Literature Review
Evolution of IT auditing in a nutshell – journey towards a dynamic landscape
Edouard van den Heuvel
University of Amsterdam, Amsterdam, Netherlands
Open Access

Abstract

This paper offers a comprehensive analysis of the evolution of IT auditing amidst the dynamic digital transformation landscape. It delves into the profound changes in IT auditing driven by historical, technological, regulatory, and professional factors. The study identifies and explores pivotal drivers that have influenced this evolution and its integration into modern audit practices. It concludes that the multifaceted development of IT auditing is the result of interconnected factors. Altogether, these drivers have contributed to the transformation and integration of IT auditing into contemporary audit practices, with the paper summarizing and explaining eight key drivers.

Keywords

IT auditing, evolution, digital transformation, technology integration, auditing practices

Relevance to practice

In today’s tech-dependent economic environment, understanding how IT auditing has evolved is essential not just for operational efficiency but also for securing IT systems and managing risks effectively. This knowledge helps improve how businesses run, protect IT systems, and manage risk. As IT auditing now extends beyond traditional assessments, it plays a pivotal role in optimizing audit methodologies, ensuring regulatory compliance, mitigating cybersecurity and business risks, and facilitating informed decision-making in an increasingly digital landscape.

1. Introduction

The auditing profession, broadly defined as the independent and objective assessment of audit subjects (ranging from financial statements to business processes, organizational culture and behavior, quality management systems, IT systems, and more), has a longstanding history. This study aims to analyze the development of auditing from when the first literature was formulated, to better understand the background of auditing and the evolution into IT auditing. The word ‘audit’ appears to be derived from the Latin word ‘audire’, which means “to hear”. Flint (1988) describes auditing as a social phenomenon that serves neither value nor purpose, except for its practical usefulness, and states that its existence is entirely utilitarian. The function of auditing, however, has evolved in response to a perceived need of individuals or groups in society. Groups or individuals seek reassurance or information about the performance or conduct of others in which they have a legitimate and acknowledged interest.

Internal or operational auditing is the auditing of governance, business processes, management accounting by a dedicated function in the organization, reporting to the board and to the audit committee. External or financial auditing is the auditing of the annual financial statements by an independent external auditor. A specific breed of auditing, which has developed during the last half century, is the auditing of IT systems, in the broadest sense. This paper seeks to explore integrated IT auditing practices in an era marked by the pervasive influence of the digital transformation in our societies and the global economy. As a component of both internal and financial auditing, but also as an independent activity, IT auditing has increased in intensity and intricacy. This increase is inextricably tied to the integration of technology into the critical operations of contemporary organizations. Gartner reported in 2013 that IT expenditures surpassed US $3 billion annually, with organizations allocating an average of 4.4% of their operating expenses to IT (Asen et al. 2019). In 2019, a substantial increase from 4.4% to 20% was noted, whereby the previously noted 4.4% was solely dedicated to cybersecurity within the operational IT expense.

The rapid integration of digital technologies into modern enterprises has reshaped business operations and governance, making IT auditing pivotal in ensuring the integrity, security, and reliability of IT systems (Berghout and Fijneman 2023). Hence, understanding the history of IT auditing, its alignment with technological advancements, and its future prospects is crucial for practitioners, academics, and stakeholders. This research aims to contribute to the existing body of knowledge by providing a thorough analysis of the evolution of IT auditing practices, the interplay between technological advancements and demands, and the transformative potential of emerging technologies. By addressing the research question below, this study aspires to enhance IT auditing practices, leading to more effective risk management, increased auditing accuracy, and improved organizational decision making in a progressively more complex digital landscape. Thereby the following research question has been drafted:

To what extent has the practice of IT auditing evolved over time, from its inception during the early days of auditing to its current state, and what are the key factors that have influenced its development and adaptation?

In addition to analyzing the evolution of IT auditing practices, this study provides key drivers for future research and proposes significant areas for future investigation, grounded in a thorough review of existing literature. These recommendations are designed to assist IT specialists and others in enhancing their auditing techniques. This will help them manage risks better, make audits more accurate, and improve decision-making in a rapidly changing digital world. Nonetheless, several digital aspects, such as cloud computing, data privacy, and the integration of AI, require further focus. This shows that more research and improvement are needed in these areas.

2. Method

This historical analysis enables us to understand, analyze and interpret the evolution of the function of audits whereby the change in expectations of society plays a significant role. The review will be divided into meaningful periods from before 1840 until the present.

This study provides a chronological literature study, which represents a deliberate and purposeful decision aimed at providing a comprehensive and nuanced understanding of the subject matter. Organizing the literature review in chronological order allows for the exploration of the historical development and evolution of key concepts, theories, and methodologies relevant to the research domain. This study facilitates the identification of significant shifts, trends, and paradigmatic changes over time, enabling a more profound analysis of how the field of auditing has evolved and responded to various influences.

Furthermore, the chronological literature methodology provides a structured narrative that elucidates the progression of ideas, debates, and advancements within the field of IT auditing. It allows for tracing the lineage of theories and identifying pivotal moments. This approach not only enhances the clarity and coherence of the literature review but also highlights the intellectual genealogy that has contributed to the formation of the current state of knowledge. By engaging with the literature chronologically, this study not only positions itself within the broader historical discourse but also contributes to the academic community by offering a synthesized narrative that can enrich the collective understanding of the developments within IT auditing in the era of digital transformation.

