staff’s quality and knowledge are still limited. There are many technologies used for finance and IT auditing, and they keep changing. It is thus a challenge for IT auditors to keep up with the changing technology. To properly evaluate risk, the IT auditor must not only have extensive knowledge and experience on the subject and related regulations but also have a broad knowledge of information and communication technology as well as the modern trends happening in the field. IT auditors also require special skills and knowledge related to security aspects. State Audit Office of Vietnam thus needs to pay attention to training and hiring IT audit staff who are knowledgeable about IT and key personnel who are proficient in IT auditing. Training is needed in several audit spaces, including digital forensics, audit data analytics and cybersecurity for auditors, which includes network safety simulation drills and undertaking specialized training on network safety. The auditors shared the following:

Human resources for IT audits are lacking and weak …

Information technology audits have many limitations. Because it's so new. Information technology audits need in-depth knowledge. Programming requires deep skills, moreover, cost calculation and calculation methods also need a lot of knowledge to audit. Auditors lack this knowledge and skills.

There is a reluctance among auditors when conducting IT audits. The interviewees stated that the IT audit is riskier. Congress assigns IT auditors to conduct audits of IT projects of Ministries and state agencies. The Viet A corruption case is an example of when the price of products in the project was much higher than the market price, and IT staff were accused of stealing money from the Vietnamese state budget. Some of the IT projects in the Vietnamese government are part of the corruption case against Viet A, thus, IT auditors are not interested in conducting such types of audit engagement.

The findings also suggest that there is a lack of modern equipment for IT auditors in the State Audit Office of Vietnam. The State Audit Office of Vietnam should focus on building software applications to support auditors in IT auditing activities. Consideration of regulatory spaces suggest that organizations adjust to environmental challenges through the adoption of new IT processes. Thus, newly designed applications must be compatible with existing IT platforms and tested through a team of auditors. In particular, the State Audit Office of Vietnam should pay attention to building a data centre and upgrading the infrastructure system. Such systems will need to integrate recent digital technologies (such as AI-based and Big Data-focused). In an era defined by burgeoning data volumes and increasing business complexity, the State Audit Office of Vietnam needs infrastructure systems that can help IT auditors to swiftly and efficiently interrogate vast datasets, uncovering patterns, anomalies and insights that traditional audit methods may overlook (Alsaif et al., 2025). Naturally, costs are a barrier to successful implementation; however, the emergence of some new tools and applications to interpret these vast datasets, which often complement the existing tools already in use, can result in cost savings in some instances:

The application of IT audit is an inevitable trend in the development of the 4.0 era, when commercial banks are increasingly dependent on computer systems for recording and processing, and controlling, business transactions. More attention should be paid to the development of modern auditing technologies and techniques.

There is a lack of a complete set of regulations on IT audit in Vietnam. The state audit law has not promulgated the IT audit contents. While standards on IT audit in the State Audit Office of Vietnam have not been issued, audit programs and audit outlines are merely materials on which auditors base their work. The following interview excerpts share more:

Currently, the information technology audit has an outline and an audit program. The outline issued to guide the auditor through the audit process. The audit outline is a specific guide for a special IT audit, while auditors utilize audit programs for other IT audits.

State audit should issue auditing standards on information technology audit, which are consistent with international standards.

Overall, the findings show that the challenges that IT auditors in Vietnam are facing are the limited knowledge of auditors regarding IT knowledge and skills, the lack of infrastructure, the perceptions of auditors on IT audit and the limitation of existing frameworks. These results are consistent with the findings of Nkwe (2011). According to Nkwe (2011), there is a limitation of human resources, technical materials and frameworks in IT audit, since IT audit is an emerging field. Nkwe (2011) suggests training for IT auditors and the promulgation of policies and frameworks from government and professional bodies. IT auditors find it difficult to stay up to date with the diverse and constantly evolving technology utilized in IT auditing and finance. There is a lack of academic or other literature available on this subject in Vietnam. These results are also consistent with those of Beridze (2017), who concludes that there is a lack of qualified IT audit staff in Georgia. IT auditors in Georgia require more training and should be provided with suitable materials and technical facilities.

This study reports on state auditors’ perceptions related to IT audit in the State Audit Office in Vietnam, focusing on the importance of the IT audit, how state auditors conduct IT audit, and what challenges they face. Our findings indicate that IT audit is becoming more important in the State Audit Office of Vietnam after the corruption of Viet A and the misstatements in IT systems of the Vietcombank scandal, in considering the adoption of modern IT systems and e-services in government agencies. Based on the perceptions of the 22 auditors interviewed, IT audits will play a pivotal role in the future due to the digital transformation in government agencies in Vietnam. Auditors actively conduct IT audits under the guidelines and audit programs issued by the State Audit Office of Vietnam. However, there are several challenges they face, including limited knowledge, infrastructure and regulations, and risk issues when conducting IT audits. Related to challenges, one of the main findings of this study is that the State Audit Office of Vietnam needs to focus on building software applications to support its staff in IT audits. The notion of regulatory spaces predicts that an organization adjusts to environmental challenges through the adoption of new IT processes. Therefore, newly designed applications must be compatible with existing IT platforms and tested through a team of auditors.

