Effect of Computer Assisted Audit Tools on Corporate Sustainability

The literature is fertile in studies that examine the determinants of internal and external auditors’ adoption of computer-assisted audit tools and techniques (CAATs), often ignoring their practical effects on audit quality and organizational performance. This study provides novel evidence on the type of CAATs used by internal auditors, tests the effect of their adoption on corporate sustainability, and explores the moderating effect of organizational characteristics. We used data collected through a survey of Portuguese internal auditors and analyzed the research hypotheses with the partial least squares–structural equation modeling technique. We found that internal auditors use CAATs moderately in the exercise of their tasks. The results of our study show that there is a strong and positive effect of the use of CAATs by internal auditors on fraud detection in the purchase-to-pay business process, and that the intensity of this relationship is not influenced by the type and size of the entity. This study complements previous research and provides support to practitioners’ decisions that can boost the use of CAATs in internal auditing to make organizations more sustainable.


Introduction
Over the years, the goals of companies have changed considerably [1], leading to the rise of theories that describe the core corporate objective: shareholder theory, developed by Friedman [2], and stakeholder theory, developed by Freeman [3]. The shareholder theory focuses on financial goals leading to shareholder value maximization, and the stakeholder theory suggests the firm ought to maximize its value with more associated responsibility, thus creating value for all stakeholders. Zumente and Bistrova [1] warn that sustainability and long-term value creation are the key drivers to a firm's commitments to its stakeholders. Therefore, firms should contribute to the well-being of society as well as to the environment.
Sustainability represents firms' commitment/ability to conserve resources, aiming to satisfy current demands as well as those of the future generation [4]. Elkington (p. 20 [5]) refers to sustainability as the "principle of ensuring that our actions today do not limit the range of economic, social, and environmental options open to future generations". The author also presents the triple bottom line, a set composed of three elements used to assess firms' performance: economic, environmental, and social. Thus, companies are being led to enroll in the harmonization of these pillars by focusing on the 3Ps: profit, planet, and people.
Fraud is one of the main threats to business continuity and frequently culminates in the failure of organizations and economic, social, and environmental calamities [6]. Thus, fraudulent activities undermine the capacity of organizations to become more sustainable. According to Montesdeoca et al. [7], the lack of ethics in business promotes a decrease in responsibility, which in turn leads to the occurrence of fraud, a kind of malpractice, among others, which has harmful consequences to companies, such as loss of value, reputation, and image. Martinez-Ferrero et al. [8] found a negative relationship between sustainability practices and fraud. To strengthen this idea, Jan (p. 523 [9]) states, "Financial statements creation should be supported by putting more attention in a long-term orientation instead of a short-term one. Hence, the company should be concerned about its actions in the long term in order to assure its presence in the economy, thus acting in a more sustainable and responsible way [25]. Here arise two keywords: "corporate social responsibility" (CSR) and "sustainability". To assure shareholder value creation, acting in a more responsible and sustainable way, it is important to develop and implement a good corporate governance system [26]. Defective corporate governance will promote resource deviation, corporate fraud, and hence, financial scandals [27]. Unfortunately, we have witnessed many cases of fraud around the world that harm citizens. Denying the existence of corporate fraud as well as its devaluation only benefits the cheaters, endangering the stakeholders' interests and, in some cases, the community where corporations are [28]. Even before these recent scandals, demand for nonfinancial information has been increasing, particularly in ethical, social, and environmental matters [7]. The authors state the relevance of the convergence of these areas due to their linking to CSR [29], a competing key drive [30].
Additionally, the European Commission (EC) implemented the Non-Financial Reporting Directive (NFRD) (Directive 2014/95/EU), which applies to large listed companies, banks, and insurance companies with more than 500 employees; such entities are required to publish reports on the policies they implement in relation to (1) environmental protection, (2) social responsibility and treatment of employees, (3) respect for human rights, (4) anti-corruption and bribery, and (5) diversity on company boards (in terms of age, gender, and educational and professional background). In 2021, the European Commission presented its proposal for a Corporate Sustainability Reporting Directive (CSRD), which aims to revise and strengthen the NFRD and to bring, over time, sustainability reporting on par with financial reporting. Companies will have to report on how sustainability issues affect their business and the impact of their activities on people and the environment.
In order to guarantee businesses' continuity and growth, it is vital to ensure efficient corporate management. However, due to fraud, several businesses fail [31], causing economic, social, and environmental calamities [6]. Among the harmful effects of fraud, it is important to note that firms' investors are also harmed, which results in a loss of confidence among potential investors [32]. Moreover, fraud entails loss of value, reputation, and image for private companies [7], whereas in the public sector it entails loss of jobs, deterioration of the quality of public services, and destruction of the value of money for taxpayers [33].
Yu and Rha (p. 1 [34]) highlight that "... accounting fraud is a highly unethical management activity with a significant negative influence on stakeholders and can harm a firm's long-term sustainability prospects. Accounting ethics is associated with corporate sustainability, and accounting transparency has become a critical requirement for major companies". Due to the consequences instigated by fraud, Margret and Peck [35] state that issues of CSR are increasingly relevant to organizations and to sustainable business practices.

Internal Auditing as a Key Element of Corporate Governance
To be aware of the effects of fraud, especially occupational (internal) fraud cases, Ramamoorti [36] highlights the importance of firms having internal control systems, namely, an internal audit department. Flesher (pp. 1-3 [37]) states, "Necessity created internal auditing and is making it an integral part of modern business. No large business can escape it. If they haven't got it now, they will have to have it sooner or later, and, if events keep developing as they do at present, they will have to have it sooner". Vadasi et al. [38] highlight the need for restoring investors' confidence through corporate governance that improves the attention given to internal audits and its role in corporate governance. Indeed, internal auditing was moved into the role of supervision and improving risk management processes and corporate governance [39]. The importance of internal audit as a corporate governance mechanism is shown by several studies [39][40][41][42].
The interaction between internal auditing and an audit committee, external auditing, and management, described by Cohen et al. [43] as the "corporate governance mosaic," is crucial to boosting the role of internal audits in corporate governance [44]. Most times, corporate governance mechanisms are related to large firms, though they are also important to small and medium enterprises (SMEs) [45]. A good corporate governance process will help SMEs in the decision process and access to different resources.

Hypothesis Development
Leung et al. (p. 6 [10]) state that "Internal auditors are positive about their role in corporate governance but are less confident with respect to how to put such a role into practice". The auditors are aware of their role, and have benefited from the development of information technology (IT) and its usage in several businesses. Ramamoorti and Weidenmier [46] emphasize the importance of IT because it helps many organizations to achieve better performance in their activities. Internal auditors, for their part, performed better by using CAATs, which allowed them to keep playing their key roles in firms' corporate governance process. According to Singleton et al. [47], CAATs are described as tools and techniques provided by IT to help auditors manage an organization's information system by performing the set of tasks they are entitled to, namely, fraud detection. Due to their effectiveness, CAATs have gained relevance in audit methodologies [48], thus contributing to a good corporate governance process, and hence, shareholder value creation. Despite the awareness of the relevance of CAATs by internal auditors, Li et al. [49] state, based on previous studies, that the use of CAATs in an internal audit context is lower than expected. In the context of external auditing, Bierstaker et al. [50] and Mansour [51] express similar concerns.
The IIA's standards [19] recommend the use of CAATs for the proficient exercise of professional activity. CAATs can be used by internal auditors in tasks related to testing internal controls [22], in risk assessment during the planning process [24], and in forensic investigations [23]. Singleton et al. [47] mention six benefits of using CAATs: (1) CAATs can be used to audit whole data, allowing a trained auditor to identify a plethora of red flags; (2) CAAT software products use commands and procedures that auditors are used to, shortening the learning curve (e.g., Microsoft Excel, Stata, and SPSS); (3) CAATs facilitate auditors in creating reports; (4) CAATs are flexible and can export data in several formats; (5) some CAATs typically cannot edit the data, preserving its full integrity; and (6) CAATs allow auditors to automate test running. Consequently, CAATs improve the internal efficiency of internal audits [52] and are critical to organizations' ongoing survival and competitiveness [22].
CAATs can be used to identify fraud risks and to detect fraud. Fraud is a disruptive event, whereas fraud risk can be managed [53]. Coderre [23] and Smidt et al. [54] note that CAATs can be used by internal auditors to highlight transactions with characteristics likely associated with fraudulent acts (red flags). In parallel, CAATs can be used to allow the auditor to discover fraud cases and their causes with greater evidence [55,56], thus making it possible to improve the audit quality. Pereira and Nascimento [57] found that audit software was the second most used instrument by Brazilian internal auditors to detect fraud.
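As an added illustration (not code from the study or from any CAAT product), the following example runs a full-population red-flag test for double payments, one of the purchase-to-pay fraud patterns this study uses as a FRAUD item. The ledger rows, the 14-day window, the rule names and the function names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample ledger (not data from the study):
# (payment id, vendor id, invoice number as keyed in, amount, payment date)
PAYMENTS = [
    ("P001", "V100", "INV-2041",  Decimal("1250.00"), date(2021, 3, 1)),
    ("P002", "V100", "inv 2041",  Decimal("1250.00"), date(2021, 3, 9)),   # same invoice, re-keyed
    ("P003", "V200", "7781",      Decimal("980.50"),  date(2021, 3, 2)),
    ("P004", "V200", "7782",      Decimal("980.50"),  date(2021, 3, 4)),   # same amount, new number
    ("P005", "V300", "A-17",      Decimal("430.00"),  date(2021, 1, 5)),
    ("P006", "V300", "A-18",      Decimal("430.00"),  date(2021, 4, 5)),   # recurring fee, far apart
    ("P007", "V400", "INV-2041",  Decimal("1250.00"), date(2021, 3, 1)),   # different vendor
    ("P008", "V100", "INV-02041", Decimal("1250.00"), date(2021, 3, 20)),  # leading-zero variant
]

WINDOW_DAYS = 14  # assumed look-back window for the weaker rule


def normalize_invoice(raw):
    """Collapse keying variants: case, separators and leading zeros."""
    s = re.sub(r"[^A-Z0-9]", "", raw.upper())
    return re.sub(r"\d+", lambda m: m.group().lstrip("0") or "0", s)


def find_double_payments(payments, window_days=WINDOW_DAYS):
    """Return sorted red flags as (rule, vendor, payment ids).

    same_invoice       : same vendor, amount and normalized invoice number.
    same_amount_window : same vendor and amount, different invoice numbers,
                         paid within window_days of each other.
    """
    by_invoice = defaultdict(list)
    by_amount = defaultdict(list)
    for pid, vendor, invoice, amount, paid in payments:
        norm = normalize_invoice(invoice)
        by_invoice[(vendor, norm, amount)].append(pid)
        by_amount[(vendor, amount)].append((paid, pid, norm))

    findings = []
    # Strong flag: the same invoice was paid more than once.
    for (vendor, _norm, _amount), ids in by_invoice.items():
        if len(ids) > 1:
            findings.append(("same_invoice", vendor, tuple(sorted(ids))))

    # Weaker flag: consecutive payments of one amount to one vendor,
    # close together in time but under different invoice numbers.
    for (vendor, _amount), rows in by_amount.items():
        rows.sort()
        for (d1, p1, n1), (d2, p2, n2) in zip(rows, rows[1:]):
            if n1 != n2 and (d2 - d1).days <= window_days:
                findings.append(("same_amount_window", vendor, (p1, p2)))
    return sorted(findings)


if __name__ == "__main__":
    for rule, vendor, ids in find_double_payments(PAYMENTS):
        print(f"{rule:20} vendor={vendor} payments={', '.join(ids)}")
```

A flag is a lead for follow-up, not proof of fraud: the weaker rule in particular will also match legitimate instalments, which is why the window is a tunable parameter.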
In summary, the use of CAATs improves internal audit performance in terms of both efficiency and effectiveness [47]. On the one hand, the internal auditor is able to cover the highest risk areas more frequently, improving the reliability of audit results [49] and producing more relevant, reliable, and timely information [58]. On the other hand, the use of CAATs increases the likelihood of internal auditors detecting anomalies, such as fraudulent activities, that would otherwise not be discovered [49], thus improving the quality of their work [58].
The empirical studies of Ariwa et al. [21] and Olasnami [59] highlight that CAATs have enhanced the ability of external auditors to detect fraudulent activities. Considering that external auditors and internal auditors perform oversight activities, it is expected that the use of CAATs will increase the likelihood of internal auditors identifying fraudulent activities, thus being reflected in smaller losses, and consequently contributing to corporate sustainability. Additionally, internal auditing may influence improving sustainability disclosures [60], and CAATs are one of the most apt technological innovations for improving the reporting of sustainability indicators [61].
Based on the literature review, there should be a positive relationship between CAAT adoption and corporate sustainability, as captured by the following research hypothesis:

Hypothesis 1 (H1).
The adoption of computer-assisted audit tools positively influences the scope of detection of fraudulent schemes.
The potential benefits of using CAATs in internal auditing may be affected by organizational context, namely, the ownership and size of the entity. Firstly, private and public organizations have distinct goals to achieve. Whereas the former are focused on shareholder value creation (through profit maximization), the latter are more focused on providing public goods and services efficiently [62]. Furthermore, Goodwin [63] states that (1) public organizations have a more rigid and bureaucratic structure, where activities are covered by legislation, and (2) public organizations do not have profit maximization as their key goal, yet they must be efficient when providing public goods and services to their citizens. Additionally, Lartey et al. [64] state that differences exist in financial reporting between private firms and public entities. In the scope of our paper, authors like Goodwin [63] and Spraakman [65] state that internal auditing is more common and accepted within public organizations than private firms. On the other hand, it is argued that private firms put a higher value on management control systems due to their complex and dynamic environments; thus, they are more prone to generating risks for their businesses [66]. In this vein, Goodwin [63] found that internal auditors' involvement in financial risk management activities was higher in private firms compared to the public sector. The Common Body of Knowledge 2015 [67] reported that the internal auditors in privately held organizations put more priority on fraud risk than internal auditors in the public sector did. Moreover, the Association of Certified Fraud Examiners [68] reported that for-profit organizations had a higher incidence of fraud than governmental organizations. Due to computerization, many governments run their services through e-government applications, and their data are also stored digitally [69]. 
Furthermore, the subset of this data should be audited using proper computerized detection tools.
The increasing use of IT in business processes gives organizations, whether they belong to the public or private sector, a huge volume of data that needs to be processed and analyzed. Therefore, in the era of digitalization, internal auditing is required to use data analysis tools and software to prevent fraud and give more comfort to stakeholders [70]. However, the effective implementation of CAATs has been slower to develop in the public sector. Compared to the private sector reality, the Common Body of Knowledge 2015 [71] reported that internal auditors in the public sector are less proactive in using data mining and analytics techniques in the areas of identifying fraud and monitoring risk/control.
Public organizations differ from their private counterparts in terms of environmental demand and structural characteristics [72], elements that may influence internal auditors' decisions to employ CAATs in fraud discovery tasks. First, internal auditing departments in the public sector have greater difficulty attracting and retaining employees with IT skills, particularly in cybersecurity and data mining [71]. Moreover, public organizations denote a greater need to invest in skills and competencies of internal audit staff for a more effective response to fraud [73]. Consequently, investing in CAATs in the private sector turns out to be more productive, as they have more talented employees capable of being used effectively to detect fraudulent practices. Second, internal auditors in public entities exhibit less compliance in the application of IIA standards [71]. These standards recommend the use of CAATs for more efficient and effective professional activity. The context of less pressure for compliance may lead internal auditors in the public sector to opt less for the use of CAATs in detecting fraudulent schemes. Third, internal audit departments in the public sector enjoy a lower level of independence from management [71]. Independence affects the stages of the audit process, notably in the design of the audit procedures to be performed, the conclusions to be drawn from the audit evidence, and the audit report. Considering the potential of CAATs in uncovering anomalies, internal auditors may be constrained to use these tools to a lesser extent in the public sector. Finally, the Common Body of Knowledge 2015 [74] reported that internal audit departments in the public sector are less prevalent in some performance measurement metrics (e.g., timely closure of audit issues). 
The lower concern for performance evaluation may lead to less pressure to use more sophisticated techniques to improve the efficiency (cost/time) and effectiveness (quality) of audits in the public sector. In the opposite vein, many private sector organizations consider IT as a key element to develop competitive advantages and improve their performance [75].
Lee and Xia [72] suggest that the type of organization should be considered a moderator variable in the study of IT use, and a stronger moderating effect can be expected in for-profit organizations. Consequently, the different objectives and operational context of public and private organizations can impact the relationship between the use of CAATs and fraud detection activities. Therefore, we hypothesize that:

Hypothesis 2 (H2).
Ownership moderates the effect of use of computer-assisted audit tools in the scope of detecting fraudulent schemes, such that the effect is stronger in private organizations.
Secondly, the literature reveals that organizational size is a determinant of CAAT adoption [18,49,50,76,77]. For example, Daoud et al. [77] argue that it is unanimously accepted that there is a general positive relationship between organizational size and CAAT adoption. Moreover, Li et al. [49] argue that it is expected that size has a positive impact on CAAT adoption because larger entities have the best chances to afford CAATs and have more transactions and procedures to be audited than smaller entities. Rosli et al. [78], Abou-El-Sood et al. [79], and Pedrosa and Costa [80] also found that there is a positive association between the sophistication of the CAATs used and organizational size, because in small entities the investment in CAATs is not considered economically worthwhile [18].
Organizational size is a critical factor to consider in fraud control [47]. According to Singleton et al. [47], size is reflected in the following points: (i) fraudulent financial reporting is more likely to occur in large organizations, whereas misappropriation of assets occurs more in small organizations; (ii) large organizations have more resources to improve internal control and invest in internal audit and fraud prevention and detection programs; and (iii) segregation of duties is insufficient or absent in smaller organizations, and this control activity is relevant to preventing fraud. Barnes and Webb [81] found that susceptibility to fraud and the resulting losses are affected by organizational size.
Organizational size may also have a contingent effect on the original relationship between the use of CAATs and the scope of activities performed by internal auditors in fraud detection. Investment in CAATs is a whole-firm decision, not an individual's decision, because it represents a significant investment [82]. However, internal auditors are free to choose the most appropriate tools to perform their activities. The IIA standards [19] do not impose the use of CAATs, but rather state that internal auditors should consider their use. The interaction of the provision of CAATs to internal auditors (which is higher in large entities) and the perception of their usefulness in performing certain tasks may have an effect on the scope of activities performed in detecting fraudulent schemes. The moderating effect of size in the study of IT use is suggested by Lee and Xia [72]. In the specific domain of fraud, the Common Body of Knowledge 2015 [67] reported that internal auditors in large organizations use more data mining and data analytical tools to detect fraudulent schemes. Kummer et al. [83] found that larger organizations use more fraud detection instruments, which subsequently leads to more fraud being discovered. For this reason, the use of CAATs in actual internal audit activities to achieve certain results (e.g., detecting fraud) may be affected by the organization size. Drawing from the foregoing discussion, the following hypothesis is proposed:

Hypothesis 3 (H3).
Entity size moderates the effect of the use of computer-assisted audit tools in the scope of detecting fraudulent schemes, such that the effect is stronger in large organizations.

Sample and Data Collection
The target population of this study comprised internal auditors working in private and government Portuguese organizations. The unit of analysis was the individual. Because no database identifying internal auditors exists, the target population was contacted by e-mail, through the Portuguese Internal Auditing Institute and its members, and through the social network LinkedIn. Thus, as obtaining a sampling frame in this case was difficult, we used non-probability sampling, or more specifically, convenience sampling. A total of 128 questionnaires were received, but 68 responses had to be discarded due to excessive missing data and straightlining responses. (According to Hoonakker and Carayon [84], nonresponse items in internet surveys are affected by design factors, namely, they are easily discarded and prematurely completed. Moreover, we forced responses to questions. This approach encourages some individuals to stop answering the questionnaire [85].) Therefore, a total of 60 usable questionnaires were received.
To collect data, we used an internet-based survey questionnaire, which was developed through a review of the literature. The survey method is suitable for obtaining data in a context where the variables studied are associated with organizations and professional practices [85]. The availability of the questionnaire on the Qualtrics platform was preceded by the application of the translation/back-translation technique of the scales, as well as a pre-test with three auditors.
The Mann-Whitney test was used to compare the early and late responses for all items used to measure the dependent and independent variables. No significant differences were found in the comparisons, indicating overall a likely absence of nonresponse bias [86]. In order to minimize common method variance, we adopted the following procedures [87]: (i) the questionnaire contained an introductory note explaining the purpose of the research, ensuring the anonymity of responses, informing respondents that participation was voluntary, providing the contacts available should any questions arise, and encouraging them to answer honestly according to their experience; (ii) the variables were not included in the questionnaire in a logical order and the measurement items were mixed in order to avoid illusory correlations; (iii) we labeled the points of the scale to reduce acquiescence bias; and (iv) we used nominal scales and five- and seven-point Likert scales to minimize the anchor effect. Finally, we used Harman's single-factor test [87] to check whether a factor accounted for less than 50% of the total variance [88]. The exploratory factor analysis with unrotated factor solution yielded seven factors with eigenvalues greater than 1, explaining about 78.1% of the variance, with the first factor accounting for 48.8% of the variance. Therefore, results suggest that common method variance was not present.
The respondents' mean age was 38.6 (SD = 9.3) and they worked in an internal audit department that had an average of 13 employees (SD = 15.7). The majority of the respondents were men (55%), in-house internal auditors (97%), and had an average of 9 years (SD = 6.7) of professional experience in internal auditing. Additionally, slightly more than half of the respondents occupied the position of audit senior (30%) and audit manager (25%). Most of the participants were trained in the economic-financial sciences, namely, undergraduate (35%), postgraduate (13%), and master's (37%). The main certifications held by our respondents were Certified Internal Auditor (25%), Accountant (22%), and Certification in Risk Management Assurance (8%).

Measurement
Our questionnaire contained two exploratory questions to identify the prevalence of CAATs in internal audits. First, respondents were asked to indicate the extent to which they use CAATs in their Internal Audit Department and, subsequently, they gave their opinion on the frequency of use of 19 CAATs in internal audits. This list of CAATs was based on several studies [47,48,51,89,90]. In both questions, the items were measured on a five-point Likert scale, where 1 = "never," 3 = "sometimes," and 5 = "always".
Corporate sustainability, our dependent variable, is proxied by the scope of detection of fraudulent schemes performed by internal auditors in the purchase-to-pay business process (FRAUD). Fraudulent activities can destroy a business and frequently result in economic, social, and environmental calamities [6]. Consequently, fraud affects the ability of organizations to create value for shareholders and other stakeholders, resulting in a threat to organizational sustainability. Fraud risk is considered by internal auditors to be one of the top five organizational risks impacting internal audit activities [67]. Baader and Kremar [91] developed a list of seven common fraud patterns in the purchase-to-pay business process: kickback fraud, bid rigging, shell company, double payment, passthrough, non-accomplice vendor, and private purchases. We used these seven items to represent the scope of activities performed by internal auditors to detect fraud in the procurement cycle. The internal auditors evaluated the relevance of these items in the performance of their job using a seven-point Likert scale ranging from 1 (strongly disagree) to 7 (strongly agree).
The independent variable was CAAT usage (CAAT_USE). According to Henderson III et al. [20], usage is a nebulous concept and can be defined and measured in different ways. Thus, CAAT usage by internal auditors was measured with multi-item measures, allowing the researcher to capture the diversity of usage [20]. Consequently, participants were asked whether they use CAATs in specific internal auditing activities. Our scale comprised 31 items developed by referring to prior literature [49,76,92,93] and sometimes modified to meet the needs of this research. We measured these items on a scale ranging from 1 (strongly disagree) to 7 (strongly agree).
The moderating effect of entity characteristics was measured separately through two dichotomous variables: OWNER (private = 1 and public = 0) and ENTITY_SIZE (large entities = 1 and small and medium entities = 0). The classification of micro, small, and medium-sized entities (SME) used in Portugal follows the criteria defined in the EU Recommendation 2003/361/EC, 6 May. The category of SME is made up of organizations that employ fewer than 250 persons and that have an annual turnover not exceeding EUR 50 million and/or an annual balance sheet total not exceeding EUR 43 million. Organizations that do not comply with these criteria are classified as large entities.
All the measurement items of FRAUD and CAAT_USE constructs used in this study and their sources are shown in Appendix A. The questionnaire also included demographic and characteristics information for our participants, such as age, work experience, gender, education, professional qualifications, position held in the entity, employment relationship, and internal audit department size.

Data Analysis
Descriptive analysis of the variables and summarization of the participants' characteristics were performed using IBM SPSS Statistics 26. SmartPLS 3.0 was used to perform PLS-SEM to validate the measurements and test the two formulated hypotheses.
PLS-SEM is a second-generation regression technique that allows the causal relationships between one or more independent variables and one or more dependent variables to be simultaneously estimated [94] without imposing distributional assumptions on the data [95]. PLS-SEM is a method that assesses the measurement and structural models separately, combining principal component analysis with ordinary least square regressions [95]. Although PLS-SEM is similar both conceptually and practically to multiple regression analysis [95], this method can be used to better understand more complex structural and measurement models [94]. PLS-SEM is a suitable method when the goal is to perform a causal-predictive analysis [96] in exploratory studies that use small samples and where constructs are measured by several items with different scales of measurement [96]. PLS-SEM is a technique used in several social science disciplines [95], namely, in studies that seek to explain the determinants of auditors' use of CAATs [20,93]. Consequently, PLS-SEM is a suitable method for the current study, where it was used to predict the effect of the independent variable on the dependent variable and the moderation effect.
The implementation of the PLS-SEM model comprises two steps: (1) estimation of the reliability and validity of the measurement model, and (2) evaluation of the structural model and conclusion about the hypotheses under study [97]. Based on the guidelines proposed by Hair et al. [85], the present study used the reflective-reflective model since all measured indicators are manifestations of the underlying constructs. The measurement model assessment involves examining the individual indicator reliability, internal consistency reliability, convergent validity, and discriminant validity. In the assessment of the structural model, we used the coefficient of determination (R²), the predictive relevance (Stone-Geisser Q²), and the sign and relevance of the structural path coefficients. A bootstrapping procedure with 5000 samples was used to estimate the path coefficients' significance [85].

Descriptive Analysis
The first goal of this work was to identify the CAATs used by internal auditors. The average use of CAATs was 3.55, indicating that the use of IT in internal audit processes is not very intense (Table 1). This result corroborates the international findings of the Common Body of Knowledge 2015 [98], which found that 52% of internal auditors made no or very little use of CAATs in audit processes and 23% of respondents had a primary reliance on manual systems and processes.
From an individual perspective, the internal auditors reported that the most used CAATs are generic personal productivity tools, database management systems, ActiveData for Excel, and firm-tailored audit software. On the other hand, several CAATs identified in the questionnaire have an average of below two, signaling that these tools are virtually unused by internal auditors. Additionally, the Mann-Whitney test of difference of means indicates that the use of the 19 CAATs was similar between internal auditors working in private and public entities. Excluding the data mining and erase fraud manager tools, internal auditors at large entities had an identical level of use of CAATs as those at smaller entities.

Table 2 summarizes the relevant statistics for the variables and their measures used to test the research hypotheses underlying the remaining objectives of this work. The variable CAAT_USE presented a mean of 5.07, with the items having scores between 3.63 and 5.75. Overall, the data show that CAATs are sometimes used by internal auditors in concrete tasks, although there was a notable heterogeneity in the data mirrored by the high standard deviations in some items. The three items that showed the highest agreement were the use of CAATs to identify specific records to be analyzed, select sample transactions, and visualize data. Conversely, CAATs are hardly used to apply Benford's law or to assess the going concern assumption. The average FRAUD score was 4.14, with the items having means between 3.28 and 5. The standard deviations of all items were above 2.1, which denotes a remarkable variability in responses. The most (least) relevant item was the detection of double payments (bid rigging). The data also revealed that 80% of the participants work in private entities (OWNER) and 75% in large entities. Skewness of each item was less than the threshold of 1.96.
Table 3 presents a summary of the Mann-Whitney tests for the difference of means in the latent variables FRAUD and CAAT_USE and their respective indicators, considering the organizational context (size and ownership). The results show that there were statistically significant differences for several indicators of the latent variables FRAUD and CAAT_USE between respondents working in public and private organizations. In turn, the distribution of the respondents' assessment of the indicators was practically indifferent to the size of the organizations.
Table 4 shows the results of the item loadings, Cronbach's Alpha (CA), composite reliability (CR), and average variance extracted (AVE), the parameters used to evaluate the measurement model. All items had standardized loadings greater than 0.7, providing evidence of individual indicator reliability [85]. For both constructs, CA and CR were greater than 0.7, which indicates sufficient internal consistency reliability [94]. To assess the validity of the constructs, we started by checking that the AVE of the FRAUD and CAAT_USE variables was greater than the minimum threshold value of 0.50 [95], meaning that the constructs explained a significant proportion of the variance of the items. Thus, we concluded that the constructs had convergent validity. Subsequently, we verified that the constructs had discriminant validity (Table 5). The square root of the AVE of each construct was higher than its correlation with the remaining constructs, confirming the Fornell and Larcker [99] criterion. Additionally, the heterotrait-monotrait (HTMT) ratio was lower than the minimum threshold value of 0.85 [95].
The structural model assessment was performed in two steps. In the first step, the focus was on the relationship between CAAT_USE and FRAUD (Hypothesis 1). Subsequently, moderation was introduced (Hypotheses 2 and 3) and the full structural model was assessed. Table 6 shows the results without the moderation effect.
The R² of the FRAUD variable was 0.448, close to the threshold of 0.50, considered an explanatory model displaying moderate power [95]. The Q² value generated by a blindfolding procedure with an omission distance of 7 was larger than zero, indicating the predictive relevance of the structural model. The estimated path coefficient showed a positive effect of CAAT_USE on FRAUD (β = 0.669; p < 0.01), confirming H1. This result suggests that the use of CAATs produces an effect on internal auditors in performing activities that can minimize the risk of fraud in the procurement processes. Second, the structural model was assessed by including the two moderating variables separately. Table 7 shows that the model's predictive accuracy evidenced by the R² remained at a level close to moderate, as well as that the Stone-Geisser Q² metric was greater than zero, confirming the predictive relevance of the models. The results show that the positive effect of CAAT_USE on FRAUD remained significant, with path coefficients slightly higher than estimated in the unmoderated model. However, the effects of the moderation variables on the relationship between CAAT_USE and FRAUD were not found to be statistically significant, thus not allowing support for H2 and H3.
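The measurement-model checks reported above (loadings above 0.7, CR above 0.7, AVE above 0.50, and the Fornell and Larcker criterion) can be reproduced from a table of standardized loadings. The following is an added example, not the authors' code: the loadings, the correlations and the WEAK construct are constructed for illustration and are not the study's Table 4 or Table 5 values.

```python
import math

# Thresholds quoted in the text above.
MIN_LOADING, MIN_CR, MIN_AVE = 0.7, 0.7, 0.50

def ave(loadings):
    """Average variance extracted: mean of the squared standardized loadings."""
    return sum(l * l for l in loadings) / len(loadings)

def composite_reliability(loadings):
    """(sum of loadings)^2 / ((sum of loadings)^2 + sum of error variances)."""
    s2 = sum(loadings) ** 2
    return s2 / (s2 + sum(1 - l * l for l in loadings))

def assess(constructs, correlations):
    """Return per-construct pass/fail flags for reliability and validity."""
    report = {}
    for name, loadings in constructs.items():
        report[name] = {
            "loadings_ok": all(l > MIN_LOADING for l in loadings),
            "cr_ok": composite_reliability(loadings) > MIN_CR,
            "ave_ok": ave(loadings) > MIN_AVE,
            "fornell_larcker_ok": True,
        }
    # Fornell-Larcker: sqrt(AVE) of a construct must exceed each of its
    # correlations with the other constructs.
    for (a, b), r in correlations.items():
        for name in (a, b):
            if math.sqrt(ave(constructs[name])) <= abs(r):
                report[name]["fornell_larcker_ok"] = False
    return report

# Constructed inputs (assumptions, not the study's data).
CONSTRUCTS = {
    "CAAT_USE": [0.82, 0.78, 0.75, 0.71],
    "FRAUD": [0.88, 0.80, 0.74],
    "WEAK": [0.85, 0.55, 0.40],  # hypothetical construct that fails every check
}
CORRELATIONS = {
    ("CAAT_USE", "FRAUD"): 0.60,
    ("FRAUD", "WEAK"): 0.65,
    ("CAAT_USE", "WEAK"): 0.30,
}

if __name__ == "__main__":
    for name, flags in assess(CONSTRUCTS, CORRELATIONS).items():
        print(name, flags)
```

Cronbach's Alpha and HTMT are left out because both need item-level response data rather than loadings.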

Discussion
This study began by identifying the type of CAATs used by internal auditors. The results show that the use of IT in internal audit processes is not very intense, corroborating the findings of other studies [92]. According to Cangemi [98], internal auditors recognize that they could make better use of technology, and acknowledge that there are constraints to its adoption. Despite the potential of CAATs, the lack of IT training and expertise, difficulties in applying IT in real situations, and the risk associated with IT use are examples in the literature of factors that increase resistance to the proliferation of CAATs in the general audit context [80,98]. Therefore, identifying the determinants of IT adoption has given rise to several theories (theoretical models used to understand IT adoption include the unified theory of acceptance and use of technology [100], the technology acceptance model [100,101], the theory of planned behavior [102], diffusion of innovation [103], and the technology-organization-environment framework [104]) and empirical studies in the domain of CAATs in internal audits (see [20,48,54,92,105]).
The first hypothesis (H1) posits that using CAATs positively affects the scope of detection of fraudulent schemes. The results indicate that the hypothesis is supported by the data. Our study presents empirical evidence that supports the shared view in the literature [23,55–57] that the adoption of CAATs improves the capabilities of internal auditors to detect fraud. Additionally, the estimated path coefficients show the magnitude of the impact of the independent variable on the dependent variable: A one-unit change of CAAT_USE changed the level of FRAUD detection between 0.68 and 0.69 (Tables 6 and 7). Organizations are witnessing a growing process of data digitalization and process automation, whereby the effectiveness in the performance of the internal audit role is conditioned to the adoption of IT adapted to the context of the organization in which they operate. Therefore, Ariwa et al. [21] suggest that the use of CAATs should be encouraged so that the organization can operate in a fraud-free environment. Organizations lose 5% of their sales annually because of fraudulent activities [68]. The amount of money lost represents a staggering drain on the global economy, with negative consequences for job creation, the production of goods, and the provision of public services [68]. Thus, the effective use of CAATs would contribute to the minimization of fraud occurrence, which highlights the role of IT in improving organizational sustainability.
The second and third hypotheses (H2 and H3) propose that entity characteristics have a moderating effect on the relationship between CAAT use and the scope of fraudulent scheme detection. The results indicate that the hypotheses are not supported by the data. The literature shows that there are differences in the challenges and objectives between public and private organizations [62], which could impact the role of internal auditing in monitoring internal control. In this regard, the Common Body of Knowledge 2015 [67] reported that the focus on fraud risk and fraud prevention/detection is higher in privately held organizations compared to public entities. Furthermore, Lee and Xia [72] report that the moderating effect of the type of organization in the study of IT use is more pronounced in for-profit organizations. Our study provides empirical evidence that ownership has no influence on the relationship between using CAATs and fraud detection. This finding shows that there is a homogeneous view of the usefulness of CAATs for improving corporate sustainability. In fact, fraudulent activities frequently end in business failure and economic, social, and environmental calamities [6], thus damaging organizational sustainability. Fraud risk is a contemporary reality that any organization faces today [67]. Fraud entails loss of value, reputation, and image for private companies [7], whereas in the public sector it entails loss of jobs, deterioration of the quality of public services, and destruction of the value of money for taxpayers [33]. Consequently, fraud risk management has gained a prominent position in 21st-century corporate governance [53], where incorporating more IT into internal audit processes to improve sustainability has become a global challenge shared by both public and private organizations. 
In addition, the results show that auditors in public entities have similar tools as their counterparts in private entities (see Section 4.1), and thus the technological potential is used to detect fraud in the same way.
The results also show that entity size does not moderate the relationship between CAAT usage and fraud. The finding is not consistent with the Common Body of Knowledge 2015 [67], which found a higher incidence in the use of data mining and data analytics for fraud discovery in larger entities. The result of the moderation effect could be explained by the "scope of size". Lee and Xia [72] suggest IT department size as an alternative proxy to the organization size. In this case, the results of the robustness test that considered the dimension of the Internal Audit Department maintained the previous conclusion. Our finding can be attributed to the perception that exists in internal audit departments about the types of IT that are most useful for fraud prevention and detection. The results in Table 1 show that among the most commonly used CAATs are generic personal productivity tools and ActiveData for Excel; in other words, technologies that are widely used and do not require a high allocation of financial resources. This finding corroborates Araj [67], who argues that internal auditors are not fully aware of the specialized knowledge needed to respond effectively to fraud risk. Some studies [106] have found that the organization size correlates with fraud; therefore, the use of more sophisticated CAATs may be critical for internal auditors to respond appropriately to fraud.

Conclusions, Contributions, Limitations, and Future Research
Technology can offer opportunities to improve efficiency and effectiveness, helping organizations to become more sustainable. The results of our study show that there is a positive effect of the use of CAATs by internal auditors on fraud detection in the procurement cycle, and that the intensity of this relationship is not influenced by the type or size of the entity.
The findings provide theoretical and practical implications. First, this paper contributes to a stream of research on the use of CAATs and their effects on performance. Our findings agree with studies that have focused on external auditors [21,93], pioneering in focusing on the issue in the context of internal audits and sustainability. Second, we identified the type of CAATs used by internal auditors in the performance of their profession, expanding the list of IT considered in the study by Kim et al. [92]. Third, this study's use of the multivariate technique of PLS-SEM allows for more robust analyses to be made in exploratory research in comparison to previous studies [21,52] that used regression models. Fourth, the use of CAATs in concrete audit activities was measured by a more comprehensive scale compared to previous studies [20], with the CAAT_USE construct measurement model identifying 21 items with satisfactory levels of reliability.
Finally, the relationship found between CAAT use and fraud has practical implications. This study helps to understand the effect of using CAATs to improve internal audit performance through the benefits it may produce in terms of minimizing fraud risk. The use of IT increases the analytical capacity of internal auditors, which translates into expected gains in terms of detecting irregularities in accounting records, theft of assets, or inefficient operations. Consequently, improving the quality of internal audits will have a positive effect on corporate governance, helping organizations to achieve higher levels of sustainability.
This study has certain limitations. First, the sample size may have influenced the scale purification process of the CAAT_USE construct. The sample size affects the statistical tests, and it is desirable for it to be greater than 100 [95], although our study complies with the minimum size thresholds for the application of the PLS-SEM. Another limitation stems from the sensitivity of the fraud issue, whose measurement may be influenced by "political correctness". Future studies could control for social desirability direct effects on responses by using the 10-item social desirability scale from Strahan and Gerbasi [107] and its interaction with other constructs. The measurement of the FRAUD variable focused only on fraudulent schemes in the procurement cycle. Future studies could extend the scope of activities performed by internal auditors in the detection of fraud in the economic, social, and environmental fields or identify the number of frauds detected in a given period by internal auditors. Other limitations include the specificity of the study's geographical focus. An application in different cultural contexts, namely, common-law countries, would be a natural extension. Future research may also consider other entity characteristics to check moderator effects, such as industry. The direct effect of organizational size on the use of CAATs could also be explored. The organizational size can be measured using quantitative and qualitative criteria, with both approaches presenting advantages and disadvantages in their use [108]. Future studies could analyze the moderating effect of size based on other indicators, such as output measures (e.g., sales) or financial resources (e.g., net assets).

Informed Consent Statement: Informed consent was obtained from all subjects involved in the study.

Data Availability Statement: Data used and analysed during this study are available from the corresponding author by request.

Conflicts of Interest:
The authors declare no conflict of interest.
Appendix A

Table A1. Survey items used for dependent and independent variables.

| Construct | Code | Indicator | Source |
|---|---|---|---|
| CAAT_USE | Risk_errors | Identify and assess the risks of errors in the audited information and processes | Adapted from [93] |
| CAAT_USE | Risk_fraud | Identify and assess fraud risks in the audited information and processes | Adapted from [93] |
| CAAT_USE | Detect_errors | Detect errors in the audited information and processes | Adapted from [ |
| CAAT_USE | Repeat | Use large populations to electronically test a repetitive calculation | [93] |
| CAAT_USE | Going_concern | Assessment of going concern assumption | [93] |
| CAAT_USE | Extract_records | Extract specific records to be analyzed, such as payments more than a specified amount or transactions before a given date | [93] |
| CAAT_USE | Reperform | Re-performance procedures | [ |
| CAAT_USE | Relationship | Perform analysis of relationships between variables, such as linear regression | Adapted from [92] |
| CAAT_USE | Cluster | Clustering | [49] |
| FRAUD | Kickback | Kickback fraud: collusion between suppliers and managers/employees for fictitious or inflated purchases (e.g., placing multiple purchase orders for small amounts for the same product) | [91] |
| FRAUD | Rigging | Bid rigging: vendors who pay to influence a competitive bidding process in their favor (e.g., influence the specifications in their favor) | [91] |
| FRAUD | Shell | Shell company: fictitious companies or companies with reduced activity with which the company is suddenly connected (e.g., company data coincide with employee data) | [91] |
| FRAUD | Double | Double payment: payment is often made twice (e.g., a given purchase was invoiced at several points in time) | [91] |
| FRAUD | Pass | Pass-through: manager/employee has a company that sells goods and services to the entity where he/she works at inflated prices (e.g., high-volume purchases from a new or unauthorized supplier) | [91] |
| FRAUD | Accomplice | Non-accomplice vendor: involvement of innocent suppliers in the embezzlement of company funds or assets (e.g., overpayment of an invoice, requesting the return of the difference) | [91] |
| FRAUD | Personal | Personal purchases: making private purchases at the expense of the company (e.g., receipt of unjustified goods) | [91] |
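Three of the FRAUD indicators in Table A1 name a symptom that can be tested directly on purchase-to-pay records: Double (a purchase invoiced at several points in time), Kickback (multiple small purchase orders for the same product) and Shell (company data coinciding with employee data). The following is an added example, not taken from the study or from any CAAT product; the record layout, the approval limit of 500 and all sample rows are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: (payment_id, vendor, po, amount, date)
PAYMENTS = [
    ("P1", "V10", "PO-1", 1200.00, "2021-03-01"),
    ("P2", "V10", "PO-1", 1200.00, "2021-03-15"),  # same purchase paid again
    ("P3", "V20", "PO-2", 480.00, "2021-03-02"),
    ("P4", "V20", "PO-3", 490.00, "2021-03-03"),
    ("P5", "V20", "PO-4", 495.00, "2021-03-04"),
    ("P6", "V30", "PO-5", 7300.00, "2021-03-09"),
]
PO_PRODUCT = {"PO-1": "laptop", "PO-2": "toner", "PO-3": "toner",
              "PO-4": "toner", "PO-5": "consulting"}
VENDORS = {"V10": {"iban": "XX00-1111", "address": "1 Harbour St"},
           "V20": {"iban": "XX00-2222", "address": "4 Dock Road"},
           "V30": {"iban": "XX00-3333", "address": "9 Mill Lane"}}
EMPLOYEES = {"E7": {"iban": "XX00-7777", "address": "9 mill  lane"}}

def _norm(value):
    """Case- and whitespace-insensitive form used for master-data matching."""
    return " ".join(str(value).lower().split())

def double_payments(payments):
    """Double: same vendor, PO and amount paid on more than one date."""
    groups = defaultdict(list)
    for pid, vendor, po, amount, date in payments:
        groups[(vendor, po, amount)].append((date, pid))
    return {key: [pid for _, pid in sorted(rows)]
            for key, rows in groups.items()
            if len({date for date, _ in rows}) > 1}

def split_orders(payments, po_product, limit, min_orders=3):
    """Kickback symptom: several POs under the limit, same vendor and product."""
    groups = defaultdict(set)
    for _, vendor, po, amount, _ in payments:
        if amount < limit:
            groups[(vendor, po_product[po])].add(po)
    return {key: sorted(pos) for key, pos in groups.items()
            if len(pos) >= min_orders}

def vendor_employee_matches(vendors, employees, fields=("iban", "address")):
    """Shell symptom: vendor master data that coincides with employee data."""
    hits = []
    for vid, vendor in sorted(vendors.items()):
        for eid, emp in sorted(employees.items()):
            shared = [f for f in fields
                      if vendor.get(f) and _norm(vendor[f]) == _norm(emp.get(f, ""))]
            if shared:
                hits.append((vid, eid, shared))
    return hits

if __name__ == "__main__":
    print(double_payments(PAYMENTS))
    print(split_orders(PAYMENTS, PO_PRODUCT, limit=500.0))
    print(vendor_employee_matches(VENDORS, EMPLOYEES))
```

Each hit is a record set for the auditor to examine, in the sense of the Extract_records item, not a finding of fraud.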