2.1. Prior to 1840

Neither a historical development nor a chronological literature review has been properly described yet (Lee 1994). The earliest checking activities were reportedly found in the ancient civilizations (Lee 1986), but also in Greece and Egypt (Boyd 1905). The checking activities closest to present-day auditing were found in Greece around 350 B.C., where their existence is described by Aristotle, as cited by McMickle (1978):

Ten [logistae] ... and ten [euthuni] ... are chosen by lot. Every single public officer must account to them. They have sole control over those subject to [examination] ... they place their findings before the courts. Anyone against whom they prove embezzlement is convicted and fined by the court ten times the sum discovered stolen. Anyone whom the court on [their] ... evidence convicts of corruption, is also fined ten times the amount of bribe. If he is found guilty of administrative error, they assess the sum involved, and he is fined that amount provided in this case that he pays it within nine months; otherwise the fine is doubled.

A similarity with Aristotle was found in the ancient Exchequer of England (1100–1135), where special audit officers were appointed to make sure that expenditure transactions and state revenue were properly accounted for. The person with the responsibility for examinations was known as the ‘auditor’. The role of such examinations was to detect and prevent fraudulent actions (Abdel-Quader 2022). Moreover, the existence of checking activities was also found in Italian city states. Auditors were used by the merchants of Venice, Genoa and Florence to verify the riches brought by captains returning from the distant journeys and bound for the European continent. Again, this form of auditing was considered to prevent fraud (Brown 1962).

During the pre-industrial era, the commercial industry was characterized by a smaller scale of operations, primarily consisting of individually owned (family) companies, which resulted in a lack of hierarchical structures and reporting lines to managers or directors. The limited scale and decentralized nature of the pre-industrial commercial industry resulted in a relatively low demand for auditing practices, as the need for formalized oversight and control mechanisms was not as pronounced (Porter et al. 2005).

To summarize, auditing in the period pre-1840 was restricted to performing a detailed verification of every transaction, whereby the concept of sampling or testing was not part of the auditing procedure.

2.2. The period 1840s–1920s

The industrial revolution during the period from 1840s to the 1920s made a significant change in the practice of auditing (Gill and Cosserat 1996). During the industrial revolution, large-scale operations drove the corporate form of enterprise to the foreground (Brown 1962). Abdel-Quader (2022) concurred that in this period machine-based production and large factories were established. Capital was needed to facilitate the significant changes in industry. The middle class provided the funds for the establishment of commercial and industrial undertakings. However, this period was highly speculative and unregulated as procedures and standards were not formally described and executed. Therefore, the liability was not limited, and the rate of financial failure was high. There was a great need for protection for companies and small investors (Porter et al. 2005). The development of the auditing profession was necessary to help society by enabling control and reducing risk; thus, auditing entered the professional sphere.

In 1844, the Joint Stock Companies Act was passed in the United Kingdom; this act was a direct response to socio-developments in the UK during that period and the desire to transform unincorporated associations with many members, typical for those times, into incorporated companies with joined stocks, which made legal proceedings easier. The Joint Stock Companies Act described that ‘directors shall cause the Books of the Company to be balanced, and a full and fair Balance Sheet to be made up’. Additionally, and most importantly, the act stipulated the involvement of auditors to check the accounts of the company. This notwithstanding, the requirement of a statutory audit and the annual presentation of the balance sheet to shareholders was only made mandatory in the 1900s under the UK Companies Act 1962 (Leung et al. 2007).

In the early years of the 1900s, the accountant was normally a company manager with responsibilities to ensure the proper use of the funds entrusted to him (Porter et al. 2005). The auditors were shareholders chosen by their fellow members, which allowed for favoritism. Brown (1982) adds that auditors were required to check that transactions were completely recorded in the correct accounts and financial statements. Still, little attention was paid to the internal control environment of companies.

According to Porter et al. (2005), the auditor and related duties were highly influenced by the decisions of judicial courts. In the literature, two cases were found that concur with the statement of Porter et al. (2005): first, the case of Kingston Cotton Mill (1896) and later, the case of London and General Bank (1985). Both cases reinforced that the objective of audits was to find errors and detect fraud. The verdicts explicitly described the desired role of the auditor as cited by Leung et al. (2004, p. 7): a practical manual for auditors, the objective was (a) the detection of fraud; (b) the detection of technical errors and (c) the detection of errors in principles.

To summarize, the role of auditors during the period from the 1840s to the 1920s was mainly about detecting fraud and assessing the completeness of transactions in the financial statements of companies.

2.3. The period 1920s–1960s

During the period from the 1920s to the 1960s, economic development predominantly centered on the United Kingdom (UK), despite the period of the Great Depression around 1930 (Armstrong 1987), which some may question. However, the evolution of auditing practices gradually shifted from the UK to the United States (US), particularly during the post-Wall Street Crash (1929) recovery years when business entities experienced significant growth. This shift was also facilitated by advancements in credit-granting institutions and securities markets, contributing to the development of the capital market. As small-sized companies transitioned into professional organizations with a need for a clear separation of ownership and management functions, a necessity arose to ensure the reliability of financial transactions and flows from investors to companies, thus emphasizing the importance of providing a true and fair representation of a company’s performance and position (Porter et al. 2005).

In the context of auditing, the primary objective during this era was to provide reliability and credibility to financial statements presented by company managers to their shareholders. A noticeable shift occurred from a focus on fraud detection towards enhancing the credibility of financial statements. This transformation is evident in successive editions of Montgomery’s Auditing text, which emphasized that the auditor’s objective went beyond detecting fraud and extended to verifying the fairness and accuracy of financial statements. Montgomery’s 1934 edition noted that the detection of fraud was an important but incidental objective of an audit, while the 1940 edition emphasized that the primary responsibility for controlling and discovering irregularities lay with management (Montgomery 1934, 1940).