The findings of this research may benefit various interested stakeholders, such as regulators and academic researchers. Regulators such as the State Audit Office and the Government could use our findings to better regulate IT audits in Vietnam. In making decisions or setting policies, IT auditors and regulators may also find our study’s findings helpful. Academic researchers may benefit from the study by utilizing the concept of IT audit and the findings of this study to conduct further analysis. Our study adds to the body of knowledge about IT audits in the public sector of developing countries. This is the first thorough study of its kind on the emerging economy of Vietnam. We chose qualitative techniques to help answer the research questions we are investigating. We report useful insights for Vietnam’s public sector IT audits, showing the challenges faced by the public sector in Vietnam and how the organizations involved face problems in integrating cutting-edge technology.

Regulatory spaces have been a useful lens for us to investigate how organizations respond to the environmental challenges they face in Vietnam in the wake of the Viet A and Vietcombank scandals. Regulatory spaces predict that an organization adjusts to environmental challenges through the adoption of new IT processes. In Vietnam, such challenges have included high rates of corruption and bribery, as Vietnam has exhibited vulnerabilities to high level corruption (Martini, 2012; Maitland, 2001; Transparency International, 2023). Due to this, we recommend that the State Audit Office of Vietnam pay attention to building a data centre, and upgrading the infrastructure system, to better counter these risks. Such changes will further help IT audit to make regulatory space claims in Vietnam’s public sector.

In terms of practical implications, we suggest that training is needed in several audit spaces, including digital forensics, ADA, and cybersecurity for auditors, including network safety simulation drills and other specialised training on network safety. Table 2 further referred to some practical implications of the study, including a suggestion that the State Audit Office of Vietnam should review hiring policies, considering these findings.

The Vietnam case highlights the political nature of public audit for regulatory spaces. We specifically highlight this as a theoretical contribution to regulatory space scholarship. Our study extends Ferry et al. (2023a,b) work on regulatory spaces, that extended into new audit spaces of public audit. This ties in with earlier debates on public audits that Radcliffe (2008) and Funnell (2011) had on the political/technical nature of audit. That debate highlighted that, while public sector auditors may know the truth, as may others, they choose not always to tell the truth in their audit reports and, instead, treat what may be publicly unpalatable as a public secret (Radcliffe, 2008). Public auditors modify their findings to ensure that they will be more acceptable to governments, and thereby to enhance their opportunity to influence their government (Radcliffe, 2008). Funnell (2011) counter-argues that, rather than keeping secrets, the contents of the auditor’s reports may instead reflect the constitutional and institutional limitations in which public auditors must work. We report in the Vietnamese context both constitutional and institutional limitations on public auditors, highlighted by a lack of a complete set of regulations on IT audit in Vietnam.

However, this study does have some limitations. The sample size of the respondents is not substantial, with only 22 participants contributing their perceptions; hence, the results may not be generalizable. We also acknowledge other relevant constraints, such as the potential for response bias in our interviews, the lack of a cross-country perspective, and the challenges of generalizing findings from a single emerging economic context. If our methodology is combined with a survey approach, the results of usage frequency on IT audits may reveal more information from a larger sample. Future research should consider combining the survey and interview approaches to confirm the results of this study and other issues related to IT audits conducted by the State Audit Office of Vietnam and in other, similar developing country contexts. Future studies could also include: (1) cross-country analysis to explore whether our findings on Vietnam are consistent with other regions; (2) quantitative analysis to validate the qualitative insights provided in our study (e.g. a survey methodology) and (3) longitudinal analysis to assess the long-term impacts of IT audit reforms in the public sector.

The authors have no relevant financial or non-financial interests to disclose.

We declare there was no use of generative artificial intelligence (AI) and AI-assisted technologies in the writing process.

Thank you to Dr Mahesh Joshi from RMIT University for his helpful comments, and the helpful comments of Tran, Dung Manh and Nguyen, Lan Hoang from Vietnam National University. The authors in advance gratefully acknowledge the comments of the anonymous reviewer/s and the editor. Last, but not least, we thank all our interviewees for supporting this study.