By 1939, the profession of auditing had witnessed rapid growth (Mock and Jerry 1981), prompting the American Institute of Accountants to establish a committee on auditing procedure. This committee’s main purpose was to address the increasing complexity of modern businesses and provide guidance on auditing procedures. Rather than revising existing documents, the committee chose to issue Statements on Auditing Procedure (SAPs), leading to the publication of the first auditing pamphlet in 1939. SAP1 highlighted the role of the auditor’s judgment in designing audit programs, particularly in determining the extent of sampling and testing based on the auditor’s assessment of the effectiveness of internal control.

During this period, the concepts of materiality (Queenan 1946) and sampling techniques (Mock and Jerry 1981; Brown 1962) emerged as significant developments. The growing volume of financial transactions in companies prompted auditors to adopt a more statistical approach, reducing the necessity for verifying all transactions individually. SAP1 and the statements of Short (1940) highlighted that detailed examination of every entry, footing, and posting was no longer required, marking a shift towards statistical sampling techniques.

In 1949, the committee on auditing procedure conducted a study focused on the nature and characteristics of internal control. This study laid the foundation for the discussion of sampling techniques and materiality and provided a graphical representation of internal control within companies. The initial definition of internal control encompassed various measures within a business, including safeguarding assets, ensuring the accuracy and reliability of the accounting data, promoting operational efficiency, and encouraging adherence to managerial policies. This broad definition recognized that internal control extended beyond accounting and financial functions, and encompassed activities such as budgetary control, standard costs, training programs, and quality control (Brown 1962).

The auditing profession underwent significant transformations during these years, with increased emphasis on internal control systems, sampling techniques, and objective assessments of financial transactions and company performance. Shareholders’ demand for a formal, objective view of their investments led to many reports and discussions on the internal control environment and the assessment of financial transactions. Various accountant professionals introduced their definitions and elaborated on characteristics of internal control, focusing on segregation of responsibilities, authorization systems, and appropriate duties and functions across organizational departments (Brown 1962; American Institute of Accountants 1949).

Around the 1960s, the development of auditing was highly influential, with companies beginning to highlight characteristics of their audit approaches. This marked the beginning of the reliance on internal control systems and sampling techniques in auditing practices. Audit evidence was increasingly gathered through an assessment from an objective third party via physical observations, reflecting a growing emphasis on reliability assurance as organizations became more accountable for their financial statements, both internally and externally (Porter et al. 2005).

2.4. The period 1960s–1970s

During the period under consideration, characterized by optimism, idealism, and economic growth, significant developments occurred in technology and the complexity of companies. Auditors played a crucial role in enhancing the credibility of financial information in the 1970s. While Leung et al. (2004) suggested that the role of auditors remained largely unchanged during this period, Davies et al. (1999) take a different stance, asserting that auditing underwent critical developments in the 1970s.

One notable shift in auditing during this time was a heightened focus on the stability of the internal control environment within companies. Auditors transitioned from primarily verifying transactions in the books to placing greater reliance on internal control systems. This shift was driven by the economic growth, which resulted in a substantial increase in the number of transactions. Auditors found it increasingly impractical to verify all transactions individually. Therefore, they began relying more on effective internal control systems. By around 1980, auditors were required to document internal controls and accounting systems, which reduced the need for extensive substantive testing when the internal control environment was effective (Salehi 2007).

The early 1970s witnessed another change in auditors’ approaches. The process of completing assessments was deemed too expensive and time-consuming, leading auditors to adopt cost-effective strategies. They started making greater use of analytical procedures, primarily driven by the introduction of risk-based auditing (Turley and Cooper 2005). Risk-based auditing focused on collecting information about high-risk aspects of the management system related to specific objectives. Auditors emphasized critical aspects of processes with the potential for errors, requiring a deep understanding of clients, policies, and key personnel. This methodology placed significant emphasis on examining audit evidence in terms of identified risks, rather than assessing all financial transactions comprehensively.

This era also marked the widespread integration of computers in business, particularly in accounting. By 1975, a substantial number of computers were in use, predominantly for accounting-related applications. The introduction of Electronic Data Processing (EDP) systems revolutionized how data was stored, retrieved, and controlled, resulting in debates within the literature. Auditors needed to understand these systems to comprehend underlying transaction calculations. The American Institute of Certified Public Accountants (AICPA) released guidelines in 1968, addressing EDP audits, leading to the development of EDP auditing practices (Kee 1993).

EDP auditors formed the Electronic Data Processing Association (EDPA) to establish standards, procedures, and guidelines for EDP audits. In 1977, Control Objectives around EDP were published, later evolving into Control Objectives for Information and related Technology (CobiT). Consequently, rapid technological changes, information security and EDP concerns began to emerge in academic literature (Ramamoorti and Weidenmier 2003). However, EDP auditing was not yet a distinct profession but was discussed as a subtopic within internal or financial auditing.

Professional associations, in contrast, were proactive in addressing EDP issues. AICPA published guidance on Auditing and EDP in 1969, followed by the Statement of Auditing Standards (SAS) No. 3, which introduced the terms general and application controls. The EDP Auditors Association (EDPAA), now ISACA, was formalized in 1969. The Institute of Internal Auditors (IIA) also responded with a focus on EDP auditing in 1973. A few auditors explored combined assurance practices, hiring specialized auditors for different aspects (Miller 1972).

The early integration of computer techniques led to the development of tools such as generalized audit software, EDP control questionnaires, Computer Assisted Audit Tools/Techniques (CAATs), and integrated test facilities (ITF). While some authors advocated for auditors to develop EDP audit skills, others expressed concerns about the cost of training, cooperation between EDP auditors and non-specialized auditors, and the reliability of IT. Ultimately, a consensus was reached that all auditors needed to update their skills to adapt to technological advancements (Seiler 1972; Holmes 1975).

To summarize, this era witnessed the rapid adoption of technology within auditing, with a focus on addressing the risks introduced by technological advancements. Auditors with various specializations collaborated to develop effective approaches to auditing. The profession of auditing was attractive due to the career possibilities it offered, whether in financial, internal, or EDP auditing. Governmental jurisdiction over the EDP auditing profession was not clearly defined, but the focus was primarily on how to conduct audits rather than determining who should perform them.

2.5. The period 1970s–1980s

During the 1970s and 1980s, the applications of computers expanded beyond mere accounting tasks. They started to be utilized in other crucial sectors, such as production and inventory management. One of the most critical technological advances during this time was Material Requirements Planning (MRP), an early way to use computers to manage inventory (Azizi et al. 2024). At first, MRP was all about determining what materials were needed to meet production plans. However, over the years, it changed to include Distribution Resource Planning (DRP), warehouse management, and other critical supply chain tasks, bringing in more parts of managing operations.

The move to MRP led to the creation of Manufacturing Resource Planning (MRP II). This improved system included planning when to make products, managing the workspace, and keeping track of supplies, influencing almost every part of a company. For IT auditors, this was the first time they had to check systems that were not just about financial data (Azizi et al. 2024). Auditing became more complicated because it now required understanding how different parts of the business worked together in these systems. Auditors had to ensure that both the business operations and the financial information were reliable (Nguyen et al. 2023). This implied that they had to acquire knowledge beyond standard accounting, including insights into production, logistics of delivery, and inventory management.

The IIA expressed interest in the EDP audit field, suggesting its integration into their working domain. The EDPAA responded by asserting its jurisdiction and providing the Certified Information Systems Auditor (CISA) certification. The IIA, however, failed to secure a prominent leadership role in EDP audit, leading to EDPAA’s prominence in this complex field (Ramamoorti and Weidenmier 2003).

As technology continued to advance during the mid-1970s, there was a growing need for professional guidance related to technology and EDP auditing. Technology development often outpaced its implementation, leading to debates and discussions in the literature. Foreign Corrupt Practices Act scandals contributed to the maturation and growth of EDP as an audit profession (Toms 2019). Internal auditors began incorporating EDP into their practices, giving rise to the concept of “Operational Audit” and a shift in focus towards determining who should perform EDP audits.

Towards the end of this period, corporate financial scandals, such as the banking crisis of 1974–75, were marked by accounting manipulation facilitated by the incorporation of IT into business processes. These scandals led to further legislative scrutiny of the EDP profession.

To summarize, this period witnessed significant technological advancements and the expansion of auditing beyond accounting. It marked the growth of EDP as an audit profession, increased collaboration between different types of auditors, and the development of professional standards and certifications. The era was also characterized by corporate scandals that highlighted the importance of internal control and EDP audit in financial reporting and accountability.

2.6. The period 1980s – late 1990s

During the period spanning from the early 1980s to the late 1990s, significant environmental factors led to the professional transformation of the Electronic Data Processing (EDP) profession. Developments during this period included the establishment of the Committee of Sponsoring Organizations (COSO) through a joint initiative involving AICPA, IIA, and IMA. This collaboration aimed to enhance guidance, reduce fraudulent financial statements, and improve financial reporting quality. Additionally, professional organizations such as the Association of Certified Fraud Examiners (ACFE), which emerged in 1988, contributed to updated guidance on internal control.

Technological growth and adoption, coupled with legislative changes like the Federal Sentencing Guidelines for Organizations (FSGO), incentivized organizations to bolster their internal auditing frameworks. The introduction of the IBM AS/400 in 1988 marked a shift in the use of computers, extending beyond organizational settings to private use. Moreover, the National Science Foundation’s endorsement of TCP/IP in 1992 facilitated the commercial use of the Internet, leading to greater decentralization of data processing (Zairi 1994).

The integration of technology into organizations prompted the need for systems and automation, resulting in the emergence of Enterprise Resource Planning (ERP) systems like SAP. This period also witnessed a shift in terminology from EDP to IT (ISCA 2019), reflecting a focus on technology-related aspects. The EDPAA transformed into the Information Systems and Control Association (ISACA), aligning itself with the evolving landscape.

Academic research on EDP was initially limited but gained momentum in the late 1980s with the introduction of research journals like The Journal of Information Systems and the Managerial Auditing Journal (Amer et al. 1987). However, the focus on EDP within these publications remained relatively minor. A shift toward more academic research can be observed, with a decrease in articles related to systems auditing and internal control. Qualitative studies and surveys declined, giving way to modeling and experiments in research methods (Samuels and Steinbart 2022; Hutchison et al. 2004).

The role of IT auditors and their skills underwent examination, with studies indicating that auditors were more efficient, particularly in IT and general control domains. Meanwhile, a growing reliance on advanced computer auditing tools as well as the provision of advisory services by auditors became more prevalent (Vasarhelyi and Halper 1991).

The period from the 1980s to the late 1990s was marked by rapid improvements in technology, especially in computing. During this time, mainframe computers became popular, bringing all IT work together in one place. Data centers were created and became the main hub for business computing. The development of Electronic Data Processing (EDP) auditing during this period significantly changed IT auditors’ jobs (Azizi et al. 2024). EDP auditing, which started as part of general financial checks, began developing into a separate area. This change happened because businesses increasingly used computer systems to handle their work, which increased the demand for specialists to assess these systems’ safety, efficiency, and reliability.