Interview questions

  1. Have you conducted an IT audit? What is your role in the IT audit?

  2. What is the role of IT audit at the State Audit Office of Vietnam?

  3. Are there any changes in the role of IT audit at the State Audit Office of Vietnam recently?

  4. Have you conducted an IT audit that is separate from financial audit, compliance audit or operational audit?

  5. What do you do if IT audit is conducted together with a financial audit, compliance audit or operational audit?

  6. What do IT auditors do in the planning phase?

  7. What do IT auditors do in the conducting phase?

  8. What do IT auditors do in the completing phase?

  9. What challenges are IT auditors facing?

  10. How would IT auditors overcome the challenges?

Aditya
,
B.R.
,
Hartanto
,
R.
and
Nugroho
,
L.E.
(
2018
), “
The role of IT audit in the era of digital transformation
”,
IOP Conference Series: Materials Science and Engineering
, Vol. 
407
, 012164, doi: .
Agustí
,
M.A.
and
Orta-Pérez
,
M.
(
2022
), “
Big data and artificial intelligence in the fields of accounting and auditing: a bibliometric analysis
”,
Spanish Journal of Finance and Accounting/Revista Española de Financiación y Contabilidad
, Vol. 
52
No. 
3
, pp. 
1
-
27
, doi: .
Akbar
,
M.S.
and
Suraida
,
I.
(
2017
), “
Competence and professional care of external auditor on information technology audit
”,
Trikonomika
, Vol. 
16
No. 
1
, p.
21
, doi: .
Alsaif
,
M.
,
Phan
,
D.
,
Kend
,
M.
and
Alharbi
,
M.
(
2025
 
In press
), “
Emerging technologies in external audit and how they are challenging auditors’ judgements and decision-making processes
”,
Accounting and Finance
, doi: .
Andon
,
P.
,
Free
,
C.
and
Sivabalan
,
P.
(
2014
), “
The legitimacy of new assurance providers: making the cap fit
”,
Accounting, Organizations and Society
, Vol. 
39
No. 
2
, pp. 
75
-
96
, doi: .
Andon
,
P.
,
Free
,
C.
and
O'Dwyer
,
B.
(
2015
), “
Annexing new audit spaces: challenges and adaptations
”,
Accounting, Auditing & Accountability Journal
, Vol. 
28
No. 
8
, pp. 
1400
-
1430
, doi: .
Asniarti
,
T.
and
Muda
,
I.
(
2018
), “
The effect of computer assisted audit tools on operational review of information technology audits
”,
Conference Proceedings: Advances in Social Science, Education and Humanities Research
, Vol. 
208
.
Austin
,
A.
,
Carpenter
,
T.
,
Christ
,
M.
and
Nielson
,
C.
(
2021
), “
The data analytics journey: interactions among auditors, managers, regulation, and technology
”,
Contemporary Accounting Research
, Vol. 
38
No. 
3
, pp. 
1888
-
1924
, doi: .
Barr-Pulliam
,
D.
,
Brown-Liburd
,
H.L.
and
Sanderson
,
K.A.
(
2022
), “
The effects of the internal control opinion and use of audit data analytics on perceptions of audit quality, assurance, and auditor negligence
”,
Auditing: A Journal of Practice & Theory
, Vol. 
41
No. 
1
, pp. 
25
-
48
, doi: .
Beridze
,
T.
(
2017
), “
Information technology audit in Georgia
”,
European Scientific Journal
, Vol. 
13
No. 
25
, p.
72
,
ESJ
doi: .
Boyatzis
,
R.E.
(
1998
),
Transforming Qualitative Information: Thematic Analysis and Code Development
,
Sage Publications
,
Thousand Oaks, CA
.
Canning
,
M.
and
O'Dwyer
,
B.
(
2013
), “
The dynamics of regulatory space realignment: strategic responses in a local context
”,
Accounting, Organizations and Society
, Vol. 
38
No. 
3
, pp. 
169
-
194
, doi: .
Ferry
,
L.
and
Ahrens
,
T.
(
2022
), “
The future of the regulatory space in local government audit: a comparative study of the four countries of the United Kingdom
”,
Financial Accountability and Management
, Vol. 
38
No. 
3
, pp. 
376
-
393
, doi: .
Ferry
,
L.
,
Hamid
,
K.
and
Dutra
,
P.H.
(
2023a
), “
An international comparative study of the audit and accountability arrangements of supreme audit institutions
”,
Journal of Public Budgeting, Accounting and Financial Management
, Vol. 
35
No. 
4
, pp. 
431
-
450
, doi: .
Ferry
,
L.
,
Midgley
,
H.
and
Ruggiero
,
P.
(
2023b
), “
Regulatory space in local government audit: an international comparative study of 20 countries
”,
Public Money & Management
, Vol. 
43
No. 
3
, pp. 
233
-
241
, doi: .
Free
,
C.
,
Radcliffe
,
V.S.
,
Spence
,
C.
and
Stein
,
M.J.
(
2020
), “
Auditing and the development of the modern state
”,
Contemporary Accounting Research
, Vol. 
37
No. 
1
, pp. 
485
-
513
, doi: .
Funnell
,
W.
(
2011
), “
Keeping secrets? Or what government performance auditors might not need to know
”,
Critical Perspectives on Accounting
, Vol. 
22
No. 
7
, pp. 
714
-
721
, doi: .
Gepp
,
A.
,
Linnenluecke
,
M.K.
,
O'Neill
,
T.J.
and
Smith
,
T.
(
2018
), “
Big data techniques in auditing research and practice: current trends and future opportunities
”,
Journal of Accounting Literature
, Vol. 
4022
No. 
1
, pp. 
102
-
115
, .
Havelka
,
D.
and
Merhout
,
J.
(
2007
), “
Development of an information technology audit process quality framework
”,
AMCIS 2007 Proceedings
, Vol. 
61
.
Hayfield
,
N.
,
Clarke
,
V.
and
Braun
,
V.
(
2017
), “Thematic analysis”, in
The SAGE Handbook of Qualitative Research in Psychology
, Vol. 
2
, pp. 
17
-
37
.
Hecimovic
,
A.
,
Martinov‐Bennie
,
N.
and
Roebuck
,
P.
(
2009
), “
The force of law: Australian auditing standards and their impact on the auditing profession
”,
Australian Accounting Review
, Vol. 
19
No. 
1
, pp. 
1
-
10
, doi: .
Holstein
,
J.A.
and
Gubrium
,
J.F.
(
2002
),
Handbook of Interview Research
,
Sage Publications
,
Thousand Oaks, CA
.
Houghton
,
K.A.
,
Jubb
,
C.
,
Kend
,
M.
and
Ng
,
J.
(
2010
),
The Future of Audit: Keeping Capital Markets Efficient
,
ANU E Press
,
Canberra
.
Kend
,
M.
and
Nguyen
,
L.A.
(
2020
), “
Big data analytics and other emerging technologies: the impact on the Australian audit and assurance profession
”,
Australian Accounting Review
, Vol. 
30
No. 
4
, pp. 
269
-
282
, doi: .
Kend
,
M.
and
Nguyen
,
L.A.
(
2022
), “
The emergence of audit data analytics in existing audit spaces: findings from three technologically advanced audit and assurance service markets