Mainframe audits looked at how well these extensive computer systems worked and how secure they were, since many organizations relied on them for essential tasks. Data center audits, however, focused on the rules and protections in the data center, including who could enter, plans for recovering from disasters, and making sure the systems were always available (Treasury Inspector General for Tax Administration 2022). IT auditors needed to learn special skills in building systems, keeping data safe and accurate, and following security rules. This change to more detailed audits focusing on specific systems meant that auditors needed to stay up to date with new technology and with how businesses increasingly depended on digital systems.

As IT grew into new business areas, ensuring that rules were followed and that data were accurate became very important for auditors. During this time, a significant change happened. Auditors started to do more than just check financial information; they also had to ensure that the computer systems that managed this information were safe and working well.

2.7. The period 1990s–2010s

This period in the field of auditing and IT can be divided into two distinct halves, each marked by its unique characteristics and challenges. The first half of this period was influenced significantly by the Sarbanes-Oxley Act (SOx). Particularly Section 404, which became effective later in 2004, placed an emphasis on the importance of internal controls and IT auditing. Technological changes were also significant during this period, with a significant increase in IT spending per worker between 1995–2005, resulting in increased productivity for IT auditors (McAfee and Brynjolfsson 2008).

The 1990s to the 2010s was a transformative period in IT auditing due to the rapid digitization of business operations and the rise of outsourcing. During this time, most organizations began outsourcing non-core IT functions like software development, help desk support, and infrastructure maintenance to reduce costs and focus on their core competencies (Olagunju and Owolabi 2020). However, this outsourcing led to significant challenges in maintaining in-house expertise and deep knowledge of technical details. With the loss of direct control over IT operations, organizations faced risks associated with outsourced IT functions’ reliability, security, and compliance. IT auditors had to address these risks by ensuring that third-party providers adhered to the organization’s internal control frameworks and maintained the same high data integrity and security standards.

At the same time, the increasing complexity of IT systems, particularly with the widespread adoption of Enterprise Resource Planning (ERP) systems, demanded new auditing approaches. ERP systems like SAP, Oracle, and PeopleSoft integrated various business processes into a single unified system, including finance, supply chain management, human resources, and customer relationship management (Olagunju and Owolabi 2020). This integration made it critical for auditors to understand the interconnected nature of these systems, as a single failure or security breach could impact multiple areas of the business.

The complexity of ERP systems and their centrality to business operations meant IT auditors needed to collaborate more closely with business stakeholders, management, and technical teams to ensure that controls were adequately designed and implemented. Additionally, as organizations became more dependent on these integrated systems, the need for IT governance frameworks, such as COBIT (Control Objectives for Information and Related Technologies) and ISO/IEC 27001, grew (Azizi et al. 2024). These frameworks helped provide a standardized approach to IT management and auditing, ensuring that all aspects of the IT infrastructure, from security to data management, were aligned with business objectives and compliance requirements.

The growing prevalence of cybersecurity concerns and regulatory compliance (e.g., SOx, GDPR) further expanded the role of IT auditors. Cyber risks, such as data breaches, malware attacks, and system vulnerabilities, became top priorities, requiring auditors to focus on network security, access controls, encryption protocols, and incident response mechanisms (Azizi et al. 2024). Simultaneously, regulatory bodies introduced more stringent compliance standards, making it necessary for IT auditors to ensure organizations followed legal requirements and documented and maintained audit trails for regulatory review.

Regulators responded to these changes by updating standards and introducing new legislation, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act, to address information privacy and security concerns. Professional associations like ISACA and AICPA also issued updates to frameworks and certifications, reflecting the evolving landscape of IT auditing.

The second half of this era saw a significant shift in auditors’ approach due to SOx Section 404, which required CEOs and CFOs to certify the effectiveness of internal controls over financial reporting. This led to increased attention to internal control systems and a closer relationship between executive boards and internal audit functions.

The demand for IT auditors has risen as the importance of integrating IT into the audit process has become more widely recognized. Integrated auditing—an approach that merges IT and financial audits—has gained prominence, creating challenges in distinguishing between general IT controls and application-specific controls. This convergence necessitates closer collaboration between general IT personnel and specialized auditors (Chaney and Kim 2007; Helpert and Lazarine 2009). Historically, Information Technology General Controls and application controls were distinctly separate, with a primary focus on maintaining boundaries rather than integration.

Professional association membership trends showed substantial growth in organizations like NOREA (NL) and ISACA, highlighting an increasing importance of certifications and expertise in IT auditing and control.

Overall, this phase saw significant upheaval in the accounting and auditing profession, driven by technological advancements, regulatory changes, and a growing awareness of the importance of IT auditing, IT security, and information security. It set the stage for the continued evolution of the field in subsequent years.

Changes in the environment have significantly affected how IT audits are done. The fast growth of the technology that businesses use has made IT audit jobs more extensive and complicated (Hass et al. 2006). Emerging technologies such as smartphones and tablets have provided businesses with innovative tools while introducing new vulnerabilities. Although ideas like SaaS have changed over the years, early versions of Application Service Providing (ASP) in the 2000s helped create our current cloud services (Hinson 2007). IT auditors have had to adapt to new challenges. They need IT security and digital investigation skills because of rising cyber threats. This means they must be good in many different areas.

Implementing the Sarbanes-Oxley Act (SOx) led to significant changes in traditional accounting roles as organizations began adopting ERP systems. This created a need for skills in IT auditing (Dechow and Mourtisen 2004). SOx brought new ideas about managing rules and risks and following laws, making IT auditing more critical. Those auditors without an IT background required significant training to cope with this shift. Integrated auditing means that generalists and specialists need to work together. This has become a common practice, bringing chances and difficulties in balancing their different skills (Kliem 2005).

Professional associations like ISACA and the Institute of Internal Auditors (IIA) responded to the changing landscape by providing guidelines, introducing new certifications, and addressing the need for IT audit skills (IIA 2007; ISACA 2008). The introduction of Auditing Standard No. 5 by the Public Company Accounting Oversight Board (PCAOB) further emphasized the importance of IT controls in audits (PCAOB 2007).

Research during this era focused on the impact of IT on internal audits, the detection of material weaknesses, and the relationship between IT integration and control deficiencies (Grant et al. 2008; Masli 2010; Lin et al. 2011; Bédard and Graham 2011; Bédard et al. 2012). These studies highlighted the critical role of IT auditing in detecting and addressing control deficiencies.

During this time, it was essential for IT auditors to have skills related to technology. With the rise of outsourcing, SAS 70 audits gained greater importance for businesses. IT auditors were vital in checking the IT services provided by other companies. This change made people see IT auditors as necessary for financial audits and for helping manage technology-related risks. The connection with information security and risk management gave IT auditors a more active and independent role.

2.8. The period 2010 – present

Since 2010, quickly changing technology has changed how IT audits work, bringing new and complex challenges. New technologies like cloud computing, artificial intelligence (AI), the Internet of Things (IoT), and machine learning offer new chances and some risks. These risks include communication problems and reliance on vendors because critical IT services are outsourced (Berghout and Fijneman 2023). As these new technologies change how businesses work, IT auditors need to check the risks from digital changes and the trustworthiness of outside vendors.

IT auditors find themselves grappling with this constantly shifting technological landscape, which is further compounded by evolving regulatory and professional guidelines. These guidelines lack standardization and are subject to frequent revisions by organizations such as COSO, ISACA, and the IIA. Professional associations have attempted to collaborate to address these challenges, but the practical benefits of such collaborations have been limited (Gray 2016).

Studies have shown that technology significantly affects auditors’ work, highlighting the need to understand IT to grow in their careers (Omoteso et al. 2010). Continuous auditing and monitoring, which require knowledge of technology and how businesses work, have become very important. Understanding the differences between IT auditors and financial auditors shows that IT auditors need to understand internal controls and business processes to understand audit results properly (Stoel et al. 2012). The debate surrounding integrated IT auditing (skills) is still ongoing. While some organizations are moving towards hybrid models that enhance the IT competency of financial auditors, the integration process remains gradual (Kwon et al. 2012). The quality of IT audits is also an area of attention, with deficiencies in the assessment of controls being a recurring issue (Havelka and Merhout 2013).

Kwon et al. (2012) argued that as technology continues to evolve and regulatory demands grow, the demand for proficient IT auditors is expected to rise. The changing landscape of technology is not only influencing the direction of research, it is also sparking jurisdictional debates within professional associations. These transformations may extend beyond traditional boundaries and may impact a broader range of professional organizations.

Reports from professional groups show that more people are joining IT auditing organizations. This indicates that technology is advancing and that more people understand how crucial IT auditing is. This trend suggests that more people in the professional world see IT auditing as an essential field. Many organizations now provide unique resources and certifications highlighting how established IT auditing has become as a profession. Refer to Table 1 for a summary of the available membership statistics, whereby the most relevant international associations are assessed on professional memberships including the most relevant ones in the Netherlands, where this study has been conducted.

Table 1 offers a comprehensive overview of membership trends within various professional associations spanning the years 1995 to 2024. These associations, encompassing IIA, ISACA, AICPA, IMA, NOREA (NL), and NBA (formerly NIVRA/NOvAA NL), represent international and national expertise. Over this timeframe, the data reveal intriguing patterns in membership evolution. In particular, the Institute of Internal Auditors (IIA) exhibited a consistent upward trajectory, with membership figures steadily increasing from 60,000 in 1995 to 230,000 in 2022. Similarly, ISACA showcased noteworthy growth, progressing from 15,000 members in 1995 to an impressive 170,000 members by 2024. AICPA, a prominent professional association of certified public accountants, demonstrated a steady increase from 343,000 members in 2009 to 698,000 in 2024.

Table 1. Membership statistics professional organizations.

| Association | 1995 | 2005 | 2009 | 2015 | 2024 |
|---|---|---|---|---|---|
| IIA | 60,000 | 115,000 | 160,000 | 182,000 | 230,000 |
| ISACA | 15,000 | 60,000 | 86,000 | 100,000 | 170,000 |
| AICPA | n/a | n/a | 343,000 | 394,000 | 698,000 |
| IMA | n/a | n/a | 60,000 | 65,000 | 140,000 |
| NOREA (NL) | ± 350 | ± 1,000 | 1,809 (2010) | 1,686 | 1,962 |
| IIA (NL) | Not known | 1,427 | 2,353 | Not known | 2,918 |
| NBA, prior NIVRA/NOvAA (NL) | 13,848 | 20,550 (2006) | 20,895 | 21,290 | 26,010 (inc trainees) |

Figure 1. Graphical representation of Table 1.

In the Netherlands, the professional associations NOREA and NBA (formerly NIVRA/NOvAA NL) present an intriguing narrative. Around the year 2010, NOREA’s membership peaked at 1,809, before stabilizing, with the NBA showing a similar trend of relative constancy in its membership figures. This stabilization within the Dutch professional landscape around 2010 is particularly noteworthy, marking a point of equilibrium and maturity in these associations’ memberships. The collective data showcased in this table serve as a valuable academic resource, shedding light on the growth trajectories and noteworthy stabilization of professional membership associations, both on an international scale and in the Netherlands. This insight into the evolving composition of these associations over time contributes to a deeper understanding of their respective fields and the broader context in which they operate. In annual reports and membership meetings of the professional associations, it is argued that the stabilization of membership is due to deregistration caused by pension-related considerations.