”,
Qualitative Research in Accounting and Management
, Vol. 
19
No. 
5
, pp. 
540
-
563
, doi: .
Kvale
,
S.
(
1996
),
Interviews: An Introduction to Qualitative Research Interviewing
,
Sage Publications
,
Thousand Oaks, CA
.
Kvale
,
S.
and
Brinkmann
,
S.
(
2009
),
InterViews: Learning the Craft of Qualitative Research Interviewing
, (2nd ed.) ,
Sage Publications
,
Thousand Oaks, CA
.
Maitland
,
E.
(
2001
), “
Corruption and the outsider: multinational enterprises in the transitional economy of Vietnam
”,
Singapore Economic Review
, Vol. 
46
No. 
1
, pp. 
63
-
82
, doi: .
Malsch
,
B.
and
Gendron
,
Y.
(
2011
), “
Reining in auditors: on the dynamics of power surrounding an ‘innovation’ in the regulatory space
”,
Accounting, Organizations and Society
, Vol. 
36
No. 
7
, pp. 
456
-
476
, doi: .
Martini
,
M.
(
2012
), “
Overview of corruption and anti-corruption in Vietnam, anti-corruption resource centre
(Transparency International), 315, 1-11
.
Nguyen
,
A.H.
,
Ha
,
H.
and
Nguyen
,
S.L.
(
2020
), “
Determinants of information technology audit quality: evidence from Vietnam
”,
The Journal of Asian Finance, Economics and Business
, Vol. 
7
No. 
4
, pp. 
41
-
50
, doi: .
Nguyen
,
P.T.
,
Kend
,
M.
and
Le
,
D.
(
2024
), “
Digital transformation in Vietnam: the impacts on external auditors and their practices
”,
Pacific Accounting Review
, Vol. 
36
No. 
1
, pp. 
144
-
160
, doi: .
Nkwe
,
N.
(
2011
), “
State of information technology auditing in Botswana
”,
Asian Journal of Finance & Accounting
, Vol. 
3
No. 
1
, pp.
125
-
137
, doi: .
Parker
,
L.D.
,
Jacobs
,
K.
and
Schmitz
,
J.
(
2019
), “
New public management and the rise of public sector performance audit
”,
Accounting, Auditing & Accountability Journal
, Vol. 
32
No. 
1
, pp. 
280
-
306
, doi: .
Pathak
,
J.
(
2005
),
Information Technology Auditing
,
Springer Science & Business Media
,
New York City
.
Radcliffe
,
V.S.
(
2008
), “
Public secrecy in auditing: what government auditors cannot know
”,
Critical Perspectives on Accounting
, Vol. 
19
No. 
1
, pp. 
99
-
126
, doi: .
Rana
,
T.
,
Steccolini
,
I.
,
Bracci
,
E.
and
Mihret
,
D.G.
(
2021
), “
Performance auditing in the public sector: a systematic literature review and future research avenues
”,
Financial Accountability and Management
, Vol. 
38
No. 
3
, pp. 
337
-
359
, doi: .
Robson
,
K.
,
Humphrey
,
C.
,
Khalifa
,
R.
and
Jones
,
J.
(
2007
), “
Transforming audit technologies: business risk audit methodologies and the audit field
”,
Accounting, Organizations and Society
, Vol. 
32
Nos
4-5
, pp. 
409
-
438
, doi: .
Salijeni
,
G.
,
Samsonova-Taddei
,
A.
and
Turley
,
S.
(
2019
), “
Big data and changes in audit technology: contemplating a research agenda
”,
Accounting and Business Research
, Vol. 
49
No. 
1
, pp. 
95
-
119
, doi: .
Stoel
,
M.D.
and
Havelka
,
D.
(
2020
), “
Information technology audit quality: an investigation of the impact of individual and organizational factors
”,
Journal of Information Systems
, Vol. 
35
No. 
1
, pp. 
135
-
154
, doi: .
Stoel
,
D.
,
Havelka
,
D.
and
Merhout
,
J.W.
(
2012
), “
An analysis of attributes that impact information technology audit quality: a study of IT and financial audit practitioners
”,
International Journal of Accounting Information Systems
, Vol. 
13
No. 
1
, pp. 
60
-
79
, doi: .
Transparency International
(
2023
), “
Corruption perceptions index
”,
Retrieved 9 April 2025, available at:
 https://www.Transparency.Org/Cpi2013
Vietcombank
(
2015
), “
Annual report
”.
Wahyuni
,
D.
(
2012
), “
The research design maze: understanding paradigms, cases, methods, and methodologies
”,
Journal of Applied Management Accounting Research
, Vol. 
10
No. 
1
, pp. 
69
-
80
.
Xuan
,
H.
(
2019
), “
IT audit in the state audit Office of Vietnam
”,
viewed 25 June 2025, available at:
 https://tapchitaichinh.vn/thuc-trang-kiem-toan-cong-nghe-thong-tin-cua-kiem-toan-nha-nuoc.html
Harper
,
D.
and
Thompson
,
A.R.
(
2012
),
Qualitative Research Methods in Mental Health and Psychotherapy a Guide for Students and Practitioners
,
John Wiley & Sons
,
NJ
.
The Institute of Company Secretaries of India
(
2014
), “
Information technology and systems audit
”,
viewed 25 June 2025, available at:
 https://www.icsi.edu/media/webmodules/publications/4.%20Professional-%20Information%20Technology.pdf
Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at Link to the terms of the CC BY 4.0 licence.

Data & Figures

Table 1

Participant’s background details (N = 22)

Auditors’ positionNumber (N)GenderAge range (years)Years of experienceCityLength/range of interview (minutes)
Auditor (Head of a department)3Male (M) (3)38–5515–301 (Ha Noi)
1 (Nghe An)
1 (Ho Chi Minh)
40–70
Auditor (Deputy head of a department)6M (6)36–4713–242 (Ha Noi)
1 (Nghe An)
1 (Da Nang)
2 (Ho Chi Minh)
45–70
Auditor (Junior staff)13M (9)
Female (F) (5)
30–407–155 (Hanoi)
2 (Da Nang)
2 (Nghe An)
4 (Ho Chi Minh)
45–60
Source(s): Created by the authors
Table 2

Findings – summary table

Themes (in public audits)Key findingsChallenges identifiedProposed solutionsPractical implications
Changes to IT audit roles
  1. Most public agencies no longer manage accounts manually, so the IT audit has become essential

  2. Performing an IT audit helps auditors reduce a significant amount of their workload

  3. These two findings are consistent with those of Beridze (2017) and Aditya et al. (2018) 

Auditors now face increased challenges to better understand public sector agencies
Digital transformation has opened new opportunities, but also new challenges for IT audits to play a greater role in contributing positively to Government agencies
Auditors in the public sector are required to understand the Government agencies' IT system to fully understand the agencies themselves. More resources are needed to better build these pathways to more understandingThe State Audit Office of Vietnam should better support auditors now facing increased challenges to better understand public sector agencies, by developing clear pathways to better understanding
Audit Methodology of IT auditors
  1. In Vietnam’s public sector two types of IT audits are conducted (i) separately or (ii) together with other audit engagements (financial audit, compliance audit and operational audit)

  2. For type one, if the IT audit is conducted separately, it mainly involves the audit of State Banks, Commercial Banks and other state agencies and audit of IT projects in the Vietnamese government

  3. For type two, where the IT audit is implemented together with other types of audits, the team will include an IT audit specialist

The resilience of public sector audit arrangements/methodologies remain in question after the Viet A and Vietcombank scandals, and the doubts that these scandals have created do not help build confidence in the public sectorThe implications of digitalization and emerging technologies, have the potential for widening accountability in the public sectorBetter recognition of the implications of IT audit and the widening of accountability in public audits. In this audit space accountability and performance improvements are needed
Regulatory Challenges for IT audits
  1. Public sector auditing in Vietnam is under increasing public scrutiny and political pressure, especially following the banking crises that challenged public finances, including at state and local levels