3. Conclusion

The journey of IT auditing reflects a dynamic evolution from a support role for financial audits to a mature and specialized profession. The field of IT auditing has changed a lot over time. It started mainly helping with financial audits and has now developed into a specialized and essential profession. This change, caused by improvements in technology, new rules, and the rise of digital problems, has turned IT auditing into a diverse area that needs skills in security, managing risks, and understanding governance. As technology keeps improving, IT auditors will probably take on more responsibilities. Their job will become even more critical in helping organizations stay solid and responsible as they go through changes in the digital world. This development highlights that IT auditing is valuable, not just for finances, and is vital for managing risks in today’s organizations.

Looking forward, the transformative trends observed over the past decades are expected to persist, propelling ongoing research and discussions within the accounting profession and professional associations. The evolution of IT auditing and control extends beyond traditional boundaries, impacting a broader range of domains and necessitating a proactive and adaptable approach by auditors, practitioners, and professional associations.

The development and adaptation of IT auditing have been influenced by a multitude of interconnected factors spanning historical, technological, regulatory, and professional dimensions. The evolution of IT auditing has been shaped by the following key drivers, which have collectively contributed to the transformation and integration of IT auditing into contemporary auditing practices.

Key drivers of the evolution of IT auditing

  1. Economic transformations and financial crises: economic developments, exemplified by the recovery from the Wall Street Crash of 1929, prompted a shift in focus from fraud detection to enhancing the credibility of financial statements. The growth of business entities and the establishment of credit-granting institutions and securities markets heightened the need for accurate financial reporting and accountability. Auditors adapted to evolving economic situations and contributed to the establishment of auditing as a profession.
  2. Technological advancements: the rapid evolution of technology, particularly during the second half of the 20th century and beyond, has been a crucial driver of the development of IT auditing. The widespread use of computers, the advent of electronic data processing (EDP), and subsequent technological innovations compelled auditors to adapt their methodologies and audit practices to incorporate emerging technologies. The integration of computers and technology into audit processes marked a significant shift in auditing paradigms.
  3. Regulatory reforms and compliance requirements: legislative changes, such as the Sarbanes-Oxley Act (SOx) and subsequent regulations, played a crucial role in the reshaping of IT auditing. SOx’s emphasis on internal controls over financial reporting required auditors to adopt a more comprehensive and risk-based approach to auditing. Regulatory reforms highlighted the importance of IT controls and accountability, leading to the evolution of IT auditing practices.
  4. Professional associations and standardization: professional organizations such as the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), ISACA including the NOREA, and the NBA in the Netherlands have all played an essential role in shaping the development of IT auditing. Associations such as these have issued frameworks, standards, and guidelines that have provided a structured approach to IT auditing practices. The development of certifications, such as the Certified Information Systems Auditor (CISA) and the RE title in the Netherlands, has contributed to the professionalization of IT auditing.
  5. Globalization and technological complexity: the increasing globalization of business operations and the proliferation of technology across industries have expanded the scope and complexity of IT auditing. Auditors are challenged to address cross-border regulatory variations and assess the risks associated with cutting-edge technologies such as cloud computing, artificial intelligence, and blockchain. These developments have prompted auditors to acquire specialized IT expertise and adapt audit methodologies accordingly.
  6. Changing business environment: the evolving nature of business models, characterized by digital transformation and the integration of technology into every aspect of business operations, has required a corresponding evolution of IT auditing. Auditors are required to assess the risks posed by technology-driven processes, data management, cybersecurity threats, and privacy concerns, reflecting the shifting business landscape.

In conclusion, the development and adaptation of IT auditing have been shaped by a confluence of historical, technological, regulatory, and professional factors. These interconnected factors have propelled IT auditing from its early origins as a mechanism for transaction verification to a sophisticated discipline that addresses the challenges and opportunities presented by modern technology and the ever-changing business environment. The evolution of IT auditing is a testament to the dynamic interplay between historical foundations, technological innovation, regulatory imperatives, and the proactive response of auditing professionals to the demands of their times.

Drs. Ing. E.S. van den Heuvel RE – Edouard, PhD Candidate, University of Amsterdam (Amsterdam Business School); Executive MSc in Auditing.