  2. There is a lack of complete regulations on IT audit in Vietnam

  3. These findings are in line with prior research (e.g. Ferry et al., 2023a,b) as concerns about the resilience of public sector audit arrangements in the absence of effective regulations has been analysed and discussed

It is a challenge in the public sector for IT auditors and regulators to keep up with the pace of changing and emerging technologiesBuilding better connections between public sector audit and the political context in which it is embeddedThe public sector interviewees have emphasized that IT audits need to continue to expand the regulatory space of audit further into the public sector and the relevant agencies
Other Challenges: Human Resources
  1. IT auditors require special skills and knowledge related to risk evaluation and security aspects of public sector audits

  2. The State Audit Office of Vietnam needs to pay more attention to the training and hiring of IT audit staff who are knowledgeable about IT and train key personnel who are proficient in IT auditing

  3. Nkwe (2011) suggested training for IT auditors and promulgation of policies and framework from government and professional bodies

  4. Also consistent with Beridze (2017), who concluded that there is a lack of qualified IT audit staff in Georgia. In addition, IT auditors should be provided with suitable work materials

There is more reluctance from auditors when conducting IT audits in the public sector. The IT audit is riskier without the special skills and knowledge requiredState Audit Office of Vietnam needs to pay more attention to training and hiring of IT audit staff who are knowledgeable about IT and develop key personnel who are proficient in IT auditingThe State Audit Office of Vietnam should review hiring policies considering these findings
Other Challenges
Infrastructure
  1. Findings suggest there is a lack of modern equipment for IT auditors in the State Audit Office of Vietnam

  2. The State Audit Office of Vietnam should focus on building software applications to support auditors in IT auditing activities

  3. Consistent with Beridze (2017) that concluded that there is lack of technical facilities and support for IT auditors in the public sector of Georgia

  4. From a theoretical perspective, regulatory spaces suggest that the organization will adjust to the environmental challenges through adoption of new IT processes

Some newly designed applications are not compatible with existing IT platforms and testing remains a challenge for IT auditors in the public sectorRegulatory spaces suggest that the organization adjusts to the environmental challenges through adoption of new IT processesNewly designed applications must be compatible with existing IT platforms and tested through a team of auditors. The State Audit Office of Vietnam should pay attention to building a data centre and upgrading the infrastructure system
Source(s): Created by the authors

Supplements

References

Aditya
,
B.R.
,
Hartanto
,
R.
and
Nugroho
,
L.E.
(
2018
), “
The role of IT audit in the era of digital transformation
”,
IOP Conference Series: Materials Science and Engineering
, Vol. 
407
, 012164, doi: .
Agustí
,
M.A.
and
Orta-Pérez
,
M.
(
2022
), “
Big data and artificial intelligence in the fields of accounting and auditing: a bibliometric analysis
”,
Spanish Journal of Finance and Accounting/Revista Española de Financiación y Contabilidad
, Vol. 
52
No. 
3
, pp. 
1
-
27
, doi: .
Akbar
,
M.S.
and
Suraida
,
I.
(
2017
), “
Competence and professional care of external auditor on information technology audit
”,
Trikonomika
, Vol. 
16
No. 
1
, p.
21
, doi: .
Alsaif
,
M.
,
Phan
,
D.
,
Kend
,
M.
and
Alharbi
,
M.
(
2025
 
In press
), “
Emerging technologies in external audit and how they are challenging auditors’ judgements and decision-making processes
”,
Accounting and Finance
, doi: .
Andon
,
P.
,
Free
,
C.
and
Sivabalan
,
P.
(
2014
), “
The legitimacy of new assurance providers: making the cap fit
”,
Accounting, Organizations and Society
, Vol. 
39
No. 
2
, pp. 
75
-
96
, doi: .
Andon
,
P.
,
Free
,
C.
and
O'Dwyer
,
B.
(
2015
), “
Annexing new audit spaces: challenges and adaptations
”,
Accounting, Auditing & Accountability Journal
, Vol. 
28
No. 
8
, pp. 
1400
-
1430
, doi: .
Asniarti
,
T.
and
Muda
,
I.
(
2018
), “
The effect of computer assisted audit tools on operational review of information technology audits
”,
Conference Proceedings: Advances in Social Science, Education and Humanities Research
, Vol. 
208
.
Austin
,
A.
,
Carpenter
,
T.
,
Christ
,
M.
and
Nielson
,
C.
(
2021
), “
The data analytics journey: interactions among auditors, managers, regulation, and technology
”,
Contemporary Accounting Research
, Vol. 
38
No. 
3
, pp. 
1888
-
1924
, doi: .
Barr-Pulliam
,
D.
,
Brown-Liburd
,
H.L.
and
Sanderson
,
K.A.
(
2022
), “
The effects of the internal control opinion and use of audit data analytics on perceptions of audit quality, assurance, and auditor negligence
”,
Auditing: A Journal of Practice & Theory
, Vol. 
41
No. 
1
, pp. 
25
-
48
, doi: .
Beridze
,
T.
(
2017
), “
Information technology audit in Georgia
”,
European Scientific Journal
, Vol. 
13
No. 
25
, p.
72
,
ESJ
doi: .
Boyatzis
,
R.E.
(
1998
),
Transforming Qualitative Information: Thematic Analysis and Code Development
,
Sage Publications
,
Thousand Oaks, CA
.
Canning
,
M.
and
O'Dwyer
,
B.
(
2013
), “
The dynamics of regulatory space realignment: strategic responses in a local context
”,
Accounting, Organizations and Society
, Vol. 
38
No. 
3
, pp. 
169
-
194
, doi: .
Ferry
,
L.
and
Ahrens
,
T.
(
2022
), “
The future of the regulatory space in local government audit: a comparative study of the four countries of the United Kingdom
”,
Financial Accountability and Management
, Vol. 
38
No. 
3
, pp. 
376
-
393
, doi: .
Ferry
,
L.
,
Hamid
,
K.
and
Dutra
,
P.H.
(
2023a
), “
An international comparative study of the audit and accountability arrangements of supreme audit institutions
”,
Journal of Public Budgeting, Accounting and Financial Management
, Vol. 
35
No. 
4
, pp. 
431
-
450
, doi: .
Ferry
,
L.
,
Midgley
,
H.
and
Ruggiero
,
P.
(
2023b
), “
Regulatory space in local government audit: an international comparative study of 20 countries
”,
Public Money & Management
, Vol. 
43
No. 
3
, pp. 
233
-
241
, doi: .
Free
,
C.
,
Radcliffe
,
V.S.
,
Spence
,
C.
and
Stein
,
M.J.
(
2020
), “
Auditing and the development of the modern state
”,
Contemporary Accounting Research
, Vol. 
37
No. 
1
, pp. 
485
-
513
, doi: .
Funnell
,
W.
(
2011
), “
Keeping secrets? Or what government performance auditors might not need to know
”,
Critical Perspectives on Accounting
, Vol. 
22
No. 
7
, pp. 
714
-
721
, doi: .
Gepp
,
A.
,
Linnenluecke
,
M.K.
,
O'Neill
,
T.J.
and
Smith
,
T.
(
2018
), “
Big data techniques in auditing research and practice: current trends and future opportunities
”,
Journal of Accounting Literature
, Vol. 
4022
No. 
1
, pp. 
102
-
115
, .
Havelka
,
D.
and
Merhout
,
J.
(
2007
), “
Development of an information technology audit process quality framework
”,
AMCIS 2007 Proceedings
, Vol. 
61
.
Hayfield
,
N.
,
Clarke
,
V.
and
Braun
,
V.
(
2017
), “Thematic analysis”, in
The SAGE Handbook of Qualitative Research in Psychology
, Vol. 
2
, pp. 
17
-
37
.
Hecimovic
,
A.
,
Martinov‐Bennie
,
N.
and
Roebuck
,
P.
(
2009
), “
The force of law: Australian auditing standards and their impact on the auditing profession
”,
Australian Accounting Review
, Vol. 
19
No. 
1
, pp. 
1
-
10
, doi: .
Holstein
,
J.A.
and
Gubrium
,
J.F.
(
2002
),
Handbook of Interview Research
,
Sage Publications
,
Thousand Oaks, CA
.
Houghton
,
K.A.
,
Jubb
,
C.
,
Kend
,
M.
and
Ng
,
J.
(
2010
),
The Future of Audit: Keeping Capital Markets Efficient
,
ANU E Press
,
Canberra
.
Kend
,
M.
and
Nguyen
,
L.A.
(
2020
), “
Big data analytics and other emerging technologies: the impact on the Australian audit and assurance profession
”,
Australian Accounting Review
, Vol. 
30
No. 
4
, pp. 
269
-
282
, doi: .
Kend
,
M.
and
Nguyen
,
L.A.
(
2022
), “
The emergence of audit data analytics in existing audit spaces: findings from three technologically advanced audit and assurance service markets
”,
Qualitative Research in Accounting and Management
, Vol. 
19
No. 
5
, pp. 
540
-
563
, doi: .
Kvale
,
S.
(
1996
),
Interviews: An Introduction to Qualitative Research Interviewing
,
Sage Publications
,
Thousand Oaks, CA
.
Kvale
,
S.
and
Brinkmann
,
S.
(
2009
),
InterViews: Learning the Craft of Qualitative Research Interviewing
, (2nd ed.) ,
Sage Publications
,
Thousand Oaks, CA
.
Maitland
,
E.
(
2001
), “
Corruption and the outsider: multinational enterprises in the transitional economy of Vietnam
”,
Singapore Economic Review
, Vol. 
46
No. 
1
, pp. 
63
-
82
, doi: .
Malsch
,
B.
and
Gendron
,
Y.
(
2011
), “
Reining in auditors: on the dynamics of power surrounding an ‘innovation’ in the regulatory space
”,
Accounting, Organizations and Society
, Vol. 
36
No. 
7
, pp. 
456
-
476
, doi: .
Martini
,
M.
(
2012
), “
Overview of corruption and anti-corruption in Vietnam, anti-corruption resource centre
(Transparency International), 315, 1-11
.
Nguyen
,
A.H.
,
Ha
,
H.
and
Nguyen
,
S.L.
(
2020
), “
Determinants of information technology audit quality: evidence from Vietnam
”,
The Journal of Asian Finance, Economics and Business
, Vol. 
7
No. 
4
, pp. 
41
-
50
, doi: .
Nguyen
,
P.T.
,
Kend
,
M.
and
Le
,
D.
(
2024
), “
Digital transformation in Vietnam: the impacts on external auditors and their practices
”,
Pacific Accounting Review
, Vol. 
36
No. 
1
, pp. 
144
-
160
, doi: .
Nkwe
,
N.
(
2011
), “
State of information technology auditing in Botswana
”,
Asian Journal of Finance & Accounting
, Vol. 
3
No. 
1
, pp.
125
-
137
, doi: .
Parker
,
L.D.
,
Jacobs
,
K.
and
Schmitz
,
J.
(
2019
), “
New public management and the rise of public sector performance audit
”,
Accounting, Auditing & Accountability Journal
, Vol. 
32
No. 
1
, pp. 
280
-
306
, doi: .
Pathak
,
J.
(
2005
),
Information Technology Auditing
,
Springer Science & Business Media
,
New York City
.
Radcliffe
,
V.S.
(
2008
), “
Public secrecy in auditing: what government auditors cannot know
”,
Critical Perspectives on Accounting
, Vol. 
19
No. 
1
, pp. 
99
-
126
, doi: .
Rana
,
T.
,
Steccolini
,
I.
,
Bracci
,
E.
and
Mihret
,
D.G.
(
2021
), “
Performance auditing in the public sector: a systematic literature review and future research avenues
”,
Financial Accountability and Management
, Vol. 
38
No. 
3
, pp. 
337
-
359
, doi: .
Robson
,
K.
,
Humphrey
,
C.
,
Khalifa
,
R.
and
Jones
,
J.
(
2007
), “
Transforming audit technologies: business risk audit methodologies and the audit field
”,
Accounting, Organizations and Society
, Vol. 
32
Nos
4-5
, pp. 
409
-
438
, doi: .
Salijeni
,
G.
,
Samsonova-Taddei
,
A.
and
Turley
,
S.
(
2019
), “
Big data and changes in audit technology: contemplating a research agenda
”,
Accounting and Business Research
, Vol. 
49
No. 
1
, pp. 
95
-
119
, doi: .
Stoel
,
M.D.
and
Havelka
,
D.
(
2020
), “
Information technology audit quality: an investigation of the impact of individual and organizational factors
”,
Journal of Information Systems
, Vol. 
35
No. 
1
, pp. 
135
-
154
, doi: .
Stoel
,
D.
,
Havelka
,
D.
and
Merhout
,
J.W.
(
2012
), “
An analysis of attributes that impact information technology audit quality: a study of IT and financial audit practitioners
”,
International Journal of Accounting Information Systems
, Vol. 
13
No. 
1
, pp. 
60
-
79
, doi: .
Transparency International
(
2023
), “
Corruption perceptions index
”,
Retrieved 9 April 2025, available at:
 https://www.Transparency.Org/Cpi2013
Vietcombank
(
2015
), “
Annual report
”.
Wahyuni
,
D.
(
2012
), “
The research design maze: understanding paradigms, cases, methods, and methodologies
”,
Journal of Applied Management Accounting Research
, Vol. 
10
No. 
1
, pp. 
69
-
80
.
Xuan
,
H.
(
2019
), “
IT audit in the state audit Office of Vietnam
”,
viewed 25 June 2025, available at:
 https://tapchitaichinh.vn/thuc-trang-kiem-toan-cong-nghe-thong-tin-cua-kiem-toan-nha-nuoc.html
Harper
,
D.
and
Thompson
,
A.R.
(
2012
),
Qualitative Research Methods in Mental Health and Psychotherapy a Guide for Students and Practitioners
,
John Wiley & Sons
,
NJ
.
The Institute of Company Secretaries of India
(
2014
), “
Information technology and systems audit
”,
viewed 25 June 2025, available at:
 https://www.icsi.edu/media/webmodules/publications/4.%20Professional-%20Information%20Technology.pdf

Languages

or Create an Account

Close Modal
Close Modal