References

  • Abdel-Quader W (2022) An evaluation of the international auditing standards and their application to the audit of listed corporations in Jordan. Unpublished doctoral thesis, University of Western Sydney, Australia.
  • Amer T, Bailey J, De P (1987) A review of the computer information systems research related to accounting and auditing. Journal of Information Systems 2(1): 3–28.
  • American Institute of Accountants (1949) Internal control: Elements of a Coordinated System and Its Importance to Management and the Independent Public Accountant (5th ed.). New York.
  • Azizi M, Hakimi M, Amiri F, Shahidzay AK (2024) The role of IT (Information Technology) audit in digital transformation: Opportunities and challenges. Open Access Indonesia Journal of Social Sciences 7(2): 1473–1482. https://doi.org/10.37275/oaijss.v7i2.230
  • Bédard J, Graham L (2011) Detection and severity classifications of Sarbanes-Oxley section 404 internal control deficiencies. The Accounting Review 86(3): 825–855. https://doi.org/10.2308/accr.00000036
  • Bédard J, Hoitash R, Hoitash U, Westermann K (2012) Material weakness remediation and earnings quality: A detailed examination by type of control deficiency. AUDITING: A Journal of Practice & Theory 31(1): 57–78. https://doi.org/10.2308/ajpt-10190
  • Brown R (1962) Changing audit objectives and techniques. The Accounting Review 37(4): 696–703.
  • Brown AL (1982) Learning, Remembering, and Understanding. Technical Report No. 244.
  • Chaney C, Kim G (2007) The integrated auditor. The Internal Auditor 64(4): 46–51.
  • Davies M, Paterson R, Wilson A (1999) UK GAAP. Butterworth’s Toiley.
  • Dechow N, Mourtisen J (2004) Enterprise resource planning systems, management control and the quest for integration. Accounting, Organizations and Society 30(7–8): 691–733. https://doi.org/10.1016/j.aos.2004.11.004
  • Flint D (1988) Philosophy and principles of auditing. Hampshire: Macmillan Education Ltd.
  • Gill G, Cosserat G (1996) Modern auditing in Australia (4th ed.). John Wiley & Sons.
  • Gray JM (2016) Information Technology Audits by Internal Auditors: Exploring the Evolution of Integrated IT Audits. Published PhD thesis, Bentley University.
  • Havelka D, Merhout J (2013) Internal information technology audit process quality: Theory development using structured group processes. International Journal of Accounting Information Systems 14(3): 165–192. https://doi.org/10.1016/j.accinf.2012.12.001
  • Helpert M, Lazarine K (2009) Integrated auditing: An internal audit perspective. Southern African Journal of Accountability and Auditing Research 17(2): 47–56.
  • Hinson G (2007) The state of IT auditing in 2007. Information Systems Management 24(4): 339–345.
  • Holmes F (1975) Auditing from the DP manager’s viewpoint. The Internal Auditor 32(6): 29.
  • Hutchison P, White C, Daigle R (2004) Advances in accounting information systems and international journal of accounting information systems: First ten volumes (1992–2003). International Journal of Accounting Information Systems 5(3): 341–365. https://doi.org/10.1016/j.accinf.2004.06.002
  • IIA (2007) International Standards for the Professional Practice of Internal Auditing. Altamonte Springs, FL: The Institute of Internal Auditors.
  • ISACA (2008) IT Audit and Assurance Standards. Rolling Meadows, IL: ISACA.
  • ISACA (2019) ISACA 50 Years: An Evolving Profession. ISACA History Publication.
  • Kwon SY, Lim YD, Simnett R (2012) Mandatory audit firm rotation and audit quality: Evidence from the Korean audit market. Auditing: A Journal of Practice & Theory 33(4): 167–196. https://doi.org/10.2308/ajpt-50814
  • Lee TA (1986) Company Financial Reporting: A Historical and Comparative Study of the Dutch Regulatory Process. North-Holland, Amsterdam.
  • Lee TA (1994) Financial Reporting and Corporate Governance: A Historical and Comparative View. Aldershot, Avebury.
  • Leung P, Coram P, Cooper B (2007) Modern auditing & assurance services (3rd ed.). John Wiley & Sons, Australia.
  • Lin S, Pizzini M, Vargus M, Bardhan I (2011) The role of the internal audit function in the disclosure of material weaknesses. The Accounting Review 86(1): 287–323. https://doi.org/10.2308/accr.00000016
  • Masli A, Peters GF, Richardson VJ, Sanchez JM (2010) The effect of information technology controls on financial reporting quality. Journal of Accounting and Public Policy 29(3): 288–305.
  • McAfee A, Brynjolfsson E (2008) Investing in the IT that makes a competitive difference. Harvard Business Review 86(7/8): 98–107.
  • McMickle P (1978) The nature and objectives of auditing: A unified rationale of public, governmental and internal auditing. University of Alabama, USA.
  • Miller A (1972) The borrowed auditor; a different approach. The Internal Auditor 29(6): 30.
  • Mock T, Jerry L (1981) Internal accounting control evaluation and auditor judgment; Auditing research monograph, 3. Guides, Handbooks and Manuals 11.
  • Montgomery R (1934) Auditing theory and practice (5th ed.). Ronald Press, New York.
  • Montgomery R (1940) Auditing theory and practice (6th ed.). Ronald Press, New York.
  • Nguyen NP, Hang NTT, Hiep N, Flynn O (2023) Does transformational leadership influence organisational culture and organisational performance: Empirical evidence from an emerging country. IIMB Management Review 35(4): 382–392. https://doi.org/10.1016/j.iimb.2023.10.001
  • PCAOB [Public Company Accounting Oversight Board] (2007) Auditing Standard No. 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements. PCAOB, Washington, D.C.
  • Porter B, Simon J, Hatherly D (2005) Principles of external auditing. John Wiley & Sons, Ltd.
  • Queenan J (1946) The public accountant of today and tomorrow. The Accounting Review 21(3): 254–260.
  • Salehi M (2007) An empirical study of corporate audit expectation gap in Iran. University of Mysore, India.
  • Seiler RE (1972) Our changing information technology and its impact upon the internal audit function. The Internal Auditor 29(1): 40.
  • Short F (1940) Internal control from the viewpoint of the auditor. Journal of Accountancy.
  • Stoel D, Havelka D, Merhout J (2012) An analysis of attributes that impact information technology audit quality: A study of IT and financial audit practitioners. International Journal of Accounting Information Systems 13(1): 60–79. https://doi.org/10.1016/j.accinf.2011.11.001
  • Turley S, Cooper M (2005) Auditing in the United Kingdom. Prentice-Hall International/ICAEW. Englewood Cliffs.
  • Vasarhelyi M, Halper F (1991) The continuous audit of online systems. Auditing: A Journal of Practice & Theory 10(1): 110–125.