Internal Audit
Efficiency through Automation
DAVID CODERRE
John Wiley & Sons, Inc.
Copyright © 2009 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, electronic, mechanical, photocopying,
recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the
1976 United States Copyright Act, without either the prior written permission of the
Publisher, or authorization through payment of the appropriate per-copy fee to the
Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923,
(978) 750-8400, fax (978) 646-8600, or on the web at www.copyright.com. Requests to
the Publisher for permission should be addressed to the Permissions Department, John
Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011,
fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their
best efforts in preparing this book, they make no representations or warranties with
respect to the accuracy or completeness of the contents of this book and specifically
disclaim any implied warranties of merchantability or fitness for a particular purpose. No
warranty may be created or extended by sales representatives or written sales materials.
The advice and strategies contained herein may not be suitable for your situation. You
should consult with a professional where appropriate. Neither the publisher nor author
shall be liable for any loss of profit or any other commercial damages, including but not
limited to special, incidental, consequential, or other damages.
For general information on our other products and services, or technical support, please
contact our Customer Care Department within the United States at (800) 762-2974,
outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that
appears in print may not be available in electronic books.
For more information about Wiley products, visit our web site at http://www.wiley.com.
Library of Congress Cataloging-in-Publication Data:
Coderre, David G.
Internal audit : efficiency through automation / David Coderre.
p. cm.
Includes bibliographical references and index.
ISBN 978-0-470-39242-3 (cloth)
1. Auditing, Internal–Data processing. 2. Risk assessment–Data processing. I. Title.
HF5668.25.C628 2009
657’.450285–dc22
2008037345
Printed in the United States of America.
For Anne, Jennifer and Lindsay
This book celebrates the spirit of all auditors who are trying
to do the best job they can with the tools available to them
and who are continuously searching for “better ways.”
David Coderre
E-mail: Dave [email protected]
Internal auditors cannot stand by and watch as the business world embraces
new technology. The tools and techniques used in the past are no longer
adequate; we need to restock our toolboxes with a variety of software to
meet the challenges of auditing in today’s business environment.
David Coderre
About The Institute of Internal Auditors
The Institute of Internal Auditors (IIA) is internationally recognized as a
trustworthy guidance-setting body. Serving members in 165 countries,
The IIA is the internal audit profession’s global voice, chief advocate, recognized authority, acknowledged leader, and principal educator on governance, risk, and internal control.
The IIA sets, stewards, and promulgates the International Standards
for the Professional Practice of Internal Auditing (Standards). The Institute
also provides various levels of accompanying guidance; offers leading-edge
conferences, seminars and Web-based training; produces forward-thinking
educational products; offers quality assurance reviews, benchmarking, and
consulting services; and creates growth and networking opportunities for
internal auditors throughout the world. The IIA also certifies professionals
through the globally recognized Certified Internal Auditor® (CIA®), and
provides specialty certifications in government, control self-assessment, and
financial services.
The IIA’s Web site, www.theiia.org, is rich with professional guidance
and information on IIA programs, products, and services, as well as resources for IT audit professionals. The Institute publishes Internal Auditor,
an award-winning, internationally distributed trade magazine and The IIA’s
other outstanding periodicals address the profession’s most pressing issues
and present viable solutions and exemplary practices.
The IIA Research Foundation (IIARF) works in partnership with experts
from around the globe to sponsor and conduct research on the top issues
affecting internal auditors and the business world today. Its projects advance
the internal audit profession globally by enhancing the professionalism of
internal audit practitioners. It also provides leading-edge educational products through the IIARF Bookstore.
Contents

Case Studies  xv
Preface  xvii
Acknowledgments  xxi

CHAPTER 1  CAATTs History  1
  The New Audit Environment  2
  The Age of Information Technology  3
  Decentralization of Technology  3
  Absence of the Paper Trail  4
  Do More with Less  4
  Definition of CAATTs  5
  Evolution of CAATTs  6
  Audit Software Developments  7
  Historical CAATTs  8
  Test Decks  8
  Integrated Test Facility (ITF)  9
  System Control Audit Review File (SCARF)  9
  Sample Audit Review File (SARF)  9
  Sampling  10
  Parallel Simulation  10
  Reasonableness Tests and Exception Reporting  11
  Traditional Approaches to Computer-Based Auditing  12
  Systems-Based Approach  12
  Data-Based Approach  15
  Audit Management and Administrative Support  19
  Roadblocks to CAATT Implementation  20
  Summary and Conclusions  24

CHAPTER 2  Audit Technology  27
  Audit Technology Continuum  27
  Introductory Use of Technology  27
  Moderate Use of Technology  28
  Integral Use of Technology  29
  Advanced Use of Technology  30
  Getting There  31
  General Software Useful for Auditors  32
  Word Processing  32
  Text Search and Retrieval  34
  Reference Libraries  35
  Spreadsheets  35
  Presentation Software  37
  Flowcharting  38
  Antivirus and Firewall Software  39
  Software Licensing Checkers  39
  Specialized Audit Software Applications  40
  Data Access, Analysis, Testing, and Reporting  40
  Standardized Extractions and Reports  44
  Information Downloaded from Mainframe Applications and/or Client Systems  45
  Electronic Questionnaires and Audit Programs  48
  Control Self-Assessment  49
  Parallel Simulation  50
  Electronic Working Papers  51
  Data Warehouse  52
  Data Mining  54
  Software for Audit Management and Administration  56
  Audit Universe  56
  Audit Department Management Software  57
  E-mail  57
  File Transfer Protocol (FTP)  57
  Intranet  59
  Databases  60
  Groupware  61
  Electronic Document Management  61
  Electronic Audit Reports and Methodologies  62
  Audit Scheduling, Time Reporting, and Billing  63
  Project Management  64
  Extensible Business Reporting Language (XBRL)  64
  Expert Systems  67
  Audit Early-Warning Systems  68
  Continuous Auditing  69
  Continuous Auditing versus Continuous Monitoring  72
  Example of Continuous Auditing: Application to an Accounts Payable Department  74
  Stages of Continuous Auditing  77
  Continuous Auditing Template  79
  Sarbanes-Oxley  80
  Important SOX Sections  81
  The Role and Responsibility of Internal Audit  83
  Risk Factors  84
  Detecting Fraud  85
  Determining the Exposure to Fraud  86
  SOX Software  88
  Assessment of IT Controls and Risks  90
  Defining the Scope  92
  GAIT Principles  93
  Governance, Risk Management, and Compliance (GRC)  94
  Internal Audit’s Role in the GRC Process  97
  Identifying and Assessing Management’s Risk Management Process  99
  Assessment of Internal Control Processes  100
  GRC Software  101
  Summary and Conclusions  102

CHAPTER 3  CAATTs Benefits and Opportunities  103
  The Inevitability of Using CAATTs  103
  The New IM Environment  105
  The New Audit Paradigm  105
  Expected Benefits  108
  Planning Phase—Benefits  109
  Conduct Phase—Benefits  112
  Data Analysis  112
  Increased Coverage  112
  Better Use of Auditor Resources  115
  Improved Results  116
  Reporting Phase—Benefits  116
  Administration of the Audit Function—Benefits  117
  Reduced Costs  119
  Increased Performance  120
  Increased Time for Critical Thinking  122
  Recognizing Opportunities  124
  Transfer of Audit Technology  126
  Summary and Conclusions  127

CHAPTER 4  CAATTs for Broader-Scoped Audits  129
  Integrated Use of CAATTs  129
  Value-for-Money Auditing  134
  Value-Added Auditing of Inventory Systems  134
  Data Analysis in Support of Value-Added Inventory Auditing  135
  Inventory Management Practices and Approaches  136
  Possible Areas for Audit-Suggested Improvements  138
  Audit and Reengineering  144
  Audit and Benchmarking  148
  Summary and Conclusions  152

CHAPTER 5  Data Access and Testing  153
  Data Access Conditions  153
  Mainframe versus Minicomputer versus Microcomputer  154
  Portability of Programs and Data  154
  Limitations to Using the Microcomputer  155
  Processing Speeds  155
  Single Tasking  156
  Inability to Deal with Complex Data and File Structures  156
  Client Facilities  157
  Auditor’s Microcomputer-Based Facilities  158
  Data Extraction and Analysis Issues  159
  Accessing the Data  160
  Data Storage Requirements  161
  Analysis of Data  162
  Risks of Relying on Data—Reliability Risk  163
  Reliance on the Data  164
  Knowledge of the System  165
  Assessment of the Internal Controls  166
  New Topology of Data Tests  167
  Reducing Auditor-Induced Data Corruption  168
  Potential Problems with the Use of CAATTs  169
  Incorrect Identification of Audit Population  169
  Improper Description of Data Requirements  171
  Invalid Analyses  172
  Failure to Recognize CAATT Opportunities  173
  Summary and Conclusions  174

CHAPTER 6  Developing CAATT Capabilities  177
  Professional Proficiency: Knowledge, Skills, and Disciplines  177
  Computer Literacy: Minimal Auditor Skills  178
  Ability to Use CAATTs  180
  Understanding of the Data  181
  Analytical Support and Advice  182
  Communication of Results  184
  Steps in Developing CAATT Capabilities  184
  Understand the Organizational Environment/Assess the Organizational Culture  184
  Obtain Management Commitment  185
  Establish Deliverables  186
  Set Up a Trial  186
  Plan for Success  186
  Track Costs and Benefits  187
  Lessons Learned  187
  Organize Working Groups  188
  Computer Literacy Working Group  189
  CAATT Working Groups  190
  Information Systems Support to Audit  191
  Assure Quality  195
  Quality Assurance Methodology  196
  Preventive Controls for CAATTs  197
  Detective Controls for CAATTs  198
  Corrective Controls for CAATTs  199
  Quality Assurance Reviews and Reports  200
  Summary and Conclusions  200

CHAPTER 7  Challenges for Audit  203
  Survival of Audit  203
  Audit as a Learning Organization  204
  Knowledge Acquisition  204
  Information Dissemination  205
  Information Interpretation  205
  Organizational Memory  205
  New Paradigm for Audit  206
  Computer-Assisted Audit Techniques  206
  Computer-Aided Audit Thought Support  207
  Auditor Empowerment  208
  Access to Microcomputers and Computer Networks  209
  Access to Audit Software—Meta-Languages  209
  Universal Access to Data  210
  Access to Education, Training, and Research  210
  Skills Inventory  212
  Needed versus Actual Skills  212
  Required versus Actual Performance  215
  Auditor Skills for Using CAATTs  216
  IS Auditor Skills  216
  Training Programs and Requirements  217
  Conceptual Training  217
  Technical Training  218
  Training Options  218
  In-house  218
  Professional Associations  218
  Educational Institutions  219
  Computer-Based, Video-Based, and Web-Based Training  219
  Summary and Conclusions  220

Appendices  223

APPENDIX A  The Internet—An Audit Tool  225
  The Internet  225
  Connecting to the Internet  225
  General Internet Uses  226
  Useful Sites for Auditors  229
  Examples of Audit-Related Internet Usage  230

APPENDIX B  Information Support Analysis and Monitoring (ISAM) Section  231

APPENDIX C  Information Management Concepts  235

APPENDIX D  Audit Software Evaluation Criteria  241
  General Capabilities  241
  Reporting Capabilities  241
  Graphics Capabilities  242
  Mathematical Functions  242
  File Manipulation Capabilities  242
  Record Definition Capabilities  242
  File Type Capabilities  242
  Programming Capabilities  242
  Support  243
  Other Capabilities  243

References  245

Index  249
Case Studies

CHAPTER 1
  1  Financial Controls over the Supplier List  12
  2  Review of Employees and Salary Costs  14
  3  Telephone Charges  15
  4  Audit Planning  17
  5  Review of Overtime Expenditures  20

CHAPTER 2
  6  Audit Reporting  37
  7  Verifying Application Controls  41
  8  Allocation of Cleaning Expenditures  43
  9  Detail and Summary Data  46
  10  Use of Summary Data  47
  11  Data Capture Options  49
  12  Insurance Premiums  50
  13  Multisite Audit  58
  14  Audit of Hazardous Materials  67

CHAPTER 3
  15  Source Code Review  106
  16  Analyzing Systems Log  107
  17  Research and Development Audit  110
  18  Audit of the Personnel Function  110
  19  Inventory Controls  111
  20  Audit of Gasoline Costs  112
  21  Interest Charges on Overdue Accounts Payable  113
  22  Confirmation Letters  116
  23  Findings Database  117
  24  Audit Program Administration  118
  25  On-the-Road Auditing  120
  26  Environmental Audit  121
  27  Paper File Review  122

CHAPTER 4
  28  Management of Commissions and Bonuses  130
  29  Identifying Obsolete Inventory Items  139
  30  Store Closure  144
  31  Review of a Downsizing Program  145
  32  Fair Practices Program  147
  33  Audit versus Benchmarking  150

CHAPTER 5
  34  Processing Multireel Volumes of Data  161
  35  Processing against a Sample File  162
  36  Debits and Credits  165
  37  Financial Audit  170
  38  Personnel Audit  170

CHAPTER 6
  39  Executive Information System  180
  40  Overtime Audit  182
  41  Computer Literacy  190
  42  The Changing Role of the IS Auditor  193
Preface
Technology is pervasive—invading all areas of our personal and business
lives. In our personal lives, we have some control over how much
technology we will tolerate, but not so in our professional lives. Every aspect
of modern organizations involves technology, to the extent that auditors can
no longer audit around the computer as they did from 1960 until recently.
Technology is an important element of a majority of the controls that are,
or should be, in place. In addition, not only is technology a necessary tool
of auditors, but it can also improve the efficiency and effectiveness of the
audit process.
The ease of access and the myriad types of audit software has taken
technology out of the hands of IT auditors and made it readily available to
all auditors. The key to harnessing the power of technology and increasing
audit efficiency is to ask the question “How can technology be used to
support the audit function?” Furthermore, too many auditors are simply
automating what was done manually before. Instead, auditors should be
asking, “What else will technology allow me to do?” This demands that
all auditors have access to, and an understanding of, the technology and
underlying data, and that technology be employed in all phases of the
audit from the initial development of the risk-based annual audit plan to
the planning, conducting, reporting, and follow-up phases of individual
audits.
Technology as an audit tool is not a new concept, but it has gained
considerable ground in the last five to ten years. Part of the recent drive to
incorporate technology in both business and audit has been a result of legislation such as Sarbanes-Oxley (SOX). The cost of compliance—millions of
dollars on average—drove organizations to employ technology to reduce the
people-intensive manual testing of financial controls that was overly time
consuming. In particular, data analysis techniques offered much-needed
efficiencies—reducing overall SOX compliance costs and expanding the
scope and reliability of audit tests. The use of data analytics also gives auditors an independent view of the business systems, the individual financial
transactions, and the key financial controls. Through continuous auditing,
auditors can highlight anomalies, control deficiencies, and unusual trends.
This means that errors, fraud, and other problems can be identified in a
timely manner—supporting the compliance requirements of SOX Section
409.
Increased globalization of businesses, market pressure to improve operations, and rapidly changing business conditions are providing additional
encouragement for technology-enabled auditing (TEA). These forces are
creating the demand for more timely and ongoing assurance that controls
are working effectively and risk is properly mitigated. To meet this need,
many internal auditors are implementing continuous auditing. This book
will help auditors learn what continuous auditing does and how it can help
auditors make better use of data analytics, while maintaining their independence and objectivity in evaluating the effectiveness of risk management
and control assessment processes.
Continuous auditing has two main components. The first is continuous
risk assessment: audit activities that identify and evaluate companywide
risk levels by examining trends in the data-driven risk indicators within
a single process or system. These processes are then compared to their
past performance and other business systems. For example, product line
performance is compared to the performance of the previous year, but it
is also assessed within the context of its performance compared to the other
plants.
The second component of continuous auditing is continuous control
assessment: audit activities that identify whether key controls are working
properly. Through continuous control assessments, individual transactions
are monitored against a set of control rules to determine if the internal
controls are functioning as designed and to highlight exceptions. Assessing
a well-defined set of control rules allows auditors to warn the organization
when process or system controls are not working as intended or when the
controls are compromised. By identifying control weaknesses and violations,
auditors can provide independent assurance to the audit committee and
senior management.
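To make the rule-based monitoring described above concrete, here is an added example (my own code, not taken from the book) that runs a constructed batch of accounts payable transactions against a small set of control rules, collects the exceptions, and then trends the exception rate by posting month so the same batch also yields a risk indicator of the kind the continuous risk assessment paragraph describes. The approval limits, the approved-vendor list, the business-hours window, and every payment record are constructed assumptions for this illustration; a real deployment would read them from the vendor master and the delegation-of-authority table.

```python
"""Continuous control assessment: run a batch of payments against control
rules, collect exceptions, and trend the exception rate by period."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Payment:
    id: str
    vendor: str
    invoice_no: str
    amount: float
    approver: str
    posted: datetime


# Constructed reference data (assumptions for this example, not from the book).
APPROVAL_LIMITS = {"alice": 5_000.00, "bob": 25_000.00}   # delegated signing limits
APPROVED_VENDORS = {"V100", "V200", "V300"}                # "approved" flag in vendor master
BUSINESS_HOURS = range(7, 19)                              # 07:00-18:59, Monday to Friday


# Each control rule returns an exception message, or None when the control held.
def rule_over_limit(p, ctx):
    limit = APPROVAL_LIMITS.get(p.approver)
    if limit is None:
        return f"approver {p.approver} has no delegated limit"
    if p.amount > limit:
        return f"amount {p.amount:.2f} exceeds {p.approver}'s limit of {limit:.2f}"
    return None


def rule_unapproved_vendor(p, ctx):
    return None if p.vendor in APPROVED_VENDORS else f"vendor {p.vendor} not on approved list"


def rule_duplicate_invoice(p, ctx):
    # ctx["invoice_counts"] is computed once per batch in assess_controls()
    if ctx["invoice_counts"][(p.vendor, p.invoice_no)] > 1:
        return f"invoice {p.invoice_no} from {p.vendor} appears more than once"
    return None


def rule_off_hours(p, ctx):
    if p.posted.weekday() >= 5 or p.posted.hour not in BUSINESS_HOURS:
        return f"posted outside business hours ({p.posted:%a %H:%M})"
    return None


RULES = (rule_over_limit, rule_unapproved_vendor, rule_duplicate_invoice, rule_off_hours)


def assess_controls(payments, rules=RULES):
    """Return {payment id: [exception messages]} for every payment that breaks a rule."""
    ctx = {"invoice_counts": Counter((p.vendor, p.invoice_no) for p in payments)}
    exceptions = {}
    for p in payments:
        hits = [msg for rule in rules if (msg := rule(p, ctx)) is not None]
        if hits:
            exceptions[p.id] = hits
    return exceptions


def exception_rate_by_period(payments, exceptions):
    """Share of payments with at least one exception, per posting month (a risk indicator)."""
    totals, flagged = Counter(), Counter()
    for p in payments:
        period = p.posted.strftime("%Y-%m")
        totals[period] += 1
        if p.id in exceptions:
            flagged[period] += 1
    return {period: flagged[period] / totals[period] for period in sorted(totals)}


def risk_trend(rates, tolerance=0.1):
    """Compare each period's exception rate with the previous one (continuous risk assessment)."""
    periods = sorted(rates)
    trend = []
    for prev, cur in zip(periods, periods[1:]):
        delta = round(rates[cur] - rates[prev], 4)
        label = "worsened" if delta > tolerance else "improved" if delta < -tolerance else "stable"
        trend.append((cur, delta, label))
    return trend


# Constructed sample batch: two months of payments with known control breaks.
SAMPLE_PAYMENTS = [
    Payment("P0", "V300", "INV-300", 800.00, "alice", datetime(2009, 3, 3, 9, 0)),      # clean
    Payment("P1", "V100", "INV-001", 1200.00, "alice", datetime(2009, 3, 2, 10, 15)),   # duplicate of P2
    Payment("P2", "V100", "INV-001", 1200.00, "alice", datetime(2009, 3, 9, 11, 0)),    # duplicate of P1
    Payment("P3", "V200", "INV-777", 9800.00, "alice", datetime(2009, 3, 12, 14, 30)),  # over alice's limit
    Payment("P4", "V999", "INV-052", 450.00, "bob", datetime(2009, 3, 14, 23, 40)),     # unapproved vendor, Saturday night
    Payment("P5", "V300", "INV-310", 15000.00, "bob", datetime(2009, 4, 6, 9, 5)),      # clean
    Payment("P6", "V200", "INV-778", 3000.00, "carol", datetime(2009, 4, 7, 16, 0)),    # approver has no limit
]

if __name__ == "__main__":
    found = assess_controls(SAMPLE_PAYMENTS)
    for pid, msgs in found.items():
        print(pid, "->", "; ".join(msgs))
    rates = exception_rate_by_period(SAMPLE_PAYMENTS, found)
    print(rates, risk_trend(rates))
```

Each rule is a plain function so the set of control rules can be extended or swapped per process without touching the assessment loop, and batch-level facts such as duplicate invoice counts are computed once and passed in rather than recomputed per transaction. The exception rate per period is the kind of data-driven risk indicator that can be compared with prior periods or with other plants.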
A more recent catalyst for the use of technology in audit is governance,
risk management, and compliance (GRC). High-performing companies are
integrating their GRC activities to make them more efficient, effective, dependable, and legally sound. Internal audit can use technology to perform
independent assessments of the management GRC processes—to determine
whether there is reasonable assurance that the overall goals and objectives
of the organization will be met. To do this, internal auditors must consider emerging areas of risk, the effectiveness of management’s monitoring
programs, and the adequacy of management’s response to identified risks.
This requires a systematic approach to the evaluation of risk management,
control, compliance, and governance processes. Auditors can assist management by performing analytical reviews of the GRC processes, by testing
compliance with general and application controls, and by performing trend
analysis to identify emerging areas of risk.
The key to effectively using TEA is to develop a good understanding
of the main business processes and the associated information systems and
infrastructure (i.e., their controls and the data contained therein). However,
the adoption of TEA will require all auditors to have knowledge not only of
information systems, but also the tools and techniques supporting the data
analysis.
The chief audit executive and all auditors must realize that TEA will
change the way audits are conducted, including the procedures and level
of effort required. This will place new demands on the audit department
and possibly on the work performed by IT auditors. Historically, the only
auditors who even dared to look at the application controls were IT auditors; however, the audit world has changed significantly in the past few
years. No longer are IT and business risks considered as separate entities.
All auditors are encouraged to consider IT risks as business risks and to
develop a more integrated approach to auditing. The role of the IT audit
specialist has expanded to include supporting general audit by arranging
for access, downloading the data, dealing with disparate data structures and
data normalization issues, and assisting with the more complex analyses.
The IT audit specialists can also be used in the quality assurance process—
reviewing analyses performed by the auditors to ensure the results can be
relied upon and developing standard routines that can ensure consistency
and bring additional efficiencies to the analysis activities.
Everyone has heard the phrases “if it ain’t broke, don’t fix it” and “don’t
reinvent the wheel.” These adages are useful to remember, but too often we
find ourselves constrained by mental barriers that we create for ourselves.
Methods that worked well in the past become entrenched in our way of
thinking. Sometimes this is good, because past experiences can help us
avoid pitfalls and maximize the use of our time. But strict reliance on past
experiences can result in trying to force familiar solutions onto different
problems, or can cause us to overlook new or more efficient approaches
to old problems. Even when we utilize our standard tools, such as data
analysis and audit software, we must try to find new approaches to address
new situations. Data analysis and audit software provide us with many
opportunities to be more creative in our approaches to problem solving.
This book describes many facets of TEA. It also presents numerous
case studies that illustrate the power and flexibility of standard and audit-specific software packages. Internal auditors cannot stand by and watch as
the business world embraces new technology. The tools and techniques
used in the past are no longer adequate; we need to check our toolboxes
to ensure that we have the tools needed to meet the challenges of auditing
in today’s business environment.
Acknowledgments
The author would like to acknowledge Eric Desmarais for his research
assistance, which was a great help in revising Appendix A.
CHAPTER 1
CAATTs History
Computers are not new to us. From microwave ovens to DVDs, everywhere around us we see and feel the effect of the microchip. But, too
often, we have either not applied these new technologies to our everyday
work activities, or we have only succeeded in automating the functions
we used to do manually. “Things are working fine the way they are” or
“I’m not an IS auditor” are just two of the many excuses we hear for
not capitalizing on the power of the computer. However, we cannot afford to ignore the productivity gains that can be achieved through the
proper use of information technology. The use of automation in the audit
function—whether it is for the administration of the audit organization or
tools employed during the conduct of comprehensive audits—has become a
requirement, not a luxury. In today’s technologically complex world, where
change is commonplace, auditors can no longer rely on manual techniques,
even if they are tried and true. Auditors must move forward with the technology, as intelligent users of the new tools. The vision of the auditor,
sleeves rolled up, calculator in hand, poring over mountains of paper, is
no longer a realistic picture. Automation has found its way into our homes,
schools, and the workplace—now is the time to welcome it into the audit
organization.
This book discusses microcomputer-based audit software, but the techniques and concepts are equally applicable to mainframe and minicomputer
environments. Examples of software packages are provided, but the focus
is on the discussion of an approach to using automation to assist in performing various audit tasks rather than the identification of specific audit
software packages.
Throughout this book, Computer-Assisted Audit Tools and Techniques
(CAATTs) and audit automation are meant to include the use of any computerized tool or technique that increases the efficiency and effectiveness of
the audit function. These include tools ranging from basic word processing
to expert systems, and techniques as simple as listing the data to matching
files on multiple key fields.
The chapters:
Define audit software tools
Introduce relevant data processing concepts
Discuss the implementation and benefits of information technology in auditing
Describe the issues of data access, support to the audit function, and information technology training
This book was written as a guide to auditors who are interested in
improving the effectiveness of their individual audits or the complete audit
function through the application of computer-based audit tools and techniques. It does not cover technology audits, the audit of computer systems,
or systems under development. However, the ideas and concepts are valid
for IS auditors and non-IS auditors alike. The topics presented are particularly relevant to:
Auditors with a requirement to access and use data from client systems in support of comprehensive or operational audits
Audit managers looking for ways to capitalize on the potential productivity increases available through the adoption and use of CAATTs in the administration of the audit organization and in audit planning and conduct
IS auditors wishing to expand their knowledge of newer tools and approaches, particularly in the microcomputer environment
Persons with responsibility to implement automated tools and techniques within their operations
This book is designed to lead auditors through the steps that will allow
them to embrace audit automation. It is written to help the audit manager
improve the functioning of the audit organization by illustrating ways to
improve the planning and management of audits. It is also written with the
individual auditor in mind by presenting case studies on how automation
can be used in a variety of settings.
It is hoped that this book will encourage auditors to look at audit objectives with a view to utilizing computer-assisted techniques. More than ever,
auditors must increase their capability to make a contribution to the organization. The computer provides tools to help auditors critically examine
information to arrive at meaningful and value-added recommendations.
The New Audit Environment
These are exciting times for internal auditors, especially those who see
themselves as agents of change within their organization. The drive to do
more with less, to do the right thing, or to reengineer the organization and
the way it does business is creating an environment of introspection and
change. Change is occurring at a faster rate than ever, and this change is
being driven by technological advances. Companies wishing to survive in
these times must strive to exploit new technologies in order to achieve a
competitive advantage. Today’s business environment is rapidly and constantly changing, and technology is one of the key factors that are forcing
auditors to reassess their approach to auditing. Other factors are the evolving regulations and audit standards calling for auditors to make better use
of technology. These forces are creating a new audit environment, and audit professionals who understand how to evaluate and use the potential of
emerging technologies can be invaluable to their organizations. New possibilities exist for auditors who can tie software tools into their organizations’
existing systems (Baker [2005]).
The Age of Information Technology
In the last 20 years, we have progressed from Electronic Data Processing
(EDP) to Enterprise-wide Information Management (EIM). We have gone
from a time when hardware drove the programming logic and the software
selection to a time when the knowledge requirements are driving business
activities. As little as 15 years ago, information was almost a mere by-product
of the technology; the selected hardware platform determined the software,
which would likewise be a determining factor of each application. Today,
the technology, the hardware and software, are merely delivery mechanisms,
not the determining factors behind either information technology purchases
or systems development activities. One of the main tenets of EIM is that the
information is a key resource to be managed and used effectively by every
successful organization. Data holdings are driving business processes, not
the reverse, and there has been an increased treatment of information as
a strategic resource of the business. From an audit perspective, this means
that data and information are equally important. First, to analyze the current
state of the business critically; and second, to help determine where the
business is going or should go.
Decentralization of Technology
We are seeing a greater reliance on computers in every aspect of our world.
Data processing is no longer confined to programmers or to the mainframe
systems. We have seen the emergence of enterprise-wide systems in all
business/operational areas in many organizations. In some, the separate
information processing by specialized applications is a thing of the past.
Enterprise-wide systems are changing the notion of traditionally centralized data and applications. Application programmers have been transferred
to business areas to support and encourage use of enterprise technology.
Today, one can find business applications where a purchase order transaction is initiated in England, modified in the United States, and then sent
to a processing plant in Mexico. All of this occurs in minutes—or even
seconds—across time zones and continents. The modules or components
are fully integrated with the business processes and occur without a paper
trail. These types of applications make traditional manual audit approaches
useless and impossible to apply. Auditors must learn how to access and
analyze electronic information sources if they want to make a meaningful
contribution to their organizations’ bottom line.
Absence of the Paper Trail
While a “less paper” rather than a “paperless” office is the best we may be
able to achieve in the near future, we have already seen the disappearance
of paper in many areas as a result of information systems and technology
such as enterprise system, Electronic Data Interchange (EDI), Electronic
Commerce (EC), and Electronic Funds Transfer (EFT). The audit trail is
electronic and is therefore no longer visible and more difficult to trace. The
volume of data and its complexity is increasing at a rapid rate because of
the requirement to quickly focus company resources on emerging problems
or potential opportunities. To some, this lack of transparency is a problem;
to the more enlightened auditor, this is an opportunity.
Do More with Less
There is increasing pressure to do more with less. Over the last 200 years,
most of the productivity gains have occurred within the areas of production,
inventory, and distribution, but little gain has occurred within the administrative functions. The automation of production plants saw reductions in
the number of production workers within a plant, going from 200 people
on the assembly line with five managers to 50 people on the assembly line
and five managers. With productivity increases in the traditional, blue-collar
areas becoming harder to achieve, there is increasing pressure to make improvements in the white-collar areas. Reducing overhead, doing more with
less, and rightsizing all circumscribe efforts to make productivity gains in
the management areas of administration. Given the unfortunately still widely
held view that audit is overhead, internal audit must not only become more
efficient in delivering its products and services but often must also pay its
own way and become more effective in order to succeed.
As might well be expected, the factors driving business organizations
also drive the audit function. In order to better serve the increasingly complex needs of their clients, auditors must provide a better service, while
CAATTs History
5
being increasingly aware of the costs. To this end, auditors are looking for
computer-based tools and techniques.
Definition of CAATTs
Many audit organizations have looked to the microcomputer as the new
audit tool, a tool that can be used not only by IS auditors, but by all auditors. This book highlights the benefits of Computer-Assisted Audit Tools
and Techniques (CAATTs) and outlines a methodology for developing and
using CAATTs in the audit organization. Today’s auditors must become
more highly trained, with new skills and areas of expertise in order to be
more useful and productive. Increasingly, auditors will be required to use
computer-assisted techniques to audit electronic transactions and application controls. Laws like the U.S. Sarbanes-Oxley Act of 2002 are pushing
audit departments to find new ways to link specialty tools into the complex
business systems (Baker [2005]). By harnessing the power of the computer,
auditors can improve their ability to critically review data and information and manage their own activities more rationally. Due to the critical
shortage of these skills and talents, they will become even more valuable
and marketable.
CAATTs are defined as computer-based tools and techniques that permit auditors to increase their personal productivity as well as that of the
audit function. CAATTs can significantly improve audit effectiveness and
efficiency during the planning, conduct, reporting, and follow-up phases
of the audit, as well as improving the overall management of the audit
function. In many cases, the use of the computer can enable auditors to
perform tasks that would be impossible or extremely time-consuming to
perform manually. The computer is the ideal tool for sorting, searching,
matching, and performing various types of tests and mathematical calculations on data. Automated tools can also remove the restrictions of following
rigid manual audit programs as a series of steps that must be performed.
CAATTs allow auditors to probe data and information interactively and to
react immediately to the findings by modifying and enhancing the initial
audit approach.
In today’s age of automated information and decentralized decision-making, auditors have little choice concerning whether or not to make
use of computer-based tools and techniques. It is more a question of
whether the use of CAATTs will be sufficiently effective, and whether implementation will be managed and rationally controlled or remain merely
haphazard. Many organizations have tried to implement CAATTs but have
failed. By understanding the proper use and power of computer-based tools
and techniques, auditors can perform their function more effectively. This
understanding begins with knowledge of CAATTs, including their beginnings, current and potential uses, and limitations and pitfalls.
Evolution of CAATTs
Today’s microcomputer-based audit tools and techniques have their roots
in mainframe Computer Assisted Audit Tools (CAATs), which in turn are
surprisingly rooted in manual audit tools and techniques. These mainframe-based tools were primarily used to verify whether or not the controls for an
application or computer system were working as intended. In the 1970s, a
second type of CAAT evolved, which sought to improve the functionality
and efficiency of the individual auditor. These CAATs provided auditors
with the capability to extract and analyze data in order to conduct audits
of organizational entities rather than simply review the controls of an application. A third type of CAAT, and a more recent use of automated audit
tools, focuses on the audit function and consists of tools and techniques
aimed at improving the effectiveness of the audit organization as a whole.
But, for a moment, let’s step back in time to the late 1970s, as illustrated in
Exhibit 1.1.
Books written on computer controls and audit in the 1970s did not include sections on end user computing or, at best, mentioned audit software
only in passing. In fact, for the most part, auditors avoided dealing with the
computer and treated it as the black box. Audit methodologies discussed
the input and output controls, but largely ignored the processing controls
of the system. The methodology employed was one of auditing around the
computer. The main audit tools included questionnaires, control flowcharts,
and application control matrices. Audit software was specifically written in
general-purpose programming languages, was used primarily to verify controls, and parallel simulation was only beginning to gain ground. Audit software packages were considered as specialized programming languages to
meet the needs of the auditor and required a great deal of programming expertise. The packages were mainframe-family dependent and consequently
were limited in data access flexibility and completely batch-oriented.
By the 1980s, some of the more commonly used tools to verify an
application system were test decks, Integrated Test Facilities (ITF), System
Control Audit Review File (SCARF), and Sample Audit Review File (SARF)
(Mair, Wood, and Davis [1978]). Other techniques included parallel simulations, reasonableness tests and exception reports, and systematic transaction
samples. Some organizations were still achieving very effective results with
these types of audit tools in the 1990s. In fact, according to a 1991 Institute of
Internal Auditors’ Systems Auditability and Control (SAC) study, 22 percent
of the respondents were still using test decks, 11 percent were still using
ITF, and 11 percent were still using embedded audit modules (Institute of
Internal Auditor’s Research Foundation [1991]).

EXHIBIT 1.1 Audit Tools and Techniques (Computer System Audit)

1970s | 1980s | 1990s | 2000s
Programming Language Applications | 3rd-Generation Programming Language Applications | 4th-Generation Programming Language Applications | Web-enabled Software (XBRL)
1st-Generation Audit Software (Batch) | 2nd-Generation Audit Software (Interactive and batch) | 3rd-Generation Audit Software (PC-based interactive and batch) | Continuous Auditing
Simple Parallel Simulations | Extensive Parallel Simulations | Comprehensive Data Analysis and Testing | Digital Analysis
Test Decks/Integrated Test Facilities (ITF); Input/Output Testing | Test Decks/ITF; SCARF/SARF (definition in text) | Audit Software | Audit Assurance Software
Internal Control Review (ICR) | Automated ICR Questionnaires | Integrated ICR Questionnaires | Control Self-Assessment Questionnaires
Control Flowcharts | Program Flowcharting | Process Flows | Emphasis on Data Auditing; Visualization Software
1st Computer-based Monetary Unit Sampling | More Developed Dollar-Unit Sampling | Diverse Sampling Options including Stratified | Less Emphasis on Sampling
Control Matrices | Improved Control Matrices | Expert Systems | Neural Networks and Artificial Intelligence
Audit Software Developments
The first audit software package, the Auditape System, which implemented
Stringer’s audit sampling plan (Tucker [1994]), already provided limited
capabilities for parallel simulation. The system facilitated limited recomputation of data processing results based on only a few data fields. In response
to the Auditape System, many accounting, auditing, and software firms developed audit software packages that supported parallel simulation within
computer families and against limited file and data types.
This proliferation of audit software and the overwhelming variety of
data and file types to be audited led to the design of a generalized Audit
Command Language (ACL), the implementation of several prototypes, and
repeated calls for joint implementation efforts by all concerned.
In the late 1980s and early 1990s, the advent and proliferation of end
user computing and the birth of the microcomputer became a major driving
force in the computing world. These factors created the conditions within
which audit software research results could be transferred into audit practice
(Will [1980]). It became easy and economical to use the microcomputer to
assess the controls over input data, over the processing of the actual data,
and over the validity of the information generated as output. In fact, practically all electronic data has now become accessible to auditors anywhere
and at any time.
Historical CAATTs
It is useful to review the various CAATTs briefly, in order to develop a
common body of knowledge from which to judge the currently available
audit technology and to assess its impact on audit practice.
Test Decks
Test decks are sets of input data created by the auditor to cover and test
all types of possible transactions and scenarios. The name test deck comes
from a time when transactions and even commands were entered into the
computer via a stack (deck) of punched cards. The test data are input
in the computer system and verified through the actual processing of the
test transactions. These decks are used to test for incorrect processing of
transactions by the application. The technique can be used to verify that
edit checks and application controls are working. The main condition for
the proper use of test decks is that the auditor must have an excellent
knowledge of the system in order to generate a test deck that presents
every possible combination of invalid transactions that may be encountered
by the system. Of course, the auditor also has to be able to determine what
the valid inputs and outputs are—or should be—in order to compare these
with the actual processing results based on the test deck.
Obviously, errors and omissions can occur with test decks. The first
type of error is the failure to include certain types of transactions that would
have been incorrectly processed. These errors will not be identified because
the transactions that should cause errors are not part of the test deck.
The second type of error is the failure to notice that data were incorrectly
processed (i.e., transactions were entered and resulted in invalid processing,
but the auditor failed to notice the errors that occurred).
Integrated Test Facility (ITF)
The Integrated Test Facility (ITF) is an improvement on the test deck. The
ITF involves the entry of selected test items into a system, as if they are live
data. The transactions are traced through various functions in the system
and compared with predetermined results. Usually the ITF involves the
creation of dummy accounts or organizational entities and departments,
against which transactions are applied. For example, a fictitious division
might be established with personnel and pay data entered for fictitious
employees of that division. The results produced by the application are
compared with the expected results, as determined by the auditor.
One of the main sources of problems with ITF lies in the requirement
to remove the effects of the dummy transactions. If the test data or dummy
accounts are not removed from the system, they may be inappropriately
included in the live data and affect the processing results.
System Control Audit Review File (SCARF)
The System Control Audit Review File (SCARF) approach requires the auditor to develop detective tests. Auditor-determined reasonableness tests are
coded in the normal processing programs and all transactions entered into
the system are checked for reasonableness. If a transaction falls outside of
the expected range, it will be flagged and an exception report produced.
The results of these tests are then retained in a file for review by the auditors.
SCARF, or a variation thereof, has seen a resurgence in use as companies
search for responses to the requirements of legislation, such as Sarbanes-Oxley.
Sample Audit Review File (SARF)
The Sample Audit Review File (SARF) is similar to the SCARF, except that
it uses randomly selected transactions rather than flagging transactions that
failed the reasonableness tests. The random selection of transactions is retained as a representative sample of transactions for audit review. The main
drawbacks to the implementation of ITF, SCARF, and SARF are the requirement to involve the system development team and to identify the audit’s
requirements during the user specification phase of the system development. In many cases, the priority afforded audit’s requirements—when most
development projects are running late and over budget—can easily be reduced or overlooked entirely. Often the audit modules are developed as
add-ons after the system has been completed. Further, as modifications are
made to the application, these audit modules and the test data may not be
kept up-to-date. Before long, the embedded audit modules will not work
properly. Often, as a result of the lack of management support required
to maintain these tools, the use of these techniques decreases and auditors
look to other approaches.
Sampling
Sampling as an audit technique has been around for many years. The American Institute of Accountants (the predecessor of the American Institute of
Certified Public Accountants, AICPA) made an official statement on statistical sampling in 1962 (Ratliff, Wallace, Loebbecke and McFarland [1988]).
Sampling techniques are used to generate statistically valid samples that
can be reviewed by the auditors. Sampling was born out of the reality that
auditors could not examine every single transaction using the methods at
the time.
Statistical sampling has traditionally been an effective technique for testing the controls and other characteristics of computer systems. And with the
advent of computer-generated samples, it became an even more effective
approach. Audit software supported random, interval, and stratified sampling. In addition, new sampling methods, such as Dollar Unit Sampling,
were developed to improve the utility of the results and reduce the sample
sizes. Stratified sampling techniques and Dollar Unit Sampling became an
accepted part of auditing in the 1990s, saving audit organizations many days
of work while remaining an effective audit tool.
More recently, there has been a move away from sampling because
of failures to identify significant misstatements and other irregularities. Today’s audit technology allows auditors to review 100 percent of transactions,
using embedded audit modules or advanced analysis techniques (see the sections on continuous auditing and digital analysis techniques in Chapter 2).
It should be noted, however, that while a number of audit organizations
are performing continuous auditing of all the transactions, sampling techniques still offer a significant level of reliability when correctly applied and
interpreted.
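The sampling methods named in this section (random, interval, stratified and Dollar Unit Sampling) are easy to misapply, so here is an added example, not code from the book or from any audit software package, that implements each of them over a small constructed population of invoice amounts. The record fields, sample sizes and amount bands are assumptions for the example; on a real engagement the sample size is derived from risk and materiality.

```python
"""Audit sampling methods: random, interval, stratified and dollar-unit sampling.

Added example (not the book's code). POPULATION, the amount bands and the
sample sizes are constructed for illustration.
"""
import random
from collections import defaultdict


def random_sample(records, n, seed=1):
    """Simple random selection of n records without replacement."""
    return random.Random(seed).sample(records, n)


def interval_sample(records, n, seed=1):
    """Systematic (interval) selection: every k-th record from a random start."""
    if not 0 < n <= len(records):
        raise ValueError("sample size must be between 1 and the population size")
    k = len(records) // n
    start = random.Random(seed).randrange(k)
    return records[start::k][:n]


def stratified_sample(records, key, per_stratum, seed=1):
    """Random selection within each stratum (here an amount band), so that small
    strata are still represented instead of being swamped by the large one."""
    rng = random.Random(seed)
    strata = defaultdict(list)
    for r in records:
        strata[key(r)].append(r)
    return {s: rng.sample(items, min(per_stratum, len(items)))
            for s, items in strata.items()}


def dollar_unit_sample(records, n, amount="amount", seed=1):
    """Dollar-unit (monetary-unit) sampling: every dollar is a sampling unit, so the
    chance of an item being selected is proportional to its amount, and any item at
    least as large as the sampling interval is certain to be selected.
    An item hit by several sampling points is reported once, so the number of
    items returned can be smaller than n."""
    if any(r[amount] < 0 for r in records):
        raise ValueError("negative amounts must be sampled separately")
    total = sum(r[amount] for r in records)
    interval = total / n
    next_hit = random.Random(seed).uniform(0, interval)  # random start in the first interval
    selected, cumulative = [], 0.0
    for r in records:
        cumulative += r[amount]
        hit = False
        while next_hit < cumulative:  # one or more sampling points fall inside this item
            hit = True
            next_hit += interval
        if hit:
            selected.append(r)
    return selected


# Constructed population: seven invoices, two of them large
POPULATION = [
    {"id": i, "amount": a}
    for i, a in enumerate([100, 5000, 50, 200, 3000, 150, 500], start=1)
]


def amount_band(r):
    """Stratification key: large items versus everything else (assumed cut-off)."""
    return "large" if r["amount"] >= 1000 else "small"


if __name__ == "__main__":
    print("interval:", [r["id"] for r in interval_sample(POPULATION, 3)])
    print("stratified:", {k: [r["id"] for r in v]
                          for k, v in stratified_sample(POPULATION, amount_band, 2).items()})
    print("dollar-unit:", [r["amount"] for r in dollar_unit_sample(POPULATION, 3)])
```

With the constructed population (total 9,000), asking dollar-unit sampling for three items gives a sampling interval of 3,000; both of the large invoices are picked up and the five small ones are passed over, which is exactly the property that makes the method attractive for overstatement testing and the reason sampling risk is concentrated in the small items.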
Parallel Simulation
Parallel simulation is a technique that involves duplicating a portion or
module of the automated system either with a program written in a
general-purpose programming language or with audit software. Ideally, parallel simulation makes use of the same input data as the application system
and produces results that are then electronically compared with the output
produced by the actual system.
Initially, the problem with parallel simulation was the requirement to
write mainframe programs to duplicate portions of the application’s code.
This usually involved programmers and required a lot of time, and as a
result, was often not a viable option for a one-time audit.
Today, modern audit software and powerful microcomputer packages
are much easier to use than mainframe programming languages and are
equally powerful. Now, auditors can perform parallel simulation tests on
the microcomputer, using data downloaded from the mainframe system, in
a fraction of the time and without the involvement of the mainframe application programmers. The user-friendliness of modern audit software—its
flexibility, power, speed, and ability to handle legacy data—allows auditors
to design, implement, and execute their own comprehensive tests independently and in an unrestricted fashion.
In the 1990s, object-oriented programming languages allowed for rapid
program development and the reusability of code for other audits. This
sped up the development of the required programs for parallel simulation
and allowed the code to be reused in other similar audits. However, the
techniques of object-oriented programming may be beyond the capabilities
of most auditors and will therefore require the involvement of computer
specialists.
Reasonableness Tests and Exception Reporting
Current audit software allows auditors to perform reasonableness checks
and exception reporting without the use of test decks, ITF, SCARF, or SARF.
The entire transaction file can be directly accessed from, or downloaded to,
the auditor’s microcomputer and all transactions reviewed for edit checks,
reasonableness, invalid data, and more. Rather than using test decks to see
if specific edit checks are working properly, the auditor can review every
transaction to identify all instances of erroneous, invalid, or unreasonable
transactions. However, auditors recognize that the absence of invalid transactions does not mean that the system has edit checks to prevent the user
from entering incorrect data—only that none was found. As a result, the
audit emphasis has shifted and continues to shift. Not only the traditional
meaning of CAATTs, but also the traditional audit paradigm, has been called
into question (Will [1995]). Let us first consider the traditional approaches
to computer-based auditing.
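The SCARF and SARF techniques described earlier and the exception-reporting approach described in this section use the same auditor-defined reasonableness tests; the difference is where they run. The following added example (not code from the book or from any audit package) shows both: an audit hook embedded in a stand-in for the processing program, which writes failed transactions to a SCARF file and a random selection to a SARF file, and the same tests run afterwards over a whole downloaded transaction file as an exception report. The field names, thresholds and sample transactions are constructed for the example.

```python
"""Embedded audit module in the SCARF/SARF style, plus the same reasonableness
tests run as an exception report over a whole transaction file.

Added example (not the book's code). Field names, thresholds and SAMPLE_TXNS
are constructed for illustration.
"""
import random
from dataclasses import dataclass, field


@dataclass
class AuditFiles:
    scarf: list = field(default_factory=list)  # SCARF: transactions that failed a test
    sarf: list = field(default_factory=list)   # SARF: randomly selected transactions


# Auditor-determined reasonableness tests; each returns True when the transaction is suspect.
REASONABLENESS_TESTS = [
    ("amount_out_of_range", lambda t: not 0 < t["amount"] <= 10_000),
    ("quantity_out_of_range", lambda t: not 1 <= t["qty"] <= 500),
    ("amount_not_qty_times_price",
     lambda t: abs(t["amount"] - t["qty"] * t["unit_price"]) > 0.01),
]


def failed_tests(txn):
    """Names of the reasonableness tests this transaction fails (empty when reasonable)."""
    return [name for name, test in REASONABLENESS_TESTS if test(txn)]


def audit_hook(txn, files, rng, sample_rate):
    """Called by the processing program for every transaction: the embedded audit module.
    Exceptions go to the SCARF file; a random fraction of all transactions goes to SARF."""
    failed = failed_tests(txn)
    if failed:
        files.scarf.append({"txn": txn, "failed": failed})
    if rng.random() < sample_rate:
        files.sarf.append(txn)
    return failed


def process_batch(txns, sample_rate=0.05, seed=1):
    """Stand-in for the normal processing program with the audit module embedded."""
    rng, files = random.Random(seed), AuditFiles()
    for txn in txns:
        audit_hook(txn, files, rng, sample_rate)
        # ...normal posting of the transaction would follow here...
    return files


def exception_report(txns):
    """The alternative this section describes: run the same tests over the whole
    downloaded file after the fact and list every exception."""
    return [f"{t['id']}: {', '.join(failed)}"
            for t in txns if (failed := failed_tests(t))]


# Constructed sample transactions
SAMPLE_TXNS = [
    {"id": "T1", "qty": 10, "unit_price": 25.0, "amount": 250.0},
    {"id": "T2", "qty": 600, "unit_price": 2.0, "amount": 1200.0},       # quantity too high
    {"id": "T3", "qty": 3, "unit_price": 100.0, "amount": 350.0},        # amount != qty x price
    {"id": "T4", "qty": 1, "unit_price": 15000.0, "amount": 15000.0},    # amount too high
    {"id": "T5", "qty": 4, "unit_price": 12.5, "amount": 50.0},
]

if __name__ == "__main__":
    files = process_batch(SAMPLE_TXNS)
    print("SCARF:", [e["txn"]["id"] for e in files.scarf])
    print("SARF size:", len(files.sarf))
    print("\n".join(exception_report(SAMPLE_TXNS)))
```

The embedded form catches exceptions as they are processed but, as the text notes, breaks as soon as the application changes without the hook being maintained; the after-the-fact report needs no change to the application, which is why the shift in emphasis happened, but it only reports what was found and proves nothing about the edit checks themselves.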
Traditional Approaches to Computer-Based Auditing
Computer-based auditing has traditionally been considered from two perspectives: a systems-based approach and a data-based approach.
Systems-Based Approach
A systems-based approach can be used to test the application’s controls to
determine if the system is performing as intended. In other words, the audit
object is the whole information system in general and the various programs
used to process the data in particular. Some approaches to internal control
reviews are primarily based on a review of the application system in terms
of input-output relationships and program reviews.
Test decks, ITF, SCARF, and so on are all forms of system-based audit
techniques. But the design of audit software has eliminated the need for
these approaches by including commands to assess the values of a field
with the defined field type, or to summarize all transactions based on the
value of the specified field.
Case Study 1 is an example of how a system-based approach can be
used to test the controls of an application system. In this case study, the
auditor was examining the controls over the supplier table as part of a larger
audit of the financial controls.
Case Study 1: Financial Controls over the Supplier List
As part of the evaluation of the effectiveness of the financial controls,
the auditors reviewed the supplier list. The financial system requires
that all suppliers, from which the company bought goods or services,
be on the supplier list. During a manual review of the financial controls,
the auditors determined that many people could add a supplier’s name
to the list. The auditors decided to analyze the list, and a download of
all suppliers was obtained. The file contained detailed information for
82,000 suppliers including name, supplier code, and address. The first
test involved sorting the file and checking for duplicates. This revealed
that, because of variations in the spelling, a supplier could have many
different supplier codes. For example, the system treated XYZ Corporation, XYZ Corp, and XYZ Corp. as different suppliers, each with their
own supplier code.
A second test was performed to identify cases where the same
supplier had different addresses or different suppliers had the same
address. Finally, because of the risk over the ability of all staff to add
suppliers to the list, the auditors performed two additional tests: one
to match the supplier addresses with employee addresses and one to
match supplier name and employee name.
The results of the match on names are shown in the table below.
Match Employee File with Vendor File

Vendor Name                    Employee Name   Payment
T. SCARBARELLI CONSULTING      SCARBARELLI    6,976.67
CODERRE DAVE                   CODERRE        3,765.32
CODERRE D                      CODERRE        3,342.36
D CODERRE                      CODERRE        3,168.97
CONSULTING - CODERRE           CODERRE        3,358.34
TILBURN BENEFIT FUND           TILBURN          985.50
CODERRE DAVE                   CODERRE        3,217.17
CODERRE DAVE                   CODERRE        2,930.19
LAEYER, CHRISTIAN              LAEYER           634.05
THE MATERIAL MANAGEMENT LTD    RIAL             700.00
SWIFT MESSENGER SVC            SWIFT             24.00
SWIFT MESSENGER SVC            SWIFT             11.04
PERRY JOHNSON, INC.            JOHNSON        2,003.30
C JAMES GIFT FUND              JAMES            748.35
BEALL INSTITUTE                BEALL            280.00
PERRY JOHNSON, INC.            JOHNSON        2,003.30
The automated analysis easily confirmed the control weaknesses
with the supplier list and showed how these weaknesses presented
opportunities for fraud. As a result of the audit, the controls over the
supplier list were tightened and reports were produced to identify suppliers added to or deleted from the list, or when supplier addresses were
changed.
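The four tests in Case Study 1 (duplicate suppliers under variant spellings, address inconsistencies, and supplier-to-employee matches on name and on address) are a standard supplier-master analytic. The following added example, not the book's code and not the audit software the case study used, implements them in Python over a small constructed supplier and employee file. The corporate suffix list that is stripped before names are compared is an assumption; the records are constructed and the employee names are not those in the table above.

```python
"""Supplier-list tests along the lines of Case Study 1.

Added example (not the book's code). SUFFIXES, SUPPLIERS and EMPLOYEES are
constructed for illustration.
"""
import re
from collections import defaultdict

# Corporate suffixes ignored when comparing names ("XYZ Corporation" vs "XYZ Corp.")
SUFFIXES = {"CORP", "CORPORATION", "INC", "INCORPORATED", "LTD", "LIMITED",
            "CO", "COMPANY", "THE"}


def normalize_name(name):
    """Upper-case, drop punctuation and corporate suffixes, collapse whitespace."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)


def normalize_address(address):
    """Upper-case, drop punctuation, collapse whitespace ('Rd.' and 'Rd' compare equal)."""
    return " ".join(re.sub(r"[^A-Z0-9 ]", " ", address.upper()).split())


def duplicate_suppliers(suppliers):
    """Test 1: the same supplier carried under several codes because of spelling variations."""
    codes = defaultdict(list)
    for s in suppliers:
        codes[normalize_name(s["name"])].append(s["code"])
    return {name: c for name, c in codes.items() if len(c) > 1}


def address_anomalies(suppliers):
    """Test 2: (a) one supplier with several addresses, (b) several suppliers at one address."""
    addrs_by_name, codes_by_addr = defaultdict(set), defaultdict(set)
    for s in suppliers:
        addrs_by_name[normalize_name(s["name"])].add(normalize_address(s["address"]))
        codes_by_addr[normalize_address(s["address"])].add(s["code"])
    return (
        {n: sorted(a) for n, a in addrs_by_name.items() if len(a) > 1},
        {a: sorted(c) for a, c in codes_by_addr.items() if len(c) > 1},
    )


def supplier_employee_matches(suppliers, employees):
    """Tests 3 and 4: an employee surname appearing in a supplier name, or a supplier
    address equal to an employee address. Returns (supplier code, employee id, reasons)."""
    matches = []
    for s in suppliers:
        name_tokens = set(normalize_name(s["name"]).split())
        s_addr = normalize_address(s["address"])
        for e in employees:
            reasons = []
            if e["surname"].upper() in name_tokens:
                reasons.append("name")
            if normalize_address(e["address"]) == s_addr:
                reasons.append("address")
            if reasons:
                matches.append((s["code"], e["id"], reasons))
    return matches


SUPPLIERS = [  # constructed
    {"code": "S001", "name": "XYZ Corporation", "address": "12 Main St, Springfield"},
    {"code": "S002", "name": "XYZ Corp", "address": "12 Main St., Springfield"},
    {"code": "S003", "name": "XYZ Corp.", "address": "48 River Rd, Springfield"},
    {"code": "S004", "name": "Hartley Consulting", "address": "77 Elm Rd, Springfield"},
    {"code": "S005", "name": "Acme Office Supply Ltd", "address": "77 Elm Rd., Springfield"},
]
EMPLOYEES = [  # constructed
    {"id": "E100", "surname": "Hartley", "address": "77 Elm Rd., Springfield"},
    {"id": "E101", "surname": "Nguyen", "address": "9 Oak Ave, Springfield"},
]

if __name__ == "__main__":
    print("duplicates:", duplicate_suppliers(SUPPLIERS))
    print("addresses:", address_anomalies(SUPPLIERS))
    print("employee matches:", supplier_employee_matches(SUPPLIERS, EMPLOYEES))
```

A surname match on its own is weak evidence (common surnames produce many false positives, as the RIAL and JOHNSON rows in the table above suggest), so the matches are returned with their reasons and a match on both name and address is the one worth following up first.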
Obviously, as illustrated in Case Study 1, the ultimate solution to the
systems-based approach would be program verification, preferably automated; however, program verification is next to impossible and impractical. Only extensive testing of the systems is feasible and methodologically
sound, and one can never be absolutely sure about the performance of
computer systems.
Today, system-based approaches are not just used to test system edit
checks. The approaches are often used in the planning phase of the audit
to obtain an overview of the audit entity during the analytical review rather
than to test the application’s controls. As such, they provide auditors with
an historical perspective of the entity, for example, summary information
concerning the business and activities of the entity and discernible trends
over several years.
Case Study 2: Review of Employees and Salary Costs
The following table, Employees and Salary Costs by Department, is an
example of a system-based CAATT, providing an historical view of the
number of employees and associated salary costs for a branch office
over three years.
Employees and Salary Costs by Department

Department   # Emp CYR-2   Salary CYR-2   # Emp CYR-1   Salary CYR-1   # Emp CYR   Salary CYR
Production       976          $39M           952           $40M          963         $41M
Personnel        210          $15M           252           $16M          216         $10M
Finance          132           $7M           132            $8M          125          $8M
Marketing         10           $1M            15            $2M           20          $3M
Total:         1,328          $62M         1,351           $66M        1,324         $62M
This type of high-level summary, across several years, gives the
auditor an understanding of the employment trends of the business.
The comparative picture of the audit entity, over years, helps to identify
trends that would not be visible by examining the detailed transactions
or by considering only one year of data. For instance, it is relatively
easy to see that the average salary cost per person in the personnel
department has decreased over the past three years, while the average
salary cost per employee in the marketing department has increased
significantly. A report of this type would also highlight any anomalies,
such as an invalid department, or unreasonable conditions, such as
unexplained, overly large increases from one year to the next for a given
department.
While the presentation of the data contained in Case Study 2 may be
considerably refined and even displayed in graphical form with modern
microcomputer software, auditors must still be able to delve deeper into the
data and information to identify causes and effects. The analysis shows you
where to look, but it does not identify the reasons why.
Data-Based Approach
The second view of computer-assisted auditing focuses on the data and is
commonly called transaction- or data-based auditing. This approach is primarily used during the conduct phase, providing the auditor with increasingly detailed information about the audit entity. Often this technique
is used to verify the accuracy, completeness, integrity, reasonableness, and
timeliness of the data. It is also often used to address Sarbanes-Oxley compliance requirements. However, thanks to the increased power and functionality of audit software, transaction-based techniques are being employed
in the planning phase as well. During the planning phase, transaction-based
CAATTs can be used to assess risk and materiality issues, to identify specific lines of inquiry, or to develop the audit organization’s annual plan.
This helps ensure that audit resources are applied effectively in areas where
audit will have a positive impact.
Case Study 3: Telephone Charges
As a result of the increased use of fax machines, personal computers
with modems, and Internet accounts, telecommunication charges were
increasing steadily. When the telecommunications budget more than
doubled in three years, the vice president of Informatics asked the
internal audit department to identify inefficiencies and areas for cost
savings.
During the planning phase of the audit, an Internet search of audit
programs found two telecommunications audit programs. The first audit
program was more technical than the audit director desired, but the
second proved to be very useful. Many of its lines of inquiry and audit
steps were extracted and copied into the audit program.
The first part of the audit focused on possible abuses of long-distance privileges. Since headquarters was responsible for a significant
portion of the billing increases, the audit team obtained detailed information for all calls made from headquarters. The data received from the
telephone company included the originating telephone number, telephone number called, date and time of call, length of call in minutes,
and cost. The auditors ran several reports, the first of which identified
all long-distance calls longer than three hours. The auditors were quite
surprised to discover a number of calls which were exactly 999 minutes
(over 16 hours) in length.
Analysis of Telecommunications Bill
March Billing—Calls 999 Minutes in Length

Phone No.   Date    Start   End     Time
555-1234    18/03   08:32   01:11   999
555-1256    18/03   09:17   01:56   999
555-1385    19/03   12:08   04:47   999
555-2341    17/03   14:51   07:30   999
555-2348    26/03   16:04   08:43   999
······
555-9745    06/03   12:42   05:21   999
555-9897    01/03   01:17   17:56   999

Note: Time (in minutes) can be calculated from the start and end dates and
times (hours and minutes) as follows:
(((24 * (END DATE − START DATE) + END HR) * 60 + END MIN) − (START HR * 60 + START MIN))
By performing a detailed review of the activity on these telephone
lines, the auditors found that other telephone calls had been made
from the same telephone line during the same time period as the 999-minute call. None of the telephones in headquarters had a feature that
would allow the caller to make two calls at the same time. The auditor
checked with the telephone company and determined that a faulty communication switch had remained open after these persons had hung up
the telephone, effectively failing to register the completion of the call,
resulting in an erroneous long-distance charge. The telephone company’s system had a maximum call length of 999 minutes; otherwise,
the call lengths would have been even higher. All charges related to the
999-minute calls were reversed by the telephone company.
In some of the cases where the calls were longer than 180 minutes,
the auditors determined that large data transfers were being performed
between two sites. The auditors summarized the detailed billing information where data transfers were being conducted and identified
instances where the usage was high enough to justify leasing a dedicated line, reducing the overall cost of the file transfers and improving
the reliability and speed of the transmission.
The next test identified all long-distance calls made after regular
working hours or during holiday periods. The auditor recommended
controls over the ability to dial outside of the local area code after
6:00 P.M. and on weekends and holidays. Another test identified calls
to long-distance exchanges for pay-per-minute numbers (1-900, 1-976,
etc.). Despite no serious evidence of abuse, the auditors recommended
a simple change to the company’s telecommunication software switch,
which blocked all access to the pay-per-minute exchanges.
The audit also reviewed the accuracy of the telephone bill and
the efficiency and effectiveness of the use of leased lines. The audit
team used the current month’s bills for leased long-distance lines (dedicated lines) from all branch offices for review. Using the computer,
they automatically generated confirmation letters, which were sent to
the appropriate branch offices. The letter asked the branch managers to
verify the accuracy of the charges and, in particular, to ensure that the
line was still connected. The managers were also asked to review the
justification for the use of a dedicated line. In close to 10 percent of
the cases, the lines were no longer required, but the service had never
been canceled. In a further 5 percent of the cases, the lines were not
even physically connected to a telephone. For example, because of
office space redesigns, some telephone lines terminated in closets or
were enclosed within the new walls. In other cases, dedicated lines purchased to support data transfer requirements were no longer connected
to computer terminals or branch offices had closed, but the service had
not been discontinued.
The use of the computer to generate confirmation letters, to analyze thousands of lines of detailed calling information, and to highlight
anomalies or potential abuses greatly improved the effectiveness of the
audit. The overall result was a 17 percent reduction in the telecommunications bill.
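The call-detail tests in Case Study 3 (the duration formula from the note above, the 999-minute cap, calls overlapping on a single line, long calls that suggest data transfers, after-hours and weekend calls, and pay-per-minute exchanges) can be run over a billing download in a few dozen lines. The following is an added example, not the book's code and not the software the audit team used; the call records are constructed, the billing year is an assumption because the case study gives only day and month, and the holiday list and the 6:00 P.M. cut-off are taken as fixed parameters for the example.

```python
"""Telephone-bill analysis along the lines of Case Study 3.

Added example (not the book's code). CALLS, BILLING_YEAR and HOLIDAYS are
constructed; the cap, the 180-minute threshold and the 1-900/1-976 exchanges
are the figures given in the case study.
"""
from collections import defaultdict
from datetime import datetime, time

BILLING_YEAR = 2008            # assumption: the case study gives only day/month
MAX_BILLED_MINUTES = 999       # telephone company's maximum call length
LONG_CALL_MINUTES = 180        # calls above this were data transfers in the case study
AFTER_HOURS_START = time(18, 0)
PREMIUM_PREFIXES = ("1-900", "1-976")
HOLIDAYS = {"21/03"}           # constructed holiday list, dd/mm


def parse_stamp(stamp):
    """'dd/mm HH:MM' as printed on the bill -> datetime in the assumed billing year."""
    return datetime.strptime(f"{stamp} {BILLING_YEAR}", "%d/%m %H:%M %Y")


def duration_minutes(start, end):
    """The formula from the table note:
    (((24*(END DATE-START DATE) + END HR)*60 + END MIN) - (START HR*60 + START MIN))."""
    days = (end.date() - start.date()).days
    return ((24 * days + end.hour) * 60 + end.minute) - (start.hour * 60 + start.minute)


def call_flags(call):
    """Flags for one call; returns (duration in minutes, set of flags)."""
    start, end = parse_stamp(call["start"]), parse_stamp(call["end"])
    minutes = duration_minutes(start, end)
    flags = set()
    if minutes == MAX_BILLED_MINUTES:
        flags.add("capped_999")        # a switch left open rather than a real call
    if minutes > LONG_CALL_MINUTES:
        flags.add("long_call")         # candidate for a dedicated line if recurring
    if (start.time() >= AFTER_HOURS_START or start.weekday() >= 5
            or call["start"][:5] in HOLIDAYS):
        flags.add("after_hours")
    if call["number"].startswith(PREMIUM_PREFIXES):
        flags.add("premium_exchange")
    return minutes, flags


def analyze(calls):
    """{call id: sorted flags}; also marks calls that overlap another call on the
    same line, which a single-call line cannot physically have carried."""
    results, by_line = {}, defaultdict(list)
    for c in calls:
        _, flags = call_flags(c)
        results[c["id"]] = flags
        by_line[c["line"]].append((parse_stamp(c["start"]), parse_stamp(c["end"]), c["id"]))
    for intervals in by_line.values():
        intervals.sort()
        for i, (s1, e1, id1) in enumerate(intervals):
            for s2, e2, id2 in intervals[i + 1:]:
                if s2 < e1:  # second call began before the first one ended
                    results[id1].add("overlap")
                    results[id2].add("overlap")
    return {cid: sorted(f) for cid, f in results.items()}


CALLS = [  # constructed billing records
    {"id": "C1", "line": "555-1234", "number": "1-613-555-0100",
     "start": "18/03 08:32", "end": "19/03 01:11", "cost": 149.85},
    {"id": "C2", "line": "555-1234", "number": "1-613-555-0199",
     "start": "18/03 10:05", "end": "18/03 10:20", "cost": 2.25},
    {"id": "C3", "line": "555-2341", "number": "1-416-555-0150",
     "start": "17/03 22:10", "end": "17/03 22:25", "cost": 2.25},
    {"id": "C4", "line": "555-9745", "number": "1-900-555-0123",
     "start": "06/03 12:42", "end": "06/03 12:50", "cost": 31.92},
    {"id": "C5", "line": "555-4400", "number": "1-604-555-0177",
     "start": "20/03 19:00", "end": "20/03 23:05", "cost": 36.75},
    {"id": "C6", "line": "555-1256", "number": "1-613-555-0188",
     "start": "15/03 09:17", "end": "15/03 09:40", "cost": 3.45},
]

if __name__ == "__main__":
    for cid, flags in analyze(CALLS).items():
        print(cid, flags)
```

The overlap test is the one that turned the 999-minute calls from a curiosity into a finding: a capped duration alone could be a genuine marathon call, but a second call on the same single-circuit line while the first was supposedly still open is evidence the first had in fact ended.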
Other examples of transaction-based CAATTs include refined data analyses, statistical and judgmental sampling, searching for particular attributes,
testing the validity and reasonableness of transactions, and determining the
impact and significance of a finding.
The real power of the data-based approach lies in the auditors’ ability
to examine the data easily, flexibly, independently, and interactively. The
auditor can formulate hypotheses based on conjectures and imagination
and test them immediately. “What-if” scenarios can be developed, with the
results often examined in real time. The ability to review data comprehensively and down to every minute detail enhances the creativity of auditors
and allows them to adjust their critical inquiries immediately as they gain
new relevant insights into the data.
Case Study 4: Audit Planning
As part of the planning phase in the example of Case Study 2: Review
of Employees and Salary Costs, the auditor decided to look closer at the
salary costs for the marketing department. The following table, Salary
Details—Marketing Department, provides detailed salary information,
by employee, for the past two years.
Salary Details—Marketing Department (in 000s)

          Base Salary      Bonus            Total
Name      CYR-1   CYR      CYR-1   CYR      CYR-1   CYR
Brown        50    50         20    30         70    80
Smith        50    50         15    80         65   130
Jones        50    50         12    52         62   102
Rogers       50    50         26    26         76    76
······
Black
Stevens            50               48               98
Total:      200   250         73   236        273   486
The analysis shows that the base salary remained fairly constant over
the last two years, at $50,000; however, the amount paid in bonuses has
more than tripled, from $73,000 to $236,000. The information led the
auditor to expand the original scope of the audit to include a review of
sales data for the last two years. The review showed that, while the sales
volume had increased, the increase was not sufficient to justify the large
increase in the bonuses. Following up, the auditor learned that a new
compensation system was introduced early in the current year, and the
bonus schedule was revised. A review of the individual bonus payments
discovered an error in the program used to calculate the bonuses.
This specific line of inquiry had not been included in the original
audit scope, but with a minimal investment of time, the issue was raised
early in the planning phase and was added to the scope of the audit.
The addition of this line of inquiry resulted in a significant audit result.
Case Study 4 is an example of how the application of CAATTs can
improve audit planning by allowing the auditor to capitalize on risks identified early in the planning phase and adjust the original audit plan. In the
example, the audit had not called for a review of the bonus payments, but
the auditor was not constrained by a rigid audit plan. Critical thinking and
audit judgment were demanded and supported by the power of the software. It has therefore been suggested that the traditional meaning of
CAATs be changed from Computer-Assisted Audit Techniques to Computer-Aided Audit
Thought Support (Will [1995]), and that audit thinking in discovery mode be
distinguished from audit reasoning in judgment mode, in line with the modern
philosophy of science and technology (Fetzer [1996]).
EXHIBIT 1.2 Tools for Administration and Planning of the Audit Function

Administration                                 Planning
Budgeting                                      Audit Universe
Client Billing                                 Risk Identification and Assessment
Time Tracking (Staff and Projects)             Audit Assurance
E-mail                                         Continuous Auditing
Project Management (Resource and Schedules)    Issue and Finding Tracking
                                               Follow-Up Tracking
Audit Management and Administrative Support
A variety of microcomputer-based audit tools exists and has already had a
significant impact on the audit function. They include spreadsheets, presentation graphics, databases, and more. Further opportunities for computer-based support lie in the management of the audit function itself.
This area has seen a rapid increase in the use of microcomputer tools. More
audit organizations are employing software packages to develop and maintain their audit universe, to conduct risk assessment when planning audit
coverage, to schedule and manage audit resources, and to improve the ability of all auditors to use and share information. Further, automated tools are
being used to track audit issues and monitor follow-up on audit recommendations. Exhibit 1.2 illustrates areas where computerized tools could assist
in the administration and planning of audits.
The list and types of CAATTs continue to grow in number, complexity, and utility. These types of tools include a variety of software packages
and programs designed to help auditors perform the audit and report the
results of their work, not just perform data analysis. They include software
for text search and retrieval, flowcharting, database creation and manipulation, telecommunications, and electronic working papers. More advanced
CAATTs such as expert- or knowledge-based systems, self-auditing, continuous auditing, and neural networks are also available. (These tools are
discussed in more detail in Chapter 2, Audit Technology.)
However, the tools are not effective without the application of a sound
audit mentality. Auditors must adopt innovative approaches to using the
computer as an effective and efficient audit tool in areas where these tools
can be applied. Audit professionals who are critical and understand the
potential of these new technologies can bring about significant productivity
increases. Properly applied, CAATTs can reduce costs, improve the reliability
of audit work, and allow auditors to examine areas that are not easily
examined using manual methods.
Roadblocks to CAATT Implementation
Audit software has been available for a number of years. Still, in many
organizations, only the IS auditors have attempted to introduce CAATTs
into their audits and, even then, only to a limited degree—for very specific
tests or under rigid circumstances. Too few auditors and audit organizations
have invested much thought and resources into computer-based tools and
techniques, let alone information technology.
Before examining the roadblocks to the implementation of CAATTs,
please review Case Study 5.
Case Study 5: Review of Overtime Expenditures
Two audit teams were sent out to review the management and use
of overtime at two branch offices (one on the West coast, the other
on the East). During the planning phase, the first team conducted a
detailed review of collective bargaining agreements, company policies,
and procedures with respect to overtime. They estimated that the review
would involve air travel and take five people ten days.
The second team performed a similar review of the relevant policies,
procedures, and agreements; however, prior to leaving headquarters,
they also obtained detailed pay records for all employees of the branch.
Using data analysis software, they identified all employees with overtime
payments and selected a statistical sample from this group. The team
leader spent one day playing with the data file. By producing different
stratifications of the data along various lines, the team leader discovered
that certain individuals had received more than twice their salary in
overtime payments. The team leader further determined that certain job
classes, as a group, consistently earned a lot of overtime. In particular,
the janitorial services group was collecting large amounts of overtime.
The team leader added a new line of inquiry, a review of overtime
payments by job classification, and selected a directed sample consisting
of all employees who had received more than one-and-a-half times their
regular salary in overtime.
The first team arrived at the branch office and proceeded to select
a sample of employees and pull their pay files. After eight days of
review, the team leader determined that they would have to expand
their sample, since less than 10 percent of the employees in the sample
had worked any overtime. This added four extra days to the audit.
The second team faxed the list of selected employees, all of whom
had received overtime pay, to the branch’s personnel office, requesting
that all the pay files be pulled. When the team arrived on-site, they were
able to start their review immediately.
In addition, the second team reviewed the current situation regarding the janitorial services group. They found that last year management
decided to reduce the number of cleaners by 10 percent and to only
pick up the garbage every second day. This led to numerous complaints
and a health and safety complaint. Management quickly decided to provide the same level of service as before, but did not hire any additional
staff. The projected savings from the 10 percent cut in janitorial staff was
eroded by the remaining cleaners working overtime, resulting in an 18
percent increase in the total cost of janitorial services.
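The second team's day with the data file consisted of a few standard operations: stratify overtime as a multiple of salary, summarize overtime by job class, pull a statistical sample from the employees who actually received overtime, and then add a directed sample of everyone above the one-and-a-half times cut-off. The Python listing below is an added example of those operations; it is not code from the book or from any audit package the book mentions. The pay records are constructed; the cut-off is the one the second team used.

```python
"""Stratification and directed sampling of overtime payments.

Added example for Case Study 5; not code from the book or from any audit
package it mentions. The pay records are constructed. The one-and-a-half
times salary cut-off is the one the second audit team used for its
directed sample.
"""
import random
from collections import defaultdict

# (employee id, job class, annual salary, overtime paid in the year)
PAY = [
    ("E01", "Janitorial", 30_000, 48_000),
    ("E02", "Janitorial", 30_000, 66_000),
    ("E03", "Janitorial", 31_000, 12_000),
    ("E04", "Clerical",   40_000,  4_000),
    ("E05", "Clerical",   40_000,      0),
    ("E06", "Technical",  60_000, 15_000),
    ("E07", "Technical",  62_000,      0),
    ("E08", "Technical",  60_000, 95_000),
    ("E09", "Management", 90_000,      0),
    ("E10", "Janitorial", 30_000, 20_000),
]

# Overtime as a multiple of salary; half-open bands, the last one unbounded.
BANDS = [(0.0, 0.5), (0.5, 1.0), (1.0, 1.5), (1.5, float("inf"))]


def stratify_by_ratio(records, bands=BANDS):
    """Count overtime earners in each overtime-to-salary band. Employees
    with no overtime are counted separately so they do not dilute the strata."""
    counts = {band: 0 for band in bands}
    no_overtime = 0
    for _, _, salary, overtime in records:
        if overtime == 0:
            no_overtime += 1
            continue
        ratio = overtime / salary
        for lo, hi in bands:
            if lo <= ratio < hi:
                counts[(lo, hi)] += 1
                break
    return counts, no_overtime


def overtime_by_job_class(records):
    """Total overtime per job class and overtime as a share of the class's
    total salary, which is the view that singled out the janitorial group."""
    salary_total = defaultdict(int)
    overtime_total = defaultdict(int)
    for _, job, salary, overtime in records:
        salary_total[job] += salary
        overtime_total[job] += overtime
    return {job: (overtime_total[job],
                  round(overtime_total[job] / salary_total[job], 2))
            for job in sorted(salary_total)}


def directed_sample(records, factor=1.5):
    """Every employee paid more than `factor` times salary in overtime."""
    return [emp for emp, _, salary, overtime in records
            if overtime > factor * salary]


def statistical_sample(records, size, seed=0):
    """Random sample drawn only from employees who actually received
    overtime, so no pay file is pulled for someone with nothing to review."""
    pool = [emp for emp, _, _, overtime in records if overtime > 0]
    return sorted(random.Random(seed).sample(pool, size))


if __name__ == "__main__":
    print(stratify_by_ratio(PAY))
    print(overtime_by_job_class(PAY))
    print("directed:", directed_sample(PAY))
    print("statistical:", statistical_sample(PAY, 3))
```

On the constructed records the stratification puts three employees above one-and-a-half times salary, the job-class summary shows janitorial overtime running at more than the group's entire salary bill, and the directed sample is the list the team would fax ahead to the branch. The seed on the random sample is there so the selection can be reproduced in the working papers; the first team's problem, pulling files for people with no overtime at all, cannot occur because the sampling pool excludes them.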
With the audit of overtime, Case Study 5 demonstrates the power and
utility of automated tools in audit. The ability to review thousands of transactions during the planning phase and the utility of sorted/summarized data,
statistical sampling, and other techniques can revolutionize an audit. So,
why is it that when the utility of CAATTs has been demonstrated time and
time again, many auditors fail to make use of them? The reasons for the
reluctance to embrace the automated tools are linked to the past and mired
in myths or assertions that are no longer valid. (For similar observations,
see also Will and Brodie [1991] and the Canadian Institute of Chartered
Accountants [1994]).
These myths remain powerful even in the 21st century:
Hardware and software are too costly to purchase and expensive to
maintain.
Logic or tests must be hard-coded into the application during the system
development phase, and the programming is technically complex and
requires the involvement of mainframe programmers.
Automated tools and techniques can only be used by IS auditors because general auditors lack the necessary training or computer literacy
required to benefit from the use of automated tools.
Auditors must maintain a hands-on approach by performing physical/manual reviews of all relevant information.
Client systems and data will be compromised by the use of audit software.
While there was an element of truth to some of these statements 15
or 20 years ago, to a large degree this is no longer the case. The power
of the microcomputer, the knowledge level of all auditors, and the ease
of use of various tools has increased dramatically. To further dispel these
myths, each is discussed as follows from the perspective of the newer tools
available employing microcomputer technology.
MYTH 1: TOO COSTLY TO PURCHASE AND MAINTAIN Some audit organizations
believe that audit software is costly and cannot be proven to be cost-effective. Early audit software only ran on mainframe computers and often
required site licenses and expensive maintenance contracts. Embedded audit modules had to be written during the development of the application
and were expensive to program and had to be maintained when the application was modified. Often the audit organization was billed for the time the
mainframe was used and had to request special runs or to create copies of
the production databases. Also, the output was usually paper-based and had
to be reviewed manually. Moreover, audit organizations had to deal with
different software for each application. To make matters worse, depending
on the cycle time for the audits, the software may not have been used more
than once every two or three years. This often meant that no one had sufficient expertise with the software to make effective use of the tool. Under
these conditions, the cost/benefits of maintaining the audit software would
obviously be questioned, and often a decision would be made to suspend
its use and to develop more robust controls and manual audit procedures.
The belief that computer-assisted tools and techniques are too expensive stems from experiences of ten or more years ago. Today, audit software
offers more choices, and the costs have decreased dramatically. Modern audit software is more flexible and can be used to analyze data from a variety
of applications on various computer platforms.
Typically, audit software supports access to various databases and
file formats and data types, including DB2, IDMS, IMS, Microsoft Access,
AccPac, dBASE, Excel files, and other esoteric data types. So there is no
need to purchase and maintain a variety of tools.
Today, microcomputer packages are affordable, not only by the smallest
of audit organizations, but also by intelligent sole practitioners who can
amplify their power and potential enormously without becoming dependent
on “Big Brother organizations.”
MYTH 2: TOO TECHNICAL AND COMPLEX FOR NON-IS AUDITORS Once again, this
false belief stems from the historical usage patterns of audit software. The
mainframe audit modules/packages had to be developed and maintained by
a programmer. Traditionally, programming departments were under considerable pressure and had backlogs of up to several years. The priority given
to developing audit modules for new applications was not always as high
as audit would have liked. Little time was spent developing user-friendly,
menu-driven interfaces, and documentation was likely to be absent or not
very useful. To add to the problem, the programmer did not usually have
any audit expertise. Consequently, the audit routines were often difficult
to use, and the results did not exactly meet audit’s requirements. Also, all
requests would have to be made through the programming area, adding delays and raising questions of auditor independence. After several attempts at
developing and using audit software, many audit organizations abandoned
this approach.
Today’s audit software does not have the same limitations. Software vendors have developed audit-specific packages with excellent user interfaces.
These packages can easily be used by auditors and often do not require the
services of the programmers. Further, it has become much easier to extract
and transfer data from one application or computer system to another. Data
stored in complex databases can also be extracted using structured query
language (SQL) packages. The results can be accessed directly by audit software and used by practically all auditors. Further, the auditors can do most
of their analysis on their own microcomputers, and the communication and
download facilities are supported by most systems. For large files, many
audit organizations have powerful microcomputer audit workstations that
support CD-ROM, optical disks, and other facilities to handle large volumes
of data. Now, mainframe files, which are hundreds of megabytes in size,
are easily processed using microcomputer audit software. In addition, audit
software is available in client-server versions, providing auditors with the
ease of use of the microcomputer and the storage and processing capacity
of the mainframe.
MYTH 3: ONLY FOR USE BY IS AUDITORS More and more auditors are joining the
workforce with some level of computer expertise, have taken programming
courses in school, and have personal computers at home. The workplace
requires most auditors to use computers in one way or another, even if it
is only word processing or e-mail. With graphical user interfaces and application portability, the complexity of the audit software and the problems
surrounding access to data are not what they used to be. An auditor with
a basic understanding of computers and knowledge of data concepts (such
as fields, records, files, and databases) can use today’s audit tools effectively
because programming, as a logical exercise in itself, is no longer required.
Modern audit software makes it easy for auditors to develop their own analysis plans and to execute them with limited involvement and dependence
on technical experts. There is also an increased understanding among audit
managers that staff must be provided with sufficient computer training to
keep abreast with technology. Since the audit software is more standardized, there is little need for training on your company’s proprietary software
package. Self-directed learning, computer-based training, Web-based training, and a variety of seminar and instructor-led courses are readily available.
In fact, some of today’s general field auditors have more practical technical
skills and a higher level of computer familiarity and expertise than did the
IS auditors of 10 to 15 years ago.
MYTH 4: HANDS-ON APPROACH TO AUDITING REQUIRED The feeling that auditors must conduct the review manually—physically touching and reviewing
files and reports—is more of a myth than a reality. Of course, automated
techniques do not eliminate the need to conduct a manual file review, but
the automated tools will help to focus the auditor’s attention for physical
review. Instead of having to examine 100,000 pay statements, the audit software might highlight the 100 that are of critical interest for one reason or
another. So, the auditor only needs to perform a manual review of a small
subset of transactions. In addition, the interactive nature of audit tools also
provides a high degree of hands-on analysis. Using transaction data, the auditor can pose what-if questions and test out various scenarios. The ability
to query the data, to run a variety of tests, and to get immediate responses to
specific questions provides the auditor with a hands-on capability that is not
available when dealing strictly with the physical files. Audit software allows
the auditor to perform tests of 100 percent of the transactions, regardless of
whether there are 10,000 or 10 million transactions.
MYTH 5: CLIENT SYSTEMS AND DATA COMPROMISED Previously, mainframe
audit software had to be loaded on the client’s computer system, modified
for the particular installation, and run. The only alternative was to obtain
a tape containing the client’s database and process the information on the
audit organization’s computer. Neither alternative was considered to be
completely secure. Clients were reluctant to allow unknown software on
their mainframe and did not want to release data to the auditors. Some of
these concerns still exist today, but auditors have more options. In particular,
the auditor can download the data to a microcomputer and analyze it at the
client's site. Thus, software is not being loaded onto the client's system,
and the data does not physically have to be removed from the premises.
For large data files, even portable laptop computers come equipped with
CD-ROM drives, each disc holding hundreds of megabytes of data, and
external hard drives can hold hundreds of gigabytes of data. The downloaded
copy is now audit's responsibility: the extract should be limited to the
fields the audit needs, encrypted on the laptop or external drive, and
destroyed when the engagement closes, so that the auditor's copy does not
become the compromise the client feared.
Summary and Conclusions
Modern audit technology has freed auditors to use their judgment and all
of their critical faculties rather than be limited by physical reviews, rigid
audit programs, and information systems and technology that do not support audit. While some barriers to the use of CAATTs still exist, advances
in hardware and software have reduced negative attitudes significantly, so
much so that you do not have to be a member of a large audit organization
with sophisticated mainframe software to make effective use of CAATTs.
The processing power and storage capabilities of the microcomputer continue to improve, while the hardware costs continue to decrease—making
microcomputer-based tools increasingly viable.
Modern audit software is more powerful and much easier to use than the
mainframe software of ten years ago. As a result, auditors can make effective
use of these tools with a limited investment in training. It is possible to equip
a stand-alone microcomputer with audit software for under $2,000, and the
required hardware and additional useful software for between $2,000 and
$3,000. Clearly, if you are considering the cost and benefits of automated
audit tools, you should examine the latest options and alternatives. Historical
comparisons and performance measures are no longer valid. However, the
road to automation is still lined with potential pitfalls.
The main elements of strategy to ensure effective use of computer
technology in the audit function must be delineated and clearly understood
by all participants. An effective plan to implement and support the use of
CAATTs must be developed to ensure that the tools and techniques are
properly understood and used by all.
CHAPTER 2
Audit Technology
Information technology is not only all-pervasive, it is also critical to auditors who must analyze data and information and report on them. This is
especially true when much of the essential data and information is accessible
only by computers. This chapter illustrates the audit technology continuum,
identifies general software useful for auditors, introduces specialized audit
software, and describes software helpful for audit management and administration.
Audit Technology Continuum
The use of computer technology in auditing is not consistent across companies or even within organizations with branch operations and separate audit
groups. Some audit organizations are leaders in adopting, and deriving the
maximum benefit from, new technologies. Others are taking a more cautious approach to implementing the new technology. Many organizations
exist somewhere in the middle of what can be called the audit technology
continuum.
An audit organization’s place on this continuum is based upon the
degree to which auditors and audit management have integrated the use of
CAATTs into their audit operations. There are four distinct regions along the
continuum: introductory, moderate, integral, and advanced. The regions can
be characterized according to the degree to which general software, audit
software, and audit management and administrative software are used. This
is illustrated in Exhibit 2.1, Audit Technology Continuum, and subsequently
explained with a view to assisting auditors in achieving the more advanced
stage of using information technology in auditing.
EXHIBIT 2.1 Audit Technology Continuum

Introductory
  Used by audit management
  Administration: budgeting, time reporting, and text processing
Moderate
  Used by a limited number of individual auditors
  Data extraction and analysis for a few audits; limited use of
  spreadsheets and presentation software
Integral
  Used by all auditors and audit management
  All audits, all phases, to define the audit universe and annually
  identify and assess risk; electronic working papers and
  distribution of audit reports
Advanced
  Used by all auditors and audit management
  Continuous auditing for ongoing identification and assessment of
  risk and to perform assurance audits; extensive use of intranet

Introductory Use of Technology
Audit organizations at the introductory stage of the continuum have not really begun to employ computer-based audit tools and techniques. Typically,
automation has been on the periphery of the main audit functions. The efforts have focused on automating basic audit tasks rather than addressing
new or different requirements. Examples include e-mail, word processing
for preparing audit reports and working papers, and spreadsheets for managing the audit division’s budget. The audit process has not changed, nor
have any of the inputs to, or outputs from, the audit process. The audit
organization has failed to see how important technology is and how it can
help. Coincidently, the audits performed are also most likely to be the traditional “tick-and-bop” efforts, relying on manual file reviews, rather than
more comprehensive audits.
While organizations at the introductory stage of the continuum have
accrued some benefits from the use of computer technology, most audit-related tasks are still performed manually. Such audit management does not
have a plan that will see the organization taking the next step in supporting
the audit function with technology. Technology is not anticipated, planned
for, or considered in either the short- or long-range plans of the audit
organization. Any use of technology is piecemeal and usually only intended
to deal with one problem, one functional area, or one specific audit.
Moderate Use of Technology
In a growing number of audit organizations, technology is having an impact
on the actual audits being conducted. However, this impact is still somewhat limited. Technology is not used by all audits, nor is it consistently
applied or managed in a centralized manner. Often, only one or two auditors are making use of specialized audit software, and their efforts may not
be sponsored or sanctioned by audit senior management. In many cases,
management may not even be aware of the type, or extent of the use, of
automated tools and techniques by these auditors. Even in cases where
data extraction tools are used with management's knowledge and consent,
they may be used only to select a sample of transactions. The resulting records
are then manually reviewed rather than analyzed electronically.
The types of audits performed, the results achieved, and the methodology employed have not changed, only the tools used to perform the functions necessary to deliver the final report. If there are a sufficient number of
successful examples of the application of automated tools and techniques,
the audit organization may move to the next stage on the continuum. However, since there is no focus on the use of technology and no vision for
where the organization’s use of technology is going, there is a risk that
minor setbacks will alter management’s view of CAATTs and the initiative
will falter. Further, the application of technology is still isolated to specific
tasks rather than integral to the entire audit function. The future of CAATTs
may lie with an informal group of users, without management’s backing or
guidance; however, these individuals may become frustrated and move on
to other opportunities. As a result, the modernization of the audit function
may fail to come to fruition. Also, in audit organizations that emphasize
a rotation of staff through internal audit, the expertise may quickly be lost
before plans can be made to ensure that the expertise is passed on to others
so it can be expanded.
Integral Use of Technology
At this point on the audit technology continuum, the technology is recognized by audit management as the way of the future, and resources have
been assigned to continue to develop its use and integration within the
audit function. Technology has successfully been used to improve some of
the basic components of the audit process. To a certain extent, the inputs
to, and the outputs from, the audit process have changed through the use
of computer-based tools and techniques. Computers are used in more sophisticated ways to improve the efficiency and effectiveness of the audit
process. Some examples of these are:
Extraction and analyses of client data in support of specific audit objectives
Automation of the administrative functions of the audit organization,
such as time reporting and billing, audit planning, risk analysis, and
project management
Establishment of an electronic library of audit-related reference materials
(policies, procedures, federal statutes)
Automation of working papers and cross-referencing of source documents, possibly including the development of a corporate intranet with
hypertext links
Development of databases summarizing several years' worth of client
data for critical or key information systems to be used for trend analysis,
audit planning, or early-warning systems
In particular, the use of technology is managed and encouraged in all
phases of audits and for the administration of the audit function. Audit
senior management has formalized the use of computer technology and
has a vision for the future of CAATTs. An effort is being made to do more
than simply automate current processes and tasks that had previously been
performed manually. CAATTs are factored into the organization’s business
plan, and resources (time and money) have been set aside to ensure the
continued development of new and innovative tools and techniques for
audit in order to provide the added value that should be expected of modern
auditing.
Advanced Use of Technology
At the advanced stage of the continuum, technology is changing not only
the way audits are conducted, but also the types of audits undertaken.
Audit organizations become involved in the design and development of
new and innovative uses of technology such as self-auditing systems, which
continuously review transactions. Once audit functions become part of a
system, auditing will become a continuous process that identifies anomalies
based on predefined, audit-determined criteria. Audit tools that are highly
integrated with the company’s information systems could be used to perform
audit procedures simultaneously with the company’s processes and controls
(Canadian Institute of Chartered Accountants [1999]).
For example, the comparison of customers’ current long-distance usage
to their typical calling patterns can detect possible calling card theft before
the owner is even aware of the loss. Other examples include trend analysis
on credit card purchases or the comparison of the profitability level for a
division to other divisions in other plants, after being normalized for various
factors that might affect costs. The results of these comparisons are used
as red flags by audit management to help determine what will be audited
and when. Continuous auditing of key information systems allows auditors
to use data-driven indicators to identify and assess risk in support of the
development of the annual audit plan. In addition, auditors can review
potential problems before they become serious, with red flags raised and
investigated for causes, and recommendations made in real time rather than
months after the fact.
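The calling-card illustration above is a continuous-auditing test in its simplest form: each customer's current usage is compared with that customer's own history, and an account that departs from its pattern is raised as a red flag. The Python listing below is an added example of that test; it is not code from the book or from any product the book mentions. The usage figures are constructed, and the decision rule (an excess of three standard deviations that is also at least 50 minutes) is an assumption chosen for the example, standing in for the audit-determined criteria the text refers to.

```python
"""Continuous-auditing red flag: current usage against each customer's own
calling pattern.

Added example for the calling-card illustration; not code from the book or
from any product it mentions. The usage figures are constructed, and the
decision rule (three standard deviations, with a minimum absolute excess)
is an assumption chosen for the example.
"""
from statistics import mean, pstdev

# Long-distance minutes per customer for past billing periods (constructed).
HISTORY = {
    "C100": [120, 130, 110, 125, 140, 115],
    "C200": [900, 950, 870, 910, 940, 890],
    "C300": [0, 0, 5, 0, 0, 0],
    "C400": [60, 65, 70, 62],
}
# Minutes in the period now being billed (constructed); C500 is a new account.
CURRENT = {"C100": 135, "C200": 2400, "C300": 310, "C400": 68, "C500": 500}


def baseline(past):
    """Typical usage: mean and population standard deviation of past periods."""
    return mean(past), pstdev(past)


def red_flags(history, current, k=3.0, min_abs=50, min_periods=3):
    """Return (customer, reason) for every account whose current usage is
    outside its own pattern. An account with fewer than `min_periods` of
    history has no pattern to compare against and is flagged for that
    reason rather than silently passed."""
    flags = []
    for customer, minutes in sorted(current.items()):
        past = history.get(customer, [])
        if len(past) < min_periods:
            flags.append((customer, "no baseline"))
            continue
        mu, sigma = baseline(past)
        # A near-zero sigma (a customer who hardly ever calls) would make any
        # small change look extreme, so the excess must clear both the
        # statistical bound and an absolute floor before it is reported.
        if minutes - mu > max(k * sigma, min_abs):
            flags.append((customer, "above pattern"))
    return flags


if __name__ == "__main__":
    for customer, reason in red_flags(HISTORY, CURRENT):
        print(customer, reason, CURRENT[customer])
```

Run over the constructed data, C200 (2,400 minutes against a pattern of about 910) and C300 (a near-dormant account suddenly billing 310 minutes) are raised as exceptions, C500 is raised because there is no history to judge it against, and C100 and C400 pass. In a production version the thresholds are criteria set by audit, possibly per customer segment, the test runs every billing cycle against the live system, and the flagged accounts feed an investigation queue rather than a printout.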
At this point on the technology continuum, the nature of the audit function is substantially different. The inputs, outputs, and processes of a typical
audit are not the same as that of an organization that has not embraced
automation in audit. To a large degree, the types of audits conducted, the
planning cycle and cycle time, and many other functions will also be affected by the implementation of advanced tools and techniques. Information
technology is utilized to the fullest extent in order to maximize the benefits
of the audit to the audited organization.
Getting There
Very few organizations are at the advanced stage of the audit technology
continuum, and not every organization can expect to reach this point in
the short term. However, substantial benefits in terms of efficiency and
effectiveness can be gained by auditors using specialized audit software. For
example, the increased use of analytical review can aid in the prevention and
detection of fraud (Pacini and Brody [2005]). Most organizations can improve
upon their use of computer-based tools and techniques and maximize their
return on the investment in computer technology.
There need not be a large internal audit organization within the company in order to use the computer more effectively as an audit tool. Nor is it
necessary to have a lot of dedicated computing resources such as powerful
hardware, sophisticated software, and highly trained programming professionals. In fact, many steps can be taken to produce significant benefits at
a minimal cost.
The remainder of this chapter describes various uses of technology.
Most of the uses are typical of the moderate to integral stages on the continuum. The examples range from the more intelligent use of the features
available in word processing software to expert systems. Most do not require the development of audit-specific applications, the generation of test
decks, the embedding of audit modules into existing application systems,
or the use of advanced programming techniques.
These tools and techniques can be implemented one at a time, on a
stand-alone workstation or on a local area network (LAN). It is strongly suggested that the audit organization choose what will work best, starting with
the tools and techniques that will produce the greatest payback. But, keep
in mind that the degree to which the organization has adopted automation
is a factor that auditors must consider when implementing automation in
audit (EDP Auditors Association, Toronto Area Chapter [1990]).
The examples of CAATTs begin with general software that can be most
easily implemented, producing immediate results. The examples of specialized audit software may require more familiarity with audit technology and
support the application of more advanced and sophisticated approaches to
auditing without being technologically difficult.
General Software Useful for Auditors
The use of technology by auditors requires not only a change in the mind-set
of auditors, but also a degree of comfort and familiarity with the technology
and the concepts. The use of general software to support audit, such as text
processing, spreadsheet, and graphics, while beneficial in its own right, will
also introduce auditors to more relevant technology. The following section
discusses general software useful for audit with nontypical uses of these
packages from an audit perspective. Even if the organization is going to
remain at the moderate stage of the continuum, the auditor can make better
use of the technology already available. Simple word processing software
can become more than a text processor and more integral to the audit
function when looked at from a different perspective.
Word Processing
All writing is carried out with one aim in mind: to communicate an idea or
fact to the reader. One of the main functions of audit is to report the results
of audit reviews and to communicate opinions on a variety of subjects.
In order for this to be achieved effectively, we must capture the readers’
attention. The auditor must be skilled in the techniques of writing to ensure
that the messages are clear, concise, and readable. While the auditors may
think that audit reports are clear and to the point, their view is not always
shared by the readers. The clients will often criticize a report if it is too
long-winded or difficult to follow. As a result, auditors must improve their
writing style to make reports clear, concise, and readable. The first use of
technology is quite simply the production of audit reports and working
paper documentation using word processing software. Word processing
software can help in improving writing skills.
A simple word processor allows the user to enter and manipulate textual information. It is far more than an electronic typewriter, because most word processors provide much more functionality than one. Edits, updates, and corrections can be made easily, and the electronic versions can
be stored for future use in follow-up audits. Text can be reformatted on
the screen to change the layout to the format the writer feels will have the
greatest impact. The word processor allows the writer to manipulate the
text using simple commands to copy, move, or delete the text as required.
This speeds up the drafting process, as the entire document does not need
to be retyped every time a correction is required. In addition, all members
of the audit team can be actively involved in the production of the final report. Members of the team can work on different chapters, and the overall
document can easily be pulled together at a later date.
Many audit departments now provide auditors with laptops and portable
microcomputers, which allow them to write the draft audit report in the field
and be ready for its issue on their return. Draft reports can be edited using
redline; document compare features can be used to identify the changes;
and version control can be tightly maintained. Final reports will benefit
from the flexibility and clarity of electronic formatting, laser printing, and
the integration of text with graphics and even color printing. Further, word
processors have the added advantage of exposing all auditors to the computer, as well as building confidence in technology.
Word processors are being packaged with a wider array of capabilities.
Previously, many audit organizations found that management review comments focused on spelling errors rather than the issues raised in the report.
This can be virtually eliminated by the spell-checking feature of many word
processors. Spell-checking features, as well as reporting incorrectly spelled
words, will also suggest alternative spellings. Further, the value of a report
can be diminished by the repetition of particular words. Most word processors are also equipped with a thesaurus, a valuable tool for the auditor who
needs to find other ways of saying discovered (e.g., detected, determined,
learned, realized, uncovered, noticed, established, ascertained).
Word processors also have style (or grammar) checkers to assist in
ensuring that audit reports are clear and concise. A style checker will analyze
the readability of the text. Studies have shown that readable writing has
common characteristics: sentence length, number of syllables per word,
frequency of punctuation, and use of the active voice. However, the main
use of this type of tool is as a check. Auditors must know what is required
to produce readable reports at their organization. The checker can be used
to analyze reports or highlight sentences that are too long and can be
split into two or more sentences. They can also highlight long words with
which the reader may not be acquainted or where a simpler word may
suffice.
Many audit reports also suffer from being disjointed; the audit findings
are not always written in a logical sequence, and major points are often hidden in a plethora of minor findings. An outliner can help to plan the structure
of any document. The outliner (sometimes called a thought processor) is a
text processor that allows the user to enter items as a list and then move
these items around until they are in the best possible sequence. Items that
are entered are automatically numbered, and the numbering sequence will
change automatically as the list is rearranged. Many levels of detail can be
supported, and when a high-level item is moved, the underlying details are
also moved. Many word processors now include an outliner that can be used
to plan the structure of the entire document. The findings can be entered as
a list of paragraph headings that can then be sorted until the best presentation sequence is found. The outline then can be transferred as a template
to the word processor and the details can be typed into each paragraph.
Outliner software even can be used as an audit planning tool. The audit
can be broken down into a series of distinct sections, and each section can
be further broken down into a series of steps. This process can continue
until the auditor is satisfied that all areas have been covered and can result
in more structured audit programs.
Other possibilities for word processing software include the automatic
production of confirmation letters using mail merge capabilities to improve
the production efficiency and final look of the letters, and the use of standardized working paper, report formats, and templates to reduce the time
required to format the final report. Further, standardization can make the
automatic generation of preliminary findings and final reports easier to accomplish. Hypertext links can also be established between the final report
and the audit program or detailed working papers. (This application of technology is discussed further in this chapter under Electronic Working Papers.)
The main problem with word processing software is that very few people use more than 25 percent of the power of the word processing packages. Capabilities such as spelling checkers, thesaurus, automatic paragraph
numbering, and the generation of indexes and tables of contents, as well
as grammar checking routines, can vastly improve the quality of the final
report. However, they require an investment in training. Audit organizations
are finding that the improvement in the quality of the correspondence more
than outweighs the training costs to acquire more advanced skills.
Text Search and Retrieval
The majority of the output from any audit department is in the form of text.
Reports and correspondence are produced within the department on a word
processing package, and there is a considerable amount of text littering
the hard disks. Usually, these documents are printed and maintained in
manual filing systems, making retrieval more difficult. However, since the
documents already exist in electronic format, there are better methods of
storing and retrieving required information for follow-up audits or research.
Microsoft Windows (e.g., XP, NT) and most word processors provide search capabilities, including the capability to search all files within a
directory, or even an entire hard disk drive for a specific string of characters. However, there are now a considerable number of packages on the
market that perform these functions with more speed and functionality.
Text search and retrieval is achieved in two ways: (1) some packages index
words in documents and can therefore perform fast searches of all files
for specific words or phrases, and (2) others carry out the scan of all files
for the required text as the query is entered into the system. The indexing
packages are obviously faster in operation, but have an overhead in storage
requirements, as the indexes often take up as much space as the documents
themselves. The pure search and retrieve packages are slower, but do not
have any additional storage requirements. Both types of packages allow the
user to retrieve all instances of a word or phrase.
For example, one architectural firm needed to find all correspondence
where they had quoted a certain section of the building code in the last
year and a half. This involved searching hundreds of proposals and letters.
Manually, the search would have taken days and there would have been
no guarantee that they had found all references. Electronically, the search took
only minutes and covered every document it was run against. The one caveat is that a search is complete only with respect to text that exists in electronic form; scanned images or paper files that were never converted to text remain outside it.
Document management software also can be used to manage electronic
documents, even performing version control for draft audit reports.
Reference Libraries
The proper management of electronic documents can make them easier to
control and retrieve—in short, more useful. In particular, audit programs
or audit reports often contain information that might be relevant to future
audits. Audit management should ensure that a document management
program is enforced to protect the integrity of pertinent information.
A centralized reference library of company policies, procedures, previous audit reports, and methodologies, supported by text search and retrieval,
provides auditors with easy access to historical information. Cut-and-paste
capabilities can also allow auditors to use these electronic files during the
planning phase to create new audit programs, to build background working
papers, or as part of a follow-up audit of a client area.
The reference materials could contain just about anything—from specific legal statutes to generalized audit procedures. For example, modern
audit software is designed such that standard audit programs can be developed to be repeatable and maintained and made available to all audit
teams, improving their efficiency and effectiveness.
Further, reference materials that are fairly stable, such as company policies and procedures, could be written to CD-ROM and given to auditors for
use with laptop computers when working at remote locations. Today, the
organization’s intranet often contains all up-to-date versions of policies and
regulations and is accessible by all employees.
Spreadsheets
The spreadsheet started the revolution in the use of personal computers
for business. Spreadsheet software gave users the ability to automate many
of the functions of business administration and accounting. An electronic
spreadsheet is like an automated calculator that can work in two or more
dimensions. A spreadsheet consists of rows and columns. The intersection
of each row and column forms a cell, and these cells form the basis of
the spreadsheet. They can contain text, numbers, formulae, or even programmed instructions (macros). Combinations of these types of cells can
be used to build applications. Rows, columns, or blocks of data can be
summed, sorted into sequence, moved to other locations, or copied. In
addition, spreadsheets can be linked to other spreadsheets.
The spreadsheet format of data presentation is so natural that it has
also been used by audit software to facilitate various views into any, and
practically all, electronic data files and summarizations of the data in diverse
ways. Other facilities offered by spreadsheet software include the capability
to generate graphical representations of data, which is often the most effective way of showing data. The graphs either can be copied or hot-linked
into audit reports, improving the understandability and presentation of the
results. Spreadsheet software also includes simple commands and formulae
to perform statistical functions such as cross tabulations (pivot table) and
regressions (linear or nonlinear).
Spreadsheets can be used by audit management to track budgets or to
record time and billing information. Some organizations have developed risk
and materiality criteria and use spreadsheets to evaluate the audit universe in
order to determine which audits to perform next. In fact, any audit process
that involves the analysis of quantities of data or repetitive calculation can
be made more efficient by using a spreadsheet. Where relationships exist
between data items, these relationships can be checked by entering the data
into a spreadsheet and writing a simple checking routine.
Audit packages, such as Spreadsheet Auditor and ExcelSmartTools Auditor, also have been written and can be used to verify the internal consistency of spreadsheets. These packages examine spreadsheets for circular
references and other anomalies, compare the basic layout and structure
of the spreadsheet against good programming practices, and will highlight all
formulae. In addition, packages like XLAudit analyze spreadsheets to evaluate the required controls, find errors in formulae, and map precedents (the cells a formula reads) and
dependents (the cells that read it).
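As an added illustration of what such a package does (example code written for this edition, not the logic of any product named above), the Python script below reads a constructed worksheet, maps each formula's precedents and dependents, reports circular references, and lists formulas that read cells holding nothing. The cell layout and formulas are assumptions made up for the example; a real workbook would be loaded with a library such as openpyxl instead of the inline dictionary.

```python
import re
from collections import defaultdict

# Constructed sample worksheet (cell -> constant or formula); strings that
# start with "=" are formulas. B1 -> B4 -> B2 -> B1 is a deliberate circular
# reference, and C2 reads C9, which holds nothing.
SAMPLE_SHEET = {
    "A1": "1000", "A2": "2000", "A3": "=SUM(A1:A2)",
    "B1": "=B4*2", "B2": "=A3+B1", "B3": "0.2", "B4": "=B2*B3",
    "C1": "=A3*B3", "C2": "=C1+C9",
}

RANGE_RE = re.compile(r"\b([A-Z]{1,2})(\d+):([A-Z]{1,2})(\d+)\b")
CELL_RE = re.compile(r"\b([A-Z]{1,2})(\d+)\b")


def col_to_num(col):
    n = 0
    for ch in col:
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def num_to_col(n):
    s = ""
    while n:
        n, r = divmod(n - 1, 26)
        s = chr(ord("A") + r) + s
    return s


def expand_range(c1, r1, c2, r2):
    """A1:B2 -> A1, A2, B1, B2."""
    return [f"{num_to_col(c)}{r}"
            for c in range(col_to_num(c1), col_to_num(c2) + 1)
            for r in range(int(r1), int(r2) + 1)]


def precedents(formula):
    """Cells a formula reads, with ranges expanded to individual cells."""
    refs = set()
    for m in RANGE_RE.finditer(formula):
        refs.update(expand_range(*m.groups()))
    for m in CELL_RE.finditer(RANGE_RE.sub(" ", formula)):
        refs.add(m.group(1) + m.group(2))
    return refs


def build_graph(sheet):
    """precedents: formula cell -> cells it reads; dependents: the reverse."""
    prec, dep = {}, defaultdict(set)
    for cell, content in sheet.items():
        if content.startswith("="):
            prec[cell] = precedents(content)
            for p in prec[cell]:
                dep[p].add(cell)
    return prec, dict(dep)


def find_cycles(prec):
    """Cells that take part in a circular reference (depth-first search)."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour, in_cycle = defaultdict(int), set()

    def visit(cell, path):
        colour[cell] = GREY
        path.append(cell)
        for p in prec.get(cell, ()):
            if colour[p] == GREY:                 # back edge: a cycle closes here
                in_cycle.update(path[path.index(p):])
            elif colour[p] == WHITE:
                visit(p, path)
        path.pop()
        colour[cell] = BLACK

    for cell in prec:
        if colour[cell] == WHITE:
            visit(cell, [])
    return in_cycle


def blank_precedents(sheet, prec):
    """Formulas that read cells holding nothing at all."""
    return {cell: sorted(p for p in refs if p not in sheet)
            for cell, refs in prec.items() if any(p not in sheet for p in refs)}


def audit(sheet):
    prec, dep = build_graph(sheet)
    return {"precedents": prec, "dependents": dep,
            "cycles": find_cycles(prec),
            "blank_precedents": blank_precedents(sheet, prec)}


if __name__ == "__main__":
    result = audit(SAMPLE_SHEET)
    print("circular references:", sorted(result["cycles"]))
    print("formulas reading empty cells:", result["blank_precedents"])
    print("dependents of A3:", sorted(result["dependents"]["A3"]))
```

The dependents map is what an auditor uses to answer "if this input cell is wrong, which reported figures change?"; the precedents map answers the reverse question for a suspect total.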
Another concern for auditors is the error rate for spreadsheets, estimated at 2 to 4 percent of all formula cells; a workbook with 1,000 formula cells would then be expected to carry 20 to 40 faulty ones. At that frequency, a material
error in financial reporting is almost a certainty in spreadsheets of any reasonable size. Some of the risks related to spreadsheets include errors in
downloading of corporate information (partial or out-of-date information),
errors in spreadsheet calculations, inappropriate changes to the data or the
spreadsheet logic, and invalid interpretations of the information (Institute of
Internal Auditors (IIA), Sarbanes-Oxley Section 404 [2008]).
Studies have recommended that companies maintain a detailed inventory of their spreadsheets and implement a number of controls over changes,
version, access, input, security, and data integrity (PricewaterhouseCoopers,
Use of Spreadsheets, [2004]). This leads to a host of spreadsheet management software, promising to fill the many compliance holes inherent in
typical spreadsheets.
Management and auditors now have numerous choices, including products such as Actuate, Cerity, Compassoft, ClusterSeven, Lyquidity, Mobius,
Prodiance, Qtier, Sheetware, and Spreadsheet Advantage. These products
generally include the ability to (1) track changes to spreadsheets, including
changes that cross multiple spreadsheets; (2) create and maintain access
and segregation of duties controls; (3) control versions; and (4) produce audit trails. Other features may include workflow, spreadsheet-development
tools, spreadsheet archiving, and analytical reporting. Their overall goal is
to combine the user-friendliness and widespread use of spreadsheets with
a centralized control infrastructure—to reduce the likelihood of errors.
Presentation Software
The use of presentation software can help auditors deliver their message
in an interesting and condensed format. In particular, presentation software
can help improve the quality and utility of the exit debrief to the client.
Concepts or recommendations that are complex are often more easily presented in graphical format rather than straight text. Graphics and the use of
color can make audit reports more readable and understandable. Further,
the appropriate use of graphics can focus the reader’s attention on the audit
findings and key recommendations. A number of audit organizations have
introduced multimedia presentations to senior management. These presentations include audio and visual (digital pictures and movies) components.
Case Study 6: Audit Reporting
The audit team was given a 15-minute time slot for their briefing to the
senior vice president. The facilities audit had taken more than six months
to perform and had identified seven major recommendations and a
number of minor findings. The detailed audit report was over 150 pages
in length. Obviously, the auditors could not fully explain the entire audit
to the senior vice president in the time allotted to them. However, using
a graphics package, they produced ten full-color slides and incorporated
a one-minute video of a particularly decrepit facility. The presentation
covered the main points raised by the audit and highlighted the key
results and recommendations. The senior vice president was sufficiently
concerned by the contents of the briefing that she asked for a more
comprehensive report, at which point the audit team handed over the
detailed audit report and a condensed executive summary. Had they not
caught the attention of senior management, the detailed findings may
never have been given the focus they deserved. The use of presentation
software helped the audit team to maximize the time the vice president
was able to spend with them.
Auditors should use graphics and video to assist the reader in understanding the text, not as a replacement for the written word. One of the
temptations with presentation software is to stress form over substance. So,
be warned, do not go overboard; too many fonts, pictures, or the use of
sound and animation may distract from the main message of an audit.
Flowcharting
One of the tasks within any operational audit is to document business
flows and procedures or to ensure that existing documentation is updated
to reflect changes in the flows. Flowcharting is used as one technique
that enables the auditor to analyze the procedures and identify controls
(or the lack thereof). Updating and redrawing flowcharts used to be time-consuming, but now specialized flowcharting software is available to assist
the auditor. As a result, it is much easier to change one symbol or flowline
on a microcomputer and produce a new version than to erase or redraw
it on paper. In addition, standards of flowcharting can be enforced more
easily through the use of computer software.
There are packages that will follow any of the generally recognized
flowcharting techniques. Therefore, auditors can produce audit flowcharts
using the Rutterman standards, computer flowcharts, or even data flow diagrams. Some flowcharting software is even capable of transforming English
constructs directly into a diagram.
Flowcharting software can be used to illustrate many relationships, such
as organizational charts, flowcharts for computer software or applications,
network diagrams, process flows, decision trees, and cause-and-effect relationships. The resulting diagrams can consist of one or more pages and
can be automatically sized or resized. Many flowcharting packages contain
standard templates for ease of use and offer online help.
Audit teams can use flowcharting software, such as Visio and Code
Visual to Flowchart, to model the audit entity, making any revisions or
updates easy to perform. Flowcharting critical processes can help identify
key control points and can be used to produce process and data flow
diagrams. Of course, the flowcharts can be reused for the next audit of the
client or for audits of similar operations.
Documenting process flow has proved to be one of the most important
steps in Sarbanes-Oxley compliance because it provides the foundation for
all subsequent work (Kendall [2004]). Maintaining this documentation is costly, but the same flowcharting software keeps a modeled process flow current, so revisions are cheap and the diagrams remain usable from one audit to the next.
Antivirus and Firewall Software
Antivirus software is a class of programs that scans a computer (hard
drives and removable media) for known malicious code, usually by matching files against a database of signatures and, in more recent products, by flagging suspicious behavior. All auditors
should ensure that their computers and LAN are protected from malicious
software by installing and maintaining adequate antivirus software. Equally
important is ensuring that the antivirus engine and its signature database are kept up to date; a scanner with stale signatures will not recognize current threats.
A firewall is software, or a dedicated device, placed at a network boundary (typically the gateway between the organization's network and the Internet) that permits or blocks traffic according to a defined policy, usually based on source and destination address, port, and protocol.
The firewall protects the resources of a private network from users on
other networks. It is designed to prevent unauthorized access by
persons external to the organization and, through outbound (egress) rules, to stop employees from connecting to unauthorized sites. Audit organizations with either a direct Internet
connection or an intranet that allows its workers access to the wider Internet should install a firewall to prevent outsiders from accessing private data
resources and to control what outside resources the auditors will be able to
access. A basic firewall inspects addresses and ports, not the content of the traffic it allows, so it complements rather than replaces antivirus software.
Software Licensing Checkers
The issue of copyright infringement and the associated penalties are serious
concerns. Previously, auditors wishing to conduct reviews of microcomputer software to ensure that the company was not breaking any license
agreements by running illegal software faced a difficult task. The job meant
visually scanning all the directories of all the microcomputers in the organization to identify all software on each microcomputer. Today, however,
other options are available that make the task less time-consuming and more
effective. Software exists that will scan all directories searching for file names
and compare these with a user-defined database of software (e.g., SPAudit).
Other packages (e.g., Barefoot Auditor) will read portions of all executable
files, searching for a footprint that uniquely identifies the software package,
even if the user has renamed the file. The program retrieves the software's
product name, version, license number, serial number, and date by reading
the information contained in the executable file. The auditor can use this
information to check for the appropriate software license. Matching on file names alone is the weaker of the two approaches, since renaming a program defeats it; matching on the contents of the file (the embedded version information or a hash of the executable) is what makes the inventory trustworthy, and the inventory is then compared against the licenses the organization actually holds.
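The following Python script is an added example (not code from SPAudit, Barefoot Auditor, or this book) of the content-based approach: it walks a directory tree, identifies executables by a SHA-256 hash of their bytes rather than by file name, and compares the result with the seats the organization holds. The sample binaries, products, seat counts, and the three-workstation layout are constructed for the example; a real database would hold vendor-published hashes or the auditor's own hashes of known-good installation media.

```python
import hashlib
import os
import tempfile

# Constructed sample "executables": byte strings standing in for real files.
# The banner mimics the product string a real checker reads out of the file;
# the hash of the whole content is the footprint we match on.
SAMPLE_BINARIES = {
    "wordpro.exe": b"WORDPRO 3.1 (c) Example Corp\x00" + b"\x90" * 64,
    "sheet.exe": b"SHEETCALC 7.0 (c) Example Corp\x00" + b"\xcc" * 64,
    "game.exe": b"UNLICENSED GAME\x00" + b"\x41" * 32,
}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


# Constructed licence database (hypothetical products and seat counts).
LICENSE_DB = {
    sha256_bytes(SAMPLE_BINARIES["wordpro.exe"]):
        {"product": "WordPro", "version": "3.1", "file": "wordpro.exe", "seats": 1},
    sha256_bytes(SAMPLE_BINARIES["sheet.exe"]):
        {"product": "SheetCalc", "version": "7.0", "file": "sheet.exe", "seats": 5},
}
EXEC_SUFFIXES = (".exe", ".dll", ".com")


def build_sample_tree():
    """Three 'workstations' under a temp dir; pc02 holds WordPro renamed to notes.exe."""
    root = tempfile.mkdtemp(prefix="swaudit_")
    layout = {
        "pc01": {"wordpro.exe": "wordpro.exe", "sheet.exe": "sheet.exe"},
        "pc02": {"notes.exe": "wordpro.exe", "game.exe": "game.exe"},
        "pc03": {"sheet.exe": "sheet.exe", "readme.txt": None},
    }
    for pc, files in layout.items():
        os.makedirs(os.path.join(root, pc))
        for name, src in files.items():
            data = SAMPLE_BINARIES[src] if src else b"not an executable"
            with open(os.path.join(root, pc, name), "wb") as f:
                f.write(data)
    return root


def fingerprint(path):
    """Hash the file contents in chunks; the name plays no part."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Inventory executables by content hash; the file name is only reported."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXEC_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            found.append({"path": path, "name": name,
                          "entry": LICENSE_DB.get(fingerprint(path))})
    return found


def license_report(found):
    installs, unknown, renamed = {}, [], []
    for f in found:
        if f["entry"] is None:
            unknown.append(f["path"])          # not in the approved list
            continue
        product = f["entry"]["product"]
        installs[product] = installs.get(product, 0) + 1
        if f["name"].lower() != f["entry"]["file"]:
            renamed.append(f["path"])          # known product under another name
    seats = {e["product"]: e["seats"] for e in LICENSE_DB.values()}
    over = {p: (n, seats[p]) for p, n in installs.items() if n > seats[p]}
    return {"installs": installs, "over_deployed": over,
            "unknown": sorted(unknown), "renamed": sorted(renamed)}


if __name__ == "__main__":
    for key, value in license_report(scan(build_sample_tree())).items():
        print(f"{key}: {value}")
```

Three findings come out of the constructed tree: WordPro is installed twice against one seat, a copy of it has been renamed to notes.exe, and game.exe matches nothing the organization has approved. A hash catches byte-identical copies only; a checker that reads the embedded version resource instead will also recognize patched builds, at the cost of trusting a string the user could edit.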
Specialized Audit Software Applications
In addition to all the generalized software available to all users of microcomputers, specialized audit software has been designed to support auditors
in their various activities. Of course, since audit software is supporting auditing under diverse circumstances and in various ways, it is by definition
and functionality also a powerful accounting, controllership, and management information tool. The following discusses software applications that
may assist auditors in taking a more critical view of information. The use
of specialized audit software allows auditors to formulate and test hypotheses, look for transactions that meet specific audit-defined criteria, and much
more. The software applications described as follows range from simple
extractions to the use of expert systems.
Data Access, Analysis, Testing, and Reporting
Increasingly, the auditor is faced with electronic rather than paper files. The
source documentation may not be readily available—if at all—and then only
in electronic format. Often the sheer volume of information precludes the
use of manual analysis techniques. A variety of applications can give auditors the capability to analyze information contained on mainframe, mini-,
or microcomputer systems.
Audit software was designed to facilitate universal data access, comprehensive analyses, exhaustive tests, and representative reports, both interactively and using scripts. The interactivity and speed of these tools and
techniques lets the auditor explore and test hypotheses. Consequently, auditors have had a lot of success in analyzing data to address issues related
to data integrity, including the interrelationships between or anomalies with
data elements, the effective and efficient operation of the client’s accounting
and data processing, detection of control weaknesses, and so on. Various
sampling methods are also available with audit software. But even more
importantly, modern audit software facilitates electronic analysis, screening,
and testing of 100 percent of the audit populations.
Computerized audit techniques can also be used to supplement the
review of a system’s controls. Simple application controls such as edit checks
can be easily verified by sorting or summing the application’s transactions
on the given field to determine if the field contains only values that would
pass the edit check. Sometimes, the edit check may verify field values on
data entry but does not verify data coming from another electronic source.
CAATTs can also be used to check for invalid combinations of fields, such
as a person with sex = male and pregnant = yes.
Case Study 7: Verifying Application Controls
In this example, an audit of the finance system (accounts payable)
determined that the control over the payment of duplicate invoices relied
on two fields. The financial system would reject and flag any transaction
where the combination of vendor number and invoice number was not
unique. The auditor raised concerns when he found that there was poor
control over the vendor table (the table that assigned vendor numbers to
vendors). As part of the review of the controls over duplicate payments,
the auditor summarized the vendor table on vendor name and found
that numerous vendors had more than one vendor number.
In many cases, vendors with slightly different names, such as ABC
Limited and ABC Ltd and ABC Ltd., had a different vendor number
assigned for each spelling of the vendor name.
Vendor Name     Vendor Number   Address
ABC Limited     N3450D12        1080 Castlehill Cres
ABC Ltd.        N5478X23        1080 Castle Hill Cres
ABC Ltd         N5471C10        1080 Castle Hill Cres
The auditor informed management that the poor control over the
vendor table, which allowed not only different vendor numbers to be
assigned to the same vendor, but also permitted any invoice clerk to
add or delete vendors from the vendor table, compromised the control
over the payment of duplicate invoices. Management did not seem to
feel that there was any significant exposure. They stated that other
compensating controls, including a manual review of payments by the
budget managers, would catch any duplicate invoices.
The auditor was convinced that management would not address
the control weakness in the vendor table without further audit evidence. So he performed a test to check for duplicate payments. The
auditor-defined criteria for duplicate payments were same invoice number and same payment amount. The resulting file contained several
thousand potentially duplicate transactions. On reviewing the file, the
auditor realized that these criteria were not sufficiently restrictive, that
too many firms had invoice numbers using a similar sequence (#2005-1
for example), and that too many invoices were for even dollar amounts
($100.00).
The auditor refined the criteria by requiring that the invoice number be at least four characters in length and that the invoice amount
be greater than $1,000.00. The second extraction produced 214 possible
duplicate transactions totaling just over $1.8 million. A manual review
eliminated 36 transactions for a variety of reasons, such as vendors’
addresses at opposite ends of the country. The final file contained 178
transactions totaling more than $1.5 million. The auditor selected the ten
largest payments and requested copies of the invoices from the invoice
processing sections that had processed the payments. Nine of the payments turned out to be duplicates, although two vendors had returned
the duplicate payment. The total overpayment for the remaining seven
duplicate invoices amounted to close to half a million dollars.
When management was presented with the results of the auditor’s
test for duplicates, they readily agreed to implement tighter controls
over the vendor table and even proceeded with a review of the other
168 potentially duplicate transactions that the auditor had identified, and
ordered recovery action for all identified duplicate payments.
The use of CAATTs in Case Study 7 allowed the auditor to search
through millions of transactions for audit-specified criteria in hours. Further,
CAATTs permitted the auditor to adjust the criteria after reviewing the initial
results. While the test did not identify all duplicates and not all of the transactions were duplicates, the test did validate the auditor’s initial suspicion
and highlight a significant system weakness.
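The test in Case Study 7 can be expressed in a few lines of Python. The script below is an added example, not the auditor's actual ACL or IDEA script, and its vendor table and payment file are constructed (the three ABC rows mirror the case study; the other vendors, invoice numbers, and amounts are assumptions). It shows why the system's own (vendor number, invoice number) uniqueness check passes every one of these payments, summarizes the vendor table on a normalized name, runs the first-pass and refined duplicate criteria, and ranks the hits whose vendor numbers collapse to a single vendor.

```python
import re
from collections import defaultdict

# Constructed vendor table and payment file for the example. The three ABC
# rows mirror the case study; everything else is made up.
VENDORS = [  # (vendor number, vendor name, address)
    ("N3450D12", "ABC Limited", "1080 Castlehill Cres"),
    ("N5478X23", "ABC Ltd.", "1080 Castle Hill Cres"),
    ("N5471C10", "ABC Ltd", "1080 Castle Hill Cres"),
    ("V1000", "Acme Supplies", "12 Main St"),
    ("V2000", "Zed Cleaning", "9 Mill Rd"),
]
PAYMENTS = [  # (payment id, vendor number, invoice number, amount)
    ("P1", "N3450D12", "INV-20051", 12500.00),
    ("P2", "N5478X23", "INV-20051", 12500.00),   # same invoice, second number
    ("P3", "V1000", "2005-1", 100.00),           # common sequence, even amount
    ("P4", "V2000", "2005-1", 100.00),
    ("P5", "V1000", "17", 5000.00),              # short invoice number
    ("P6", "V2000", "17", 5000.00),
    ("P7", "N5471C10", "INV-20088", 2200.00),
    ("P8", "N3450D12", "INV-20088", 2200.00),
    ("P9", "V1000", "A-77", 1500.00),
]
LEGAL_FORMS = {"limited": "ltd", "incorporated": "inc", "corporation": "corp"}


def normalize_name(name):
    """Lower-case, strip punctuation, collapse legal-form spellings."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(LEGAL_FORMS.get(w, w) for w in words)


def vendors_with_multiple_numbers(vendors):
    """The case study's summarization of the vendor table on vendor name."""
    by_name = defaultdict(list)
    for number, name, _addr in vendors:
        by_name[normalize_name(name)].append(number)
    return {n: nums for n, nums in by_name.items() if len(nums) > 1}


def system_control_passes(payments):
    """The application's own control: (vendor number, invoice number) unique."""
    seen = set()
    for _pid, vendor_no, invoice_no, _amt in payments:
        if (vendor_no, invoice_no) in seen:
            return False
        seen.add((vendor_no, invoice_no))
    return True


def possible_duplicates(payments, min_invoice_len=0, min_amount=0.0):
    """Group on (invoice number, amount); the keyword filters are the refined
    criteria from the case study (length >= 4, amount > $1,000)."""
    groups = defaultdict(list)
    for pid, vendor_no, invoice_no, amount in payments:
        if len(invoice_no) < min_invoice_len or amount <= min_amount:
            continue
        groups[(invoice_no, amount)].append((pid, vendor_no))
    return {k: v for k, v in groups.items() if len(v) > 1}


def prioritise(dups, vendors):
    """Rank a hit higher when its vendor numbers resolve to a single vendor:
    that is exactly the case the system's uniqueness check cannot see."""
    name_of = {number: normalize_name(name) for number, name, _ in vendors}
    ranked = []
    for (invoice_no, amount), hits in dups.items():
        names = {name_of[v] for _, v in hits}
        ranked.append({"invoice": invoice_no, "amount": amount,
                       "payments": [p for p, _ in hits],
                       "same_vendor": len(names) == 1})
    return sorted(ranked, key=lambda r: (not r["same_vendor"], -r["amount"]))


if __name__ == "__main__":
    print("vendors with several numbers:", vendors_with_multiple_numbers(VENDORS))
    print("system control passes:", system_control_passes(PAYMENTS))
    print("first pass:", len(possible_duplicates(PAYMENTS)), "groups")
    refined = possible_duplicates(PAYMENTS, min_invoice_len=4, min_amount=1000.0)
    for row in prioritise(refined, VENDORS):
        print(row)
```

The first pass flags four groups, two of them noise of the kind the auditor hit (a shared "2005-1" sequence at an even $100.00 and a two-character invoice number); the refined criteria leave the two ABC pairs, and both are ranked first because their vendor numbers normalize to the same vendor.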
All audit phases can be supported with modern audit software, such as
Audit Command Language (ACL) and Interactive Data Extraction and Analysis (IDEA). For example, during the planning phase, the software can be
used to define the audit populations, review previous and current years’
expenditures and budgets, identify resource consumption and outputs, or
perform trend analyses. As a result, the auditor will have a better understanding of the client’s business even before leaving the office, and the
conduct phase can be much more focused.
During the conduct phase, audit software can be used in many ways,
including:
Testing reasonableness, edit checks, and interrelationships
Verifying posting and control totals
Calculating days-aged for receivables and inventory turnaround times
Summarizing expenditures and revenues by location
Selecting statistical samples
Identifying judgmental samples or directed samples (based on risk or
materiality issues)
Producing (exception) reports
Case Study 8: Allocation of Cleaning Expenditures
The company had recently expanded its cleaning services to include
several new office buildings. This placed some unique requirements on
the cost-tracking system. Previously, all other buildings were occupied
by a single client; however, the new buildings each housed several
clients.
The audit reviewed the cleaning expenditures incurred for one of
the new office complexes that housed eight clients. The objective was
to identify and verify the allocation of the costs to each client. The costs
included the value of materials used in cleaning activities and the direct
labor costs. Headquarters paid all invoices, but the allocation of the costs
to each client and the production of client invoices were performed by
the staff at each local office building.
During the planning phase of the audit, information from the headquarters’ financial system was extracted to determine the composition
and characteristics of the audit population. The data was downloaded
to a microcomputer, and several standard reports were used to analyze and size the audit population. Summary reports were produced to
obtain an overall view of the audit population and to provide a basis
for developing a sampling methodology. For example, all expenditures
over $5,000 were identified to determine the percentage and type of
high-dollar transactions.
The audit team then selected two samples from the population. The
first sample was a dollar unit sample, where every dollar had the same
probability of being chosen; the second was a directed or judgmental sample, selecting records from the high-dollar transactions. During
the conduct phase, the local office provided a copy of the data that it
used to produce billing statements for each client. The audit team compared the data extracted from the headquarters’ financial system with
the local office’s data to verify the integrity of each client’s bill and to
identify unrecovered expenditures. A 100 percent verification of transactions in the headquarters’ financial system, but not in the local database
(potential unrecovered expenditures) was performed. A sample of the
transactions in the local system that were not in the headquarters’ financial system (potential erroneous recoveries) was also reviewed.
During the on-site visit, the local database was also used to produce a judgmental sample. In particular, expenditures were sorted and
summarized by client and by type of expense (material or labor). All
cleaning projects that had material costs, but no direct labor costs, were
reviewed. Further, the audit team performed limited testing of the validity of the local system’s data (edit and validation checks) and reviewed
the completeness and accuracy of the administrative overhead charges.
Much of the initial analysis was conducted at headquarters, including selection of sample transactions. This meant that the on-site time
was spent conducting analyses rather than selecting samples; therefore
the disruption to the client was kept to a minimum. The comprehensive
analysis that was performed on-site was only possible with the use of
the computer and appropriate audit software. Further, the speed and
detail achieved in identifying data errors enabled the local office to take
corrective action before the audit team had left the site.
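The three data steps of Case Study 8 (the two-way match between the headquarters extract and the local billing file, the judgmental selection of projects with material cost but no labor cost, and the dollar unit sample) are shown below as an added example written for this page in Python; it is not the case study's own audit-software job. Every record and field name (trans_id, client, cost_type, amount) is constructed for illustration.

```python
# Added example (not the book's own code): reconciliation and sampling steps
# of the kind described in Case Study 8. All records and field names
# (trans_id, client, cost_type, amount) are constructed for illustration.
import random
from collections import defaultdict

# Constructed headquarters financial-system extract.
HQ = [
    {"trans_id": "T001", "client": "ACME", "cost_type": "material", "amount": 1200.00},
    {"trans_id": "T002", "client": "ACME", "cost_type": "labor",    "amount": 800.00},
    {"trans_id": "T003", "client": "BETA", "cost_type": "material", "amount": 6500.00},
    {"trans_id": "T004", "client": "GAMA", "cost_type": "labor",    "amount": 300.00},
    {"trans_id": "T005", "client": "GAMA", "cost_type": "material", "amount": 950.00},
]

# Constructed local billing data. T004 was never billed (potential
# unrecovered expenditure), T999 was billed with no headquarters record
# (potential erroneous recovery), and T005 was billed at a different amount.
LOCAL = [
    {"trans_id": "T001", "client": "ACME", "cost_type": "material", "amount": 1200.00},
    {"trans_id": "T002", "client": "ACME", "cost_type": "labor",    "amount": 800.00},
    {"trans_id": "T003", "client": "BETA", "cost_type": "material", "amount": 6500.00},
    {"trans_id": "T005", "client": "GAMA", "cost_type": "material", "amount": 590.00},
    {"trans_id": "T999", "client": "BETA", "cost_type": "labor",    "amount": 450.00},
]


def reconcile(hq, local):
    """Two-way match on transaction id.

    Returns (unrecovered, erroneous, mismatched):
      unrecovered - ids in HQ but not billed locally (verified 100 percent)
      erroneous   - ids billed locally but absent from HQ (sampled)
      mismatched  - ids in both systems whose amounts differ
    """
    hq_by_id = {r["trans_id"]: r for r in hq}
    local_by_id = {r["trans_id"]: r for r in local}
    unrecovered = sorted(set(hq_by_id) - set(local_by_id))
    erroneous = sorted(set(local_by_id) - set(hq_by_id))
    mismatched = sorted(
        t for t in set(hq_by_id) & set(local_by_id)
        if round(hq_by_id[t]["amount"] - local_by_id[t]["amount"], 2) != 0
    )
    return unrecovered, erroneous, mismatched


def material_without_labor(records):
    """Clients with material cost but no direct labor cost: the judgmental
    sample the team selected on site."""
    totals = defaultdict(lambda: {"material": 0.0, "labor": 0.0})
    for r in records:
        totals[r["client"]][r["cost_type"]] += r["amount"]
    return sorted(c for c, t in totals.items()
                  if t["material"] > 0 and t["labor"] == 0)


def monetary_unit_sample(records, sample_size, seed=0):
    """Dollar unit sample: every dollar has the same chance of selection, so
    a record's chance is proportional to its amount. Systematic selection
    with one random start inside the first sampling interval; a record hit
    more than once is listed once."""
    total = sum(r["amount"] for r in records)
    interval = total / sample_size
    start = random.Random(seed).uniform(0, interval)
    hits = [start + i * interval for i in range(sample_size)]
    chosen, running = [], 0.0
    for r in records:
        low, running = running, running + r["amount"]
        if any(low <= h < running for h in hits):
            chosen.append(r["trans_id"])
    return chosen
```

Two points the prose does not spell out: a dollar unit sample with a fixed interval cannot miss any single item larger than the interval (here T003 is two thirds of the population and is always selected), and amounts are compared after rounding to cents so that a bill that differs from the headquarters record only by floating-point noise is not reported as a mismatch.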
In Case Study 8, direct and unrestricted access to the data, and the ability
to analyze, screen, and test it immediately, also let the audit team ask
what-if questions and view the data comprehensively and interactively. Working
this way, audit teams can cut audit time significantly and, with modern audit
software, produce results that are more reliable and far more complete.
Standardized Extractions and Reports
Often, similar information is required for diverse audits. Sometimes the only
variable that changes is the location or branch. Rather than writing new
programs to extract the information each time an audit begins, it is often
more efficient to develop standardized reports. Modern audit software supports
this directly: it can store executable jobs (also called scripts or macros)
that perform repetitive tasks, such as combining monthly files to create a
year-to-date picture at any point in time. A script that is written once,
reviewed, and then run unchanged at each location also removes a source of
inconsistency between audits, since every site is extracted and tested the
same way.
The standardized reports can be used by auditors to access the key information systems, such as finance, personnel, inventory, payroll, payables,
and compensation and benefits. Various types of standard reports can be
developed, including high-level summaries and detailed listings of transactions meeting certain thresholds. High-level summaries will give the auditor
an overview of the audit entity for use during the planning phase. Detailed
Audit Technology
45
reports will more likely be required at the conduct phase to review specific
issues or concerns.
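The standardized extraction described above, combining monthly files into a year-to-date view and producing a detailed listing of transactions over a threshold, as an added example written for this page in Python rather than in an audit package's script language. The monthly files are constructed CSV text, and the column names are assumed. The example also shows the check a practitioner wants in such a script: a transaction id that appears in more than one monthly file means the extracts overlap and the year-to-date total is double-counted.

```python
# Added example (not the book's own code): a standardized extraction that
# combines monthly files into a year-to-date view and produces a detailed
# listing over a threshold. The monthly files are constructed CSV text and
# the column names are assumed.
import csv
import io
from collections import Counter

MONTHLY_FILES = {  # constructed; keyed by period so they sort in order
    "2004-07": "trans_id,dept,account,amount\n"
               "123P0100,Pers,Salary,2100.23\n"
               "123P0101,Ops,Travel,480.00\n",
    "2004-08": "trans_id,dept,account,amount\n"
               "123P0200,Pers,Salary,2135.37\n"
               "123P0201,Ops,Travel,7250.00\n",
    "2004-09": "trans_id,dept,account,amount\n"
               "123P0201,Ops,Travel,7250.00\n"   # overlaps with August's file
               "123P0300,Ops,Equipment,5600.00\n",
}


def load_month(period, text):
    """Parse one monthly file and tag each row with its source period."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["amount"] = float(row["amount"])
        row["period"] = period
        rows.append(row)
    return rows


def year_to_date(files):
    """Concatenate the monthly files in period order.

    Also returns transaction ids that appear in more than one file:
    overlapping extracts silently double-count year-to-date totals,
    so a non-empty list means the report cannot be relied on.
    """
    ytd = []
    for period in sorted(files):
        ytd.extend(load_month(period, files[period]))
    counts = Counter(r["trans_id"] for r in ytd)
    duplicates = sorted(t for t, n in counts.items() if n > 1)
    return ytd, duplicates


def over_threshold(rows, threshold):
    """Detailed listing: transactions above the threshold, largest first."""
    return sorted((r for r in rows if r["amount"] > threshold),
                  key=lambda r: r["amount"], reverse=True)


def ytd_total(rows):
    return round(sum(r["amount"] for r in rows), 2)


def run_standard_report(files, threshold):
    """The reusable job: same code, different files each audit."""
    ytd, duplicates = year_to_date(files)
    return {"duplicates": duplicates,
            "total": ytd_total(ytd),
            "over_threshold": [r["trans_id"] for r in over_threshold(ytd, threshold)]}
```

The duplicate list is returned alongside the totals rather than hidden, so the report itself records that the September extract repeated an August transaction; resolving that with the data owner comes before any threshold finding is reported.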
When starting to build standard reports, it is a good idea to obtain
a copy of the data dictionary, preferably in electronic format, and ensure
that you have an adequate understanding of all the data fields. A good
understanding includes knowing:
What kinds and types of data are stored in the system?
What possible values do the fields contain?
Where did the data come from?
What information is derived from the data and what does it mean?
How is the data administered, protected, and secured?
How is the data and the information used by (senior) management?
This knowledge will help you in designing report contents and layout
formats based upon your own data naming conventions. The information
gathered can go considerably beyond the data stored in the original computer files, and the extraction routines can easily access more than one type
of data file.
If appropriate, consider developing a catalog of standard reports for use
by all auditors. The catalog could list all standard reports (purpose, layout,
description, and possible uses) and provide a sample printout for each type
of report. This type of documentation is useful to all auditors, but particularly to new audit staff who are trying to develop an understanding of the
various application systems. Of course, by knowing the information requirements of the client’s management, it will be possible to generate various
management reports with the same ease and to suggest even better ways of
keeping informed. Audit software of this kind has been described as
meta-software, in that it provides the same or better answers to critical
questions about organizations and their data (Will [1996]). In organizations
where auditors use CAATTs effectively, clients often acquire the audit
software themselves, to use as a management tool after the audit is completed.
Information Downloaded from Mainframe Applications
and/or Client Systems
Many corporations have large centrally managed mainframe applications or
enterprise-wide systems. The detailed transaction files for any given year
may be so large that frequent access through the mainframe computer system would be costly and time-consuming. With the increase in storage available on LANs and even microcomputers, auditors can download gigabytes
of data and have the detailed transactions on the audit LAN or a specialized
CAATTs workstation. Another option is to create views of the data by summarizing the information on key fields and downloading the summaries to
a microcomputer. Thus, instead of taking hours to access, read, and extract
information (usually requiring knowledge of mainframe operating systems
and extraction tools and therefore requiring programming staff—with the
usual backlogs and delays), the summarized data is available in seconds or
minutes, in an easy-to-use format on the microcomputer.
Case Study 9: Detail and Summary Data
The summarized data on the microcomputer can be used by auditors
for planning and trend analysis. For example, one organization created
three different views (summaries) of their financial data.
Summarized Information Available on the LAN

Mainframe File—detailed transactions

Dept   Account   Amount     Period       Trans #
Pers   Salary    2,100.23   09/09/2004   123P0234
Pers   Salary    2,435.37   09/09/2004   123P0235
...
Pers   Salary    1,982.20   09/09/2004   123P0236
...
Pers   Salary    2,985.34   09/09/2004   123P9964
Ops    Salary    1,432.78   09/09/2004   128RO456

PC File—Summarized by Department, Account, and Period

Dept   Account   Amount         Period     Count
Pers   Salary    1,463,445.78   09/09/04   731
Ops    Salary    5,672,129.54   09/09/04   3,245
...
The detailed files (more than 2.3 gigabytes—nine million
records—in size for each year) took more than one hour to read using
a mainframe extraction tool that was understood only by IT specialists.
The views created for the auditors contained eight years’ worth of data:
16 gigabytes of storage space on the mainframe, but only 14 megabytes
of disk space in summary format on the microcomputer.
In Case Study 9, summary files can be used by audit teams during
the planning phase to get a snapshot of the current data and to examine
trends over the last eight years of financial information (by resource
code, by responsibility center, etc.). Other financial summaries can be
created to provide budget, commitment, and expenditure information for
each responsibility center. Also, summaries of information from other systems, including the personnel and inventory systems, may be created and
downloaded.
Case Study 10 is another example that illustrates the usefulness of maintaining summary files.
Case Study 10: Use of Summary Data
Summary information from the pay system was used for an audit of
overtime to easily determine the salary and overtime totals by location.
The percentage overtime/salary helped auditors to identify locations
with high levels of overtime use, such as overtime more than 10 percent
of total salary. These locations had a higher risk of poor management
of overtime and salary budgets.
The audit of hazardous materials used a summary of inventory holding by locations to determine the total value of hazardous materials at
all locations and to help the auditors decide which warehouses should
be visited and inspected. A large volume of a variety of hazardous materials represented higher levels of environmental and health and safety
risks.
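Building the summary view of Case Study 9 from detailed transactions and deriving the overtime-to-salary ratio of Case Study 10 from it, as an added example written for this page in Python (not the audit software jobs the case studies used). The detail records and field names are constructed; the 10 percent threshold is the one the text gives. The example adds the control-total check an auditor should run before trusting a summary file: the summary must carry the same record count and the same total amount as the detail it was built from.

```python
# Added example (not the book's own code): summary views with control totals
# (Case Study 9) and a derived ratio with a risk flag (Case Study 10).
# Detail records are constructed; field names are assumed.
from collections import defaultdict

FIELDS = ("dept", "location", "account", "amount", "period", "trans_id")
DETAIL = [  # constructed detail transactions
    ("Pers", "East", "Salary",   2100.23, "09/09/2004", "123P0234"),
    ("Pers", "East", "Salary",   2435.37, "09/09/2004", "123P0235"),
    ("Pers", "West", "Salary",   1982.20, "09/09/2004", "123P0236"),
    ("Pers", "West", "Overtime",  410.00, "09/09/2004", "123P0237"),
    ("Ops",  "East", "Salary",   2985.34, "09/09/2004", "123P9964"),
    ("Ops",  "East", "Overtime",  120.50, "09/09/2004", "123P9965"),
    ("Ops",  "West", "Salary",   1432.78, "09/09/2004", "128RO456"),
]


def summarize(detail, keys):
    """Group detail rows on `keys`; return amount and count per group
    (the 'PC file' view of Case Study 9)."""
    idx = [FIELDS.index(k) for k in keys]
    amt_i = FIELDS.index("amount")
    out = defaultdict(lambda: {"amount": 0.0, "count": 0})
    for row in detail:
        g = tuple(row[i] for i in idx)
        out[g]["amount"] = round(out[g]["amount"] + row[amt_i], 2)
        out[g]["count"] += 1
    return dict(out)


def control_totals_match(detail, summary):
    """Completeness check: record count and total amount of the summary
    must equal those of the detail it came from."""
    amt_i = FIELDS.index("amount")
    detail_total = round(sum(r[amt_i] for r in detail), 2)
    summary_total = round(sum(s["amount"] for s in summary.values()), 2)
    counts_match = len(detail) == sum(s["count"] for s in summary.values())
    return counts_match and abs(detail_total - summary_total) < 0.005


def overtime_ratio_by_location(detail, threshold=0.10):
    """Case Study 10: overtime as a share of salary per location, flagging
    locations above the threshold as higher risk."""
    by_loc_acct = summarize(detail, ("location", "account"))
    locations = {loc for loc, _ in by_loc_acct}
    result = {}
    for loc in sorted(locations):
        salary = by_loc_acct.get((loc, "Salary"), {"amount": 0.0})["amount"]
        overtime = by_loc_acct.get((loc, "Overtime"), {"amount": 0.0})["amount"]
        ratio = round(overtime / salary, 4) if salary else None
        result[loc] = {"ratio": ratio,
                       "flag": ratio is not None and ratio > threshold}
    return result
```

A location with overtime but no salary records gets a ratio of None rather than a division error or a silent zero; that condition is itself a data-integrity finding, since it usually means the summary was built from an incomplete extract.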
Case Study 10 illustrates summary files that are easily accessible through
audit software and depict the whole audited organization or specific facets of
it. These summary files provide all audit teams with quick access to several
years’ worth of data in a format that is readily understandable, and is easy
to use—all without the help of programming specialists or the associated
mainframe computing costs. Abnormal trends or overly large values may
indicate higher levels of inherent risk, requiring audit attention.
This greatly improves the planning phase of the audit, allowing the
team leader to quickly size the audit entity and view the audit universe. This
can assist in both the development of the annual audit plan, including the
identification and assessment of risk, and the planning for a specific audit
(see later in this chapter, and the section on Continuous Auditing).
Having several years’ worth of data during the preliminary phase of the
audit means that trend analysis can be performed, helping to further define
specific lines of inquiry for the conduct phase. Previous years’ data do not
change and can be stored on the LAN. Current-year data can be summarized
and downloaded as often as necessary (daily, weekly, monthly). Thus, the
summary files can even be kept current using standardized audit software
applications.
Electronic Questionnaires and Audit Programs
An electronic questionnaire can range from a simple form used to capture
user input electronically to a complex interactive form leading the user
through the relevant questions or sections, based on the answers supplied.
Electronic questionnaires can be used for several purposes. For example,
they can be used to survey clients or to create standardized audit programs
to be used by several auditors.
Visual Basic and Delphi are two microcomputer-based tools that allow
auditors to rapidly develop electronic questionnaires. The questionnaires
can be used when performing interviews or can be used by the client. The
fact that the questionnaires are in an electronic format means that they can
be easily sent to the client by e-mail, on disk, or through an Internet or
intranet site. The questionnaires can also be programmed so that the output
can be directed to a printer or saved in a file for further analysis using data
analysis software.
With modern audit software, detailed audit programs that involve many
steps (some of which are performed only when the result of the previous step calls for them) can be partially automated. This has enormous
advantages when dealing with multisite audits being conducted by several
audit teams. The development of an audit program in electronic format can
help ensure consistency across sites. Further, if the subject area is complex
and the decision tree has many possible branches, it may be difficult to
ensure that all the auditors are fully conversant with all aspects of the audit.
An electronic audit program will lead the auditors through each step and
automatically jump to the appropriate question.
For example, in an audit of overtime, the electronic audit program uses
the answer to the question, “To which union does the employee belong?”
to determine the proper overtime rates and criteria for the remainder of the
audit program. The portion of the audit program dealing with shift work
would be ignored if not relevant for that union.
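An electronic audit program of the kind just described, as an added example written for this page in Python (the text names Visual Basic and Delphi as the tools of the day; this is not code from either). Each step asks a question, records the answer, and names the next step based on that answer, so the shift-work step is skipped for a union whose agreement has no shift provisions. The union names, rates, step ids, and employee id are invented for illustration.

```python
# Added example (not the book's own code): a data-driven electronic audit
# program whose branching depends on earlier answers. Unions, rates and
# step ids are invented for illustration.
import json

# Constructed program: step id -> question, allowed answers, and routing.
# "next" is either one step id or a mapping from answer to step id;
# None ends the program.
PROGRAM = {
    "union": {
        "question": "To which union does the employee belong?",
        "choices": ["UNION_A", "UNION_B"],
        "next": {"UNION_A": "ot_rate_a", "UNION_B": "ot_rate_b"},
    },
    "ot_rate_a": {"question": "Was overtime paid at 1.5x after 37.5 h?",
                  "choices": ["yes", "no"], "next": "shift_premium"},
    "ot_rate_b": {"question": "Was overtime paid at 1.5x after 40 h?",
                  "choices": ["yes", "no"], "next": "approval"},
    "shift_premium": {"question": "Was the night-shift premium applied?",
                      "choices": ["yes", "no"], "next": "approval"},
    "approval": {"question": "Was overtime pre-approved in writing?",
                 "choices": ["yes", "no"], "next": None},
}


def validate(program):
    """Every `next` reference must name a step that exists; a dangling
    reference would strand the auditor mid-program at a site."""
    bad = []
    for step, spec in program.items():
        nxt = spec["next"]
        targets = nxt.values() if isinstance(nxt, dict) else [nxt]
        bad += [(step, t) for t in targets if t is not None and t not in program]
    return bad


def run_program(program, answers, start="union"):
    """Walk the program. `answers` maps step id -> answer and stands in for
    interactive input. Returns the ordered (step, answer) pairs captured,
    so only the steps actually reached are recorded."""
    captured, step, seen = [], start, set()
    while step is not None:
        if step in seen:
            raise ValueError(f"program loops at step {step!r}")
        seen.add(step)
        spec = program[step]
        answer = answers[step]
        if answer not in spec["choices"]:
            raise ValueError(f"{answer!r} is not a valid answer for {step!r}")
        captured.append((step, answer))
        nxt = spec["next"]
        step = nxt[answer] if isinstance(nxt, dict) else nxt
    return captured


def steps_taken(captured):
    return [s for s, _ in captured]


def to_record(employee_id, captured):
    """Flatten one completed program into a JSON line, the file format the
    auditor later analyzes across all sites."""
    return json.dumps({"employee_id": employee_id, **dict(captured)}, sort_keys=True)
```

Answers are checked against the allowed choices at capture time, which is what keeps the files returned from several sites analyzable without a clean-up pass, and the loop guard means a mistyped routing table fails loudly during validation rather than in the field.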
Another advantage of using an electronic audit program is its ability to
capture data in a file for further analysis by the auditor. Client surveys can be
sent to the users directly, via e-mail, or on disk. The completed questionnaire
files can be returned to the auditor via the same means. All of the completed
questionnaires are readily available for electronic analysis. Thus, instead of
having to review perhaps hundreds of paper questionnaires that had been
completed manually, the auditor can simply use audit software to analyze
the results electronically.
Case Study 11: Data Capture Options
In an audit of a workforce adjustment program, the electronic program
captured information on employees who had been laid off. Three audit
teams were conducting concurrent audits at different locations. Each
night the data files were uploaded to the corporate headquarters and
combined into a single database that was analyzed for specific trends
and issues. When required, changes were made to the audit program,
and the new version was sent to the audit teams for use for the remainder of the audit. As a result, the manager responsible for the audit
was able to monitor the progress of the audit (number of employee
payouts reviewed), determine interim results, and ensure that all audit
teams were following the new audit program, electronically. (See later
in this chapter, the section on Expert Systems for more information on
automated flow and control of audits.)
Control Self-Assessment
The idea of control self-assessment has been around for many years. However, the concept is seeing a resurgence in use, partially because of support
it is receiving from technology. Self-assessment and facilitation software can
help auditors to facilitate self-assessment sessions. The software can assist
auditors in encouraging the participants from the operational area that is being audited to determine which controls are important and how well these
controls are functioning.
One approach to control self-assessment starts with the definition of
the primary objective of the entity and the statement of the supporting
objectives. An auditor, leading the self-assessment session, captures the
results of the participants’ discussion using a computer connected to an
LCD panel. Facilitation software often allows participants to contribute
anonymously to the discussion. The participants can readily see their input
and often feel that it is recognized as more important and relevant to the
process when it is actively captured and displayed on the screen.
The self-assessment software also allows the participants to use voting
pads to rate items being discussed, such as their level of agreement with
the statement “The controls are working effectively.” The results of the
voting are anonymous and can be displayed in graphical format in real time.
This highlights the control successes (strengths) and obstacles (weaknesses).
Auditors can easily capture and consolidate the participants’ ratings of the
desired and actual level of effectiveness for each control objective—the
difference representing the opportunities for improvement. The graphing
of all participants’ responses to control questions immediately highlights
differences in opinions and facilitates open and honest discussion.
The interactive nature of the tool and the graphical support provided
by self-assessment and facilitation software can contribute directly to the
success of the self-assessment sessions. Also, the results of the upfront
evaluation of the controls can help focus auditors on specific areas of
higher risk.
Parallel Simulation
As explained in Chapter 1, the use of parallel simulation, a technique
whereby the auditor simulates the functioning of a system or portion of a
system, can be very effective in identifying errors in the original system. The
results of the simulation are compared to the original system and any discrepancies are noted. Case Study 12 illustrates the use of parallel simulation.
Case Study 12: Insurance Premiums
At one organization, the auditors wanted to verify the calculation of
insurance premiums to be paid to moving companies to cover the loss
or damage of furniture for employee moves. First they obtained copies
of the source code and developed a good understanding of the routine
that calculated the insurance premium. The main cost driver of insurance
was determined to be the weight of the goods being moved. The formula
to calculate the insurance premiums included the distance of the move,
the weight of the goods, and other factors.
Next, the auditors used their own software to write a job to simulate the application’s calculations of the insurance premiums. They then
obtained the move data file, ran their job, and calculated the premiums.
By comparing the simulation’s results with those of the actual application, the auditors discovered that the weight of the car was being
added to the household goods and the insurance premiums were being
erroneously calculated using the combined weight (goods and car). The
production system was including the weight of the employee’s car under
both Household Goods and Vehicles. As a result, the total weight of the
goods (one of the variables in the premium calculations) was overstated
by the weight of the vehicles being moved. A modification was made
to the production program, which reduced the total premiums paid by
almost 30 percent.
Any module of the application system being audited can be tested
through the use of parallel simulation. This also can often be done quickly
through the use of fourth-generation languages on the microcomputer. In
some cases, spreadsheet software has been used in a parallel simulation
exercise. The fact that the simulation does not require data entry screens or
nicely formatted output makes the process easier. The simulation uses the
same data as the production system, and the electronic comparison of the
results (i.e., production versus simulation) quickly identifies any errors.
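A parallel simulation of the premium routine in Case Study 12, as an added example written for this page in Python; it is neither the production program nor the auditors' own job. The production function reproduces the defect the auditors found (the vehicle weight counted under Household Goods as well as under Vehicles), and the simulation recomputes the premium from the source weights. The rate, the minimum premium, the formula's shape, and the move data are invented, so the percentage it reports is not the case study's 30 percent.

```python
# Added example (not the book's own code): parallel simulation of the
# premium routine in Case Study 12. production_premium() reproduces the
# defect the auditors found; simulated_premium() is the auditor's
# independent recomputation. Rate, floor and moves are invented.
from dataclasses import dataclass

RATE_PER_LB_MILE = 0.000012   # assumed: dollars per pound per mile
MIN_PREMIUM = 25.00           # assumed floor on a goods premium


@dataclass(frozen=True)
class Move:
    move_id: str
    distance_miles: float
    household_goods_lb: float   # goods only, as recorded at source
    vehicle_lb: float           # insured separately; must not count as goods


def goods_premium(goods_lb, distance_miles):
    """The premium formula both routines share (assumed form)."""
    return round(max(MIN_PREMIUM, goods_lb * distance_miles * RATE_PER_LB_MILE), 2)


def production_premium(m):
    """Defective production logic: the vehicle weight lands under Household
    Goods as well as Vehicles, so the goods weight is overstated."""
    goods_as_recorded = m.household_goods_lb + m.vehicle_lb   # the defect
    return goods_premium(goods_as_recorded, m.distance_miles)


def simulated_premium(m):
    """Auditor's simulation: goods premium from goods weight only."""
    return goods_premium(m.household_goods_lb, m.distance_miles)


def compare(moves, tolerance=0.01):
    """Run both routines over the same move data. Returns
    (move_id, production, simulated, difference) for every move whose
    results differ by more than `tolerance`, plus the total and the
    percentage by which production overstated the premiums."""
    discrepancies = []
    prod_total = sim_total = 0.0
    for m in moves:
        p, s = production_premium(m), simulated_premium(m)
        prod_total += p
        sim_total += s
        if abs(p - s) > tolerance:
            discrepancies.append((m.move_id, p, s, round(p - s, 2)))
    overstatement = round(prod_total - sim_total, 2)
    pct = round(100 * overstatement / prod_total, 1) if prod_total else 0.0
    return discrepancies, overstatement, pct


MOVES = [  # constructed move data file
    Move("M001", 500, 8000, 3500),
    Move("M002", 1200, 12000, 0),     # no vehicle: both routines agree
    Move("M003", 300, 6000, 4000),    # simulated premium falls to the floor
]
```

Two things the comparison makes visible that reading the source alone would not: moves without a vehicle agree exactly, which points the investigation at the vehicle field, and the floor on small premiums masks part of the overstatement on short moves, so the per-move difference is not simply proportional to the vehicle weight.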
Electronic Working Papers
In recent years, a lot of emphasis has been placed on electronic working
papers. Some of the large accounting firms have developed and are selling electronic working paper packages. While these packages use different
software and can be customized, most contain similar modules, including
a standard format for working papers, a standard format for a report, a
reference directory, and a methodology directory.
The basic capabilities of most electronic working papers packages include:
Quick and reliable replication of databases and documents across one
or many servers
Automatic routing of information
Support for unstructured data types (text, graphics, spreadsheets,
flowcharts, etc.)
Ability to create forms or standard templates for working papers
(memos, reports, worksheets)
Enforcement of a standard methodology/approach to the conduct of
audits
Automatic naming and management of files, solving document management and version control issues
Interactive working paper supervisory review
Multiple views of data (audit in-progress, recommendations by group,
audit phase, etc.)
Easy access to, and sharing of, all relevant data for auditors working
off-site
Electronic working papers standardize the formats of many of the required elements of an audit, making it less time-consuming for each auditor.
The software contains automatic routing capabilities (e-mail) usually with a
sign-off feature. Thus, the draft report will be automatically routed to the
team leader, and once signed off, to the audit manager, and so on up the
chain. Electronic working papers software also allows the auditor to establish links between various files or even between paragraphs within separate
files. Thus, for example, step 5.1.a of the methodology, “Ensure the accuracy of the time reporting data,” can be linked to the test performed, which
in turn can be linked to the working papers file containing the results of the
test. This is particularly useful for the manager who is performing a review
of the working papers. By simply clicking the mouse on step 5.1.a of the
methodology, the manager can review the test. Another click will display
the results.
Several useful areas where the functionality of electronic working papers software can have a significant payback are:
Audit procedures
Best practices
Company policies
Control questionnaires
Issue tracking
Reference materials and documentation
Report tracking
Risk assessment
Working papers
Follow-up on audit recommendations
While some of the features of electronic working papers can be implemented using a standard word processor that supports templates and
hypertext, the full functionality requires more sophisticated software that
includes interfaces to audit software for data access, analyses, screening,
testing, and reporting.
Data Warehouse
A data warehouse is an extraction of existing operational data that is optimized for use by end users. Basically, it is a collection of data that is used
for decision-making support rather than for operational support. The information contained in a data warehouse is typically used to analyze trends in
data. The information derived from the data warehouse is used to support
long-term decisions rather than short-term or immediate decisions. It can
be used to answer questions like “What is the long-range demand forecast
for a certain product?” rather than “Should we manufacture 2,000 or 3,000
of brand X?”
Often the data warehouse is developed for use by senior management,
but it also can be extremely useful to auditors. If a corporate data warehouse
does not exist, the audit department can develop its own data warehouse.
In these cases, the audit-developed data warehouse can often form the basis
for the corporate data warehouse or an executive information system.
EXHIBIT 2.2 Business Application Data Warehouse Datamarts. Source applications (Finance, Marketing, Personnel, Inventory, Manufacturing) feed the Data Warehouse, from which datamarts are built for Marketing, Succession planning, Manufacturing schedule, and Business planning.
Data warehouses are developed to allow users to have easy access to
the data in order to examine trends and perform what-if analysis.
The underlying business systems may be difficult to use or not in a
format that supports what-if analysis, or they may be live production systems
that do not support direct queries or are slow (long response times). The
data warehouse takes users from an environment where they have to spend
80 percent of their time trying to find and extract the data and 20 percent
of their time analyzing it, to one where 80 percent of their time is spent in
the analysis and only 20 percent in finding and extracting data.
The data warehouse is usually developed along subject lines such as
personnel, material, or facilities. The data represents a snapshot in time and
provides users with an integrated view of the data.
A data warehouse contains information extracted from a variety of business applications. Often, specific views, or Datamarts, are developed for
specific users (see Exhibit 2.2).
Application systems collect and store data to support the specific business applications. The application provides edit checks, entry screens, and
standard reports as well as information processing capabilities. The information contained in the business applications is extracted and integrated
into a data warehouse. The business applications are still used to support
the immediate requirements of their respective business operations, but the
data warehouse allows for the processing of a wide variety of integrated
information to support management decision making.
The basic methodology that should be employed to develop a data
warehouse consists of the following steps:
1. Data Model. Determine what information is required to support the
decisions that need to be made.
2. Data Sources. Determine the current applications that contain the required information.
3. Physical Database. Determine the type and structure of the database to
contain the data.
4. Extraction and Transformation. Develop programs to extract the required data from the various business applications and transform the
data into a format that is compatible with the data warehouse structure.
5. Populate Data Warehouse. Run the extraction and transformation programs and load the data in the data warehouse.
6. User Tools and Training. Develop appropriate tools, such as query
capabilities, and provide users with the required training.
Audit can contribute to the development of effective data warehouses by
ensuring the integrity of the business systems and the information contained
therein. In order for the data warehouse to be successful, the underlying
business application must contain complete and accurate data. Further, audit
can influence the data warehouse development if it has knowledge of the
basic business systems. The users must have a good understanding of the
data and its meaning, and they must have easy access to the data warehouse.
In addition, the data warehouse must contain enough data to add value to
the decision-making process, but not so much that it slows down the user
response time. Audit, through its use of the key business systems, can
provide advice to the developers of the data warehouse, by defining critical
data sources and identifying potential errors. Finally, audit can review the
integrity of the data warehouse by comparing the data contained therein
with the underlying business systems.
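Steps 3 to 5 of the methodology above (physical database, extraction and transformation, population), followed by the integrity review that the text assigns to audit, as an added example written for this page in Python with SQLite; it is not a tool from the book. Two "business applications" (a personnel system and a payables system with different naming and coding conventions) and the warehouse are in-memory databases, and every table, column, row, and the department code table are constructed.

```python
# Added example (not the book's own code): extract, transform and load two
# constructed business applications into a warehouse table, then reconcile
# the warehouse back to its sources as audit would. All data is constructed.
import sqlite3


def build_sources():
    """Constructed operational systems with their own conventions:
    personnel codes departments, payables spells them out and keeps cents."""
    pers = sqlite3.connect(":memory:")
    pers.executescript("""
        CREATE TABLE employee(emp_no TEXT, dept_code TEXT, annual_salary REAL);
        INSERT INTO employee VALUES ('E1','PERS',52000),('E2','PERS',61000),
                                    ('E3','OPS',48000);
    """)
    pay = sqlite3.connect(":memory:")
    pay.executescript("""
        CREATE TABLE invoice(inv_id INTEGER, dept TEXT, amt_cents INTEGER, paid_on TEXT);
        INSERT INTO invoice VALUES (1,'Personnel',125000,'2004-09-01'),
                                   (2,'Operations',48000,'2004-09-03'),
                                   (3,'Operations',7250000,'2004-09-09');
    """)
    return pers, pay


DEPT_MAP = {"PERS": "Personnel", "OPS": "Operations"}   # assumed code table


def extract_transform_load(pers, pay):
    """Step 3: one subject-oriented fact table. Step 4: map department codes
    to names and cents to dollars. Step 5: populate it."""
    wh = sqlite3.connect(":memory:")
    wh.execute("""CREATE TABLE dept_fact(
                    department TEXT, measure TEXT, amount REAL, source TEXT)""")
    for code, salary in pers.execute(
            "SELECT dept_code, SUM(annual_salary) FROM employee GROUP BY dept_code"):
        wh.execute("INSERT INTO dept_fact VALUES (?,?,?,?)",
                   (DEPT_MAP[code], "salary", float(salary), "personnel"))
    for dept, cents in pay.execute(
            "SELECT dept, SUM(amt_cents) FROM invoice GROUP BY dept"):
        wh.execute("INSERT INTO dept_fact VALUES (?,?,?,?)",
                   (dept, "payables", cents / 100.0, "payables"))
    wh.commit()
    return wh


def warehouse_view(wh):
    """The integrated view users query: (department, measure) -> amount."""
    return {(d, m): round(a, 2) for d, m, a in
            wh.execute("SELECT department, measure, amount FROM dept_fact")}


def integrity_check(wh, pers, pay):
    """Audit's review: each measure in the warehouse must total to the same
    figure as the business system it came from. Returns
    (measure, source_total, warehouse_total) for anything that does not."""
    src = {
        "salary": pers.execute("SELECT SUM(annual_salary) FROM employee").fetchone()[0],
        "payables": pay.execute("SELECT SUM(amt_cents) FROM invoice").fetchone()[0] / 100.0,
    }
    findings = []
    for measure, expected in src.items():
        got = wh.execute("SELECT COALESCE(SUM(amount),0) FROM dept_fact WHERE measure=?",
                         (measure,)).fetchone()[0]
        if abs(got - expected) > 0.005:
            findings.append((measure, round(expected, 2), round(got, 2)))
    return findings
```

The integrity check deliberately recomputes the source totals from the source systems rather than from any staging copy; a transformation bug (a missing entry in the department code table, say) that drops rows is only caught when the comparison reaches past the warehouse's own inputs.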
The development and use of a data warehouse by audit can greatly
improve the capabilities of audit to provide management with useful recommendations. Further, the development of a data warehouse provides
audit with a useful tool for performing trend analysis and for conducting
risk analysis. The results of these analyses would help audit to focus its
resources on areas of risk and materiality, leading to more value-added
audits.
Data Mining
Once a company has developed a data warehouse, data mining techniques make
it possible to use that data to answer complex questions. As the term is used
here, data mining means drilling down into the data to obtain more detailed
information: the user begins with a high-level view of the information and
then goes a step deeper into the actual data for selected criteria and areas.
(In its stricter, statistical sense the term refers to discovering patterns,
trends, and models in large data sets, the Mine step of Exhibit 2.3; the
interactive drill-down described here is how the auditor reaches the detail
those techniques work on.)
For example, the auditor may be reviewing trends in production costs by
assembly line. This may lead to the desire to review a particular assembly
line’s production costs by month, which in turn may lead to the examination of the detailed cost items for a particular month. The auditor used the
notion of data mining, digging deeper into the details along specific lines
of inquiry (see Exhibit 2.3).

EXHIBIT 2.3 Data Mining Processes: Data Warehouse → Select → Selected Data → Transform → Cleansed Data → Mine → Facts, Trends, Models → Assimilate → Information, Graphs
Many audit software packages offer this type of functionality, and some
allow the auditor to examine the information interactively, making data mining a hands-on activity and providing quick response times. More business
applications are being developed, which allow the production or business
managers to use data mining tools to analyze operations (see Exhibit 2.4).
It is important for audit to be aware that data warehouses and data mining present problems as well as opportunities. Data warehouse
systems rely on business systems to supply the raw data for input. This
raises problems in that the databases are dynamic and tend to be incomplete, noisy, and large. Other problems arise as a result of the adequacy and
relevance of the information stored in the business systems. The business
systems are designed to support specific operational concerns and may not
contain all the information required to support data mining. For example,
the data may not support the proper diagnosis of malaria if the patient
database does not contain the red blood cell count—a critical field in diagnosing the disease. Audit must be careful to ensure that inclusive data,
errors in data elements, missing data, and other problems related to data
integrity, timeliness, and completeness do not lead to invalid or overlooked
relationships and conclusions.
EXHIBIT 2.4 Decision Support: Data → Warehouse (Architecture, Consolidation, Cleansing) → Mining (Patterns, Modeling, Statistics, Multidimensional Analysis) → Decision Support (Reports, Graphics, Standard Queries) → Knowledge → Decision
Software for Audit Management and Administration
Internal auditors looking for ways to add value to their organizations are
becoming more creative and resourceful in finding ways to make maximum
use of a critical resource. CAATTs help auditors conduct audits in today’s
electronic age, and they can improve the audit function. Audit managers
can apply software to help them focus on areas of risk, manage their scarce
resources, and monitor the operations of the organization. The range of tools
available to audit management continues to grow and improve. Computers
have also become an indispensable management audit tool.
In order to provide a conceptual frame of reference for the variety of
software support that is available to audit managers and administrators, and
is applicable to their challenging tasks, this section begins with the concept
of an audit universe and concludes with that of an audit early warning
system.
Audit Universe
Few, if any, audit departments have the resources to audit every aspect of the
company. Nor do many companies require every aspect of every operation
to be audited every year. Thus, audit management must decide what should
be audited and when to conduct the audit. In order to allocate limited audit
resources appropriately, audit management must have a means of defining
the audit universe. This means identifying risk factors, establishing audit
priorities and frequencies based on a relative risk ranking, developing and
maintaining an audit plan, and preparing activity reports. This approach
is required for both the current year and for long-range audit planning.
Computerized tools exist to assist audit management in defining the audit
universe and in assigning risk to each of its components. A simple audit
universe can be built with spreadsheet or database software. Each
row in the spreadsheet, or each record in the database, represents an auditable
entity, and for each entity the auditor identifies the relevant risk factors.
Each factor is given a risk score, each score is multiplied by that factor’s
weighting, and the weighted scores are added to give the entity a total risk
score. The entities with the higher total scores are audited first.
Commercial audit universe software packages offer more features and
functionality than simple spreadsheet and database software, such as reporting capabilities and a structured format to defining the audit universe.
Examples of audit universe software include ADM Plus and AutoAudit.
One of the main advantages of this type of software is that the information is reusable and reduces the time required to update the audit plan for
the next year. Thus, management can deal conveniently and explicitly with
issues such as audit coverage, cycle time, risk, and materiality.
Audit Department Management Software
Audit department management software, such as Audit Leverage, enables
all internal audit department data (e.g., annual planning and budgeting,
timekeeping, staffing and scheduling, audit histories, work papers, audit
program templates, review notes, audit report generation, and tracking of
findings, recommendations, management action plans, and follow-up) to
be stored in one integrated and secured database. The result is
that auditors spend less time on work paper documentation and administrative tasks and more time completing audits and performing macro-level
analysis and monitoring of risk and control issues.
Typically, audit department management software allows auditors to
work either in the office or offline. It enables teams of auditors to work
remotely in the field and then synchronize with each other or with the
central server, enabling managers to review the workpapers without visiting
the site.
Software such as Audit Leverage allows you to do more with fewer audit
resources and is flexible enough to adapt to your audit process, methodologies, and risk criteria, without your having to spend money on software
customization.
E-mail
Electronic mail (e-mail) is an excellent vehicle for communication within
the audit organization and with audit’s clients, because it is faster and more
flexible than traditional mail. Within the audit organization, e-mail is
especially useful for keeping in touch with auditors who are working off-site. Today, the ability to send and receive information in electronic
format is almost essential. Auditors working at client sites need not
be isolated from headquarters: they can simply use their
laptops to dial in and read or answer their messages. E-mail can virtually eliminate telephone tag and also provides a written
record of the communication for future reference. Because audit correspondence routinely carries personal and financial details, the mail connection itself should be encrypted, and any attachment containing such data should be encrypted, or sent through a controlled file-transfer channel, rather than mailed in the clear.
File Transfer Protocol (FTP)
File Transfer Protocol (FTP) is a standard Internet protocol for exchanging
files between computers on a TCP/IP network. Like the Hypertext
Transfer Protocol (HTTP), which transfers Web pages and related files, FTP
is an application protocol that runs over the Internet’s Transmission Control Protocol/Internet Protocol (TCP/IP) to give users access to
files on connected servers. As a user, you can use FTP to upload, download, delete,
rename, move, and copy files on a server located anywhere on the Internet.
Plain FTP, however, sends the user name, the password, and the file contents
in cleartext, and audit transfers typically carry payroll, personnel, or billing
data. In practice the same workflow should run over SFTP (file transfer over
SSH) or FTPS (FTP over TLS), with the auditor authenticating to the server by
key or certificate rather than a reusable password, and with each transferred
file checked against a hash or a record count on receipt.
58
Internal Audit
This allows an auditor working at a client site to retain electronic access
to headquarters’ information and support. Previously, if an audit team discovered that vital data files were missing, they had to return to headquarters
to get the needed information. Now, with FTP, auditors are able to request
and receive information in electronic format in a matter of minutes.
Additional travel costs can be avoided and the disruption to the client
kept to a minimum. Instead of traveling to a client’s site for a preliminary
survey, the auditors can now do much of their analyses at headquarters
before they go to their client’s office. Once at the client’s site, if client-specific information is needed but not available, it can be sent to the auditor
electronically by staff at headquarters.
Another use of FTP software is to produce a daily consolidated progress
report by the daily capture of the actual results from each site. Each night,
the audit results from each site can be uploaded to headquarters, combined
into a single database, and processed to produce various status reports. For
example, one company found this extremely useful when trying to size the
total dollar amount of a certain type of error across several regional offices
to determine if additional testing was required. By comparing the results
from various sites, the team leader was also able to identify anomalies at
specific sites and redirect the audit according to the new-found insights.
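The nightly consolidation just described, as an added example that is not code from the book or from any product it names: each site's results arrive as a CSV file, headquarters merges them, totals the dollar amount of each error type across sites, and flags any site whose figure is out of line with the others. The site names, error types, amounts and the SHA-256 manifest are constructed assumptions; the manifest check is added because a plain file transfer gives no assurance that what was received is what the site sent.

```python
import csv
import hashlib
import io
import statistics
from collections import defaultdict

# Constructed sample uploads: one CSV per regional office, as a nightly job
# might drop them at headquarters. Columns: site, error_type, amount (dollars).
SITE_UPLOADS = {
    "north.csv": (
        "site,error_type,amount\n"
        "North,duplicate_payment,1200.00\n"
        "North,missing_approval,800.00\n"
        "North,duplicate_payment,300.00\n"
    ),
    "south.csv": (
        "site,error_type,amount\n"
        "South,duplicate_payment,950.00\n"
        "South,missing_approval,1100.00\n"
    ),
    "west.csv": (
        "site,error_type,amount\n"
        "West,duplicate_payment,14500.00\n"
        "West,missing_approval,700.00\n"
    ),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Manifest of expected digests, assumed to be sent by each site separately from
# the data file. Constructed here from the same bytes so the example runs offline.
MANIFEST = {name: sha256_hex(text.encode()) for name, text in SITE_UPLOADS.items()}


def consolidate(uploads, manifest):
    """Merge the per-site CSV uploads into one list of row dicts.

    The transfer itself gives no integrity guarantee, so a file whose SHA-256
    digest does not match the manifest is rejected before it can pollute the
    combined data.
    """
    rows = []
    for name, text in uploads.items():
        if sha256_hex(text.encode()) != manifest.get(name):
            raise ValueError(f"integrity check failed for {name}")
        for rec in csv.DictReader(io.StringIO(text)):
            rows.append({"site": rec["site"],
                         "error_type": rec["error_type"],
                         "amount": float(rec["amount"])})
    return rows


def total_by_error_type(rows):
    """Total dollar amount of each error type across all sites."""
    totals = defaultdict(float)
    for r in rows:
        totals[r["error_type"]] += r["amount"]
    return dict(totals)


def site_totals(rows, error_type):
    """Dollar total of one error type per site."""
    totals = defaultdict(float)
    for r in rows:
        if r["error_type"] == error_type:
            totals[r["site"]] += r["amount"]
    return dict(totals)


def flag_anomalous_sites(rows, error_type, factor=3.0):
    """Sites whose total for error_type exceeds factor x the median of the other sites."""
    totals = site_totals(rows, error_type)
    flagged = []
    for site, amount in totals.items():
        others = [v for s, v in totals.items() if s != site]
        if others and amount > factor * statistics.median(others):
            flagged.append(site)
    return sorted(flagged)


def status_report(uploads, manifest, error_type, factor=3.0):
    """Nightly consolidated report: totals by error type plus sites to look at."""
    rows = consolidate(uploads, manifest)
    return {"rows": len(rows),
            "totals": total_by_error_type(rows),
            "anomalous_sites": flag_anomalous_sites(rows, error_type, factor)}


if __name__ == "__main__":
    print(status_report(SITE_UPLOADS, MANIFEST, "duplicate_payment"))
```

With these constructed figures the duplicate-payment total across sites is $16,950, and West is flagged because its $14,500 is far above the median of the other two sites; the team leader would then redirect testing there, as the example in the text describes. The median-based comparison is deliberately insensitive to the one outlying site it is trying to find.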
Case Study 13: Multisite Audit
The working papers of the on-site team were sent back to the audit supervisor for review, prior to the team leaving the client site. The project
leader easily reviewed the working papers daily and provided additional
instructions to the audit team via a modem. This was particularly useful
when trying to manage a concurrent, multisite audit project with changing audit requirements or criteria. Each audit team sent the results of
its work back to the audit supervisor, and once the supervisor had
reviewed the work, the comments were sent back to the audit teams.
Access to external databases is another valuable use of FTP capabilities. Using a microcomputer, auditors can have easy access to reference
materials such as governmental regulations; corporate policies, procedures,
and regulations; audit guides and methodologies used by other companies;
and so on. For example, U.S. Government Accounting Office (GAO) audit
guides, methodologies, and other reference materials are available on the
Internet.
The Internet also provides access to journals, newspaper databases, and
a wide variety of other information, including audit software suppliers, as
well as e-mail to other auditors. Access to these sources of information can
greatly reduce the time required to perform the initial research during the
audit planning phase or to address compliance issues during the conduct
phase. In particular, the auditor in the field can access all relevant regulations and references, whether or not they are available at the regional
office.
Today, organizations concerned about the potential exposure of being
on the Internet are creating corporate-wide intranets with the same features
as the Internet, but within the physical confines of the corporation.
Intranet
The computing pendulum has swung from centralized computing to stand-alone computing and back to centralized, or at least distributed, computing.
It went from mainframe computing to personal computing on stand-alone
microcomputers and then back to where all employees are connected to
distributed systems. Local area networks (LANs) connect employees in the
same work group or same location to each other. Metropolitan area networks (MANs) expand this connectivity to all employees within a geographic location (often a city), and wide area networks (WANs) take this a
step further by connecting employees in many cities.
The Internet has been a well-known source of international connectivity
for research. While it has been around for many years, only in the last ten
years has its use expanded rapidly in the business area. This has opened
up many new opportunities for businesses and has also spawned a new
technology—the intranet. An intranet is basically an Internet that exists
within the physical and logical control of an organization. The establishment
of an intranet allows the corporation to create an Enterprise Wide Web,
linking information from all branches, locations, departments, and so on. It
also protects the corporation from external hackers, since the only access
is from persons physically within the corporation. However, some intranets
are using trusted firewalls to provide external users with secure access to
the corporate intranet on a special-case basis.
All company employees have access to corporate information such as
personnel policies and job postings. The audit organization will have access
to a wide variety of corporate information, including corporate policies,
procedures, regulations, and other performance information. The intranet
could also provide auditors with easy access to financial statements and
business plans and those of every division. Audit can also use the intranet
as a tool to market audit services, publish best practices and audit plans,
and showcase significant results achieved by audits. It can also be used as
an efficient means of acquiring and disseminating business intelligence.
All documents on the corporate intranet are searchable. Therefore, auditors can use it to search for documents based upon keywords and then
use the electronic links to other documents. The hypertext links (document
linking) capabilities of the intranet can be useful to audit in several other
areas; for example, you could link the findings to the detailed working papers. Simply clicking on the finding statement would send the user to the
supporting documentation. Another click brings you back to the original
finding statement. Also, the table of contents for each document can be
set up with hypertext links. Click on an item in the table of contents and
automatically jump to that section.
Audit could also use the corporate intranet to set up internal newsgroups
to discuss specific issues with auditors from other branch offices or with
clients throughout the organization who have a similar interest. It is an
excellent way of gaining and sharing expertise.
Finally, an intranet offers e-mail capabilities to the entire organization.
Auditors can send and receive information, including data files, from branch
offices when conducting on-site reviews. Teams working at client sites will
also still have access to all corporate files (policies, audit programs, etc.) on
the intranet.
Databases
Microcomputer-based Database Management Software (DBMS) provides a
means of storing, organizing, and retrieving data records. The software also
provides facilities for inquiring against the records stored and for producing
standard reports. Some databases also include a programming language
so the auditor can manipulate the data directly. Even more conveniently,
modern audit software interfaces with a rapidly growing number of DBMS,
so that knowledge can be applied directly to various data management and
administration tasks, including the audit.
There are many possible applications of database software in managing
and administering audits. For example, databases can be used to create the
audit universe to support the developing, managing, and administering of
the audit plan. By establishing a database that describes all of the organization’s auditable units, audit management can evaluate the many factors that
determine whether or not an area will be audited. The database could contain one or more records per auditable unit, detailing all factors involved in
arriving at priority, risk, time, and volume indicators for audits of that unit.
It then becomes relatively simple to analyze the data and to determine and
outline the audit plan.
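An audit-universe database of the kind described above, as an added example that is not code from the book: one record per auditable unit carrying its risk, volume, last-audit and effort factors, a scoring query that ranks the units, and a simple routine that builds an annual plan within an hours budget. The unit names, factor values, weights and the 2009 planning year are constructed assumptions; it uses SQLite so it runs without a server.

```python
import sqlite3

# Constructed audit universe: one record per auditable unit. The factors
# (risk rating 1-5, transaction volume 1-5, last audit year, estimated hours)
# and the 2009 planning year are assumptions for this example.
PLANNING_YEAR = 2009
UNITS = [
    # name,          risk, volume, last_audited_year, hours
    ("Payroll",         5, 4, 2006, 300),
    ("Procurement",     4, 5, 2004, 400),
    ("Travel claims",   2, 3, 2008, 120),
    ("Fixed assets",    3, 2, 2005, 200),
    ("Petty cash",      1, 1, 2007,  40),
]


def build_universe(units=UNITS):
    """Load the auditable units into an in-memory database and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE auditable_unit (
            name TEXT PRIMARY KEY,
            risk INTEGER NOT NULL CHECK (risk BETWEEN 1 AND 5),
            volume INTEGER NOT NULL CHECK (volume BETWEEN 1 AND 5),
            last_audited_year INTEGER NOT NULL,
            hours INTEGER NOT NULL
        )""")
    conn.executemany("INSERT INTO auditable_unit VALUES (?, ?, ?, ?, ?)", units)
    conn.commit()
    return conn


def rank_units(conn, planning_year=PLANNING_YEAR):
    """Score each unit (risk weighted x3, years since last audit capped at 5,
    plus volume) and return (name, score, hours) from highest to lowest
    priority. Ties are broken by the raw risk rating, then by name."""
    return conn.execute("""
        SELECT name,
               risk * 3 + MIN(? - last_audited_year, 5) + volume AS score,
               hours
        FROM auditable_unit
        ORDER BY score DESC, risk DESC, name
        """, (planning_year,)).fetchall()


def select_plan(conn, hours_budget, planning_year=PLANNING_YEAR):
    """Greedy annual plan: walk the ranked list and take each unit that still
    fits in the remaining hours budget."""
    plan, used = [], 0
    for name, score, hours in rank_units(conn, planning_year):
        if used + hours <= hours_budget:
            plan.append(name)
            used += hours
    return {"units": plan, "hours_used": used, "hours_budget": hours_budget}


if __name__ == "__main__":
    db = build_universe()
    for row in rank_units(db):
        print(row)
    print(select_plan(db, hours_budget=800))
```

Changing a weight or a factor value and re-running the query is all it takes to see how the plan moves, which is the point the text makes about keeping the factors in a database rather than in someone's head.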
A DBMS can also be used to record and analyze audit skills for each
auditor. This can be used to determine staffing for each audit and for training
requirements. Another use for database software is the tracking and billing
of auditor time against various projects. For example, each auditor’s time
can be coded against the client and the hourly rate defined. Of course, the
number and type of databases is only limited by the imagination of the
developer, but the availability of managerial and administrative computer
support makes it even easier to remain “on top of things” in any and all
audit situations.
Groupware
While networking connects hardware, software, and data, groupware connects people. Groupware allows any member of a group or organization to
contact and work actively with any other member of the same group. Group
members can work with the same information simultaneously, ensuring that
all members are informed of changes and updates. The store-and-forward
capability eliminates the need to arrange meetings to discuss issues.
Some audit organizations use groupware software to discuss audit recommendations with the client. An added advantage is the capability for
auditors and their clients to review findings with a view to arriving at workable solutions in a forum that allows members to contribute to the discussion
anonymously. Of course, some of the functions offered by groupware exist
already in ordinary e-mail, but the groupware market is evolving rapidly.
This should provide interesting options, especially for managing and administering audit teams and departments. For example, international auditing
firms have developed and are marketing their own groupware-based audit
management and administration systems.
Electronic Document Management
Electronic forms, version control, workflow, and groupware are all pieces
of an electronic document management system. However, the most basic
elements are the creation, use, storage, and retrieval of electronic pieces of
information. The applications supporting electronic document management
include office automation suites (word processing, graphics, and database),
text search and retrieval software, and document management software.
The office automation suite allows users to create, access, and distribute
documents, and document management software performs version control.
The utility of this type of software is obvious to any auditor who has
written an audit report and the associated draft reports. However, the software is also useful in maintaining control over electronic working papers,
particularly if more than one auditor is working on the same audit.
Electronic document management software is also useful to auditors
accessing and using company policies, procedures, and operating procedures. Often it is important to know which version of the policy was in
place at the time of the audit. Changes to policies and procedures must also
be recognized and any standard audit programs changed to reflect the new
procedures.
Electronic Audit Reports and Methodologies
Most audit organizations are already using word processing software to produce the final versions of their audit reports. However, many fail to
fully capitalize on the fact that the information is now in electronic format.
Too often the electronic version of the report is only used to produce the
paper version of the audit report. The final report and the audit methodologies are buried in the working papers, often filed away, so that they are of
little or no use to anyone else.
All documentation relevant to a particular audit should be kept in a single folder or directory during the audit. Using standard naming conventions
for folders and working paper files can make it relatively easy to distinguish
between various types of files such as reports, interview notes, and data
and other files.
The audit reports and associated methodologies can be made more usable by collecting the reports and methodologies and giving all auditors
read-only access to the electronic versions. The first step in accomplishing
this task is to collect all final versions of audit reports and methodologies
according to standardized naming conventions. Next, place them in specific directories on a microcomputer or on a LAN server. For example, you
could establish two directories: one called Final Reports, with subfolders for
detailed reports and for executive summaries, and the other called Methodologies, containing all the relevant audit programs and methodologies. By
establishing and enforcing a file naming convention to relate audit reports
to audit programs and methodology, it is easier to understand both audit
reports and audit approaches. In this way, it is easy to flip from the audit
findings to the steps or procedures followed by the audit team and vice
versa. The whole audit methodology can also be organized into modules,
eliminating procedural confusion, duplication, and inconsistencies.
Once the standard naming conventions are established and the reports
and methodologies are placed in the appropriate directories, the electronic
versions of these files can serve other purposes. For example, many word
processing packages have built-in text search and cut-and-paste capabilities, or you can purchase specialized software to perform these functions.
Specifying the keywords of interest to you will enable you to electronically
search through thousands of pages of text in minutes. This will also help in
conducting follow-up reviews by allowing you to easily find the original recommendations, management responses, and the associated audit programs
for any audit without having to request the paper files or search through
mounds of working papers. Because the audit report and the audit program
have standard names, anyone searching the audit report would easily be
able to determine which audit program and data files were used and vice
versa.
The planning process can also be greatly improved; within minutes, all
auditors can search through previous audits to determine whether something similar has occurred somewhere else in the organization. If a finding
is relevant, the auditor can search through the methodology used by the
previous audit team and electronically cut-and-paste audit lines of inquiry
into the current audit program. Research time can be reduced from days to
hours, and audit programs can be standardized to serve the whole organization rather than just a specific audit.
Additional advantages can be obtained by releasing audit reports in
electronic format. Using communication lines, the reports can be distributed
faster and easier than on paper. Further, if instead of retyping the client’s
comments you simply request all responses to be in electronic format, you
can then electronically cut-and-paste them into your report—saving time
and reducing the risk of misinterpreting the clients’ comments. It has been
estimated that 80 percent of what is entered into a computer came from
a computer in the first place. Add the cost of data entry errors to the cost
of reentering the information, and you can see why electronic capture of
information can be extremely cost-effective.
Finally, most software applications support linked files. For example,
the chart in the final report can be hot-linked directly to the spreadsheet
containing the data. Updated data in the spreadsheet will automatically be
reflected in the report—ensuring that the report always contains the most
recent chart.
Audit Scheduling, Time Reporting, and Billing
For large audit organizations, scheduling audits can be difficult. The assignment of auditors with the appropriate skills to audits can be a complex task,
but becomes easier with scheduling software. If scheduling is not difficult
enough, try to manually calculate the impact of slippage in the first quarter
on the remainder of the year’s audit plan. The use of information technology
in developing and managing the audit plan can help identify opportunities
for improvements, and when and where to use external consultants. Further,
appropriate scheduling software can permit management to make changes
to the plan and determine the overall effect.
The computer can also be used to capture actual hours of work; to
calculate billable hours, using the actual rates; and to produce the audit
service invoice. Further, time reporting software, such as TimeSheet Pro,
can be used to analyze the audit function by tracking the hours spent on
types of audits or by audit phases. This information can help to improve
the audit planning process, enabling management to make more accurate
estimates of the time needed to conduct each type of audit in the future.
Project Management
To be effective, audit management must plan activities to make the best use
of available resources. Work must be monitored to ensure that it is being
carried out according to plan, and any variances should be recorded to
determine the effect on outstanding plans. There are two levels of planning:
strategic and tactical. In the audit environment, strategic planning is used
to establish the areas that will be subject to audit over a specified period.
Tactical planning is performed for each individual audit to specify the steps
to be carried out in the audit program.
Project management software, such as Harvard Total Project Manager,
can be used to improve the process of planning, whether it involves all
audits to be undertaken in a year or a single audit with several phases.
All audit activity can be defined, along with details of the audit resources.
Activities can be linked to show the interrelationships, and resources can
be allocated to each activity.
Most project management software supports the production of PERT or
Gantt charts and allows the user to determine critical paths and the effect of
slippage. The ability to measure the effect of slippage in one audit project
on the entire audit plan can help audit management determine whether
additional—perhaps contracted—resources are required or whether other
projects can be adjusted to make up for the slippage.
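The critical-path and slippage calculation that project management software performs, as an added example written for this section rather than taken from the book or from any product it names: a forward pass gives each activity its earliest start and finish, a backward pass gives the latest ones, zero-slack activities form the critical path, and re-running the schedule with one activity running late shows whether the plan end date moves. The activities, durations and dependencies are a constructed plan of two concurrent audits feeding one summary.

```python
from dataclasses import dataclass, field


@dataclass
class Activity:
    name: str
    duration: int                              # weeks
    predecessors: list = field(default_factory=list)


# Constructed annual plan: two concurrent audits that feed one summary report.
# The activities and durations are assumptions for this example.
AUDIT_PLAN = {a.name: a for a in [
    Activity("planning", 2),
    Activity("fieldwork_A", 4, ["planning"]),
    Activity("fieldwork_B", 3, ["planning"]),
    Activity("reporting_A", 2, ["fieldwork_A"]),
    Activity("reporting_B", 2, ["fieldwork_B"]),
    Activity("annual_summary", 1, ["reporting_A", "reporting_B"]),
]}


def topological_order(activities):
    """Predecessors before successors; rejects cyclic dependencies."""
    order, done = [], set()

    def visit(name, path=()):
        if name in done:
            return
        if name in path:
            raise ValueError(f"dependency cycle through {name}")
        for p in activities[name].predecessors:
            visit(p, path + (name,))
        done.add(name)
        order.append(name)

    for name in activities:
        visit(name)
    return order


def schedule(activities):
    """Forward pass (earliest start/finish), backward pass (latest start/finish),
    slack per activity and the critical path (the zero-slack activities)."""
    order = topological_order(activities)
    es, ef = {}, {}
    for n in order:
        es[n] = max((ef[p] for p in activities[n].predecessors), default=0)
        ef[n] = es[n] + activities[n].duration
    end = max(ef.values())
    successors = {n: [m for m in activities if n in activities[m].predecessors]
                  for n in activities}
    ls, lf = {}, {}
    for n in reversed(order):
        lf[n] = min((ls[s] for s in successors[n]), default=end)
        ls[n] = lf[n] - activities[n].duration
    slack = {n: ls[n] - es[n] for n in activities}
    return {"end": end, "es": es, "ef": ef, "slack": slack,
            "critical_path": [n for n in order if slack[n] == 0]}


def slippage_effect(activities, name, weeks):
    """Re-plan with one activity running `weeks` late and report the effect on the plan end."""
    revised = {n: Activity(a.name, a.duration, list(a.predecessors))
               for n, a in activities.items()}
    revised[name].duration += weeks
    base, new = schedule(activities), schedule(revised)
    return {"delay": new["end"] - base["end"], "new_end": new["end"],
            "new_critical_path": new["critical_path"]}


if __name__ == "__main__":
    print(schedule(AUDIT_PLAN))
    print(slippage_effect(AUDIT_PLAN, "fieldwork_B", 2))
```

In the constructed plan, fieldwork_B has one week of slack, so a one-week slip there is absorbed, while a two-week slip pushes the annual summary out by a week and moves audit B onto the critical path. That is exactly the question the text says management needs answered before deciding whether to bring in contracted resources.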
Extensible Business Reporting Language (XBRL)
XBRL is a platform-independent means of identifying, extracting, and representing financial data and other business information in whatever way the
user requires. Using XBRL, organizations can capture financial information
at any point in the business cycle, from the creation of invoices and orders to the collection, aggregation, and reconciliation processing performed
by their financial departments. XBRL is also a specialized business reporting
language for existing and emerging financial and business reporting requirements, such as regulatory filings, statements, and corporate reports. It makes
the analysis and exchange of corporate information easier, more flexible,
and more reliable.
XBRL is basically three things: (1) a community of people and organizations, (2) a set of rules for developing identifiers for business reporting
languages, and (3) a specialized business reporting language for existing
and emerging financial and business reporting requirements.
XBRL International is a consortium of people and organizations who
have come together to improve the flow of financial information from organizations to capital markets. It includes representatives from all of the stakeholder communities affected by corporate reporting. Members include the
companies themselves, their trading partners, internal and external auditors
and accountants, regulators and government entities, data aggregators, the
investment community, academic institutions and researchers, consultants,
and software developers. Together, the consortium members are developing
solutions for creating, publishing, and consuming financial data.
XBRL is also a language for capturing financial information throughout
a business’s information processes. The information can be captured at any
point in the business cycle—from the initial creation of invoices, orders, and
other documents and actions, through to the collection, aggregation, and
reconciliation processing done in the financial departments, and eventually,
to the reporting formats such as regulatory filings, statements, and corporate reports. The goal of XBRL is to make the analysis and exchange of
corporate information easier, more flexible, and more reliable.
It does this by tagging each segment of computerized business information with an identification code or marker. The ID markers stay with the
data when it is moved or changed, no matter how the data is formatted or
rearranged.
XBRL offers many benefits to internal and external auditors, and now is
the time to jump on the bandwagon. Currently, for financial information to
become reusable, more often than not, there is a need for auditors to search
and manually input information into different software. This may be more
efficient than using paper, but the improvement is one of speed rather than
substance. The adoption of XBRL will reduce mechanical data entry, eliminate entry errors, encourage more analysis of data, facilitate comparisons
against external data, and provide greater transparency. XBRL should subsequently affect the quality and quantity of financial reporting data. As a result,
it is also a critical tool for audits of the key provisions of the Sarbanes-Oxley
Act (SOX), specifically the review of management assessment of internal
controls (Section 404) and Section 409’s requirements for real-time reporting. In addition, it will enable powerful efficiencies in internal reporting
systems and due-diligence for audits of mergers and acquisitions.
Auditors need reliable information on a timely basis, and they want it
in language that can be understood and in a format that can easily be used
for additional analysis. Since XBRL can be integrated into existing financial
and accounting software, it allows for electronic exchange. Virtually any
software product that manages financial information can use XBRL for its
data export and import formats, thereby increasing the potential for full interoperability with other financial and data analysis applications. This significantly streamlines the preparation, dissemination, and analysis of financial
and compliance reports. XBRL also facilitates paperless financial reporting,
supports the single-entry of financial information that can then be used for
a wide variety of purposes and recipients, and increases the transparency
and timeliness of reported information. Effectiveness is increased because
data in XBRL format can be retrieved more easily and can be analyzed with
greater accuracy. XBRL provides more relevant and reliable interorganization exchange of information by allowing for technology independence, less
human involvement, and more reliable and efficient extraction of financial
information. XBRL makes financial information more readily available by
providing faster, more accurate electronic searches for information because
each instance of information is identified specifically through the attached
label.
Auditors will benefit from increased possibilities for automated analysis,
the more frequent release of information, and the receipt of information in
an electronic, reusable format. XBRL enables auditors to access financial
reports in a matter of seconds and move the data to analytical software
with literally a click of a mouse. Auditors will be able to tailor searches
for multiple company data and export the collected information easily into
a spreadsheet for further analysis. This will give auditors access to industry benchmarks, more accurate financial information, and make it easier to
segregate the information for trend analysis and continuous auditing. This
is possible because each piece of data is identified with an XBRL tag, so
comparisons and calculations can be automated when comparing one company’s operation with another’s or intracompany comparisons from period
to period.
By creating a standard computer markup language for government
agencies, organizations, auditors, regulators, and financial statement users,
XBRL will enhance the availability, reliability, and relevance of financial
reports. The use of the XBRL format can standardize all aspects of the
electronic financial reporting process, so auditors will have online, real-time access to standardized financial information. XBRL also encourages
and facilitates the use of continuous auditing and Web-based audit programs for standards-based financial statement reviews. By integrating data
analysis software programs into accounting functions, XBRL allows auditors to extract, analyze, and interpret audit evidence and to detect unusual
transactions or patterns of transactions to deter potential fraud. Continuous
auditing, supported by the XBRL format of financial data, can increase substantially the efficiency and effectiveness of the audit process, resulting in
cost savings for auditors and their clients.
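How the tagging works in practice, as an added example that is not code from the book or from XBRL International: a small, simplified XBRL-style instance document is parsed, each fact is tied back to the entity and period of its context, and the tagged values are then compared from period to period and from company to company automatically, which is the benefit the section describes. The two filers (ACME, BETA), their figures and the taxonomy namespace http://example.com/taxonomy are constructed assumptions; only the XBRL instance namespace and the context/unit/contextRef structure follow the real XBRL 2.1 layout.

```python
import xml.etree.ElementTree as ET

XBRLI = "http://www.xbrl.org/2003/instance"


def q(local):
    """Clark-notation tag for an element in the XBRL instance namespace."""
    return f"{{{XBRLI}}}{local}"


# Constructed, simplified instance for two hypothetical filers. A real filing
# carries many more facts and references a published taxonomy.
SAMPLE_INSTANCE = """<xbrli:xbrl xmlns:xbrli="http://www.xbrl.org/2003/instance"
            xmlns:iso4217="http://www.xbrl.org/2003/iso4217"
            xmlns:ex="http://example.com/taxonomy">
  <xbrli:context id="acme2007">
    <xbrli:entity><xbrli:identifier scheme="http://example.com/ids">ACME</xbrli:identifier></xbrli:entity>
    <xbrli:period><xbrli:startDate>2007-01-01</xbrli:startDate><xbrli:endDate>2007-12-31</xbrli:endDate></xbrli:period>
  </xbrli:context>
  <xbrli:context id="acme2008">
    <xbrli:entity><xbrli:identifier scheme="http://example.com/ids">ACME</xbrli:identifier></xbrli:entity>
    <xbrli:period><xbrli:startDate>2008-01-01</xbrli:startDate><xbrli:endDate>2008-12-31</xbrli:endDate></xbrli:period>
  </xbrli:context>
  <xbrli:context id="beta2008">
    <xbrli:entity><xbrli:identifier scheme="http://example.com/ids">BETA</xbrli:identifier></xbrli:entity>
    <xbrli:period><xbrli:startDate>2008-01-01</xbrli:startDate><xbrli:endDate>2008-12-31</xbrli:endDate></xbrli:period>
  </xbrli:context>
  <xbrli:unit id="usd"><xbrli:measure>iso4217:USD</xbrli:measure></xbrli:unit>
  <ex:Revenue contextRef="acme2007" unitRef="usd" decimals="0">1000000</ex:Revenue>
  <ex:CostOfSales contextRef="acme2007" unitRef="usd" decimals="0">600000</ex:CostOfSales>
  <ex:Revenue contextRef="acme2008" unitRef="usd" decimals="0">1200000</ex:Revenue>
  <ex:CostOfSales contextRef="acme2008" unitRef="usd" decimals="0">900000</ex:CostOfSales>
  <ex:Revenue contextRef="beta2008" unitRef="usd" decimals="0">800000</ex:Revenue>
  <ex:CostOfSales contextRef="beta2008" unitRef="usd" decimals="0">480000</ex:CostOfSales>
</xbrli:xbrl>
"""


def parse_instance(xml_text):
    """Return {(entity, year): {concept: value}} from an instance document.
    Each fact's contextRef is resolved to the entity and period it belongs to,
    so the identification travels with the number, as the text describes."""
    root = ET.fromstring(xml_text)
    contexts = {}
    for ctx in root.findall(q("context")):
        entity = ctx.find(q("entity") + "/" + q("identifier")).text
        end_date = ctx.find(q("period") + "/" + q("endDate")).text
        contexts[ctx.get("id")] = (entity, end_date[:4])
    facts = {}
    for el in root:
        ref = el.get("contextRef")
        if ref is None:
            continue  # contexts, units and other non-fact elements
        concept = el.tag.split("}")[1]
        facts.setdefault(contexts[ref], {})[concept] = float(el.text)
    return facts


def gross_margin(facts, entity, year):
    f = facts[(entity, year)]
    return (f["Revenue"] - f["CostOfSales"]) / f["Revenue"]


def period_change(facts, entity, concept, year_from, year_to):
    """Fractional change in one tagged concept between two periods."""
    before = facts[(entity, year_from)][concept]
    after = facts[(entity, year_to)][concept]
    return (after - before) / before


def margin_exceptions(facts, max_shift=0.05):
    """Filers whose gross margin moved by more than max_shift between
    consecutive years: the kind of unusual pattern continuous auditing looks for."""
    years_by_entity = {}
    for entity, year in facts:
        years_by_entity.setdefault(entity, []).append(year)
    hits = []
    for entity, years in years_by_entity.items():
        years.sort()
        for y1, y2 in zip(years, years[1:]):
            shift = gross_margin(facts, entity, y2) - gross_margin(facts, entity, y1)
            if abs(shift) > max_shift:
                hits.append((entity, y1, y2, round(shift, 4)))
    return hits


def compare_entities(facts, year):
    """Intercompany comparison: gross margin of every filer for one year."""
    return {e: round(gross_margin(facts, e, y), 4) for (e, y) in facts if y == year}
```

Instance documents received from outside the organization are untrusted input; for those, parse with a hardened library such as defusedxml rather than the standard parser, since the comparison logic above does not change. In the constructed data ACME's margin falls from 40 percent to 25 percent, which the exception routine reports, while BETA's 40 percent gives the intercompany benchmark.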
EXHIBIT 2.5 Components of an Expert System (figure; components shown: User, User Interface, Rules Base, Knowledge Engineer, Expert, Inference Engine, Expert System)
Expert Systems
An expert system can be defined as a computer program that guides a
nonexpert user according to a set of rules to arrive at a particularly critical
outcome. The components of an expert system are shown in Exhibit 2.5.
Typically, an expert system requires that:
There is an easily defined problem.
The problem can be solved analytically.
The problem has a limited domain.
The problem is relatively static.
The use of such expert systems has declined dramatically during the last
six to eight years due to major methodological limitations (Fetzer [1990]);
however, an audit can employ expert system methodology to maintain
consistency across audits or at various sites.
Case Study 14: Audit of Hazardous Materials
In performing an audit of hazardous materials, many factors were
involved in determining whether or not the materials were being
properly stored and handled. The health and safety requirements varied
depending on the volatility of the materials and a number of other
factors. Some chemicals had to be stored in dry areas, others were
extremely toxic—or even cancer-causing—and required handlers to
wear protective gear. The result made the audit much more dangerous
than a usual inventory audit and more confusing for the auditors.
Dealing with chemical compounds with names difficult to pronounce,
and even to spell, was going to be a challenge, and a chemical specialist
was hired to provide advice on the audit program. Using a set of rules
developed by the specialist, an expert system was developed to lead
auditors through a series of questions, ultimately providing a measure of
the appropriateness of the storage and handling procedures. Thus, the
on-site auditors did not have to possess an expert level of knowledge
of all possible hazardous materials they might encounter, as this was
handled by the expert system. The system also ensured that all sites
were audited with the same level of consistency and completeness.
Expert systems are not easy or inexpensive to develop, but for repeat
audits of high risk or importance, they can be a useful alternative. For
simpler problems, programming tools, such as Visual Basic, can be used
to design an elementary expert system that leads the auditor through a
series of questions, capturing and evaluating the input before branching
to the next appropriate question (see previous section in this chapter, on
Electronic Questionnaires and Audit Programs). Alternatively, expert system
shells are available, making it easy to establish the rules (the knowledge base)
and provide an inference engine as well as a user-friendly interface.
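An elementary expert system of the kind the section describes, as an added example that is not code from the book and not the chemical specialist's rules from Case Study 14: a small rule base (the knowledge base), a forward-chaining inference engine that fires rules until nothing new can be concluded, and a question-asking interface that only asks for a fact when a rule actually needs it, so the auditor is branched past irrelevant questions. The facts, questions, rules and severity points are illustrative assumptions.

```python
from dataclasses import dataclass, field

# Questions the engine puts to the on-site auditor when it needs a fact.
# Constructed for this example; the facts and wording are assumptions.
QUESTIONS = {
    "toxicity": "Toxicity rating of the material (low/high)? ",
    "flammable": "Is the material flammable (y/n)? ",
    "moisture_sensitive": "Must the material be kept dry (y/n)? ",
    "storage_area_dry": "Is the storage area dry (y/n)? ",
    "handlers_wear_ppe": "Do handlers wear the required protective gear (y/n)? ",
    "hazard_signage_posted": "Is hazard signage posted at the storage area (y/n)? ",
}


@dataclass
class Rule:
    name: str
    conditions: dict                              # fact -> value that must hold
    derives: dict = field(default_factory=dict)   # facts asserted when the rule fires
    finding: str = ""                             # audit finding recorded when it fires
    severity: int = 0                             # points deducted from the score


# Illustrative rule base. These are NOT the specialist's rules from the case
# study; they only show the shape such a knowledge base takes.
RULES = [
    Rule("toxic_is_high_hazard", {"toxicity": "high"}, derives={"hazard_class": "high"}),
    Rule("flammable_is_high_hazard", {"flammable": True}, derives={"hazard_class": "high"}),
    Rule("toxic_needs_ppe", {"toxicity": "high", "handlers_wear_ppe": False},
         finding="Highly toxic material handled without protective gear", severity=40),
    Rule("dry_storage_required", {"moisture_sensitive": True, "storage_area_dry": False},
         finding="Moisture-sensitive material stored in a damp area", severity=30),
    Rule("high_hazard_needs_signage", {"hazard_class": "high", "hazard_signage_posted": False},
         finding="High-hazard storage area lacks hazard signage", severity=20),
]


def run_consultation(rules, ask, known=None):
    """Forward-chaining inference: keep firing rules until nothing new fires.

    `ask(fact)` is called only when a rule needs a fact the engine does not
    yet have, so questions irrelevant to the material are never asked, and
    derived facts (hazard_class) let later rules chain on earlier ones.
    """
    facts = dict(known or {})
    findings, fired = [], set()
    changed = True
    while changed:
        changed = False
        for rule in rules:
            if rule.name in fired:
                continue
            satisfied = True
            for fact, required in rule.conditions.items():
                if fact not in facts and fact in QUESTIONS:
                    facts[fact] = ask(fact)
                if facts.get(fact) != required:
                    satisfied = False
                    break
            if satisfied:
                fired.add(rule.name)
                facts.update(rule.derives)
                if rule.finding:
                    findings.append(rule.finding)
                changed = True
    score = max(0, 100 - sum(r.severity for r in rules if r.name in fired))
    return {"facts": facts, "findings": findings, "score": score, "fired": sorted(fired)}


def scripted_asker(answers, asked):
    """Answer from a dict and record the order in which questions were asked."""
    def ask(fact):
        asked.append(fact)
        return answers[fact]
    return ask


def interactive_asker(fact):
    """Console version for a real consultation."""
    reply = input(QUESTIONS[fact]).strip().lower()
    return reply if fact == "toxicity" else reply in ("y", "yes")


if __name__ == "__main__":
    print(run_consultation(RULES, interactive_asker))
```

The score is the "measure of the appropriateness of the storage and handling procedures" the case study mentions; because the rules are data rather than code, the specialist's knowledge can be revised without touching the engine, which is what keeps every site audited against the same criteria.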
Audit Early-Warning Systems
Audit organizations, in an effort to act as early-warning systems for senior management, need to know when problems or opportunities arise that
require decisions. This entails the use of a reporting system and the establishment of warning levels. Most organizations have more than enough
reporting systems, but these present two problems. First, they can overload management by creating too much detailed information, most of it
irrelevant. And second, they can provide too little useful information, highlighting certain information, but missing other critical business information
altogether (Oxenfeldt, Miller, and Dickenson [1981]).
If audit wants to develop a warning system, then it must do the following: (1) identify the key information systems to be monitored; (2) identify
the criteria for anomalies (good or bad) that are of interest; (3) describe
the symptoms of the anomalies; and (4) establish indicators for the anomalies. Finally, target and warning levels must be established. When an indicator
moves far enough from its target to reach the warning level,
an exception report is automatically generated. Upon receipt of the exception report, audit management can decide to investigate the problem or to
monitor the results more closely to see if the condition is an aberration and
will thus correct itself. By developing warning systems, audit can be more
selective in the audits and the timing of these audits and, therefore, use its
resources more productively.
Warning systems can be developed one at a time and used as another
source of information when evaluating risk and materiality. They can be
entirely automated or simply periodic snapshots, which are used to generate
trends for comparison with projections or with data from previous years.
Continuous Auditing
In the 1980s, the notion of continuous monitoring was first introduced to
auditors. The basic premise of continuous monitoring was the ongoing use
of data-driven attributes to draw conclusions concerning risk in a subject
area. The results were used to determine where an audit was required and
to focus the audit on the areas of greatest risk. Unfortunately, auditors were
not ready—they lacked the tools and necessary data access—or willing to
embrace this idea at the time. Now, however, there is a proliferation of
information systems in the business environment, giving auditors and managers easier access to more relevant information. Further, the rapid pace
of business requires a prompt response to issues. This, in conjunction with
SOX Section 409’s requirement that material changes to financial conditions or results of operations be disclosed to the public on a rapid and
current basis, changes in auditing standards, and the evolution of audit software
are persuading auditors to adopt new approaches to assessing information for audit purposes. There is a demand for independent assurance that
control procedures are effective and that the information produced for decision making is both relevant and reliable. In many instances, the need for
high-quality information for decision making in the highly volatile business
environment is greater than the need for reliable historical cost-based financial statements. If a company cannot adjust to the changing market, and
technological and financial conditions, it will not be in business for long.
The environment, technology, and audit standards are driving auditors to
make more effective use of information and data analysis and encouraging
auditors to adopt continuous monitoring. This has produced a shift in the
focus of internal audit activities.
However, many auditors are still resistant or confused about continuous
monitoring, so it has not become widely implemented or accepted by the
profession. One of the main reasons for the reluctance is the term monitoring, which is seen as a management function. The second barrier is early
attempts to apply continuous monitoring to both instantaneous auditing (a
review of transactions in real time) and to the notion of ongoing or frequent,
but not real time, audits. Real-time analysis is still beyond the capabilities of
many audit organizations. To address these concerns, proponents of continuous monitoring have modified the original intent to one that is used to identify systems or processes that are experiencing higher-than-normal levels of
risk, such as where the values of the performance attributes fall outside the
acceptable range. In this context, continuous monitoring measures specific
attributes that, if certain parameters are met, will trigger auditor-initiated actions. The nature of these actions will vary depending on the risk identified
and ranges from sending an e-mail to the manager to a rapid-response audit
of the area. For example, the financial system may notify the auditors of any
journal vouchers over $250,000. What they do will depend on whether or
not this is seen as a single item of concern or more of a systemic problem.
The audit profession still has problems defining the parameters and assessing the importance of continuous monitoring. As a result, few audit
organizations have adopted even the basics of continuous monitoring. In
addition, the ability to monitor transactions in real time is still not always
easy or even feasible. To help overcome some of the problems with continuous monitoring, I propose that auditors consider the notion of continuous
auditing, a similar, but more powerful approach to identifying and assessing
risk. I define continuous auditing as follows:
Continuous auditing is any method used by auditors to perform audit-related activities on a more continuous or continuous basis. It is the
continuum of activities ranging from continuous control assessment to
continuous risk assessment, all activities on the control-risk continuum.
Technology plays a key role in automating the identification of anomalies, analysis of patterns within the digits of key numeric fields, analysis
of trends, detailed transaction analysis against cutoffs and thresholds,
testing of controls, and the comparison of process or system over time
and/or against other similar entities.
Continuous control assessment refers to the activities used by auditors
for the provision of controls-related assurance. Through continuous
control assessment, auditors provide assurance to the audit committee
and senior management as to whether or not controls are working
properly by identifying control weaknesses and violations. Individual
transactions are monitored against a set of control rules to provide
assurance on the system of internal controls and to highlight exceptions.
A well-defined set of control rules provides an early warning when the
controls over a process or system are not working as intended or have
been compromised.
The extent to which audit is required to perform continuous control
assessment activities will depend upon the degree to which management is performing its responsibilities around continuous monitoring. A
strong management monitoring system will decrease the amount of detailed testing audit must perform to provide assurance on the controls.
Continuous risk assessment refers to the activities used by auditors to
identify and assess the levels of risk. Continuous risk assessment identifies and assesses risk by examining trends and comparisons—within
a single process or system, as compared to its own past performance,
and against other processes or systems operating within the enterprise.
For example, product line performance would be compared to previous
year results, as well as assessed in context of one plant’s performance
versus all others. Such comparisons provide early warning that a particular process or system (audit entity) has a higher level of risk than
in previous years or than other entities. The audit response will vary
depending on the nature and level of risk.
Continuous risk assessment can be used in a large-scope audit to
select locations to be visited, to identify specific audits or entities to be
included in the annual audit plan, or to trigger an immediate audit of
an entity where the risk has increased significantly without an adequate
explanation. It can also be used to assess management’s actions, to see
if audit recommendations have been properly implemented and are
reducing the level of business risk.
Continuous monitoring is the process that management puts in place
to ensure that its policies, procedures, and business processes are operating effectively. Management identifies critical control points and
implements automated tests to determine if these controls are working
properly. With continuous monitoring, these tests are performed on an
ongoing basis (usually daily) to address management’s responsibility to
assess the adequacy and effectiveness of controls. The management-monitoring function is often closely tied to key performance indicators
(KPIs) and other performance measurement activities.
The techniques of continuous monitoring of controls by management
may be similar to continuous auditing. In the event that management performs continuous monitoring on a comprehensive basis across all key business process areas, internal audit can significantly reduce the extent of
detailed testing procedures related to continuous auditing. Instead, audit
can evaluate the management-monitoring process and then rely upon the
output of the continuous monitoring system. In areas where management
has not implemented continuous monitoring, more detailed testing, in the
form of continuous auditing techniques, will be required by audit.
Continuous auditing is a unifying structure or framework that holds
risk assessment, control assessment, audit planning, digital analysis, and
the other audit tools and techniques together. It supports the macro-audit
issues, such as using risk to prepare the annual audit plan, and micro-audit
issues, such as developing the objectives and criteria for an individual
audit. The main difference between the macro- and micro-audit levels is
the amount of detail that is considered. The annual audit plan requires
high-level information to establish the risk factors, prioritize risks, and set
the initial timing and objectives for the planned set of audits. Individual
audits start with the risks identified in the annual audit plan, but use digital
analysis and other techniques (e.g., interviews, control self-assessment,
walk-throughs, questionnaires) to further define the main areas of risk and
focus the risk assessment and subsequent audit activities.
Continuous Auditing versus Continuous Monitoring
There are also a number of differences between continuous auditing and
continuous monitoring. The main differences are:
Continuous auditing recognizes and acknowledges that monitoring is a
management function, not an internal audit function.
The frequency of continuous auditing is based on the assessed level of
risk and is not continuous unless the level of risk justifies a real-time
analysis of transactions.
Continuous auditing uses not only the comparison of both individual
and summarized transactions against cutoff or threshold values, but also
the comparison of an entity against other entities (e.g., one operational
unit to all other operational units) and a time-wise comparison of the
entity against itself (e.g., the entity’s performance over the last five years
compared to its current performance).
Continuous auditing also allows auditors to follow up on the implementation of audit recommendations.
Continuous auditing is used by audit to determine if risk is at a level
where audit intervention is required. It is not a form of monitoring that
would determine if operations are functioning properly (management issue).
Continuous auditing allows auditors to quickly identify instances that are
outside the allowable range (known thresholds) and those that can only
be seen as anomalies when compared to other similar entities or when
viewed across time (unknown thresholds). Simply knowing that an audit
entity processed a journal voucher that is greater than a cutoff amount will
not help auditors to gauge whether or not the entity has improved in its use
of journal vouchers. However, it does not have to involve real-time analysis
of transactions.
Continuous auditing seeks to measure not only transactions against a
cutoff but also the totality of the transactions. This allows you to test the
consistency of a process by measuring variability of each dimension. For
example, the consistency of a production line can be tested by measuring the
variability in the number of defects. The more variability in the number of
defects, the more concerns about the proper functioning of the production
line. This premise can just as easily be applied to the measurement of the
integrity of a financial system by measuring the variability (e.g., number
and dollar value) of the adjusting entries over time and to other similar
entities. The concept of variability, over time, and against other audit entities
is the key differentiating factor in continuous auditing versus continuous
monitoring or embedded audit modules.
Auditors need to be considering questions like: How many journal
vouchers were processed this year? What percentage was above the threshold amount? How does this compare to last year and to other audit entities?
And, Can we tighten the criteria and lower the cutoff value? Answering
these questions will allow auditors to develop a dynamic set of thresholds
that provide a better idea of the direction in which the organization is
headed, rather than simply identifying a transaction that failed to meet a
static cutoff value.
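The dynamic-threshold idea above, as an added example that is not from the book or its author: a Python script over constructed journal-voucher data for three made-up plants and two fiscal years. It keeps the $250,000 static cutoff the text uses, derives an entity-specific cutoff from each entity's own prior-year mean and variability, counts the current-year vouchers that breach it, and compares each entity's share of large vouchers with its peers. The k=2 multiplier, the 1.5x variability-growth rule and the red/amber/green labels are assumptions made for the example.

```python
"""Continuous risk assessment of journal vouchers: the static $250,000
cutoff beside a dynamic, entity-specific cutoff derived from each entity's
own prior-year variability, plus a peer comparison across entities.
All data below is constructed for illustration; amounts are in dollars."""
from collections import defaultdict
from statistics import mean, pstdev

STATIC_CUTOFF = 250_000  # the fixed journal-voucher cutoff from the text

# Constructed sample: (audit entity, fiscal year, journal voucher amount)
VOUCHERS = [
    ("Plant A", "FY 06/07", 100_000), ("Plant A", "FY 06/07", 120_000),
    ("Plant A", "FY 06/07", 110_000), ("Plant A", "FY 06/07", 130_000),
    ("Plant A", "FY 06/07", 140_000),
    ("Plant A", "FY 07/08", 105_000), ("Plant A", "FY 07/08", 115_000),
    ("Plant A", "FY 07/08", 300_000), ("Plant A", "FY 07/08", 125_000),
    ("Plant A", "FY 07/08", 135_000), ("Plant A", "FY 07/08", 260_000),
    ("Plant B", "FY 06/07", 200_000), ("Plant B", "FY 06/07", 210_000),
    ("Plant B", "FY 06/07", 190_000), ("Plant B", "FY 06/07", 220_000),
    ("Plant B", "FY 07/08", 195_000), ("Plant B", "FY 07/08", 205_000),
    ("Plant B", "FY 07/08", 215_000), ("Plant B", "FY 07/08", 200_000),
    ("Plant C", "FY 06/07", 230_000), ("Plant C", "FY 06/07", 240_000),
    ("Plant C", "FY 06/07", 235_000), ("Plant C", "FY 06/07", 245_000),
    ("Plant C", "FY 07/08", 240_000), ("Plant C", "FY 07/08", 255_000),
    ("Plant C", "FY 07/08", 235_000), ("Plant C", "FY 07/08", 245_000),
    ("Plant C", "FY 07/08", 238_000),
]


def summarize(vouchers, cutoff=STATIC_CUTOFF):
    """Per (entity, year): voucher count, share above the static cutoff, and
    the mean and population standard deviation of the amounts. The standard
    deviation is the 'variability' measure the text talks about."""
    groups = defaultdict(list)
    for entity, year, amount in vouchers:
        groups[(entity, year)].append(amount)
    stats = {}
    for key, amounts in groups.items():
        above = sum(1 for a in amounts if a > cutoff)
        stats[key] = {
            "count": len(amounts),
            "pct_above": round(100.0 * above / len(amounts), 1),
            "mean": mean(amounts),
            "stdev": pstdev(amounts),
        }
    return stats


def dynamic_cutoff(stats, entity, baseline_year, k=2.0):
    """Entity-specific cutoff: mean + k standard deviations of the entity's
    own baseline year (k=2 is an assumed tuning parameter)."""
    base = stats[(entity, baseline_year)]
    return base["mean"] + k * base["stdev"]


def assess(vouchers, current_year, baseline_year, k=2.0, growth=1.5):
    """Compare each entity's current year with its own baseline: count the
    vouchers above the dynamic cutoff and test whether variability grew by
    more than `growth` times. Red = both, amber = either, green = neither
    (the colour rules are assumptions for this example)."""
    stats = summarize(vouchers)
    result = {}
    for entity in sorted({e for e, _, _ in vouchers}):
        cutoff = dynamic_cutoff(stats, entity, baseline_year, k)
        current = [a for e, y, a in vouchers
                   if e == entity and y == current_year]
        exceptions = sum(1 for a in current if a > cutoff)
        variability_up = (stats[(entity, current_year)]["stdev"]
                          > growth * stats[(entity, baseline_year)]["stdev"])
        if exceptions and variability_up:
            flag = "red"
        elif exceptions or variability_up:
            flag = "amber"
        else:
            flag = "green"
        result[entity] = {
            "dynamic_cutoff": round(cutoff, 2),
            "exceptions": exceptions,
            "variability_up": variability_up,
            "pct_above_static": stats[(entity, current_year)]["pct_above"],
            "flag": flag,
        }
    return result


def peer_outliers(vouchers, year, cutoff=STATIC_CUTOFF):
    """Cross-entity comparison: entities whose share of vouchers above the
    static cutoff exceeds the average share across all entities that year."""
    stats = summarize(vouchers, cutoff)
    shares = {e: s["pct_above"] for (e, y), s in stats.items() if y == year}
    avg = mean(list(shares.values()))
    return sorted(e for e, p in shares.items() if p > avg)


if __name__ == "__main__":
    for entity, r in assess(VOUCHERS, "FY 07/08", "FY 06/07").items():
        print(entity, r)
    print("Above peer average:", peer_outliers(VOUCHERS, "FY 07/08"))
```

On the constructed data, Plant A turns red (two vouchers breach its own cutoff and its variability has jumped), Plant C turns amber (one breach, variability roughly stable) and Plant B stays green, even though Plant C would look unremarkable against the static cutoff alone; that gap between the static and the entity-specific view is the point the text makes.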
Finally, continuous auditing supports the automation of follow-up of
audit recommendations. With continuous auditing, auditors can track specific data-driven measures of performance to determine if management has
implemented the agreed-upon recommendations and if they are having
the desired effect. Tracking performance over time is critical to ensuring
that the organization is being successful in meeting established goals and
in identifying additional actions to be taken. It is an integral element of
performance measurement and continued improvement in operations. Audit, through continuous auditing, can assess the quality of performance
over time and ensure the prompt resolution of identified problems. Further,
once the risks related to an activity are identified and activities to reduce
such risks are undertaken, the review of subsequent performance (continuous auditing) can gauge how well the mitigation efforts are working. As
the actions of an organization become more observable, continuous auditing facilitates the implementation of ongoing quality improvement and
assurance.
The data-driven predictors of performance must be responsive to
changes in performance, provide an early warning when performance
is deteriorating, be easy to use, and not be resource intensive. They
should help an organization answer three basic questions if the indicator
goes “red”:
What happened?
What is the impact?
What are we going to do about it?
Example of Continuous Auditing: Application to an Accounts Payable Department
While continuous auditing can be used in any area of the organization, a
simple example involving accounts payable will illustrate the differences and
strength of this approach. The example assumes that there are numerous
separate accounts payable processing centers, of different sizes, performing
similar functions. The example will be used to discuss four main aspects:
1. Identification and assessment of risk related to the accounts payable
processes
2. Identification of trends related to performance and efficiency
3. Identification of specific anomalies and potential frauds
4. Tracking of the implementation of audit recommendations and their
effect on accounts payable operations
In each case, the analysis would consider trends over time and compare
the accounts payable sections to other accounts payable sections. Benchmarking against external A/P operations adds another dimension to the
examination.
RISK IDENTIFICATION AND ASSESSMENT A wide variety of data-driven and
non-data-driven risk factors should be included in the initial risk assessment.
A comprehensive evaluation of business performance looks at cost, quality, and time-based performance measures. Cost-based measures cover the
financial side of performance, such as the labor cost for accounts payable.
Quality-based measures assess how well an organization’s products or services meet customer needs, such as the average number of errors per invoice. Time-based measures focus on efficiency of the process, such as
the average days to pay an invoice. It is also possible to determine, for
each A/P section, the types of transactions and dollar amounts for each.
For example, look at the number of correcting journal entries and manually
produced checks; these are indicators of additional workload. The analysis
will also tell you how many different types of transactions are being processed. Generally speaking, there is more complexity in operations when
more transaction types are processed. You can also examine organization
structure—reporting relationships, number and classification/level of staff,
length of time in job/retention rates, and training received (these should be
available from the HR system). The combination of this type of information
with the transaction types and volumes can help identify areas of risk, such
as a lack of trained staff to handle complex transaction types.
TRENDS IN PERFORMANCE AND EFFICIENCY When considering A/P, trends will
easily identify performance and efficiency concerns.
For example, for each A/P operation, continuous auditing can easily
determine:
Number and classification/level of accounts payable staff
Number of invoices processed by each user (either end of the spectrum
[too many or too few] can increase risk)
Average dollar cost to process an invoice
Average number of days to process a payment
Percentage of invoices paid late; percentage paid early (particularly
telling if early payment discounts are not taken)
Percentage of adjusting entries
Percentage of recurring payments or Electronic Funds Transfer (EFT)
payments
Percentage of manual checks
Percentage of invoices that do not reference a purchase order
Percentage of invoices that are less than $500 (purchase card could be
more efficient and less costly)
Efficiency measures allow you to compare one audit area to another in
a variety of ways, as Exhibits 2.6 to 2.8 show.
The use of trends can help not only to identify problems, but also to
recognize areas where improvements have been made. Exhibit 2.8 shows
that Division D still has the highest percentage of invoices without a purchase order reference, but it has made considerable improvements over the
previous year, whereas Division G’s percentage has gone up.
EXHIBIT 2.6 Average Number of Transactions per User (bar chart; y-axis: # of transactions, 0 to 14,000; x-axis: A/P Office A to G)
EXHIBIT 2.7 Direct Labor Cost per Transaction (bar chart; y-axis: Dollars, 0 to 16; x-axis: A/P Office A to G)
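The efficiency indicators listed above, as an added example that is not from the book or its author: Python over a constructed invoice extract for two made-up A/P offices and two fiscal years. It computes several of the listed indicators per office and year, ranks the offices on one indicator the way Exhibits 2.6 to 2.8 do, and reports the year-over-year change, which is the same comparison used later to judge whether a recommendation is taking effect. The record layout, the 30-day payment terms and the $500 purchase-card limit are assumptions.

```python
"""Efficiency indicators for accounts payable offices, computed per office
and fiscal year from a constructed invoice extract, then ranked across
offices and compared year over year. All records are made up."""
from collections import defaultdict

PAYMENT_TERMS_DAYS = 30   # assumed: an invoice paid after 30 days is late
PCARD_LIMIT = 500         # purchase-card threshold used in the text

# Constructed sample: (A/P office, fiscal year, entry user, amount,
#                      purchase order reference or None, days to pay)
INVOICES = [
    ("D", "FY 06/07", "u1", 300, None, 20),
    ("D", "FY 06/07", "u1", 1200, "PO-101", 35),
    ("D", "FY 06/07", "u1", 450, None, 40),
    ("D", "FY 06/07", "u2", 5000, None, 25),
    ("D", "FY 07/08", "u1", 800, None, 25),
    ("D", "FY 07/08", "u1", 1500, "PO-102", 28),
    ("D", "FY 07/08", "u2", 420, None, 31),
    ("D", "FY 07/08", "u2", 6000, "PO-103", 20),
    ("G", "FY 06/07", "u3", 2000, "PO-201", 10),
    ("G", "FY 06/07", "u3", 3000, "PO-202", 15),
    ("G", "FY 06/07", "u3", 700, "PO-203", 12),
    ("G", "FY 06/07", "u3", 900, "PO-204", 23),
    ("G", "FY 07/08", "u3", 2500, "PO-205", 20),
    ("G", "FY 07/08", "u3", 450, None, 40),
    ("G", "FY 07/08", "u3", 700, "PO-206", 16),
    ("G", "FY 07/08", "u3", 950, "PO-207", 36),
]


def indicators(invoices, terms=PAYMENT_TERMS_DAYS, limit=PCARD_LIMIT):
    """Per (office, year): invoices per user, percentage without a purchase
    order, percentage under the purchase-card limit, average days to pay
    and percentage paid late."""
    groups = defaultdict(list)
    for row in invoices:
        groups[(row[0], row[1])].append(row)
    stats = {}
    for key, rows in groups.items():
        n = len(rows)

        def pct(cond, rows=rows, n=n):
            return round(100.0 * sum(1 for r in rows if cond(r)) / n, 1)

        stats[key] = {
            "invoices": n,
            "invoices_per_user": round(n / len({r[2] for r in rows}), 1),
            "pct_no_po": pct(lambda r: r[4] is None),
            "pct_under_limit": pct(lambda r: r[3] < limit),
            "avg_days_to_pay": round(sum(r[5] for r in rows) / n, 1),
            "pct_late": pct(lambda r: r[5] > terms),
        }
    return stats


def rank(stats, metric, year):
    """Offices ordered from highest to lowest on one indicator in one year;
    the office at the top is the first candidate for audit attention."""
    return sorted(((s[metric], office) for (office, y), s in stats.items()
                   if y == year), reverse=True)


def trend(stats, metric, prior, current):
    """Year-over-year change per office. For the 'lower is better'
    indicators used here, a negative delta means the office improved."""
    offices = sorted({o for o, _ in stats})
    return {o: {"prior": stats[(o, prior)][metric],
                "current": stats[(o, current)][metric],
                "delta": round(stats[(o, current)][metric]
                               - stats[(o, prior)][metric], 1)}
            for o in offices if (o, prior) in stats and (o, current) in stats}


if __name__ == "__main__":
    s = indicators(INVOICES)
    print("Highest % without PO, FY 07/08:", rank(s, "pct_no_po", "FY 07/08"))
    for office, t in trend(s, "pct_no_po", "FY 06/07", "FY 07/08").items():
        print(office, t)
```

The constructed figures reproduce the Exhibit 2.8 situation: office D still has the highest share of invoices without a purchase order, but its share fell year over year, while office G's rose from zero. Reading the ranking alone would send the auditor to D; reading the trend alongside it shows G is the one moving in the wrong direction.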
IDENTIFICATION OF ANOMALIES OR POTENTIAL FRAUD Within A/P, possible
anomalies and measures of potential fraud include:
Duplicate payments (should include a comparison to previous years to
see if operations are improving)
Invoices processed against purchase orders that were created after the
invoice date (backdated purchase orders)
Number of invoices going to suspense accounts
All functions performed by each user to identify incompatible or lack
of segregation of duties
Vendors that were created by, and only used by, a single accounts
payable clerk
Instances where the entry user is the same as the user who approves
payment
Instances where the payee is the entry or approving user
Duplicates in the vendor table or vendors with names such as C.A.S.H.,
Mr., or Mrs., or vendors with no contact information, phone numbers, or
other key information
EXHIBIT 2.8 Percentage of Invoices without a Purchase Order Reference (bar chart; y-axis: Percentage, 0 to 30; x-axis: A/P Office A to G; series: FY 06/07 and FY 07/08)
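The anomaly tests in the list above, as an added example that is not the book's or the author's code: Python functions over a constructed vendor master, user directory and payment extract. Each function implements one of the listed tests. The record layout, the user directory, the name-normalisation rule and the list of placeholder vendor names are assumptions for the example.

```python
"""Accounts payable anomaly tests over constructed sample data: duplicate
payments, backdated purchase orders, segregation-of-duties conflicts,
single-clerk vendors and vendor-master hygiene. All records are made up."""
import re
from collections import defaultdict
from datetime import date

USERS = {"jsmith": "Jane Smith", "tlee": "Terry Lee",
         "mchen": "Mei Chen", "rpatel": "Raj Patel"}

VENDORS = [
    {"id": "V1", "name": "Acme Supplies Ltd", "created_by": "jsmith",
     "phone": "555-0100", "address": "1 Main St"},
    {"id": "V2", "name": "ACME Supplies, Ltd.", "created_by": "rpatel",
     "phone": "555-0100", "address": "1 Main St"},
    {"id": "V3", "name": "C.A.S.H.", "created_by": "tlee",
     "phone": "", "address": ""},
    {"id": "V4", "name": "Northwind Traders", "created_by": "rpatel",
     "phone": "555-0200", "address": "9 Harbour Rd"},
    {"id": "V5", "name": "Terry Lee", "created_by": "tlee",
     "phone": "", "address": "PO Box 7"},
]

PAYMENTS = [
    {"id": 1, "vendor": "V1", "invoice_no": "INV-1001", "amount": 1250.00,
     "invoice_date": date(2008, 3, 3), "po_date": date(2008, 2, 20),
     "entry_user": "mchen", "approver": "rpatel"},
    {"id": 2, "vendor": "V2", "invoice_no": "INV 1001", "amount": 1250.00,
     "invoice_date": date(2008, 3, 3), "po_date": date(2008, 2, 20),
     "entry_user": "jsmith", "approver": "rpatel"},
    {"id": 3, "vendor": "V4", "invoice_no": "A-77", "amount": 980.00,
     "invoice_date": date(2008, 4, 10), "po_date": date(2008, 4, 15),
     "entry_user": "mchen", "approver": "rpatel"},
    {"id": 4, "vendor": "V5", "invoice_no": "TL-1", "amount": 4200.00,
     "invoice_date": date(2008, 5, 1), "po_date": None,
     "entry_user": "tlee", "approver": "tlee"},
    {"id": 5, "vendor": "V3", "invoice_no": "0001", "amount": 300.00,
     "invoice_date": date(2008, 5, 6), "po_date": None,
     "entry_user": "tlee", "approver": "mchen"},
]

VENDOR_BY_ID = {v["id"]: v for v in VENDORS}
# Assumed list of placeholder names worth a second look (from the text).
PLACEHOLDER_NAME = re.compile(r"^(c\.?a\.?s\.?h\.?|mr\.?|mrs\.?|ms\.?)$", re.I)


def norm(text):
    """Fold case and drop punctuation and spaces so that 'INV-1001' and
    'INV 1001', or 'Acme Supplies Ltd' and 'ACME Supplies, Ltd.', match."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def duplicate_payments(payments):
    """Groups of payment ids sharing normalised vendor name, invoice number
    and amount. Matching on vendor name rather than vendor id also catches a
    duplicate hidden behind a duplicated vendor record."""
    groups = defaultdict(list)
    for p in payments:
        key = (norm(VENDOR_BY_ID[p["vendor"]]["name"]),
               norm(p["invoice_no"]), round(p["amount"], 2))
        groups[key].append(p["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def backdated_purchase_orders(payments):
    """Payments whose purchase order was raised after the invoice date."""
    return [p["id"] for p in payments
            if p["po_date"] is not None and p["po_date"] > p["invoice_date"]]


def segregation_of_duties(payments, users=USERS):
    """Self-approved payments, and payments whose payee name matches the
    name of a system user."""
    user_names = {norm(n) for n in users.values()}
    return {
        "self_approved": [p["id"] for p in payments
                          if p["entry_user"] == p["approver"]],
        "payee_is_user": [p["id"] for p in payments
                          if norm(VENDOR_BY_ID[p["vendor"]]["name"]) in user_names],
    }


def single_clerk_vendors(payments, vendors=VENDORS):
    """Vendors created by one clerk and paid only through that clerk's
    entries; vendors with no payments at all are ignored."""
    users_by_vendor = defaultdict(set)
    for p in payments:
        users_by_vendor[p["vendor"]].add(p["entry_user"])
    return sorted(v["id"] for v in vendors
                  if users_by_vendor.get(v["id"]) == {v["created_by"]})


def vendor_master_checks(vendors=VENDORS):
    """Duplicate vendor names, placeholder names, and vendors that lack a
    phone number or address."""
    by_name = defaultdict(list)
    for v in vendors:
        by_name[norm(v["name"])].append(v["id"])
    return {
        "duplicates": [ids for ids in by_name.values() if len(ids) > 1],
        "placeholder_names": [v["id"] for v in vendors
                              if PLACEHOLDER_NAME.match(v["name"].strip())],
        "missing_contact": [v["id"] for v in vendors
                            if not v["phone"].strip() or not v["address"].strip()],
    }
```

Each test returns ids rather than printing, so the same functions can feed an exception report, be re-run against last year's extract to see whether duplicate counts are falling, or be compared across A/P offices, which is the continuous-auditing use the text describes.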
TRACKING OF RECOMMENDATION The final area of continuous auditing is the
tracking of recommendations. The aim is to determine if management has
implemented the recommendations and if the recommendations are having
the desired effect. Possible measures include:
Evidence of increased use of purchase cards for low-dollar transactions
(reduction in percentage of invoices less than $500 and increase in
percentage of purchase card payments less than $500)
Reduction in duplicates in the supplier master table
Decrease in the number and dollar value of duplicate invoices
Improvements in the days-to-pay figures (reduction in late payment
charges and more opportunities to take early payment discounts)
Improved operations (lower cost per invoice, more use of EFT payments)
Exhibit 2.9 shows how continuous auditing can be used to determine
whether or not A/P operations in each division have successfully implemented the recommendation calling for purchase cards to be used for
low-dollar transactions.
EXHIBIT 2.9 Percentage Purchase Card Use for Invoices under $500 (bar chart; y-axis: Percentage, 0 to 40; x-axis: A/P Office A to G; series: FY 06/07 and FY 07/08)
Stages of Continuous Auditing
Continuous auditing starts with the selection of audit projects, continues into
the conduct and reporting phase, and culminates with the ongoing monitoring and follow-up activities. All stages of the process should be risk-based
and, to the maximum extent possible, data-driven. The basic implementation strategy must include a consideration of the risk, an assessment of
the baseline assurance, the design of the predictive indicators, monitoring
for changing conditions, and follow-up as required. More detailed steps
include:
Audit plan preparation and planning phase
Identification of categories/areas of risk
Identification of sources of the data to support risk assessment
Understanding of the data and an assessment of its reliability
Assessment of the levels of risk
Prioritization of risk
Selection of audit projects
Audit conduct phase
Integration of audit procedures and technology
Definition of relevant variables (predictors) to be measured
Definition of the criteria for these variables to be used to predict outcomes
Definition of the desired traits for the variables (normal range, anomalies)
Measurement of the variables (predictors)
Assessment of the predicted level of risk
Follow-up audit activity as required
Revision to variables that will be measured, criteria, and the traits
The implementation of continuous auditing will place certain demands
on the auditors. The audit organization will be required to develop and
maintain the technical competencies necessary to access and manipulate
the data in the myriad of information systems. If the auditors are not
already using data analysis techniques to support audit projects, the audit group will have to purchase analysis tools and develop and maintain analysis techniques. The implementation of continuous auditing will
also require the adoption of the concept by all persons within the audit
organization.
Monitoring and review is the final component of an effective control
framework (the last of the Committee of Sponsoring Organizations’ five
components of internal control). It is a key ingredient in an organization’s continuous
improvement process and helps to ensure that the organization implements
effective processes and tools to monitor and review relevant data. An
effective monitoring and review environment uses both periodic reviews
and those undertaken by internal and external audit, as well as built-in
review mechanisms and internal review measures. Continuous auditing
will support and strengthen the monitoring and review environment in an
organization. Finally, it will help focus the audit effort but will not obviate
management’s responsibilities to perform a monitoring function.
One of the current, and most visible, drivers for continuous auditing
is the high cost of regulatory compliance. In the United States, a Financial
Executives International survey (Financial Executives International [2005])
pegged the cost of SOX compliance at an average of more than $4 million
per organization. Since most of these costs were related to manual, people-intensive processes—based on use of internal resources and external
consultants—it is no surprise that an AMR Research study (AMR Research
[2005]) found that key technologies can be used to reduce compliance costs
by upwards of 25 percent. Continuous auditing can provide the necessary
support to comply with SOX Section 404 by assisting auditors in the following areas:
Determining the key controls and finding the balance between preventive and detective controls
Determining whether deficiencies are material or not
Integrating internal audit into the business processes to assess both
emerging risks and control deficiencies
Designing tests of IT and financial controls
In addition, an important step in reducing the cost of complying with
SOX is more reliance on the work performed by a competent and independent internal audit function (Doyle [2005]).
Continuous Auditing Template
Auditors wishing to develop a continuous auditing program will need to
carry out these tasks:
Secure data access and maintain data quality:
Develop and maintain access to key application systems.
Understand the applications.
Assess data integrity and reliability.
Develop and maintain analysis skills and tools:
Purchase analysis tools (software and hardware).
Develop and maintain analysis techniques.
Share skills within your audit organization.
Anticipate all exceptions:
With the area selected, identify the most critical reports to execute.
Review the processing flow and past audits.
Study best practices in the industry and secure insights from external
advisors.
Bring the key players together. Enlist the support of operation management to discuss the following:
The objective of the program or organization
An assessment of the effects of these risks, and what factors can
increase risk
Tools currently used to monitor risks
The planned versus actual involvement of all pertinent personnel, in
order to detect weaknesses
The process of creating a monitoring report
Prioritize and plan audit frequency:
Use risk analysis to select high-priority areas.
Determine which exceptions should be investigated and consider issues
of timeliness versus effectiveness.
Schedule audits and continuous auditing frequency in accordance with
risk and time issues.
For each target, execute the plan:
Select a suitable target for continuous auditing.
Define entities and categories to be evaluated (accounts and departments).
Run the analysis and calculate the indicators.
Compare results to previous periods as well as to similar entities within
the organization.
Publish your results:
Make results known to appropriate management.
Monitor and evaluate effectiveness of continuous auditing process.
Sarbanes-Oxley
Corporate scandals and failures severely damaged investor confidence in
the late 1990s. The Sarbanes-Oxley Act (SOX), named after Senator Paul
Sarbanes and Representative Michael Oxley, came into force in July 2002.
Its principles supported three main objectives: integrity, reliability, and accountability. SOX was created to ensure that financial records were complete
and accurate (integrity), that the information was reliable, and that management would be held accountable. By doing this, SOX’s authors hoped to
instill investor trust and confidence.
SOX introduced major changes to the regulation of corporate governance and financial practice, and set deadlines for compliance with the
eleven “titles.” This caused great anxiety in the business world as companies struggled to meet the deadlines; the most important sections are usually
considered to be 302, 401, 404, 409, 802, and 906. In addition, an overarching institution, the Public Company Accounting Oversight Board (PCAOB),
was also established by SOX, to provide guidance and assess compliance.
The following summarizes the main requirements of the important compliance sections; however, anyone wishing to fully understand the compliance
requirements should consult the full text of the Sarbanes-Oxley Act.
Important SOX Sections
SECTION 302 Section 302 deals with the requirement for periodic statutory
financial reports to include certifications. Briefly, the certification must state
that the report is accurate, complete, not misleading, and fairly represents
the financial conditions of the organization; and it has been reviewed by
the signing officers (usually the Chief Financial Officer and Chief Executive
Officer). Since the CFO and CEO are responsible for the internal controls,
they must also certify that these controls have been reviewed within the last
90 days. Further, Section 302 requires that all control deficiencies, significant
changes to the controls, and related frauds must be disclosed.
SECTION 401 Section 401 discusses the need for financial reporting to be
transparent. Quarterly and annual reports must be accurate and presented
in a manner that conforms with generally accepted accounting principles
(GAAP). These reports must include all material off-balance sheet liabilities,
obligations, or transactions, and any relationships that could have a material
impact on the current or future financial condition of the company.
SECTION 404 Section 404 states that the scope and adequacy of internal
controls and procedures for financial reporting must be published in the
company’s annual report. The annual report must also include a statement
regarding the effectiveness of the internal controls and procedures.
The annual report must also contain a statement from the registered
accounting firm that attests to and reports on the effectiveness of the internal
control structure and procedures for financial reporting.
SECTION 409 Section 409 deals with the reporting of material changes in an
organization’s financial condition or operations. It states that the information
must be disclosed to the public in a timely manner (rapid or current basis).
These disclosures should be easily understood by the public and be supported by quantitative (graphs) and qualitative information as appropriate.
SECTION 802 Section 802 discusses the fines and/or imprisonment (up to
20 years) for altering, destroying, or changing documents or tangible objects
with the intent to affect the outcome or progress of a legal investigation.
This section also imposes fines and/or imprisonment (up to ten years) for
the failure to maintain audit or review papers for a period of five years.
SECTION 906 Section 906 discusses corporate responsibility for financial
reports and outlines the criminal penalties the CEO and CFO could face for
certifying a misleading or fraudulent report.
In the first few years, compliance with SOX legislation seemed to be
a daunting task to many. However, those companies that addressed its
requirements methodically found that compliance with SOX can be planned
and implemented in a manner that not only meets the requirements but
also helps improve operational efficiency and effectiveness. In many cases,
auditors were asked to take a lead role in developing the necessary response
to SOX. Further, organizations that integrated their financial statement and
audits of internal controls over financial reporting achieved even greater
efficiencies.
In response to concerns over the cost and effort required to comply
with SOX, both the Securities and Exchange Commission (SEC) and the
PCAOB offered additional guidance in the form of PCAOB Auditing Standard
No. 5 (AS5) (PCAOB AS5 [2007]). This standard was written to reduce the
overall burden of compliance, while addressing the main areas of financial
risk. AS5 encouraged both management and auditors to use their judgment
and develop a top-down approach to assessing risk. According to AS5,
auditors should use a top-down approach to assess and select controls to
be tested. Beginning at the financial statement level, auditors should develop
an understanding of the overall financial risks and controls over financial
reporting. They should start by focusing on the entity-level controls and then
work down to the significant accounts, disclosures, and assertions. Finally,
auditors should select for testing those controls that significantly address the
risk of misstatement.
Instead of trying to identify and assess every possible fraud scenario,
companies are encouraged to use informed judgment in developing a process of assessment that is realistic, defensible, and supported by a reasonable level of evidential matter. This means that the documentation and
testing of controls can be tailored to a company’s own operations, risks, and
procedures. The general intent of AS5 was to ensure that the compliance efforts were focused where they would do the most good, and that the process
did not unduly interfere with the production of reliable financial statements.
The Role and Responsibility of Internal Audit
SOX Section 404 clearly states that management, not audit, is responsible for the system of internal controls. In fact, internal audit is considered
part of an organization’s internal control system. However, internal auditors
have an important role in evaluating the adequacy and effectiveness of the
control systems. The internal audit function provides senior management
and the audit committee with independent assurance that the controls, risk
management, and governance systems are working. Because of the unique
position of the Chief Audit Executive, the internal audit function often has
a significant monitoring role as well.
Under Section 404, management must assess the effectiveness of a company’s internal controls over financial reporting and must include the assessment in its annual report. In addition, under Section 302, management
must report whether the assessment has identified any material control deficiencies that could impact the company’s financial statements.
Internal audit has a different role to play. Typically, internal auditors are
encouraged to use a standard control framework such as the Committee of
Sponsoring Organizations’ (COSO) Internal Control–Integrated Framework
(ICIF). The ICIF goes beyond the SOX requirements and covers all aspects
of internal control, not just control over financial reporting. It states that an
internal control is a process, effected by an entity’s board of directors, management, and other personnel. Further, it promotes a process designed to
provide reasonable assurance regarding the efficiency and effectiveness
of operations, the reliability of financial reporting, and compliance with
applicable laws and regulations. The achievement of these objectives improves performance, profitability, the safeguarding of assets, and leads to
more reliable financial statements and compliance with applicable laws and
regulations.
The COSO framework describes the five related components of internal
controls:
Control environment. This includes integrity, ethical values, management’s style and philosophy, and the competencies of the entity’s people. The control environment sets the tone and is the foundation for
the other components of internal control.
Risk assessment. The process of identifying and assessing the risks to
the achievement of corporate objectives. It also provides valuable input
into the management of these risks.
Control activities. The policies and procedures, at all levels of the organization, in place to ensure that management directives are followed.
Control activities include formal approvals, authorities, separation of
duties, and reconciliations.
Information and communication. The processes to ensure that information is captured, synthesized, and communicated in a manner that
is timely and helps people to carry out their responsibilities. It includes
internally and externally generated information, and must occur at all
levels of the organization.
Monitoring. The processes that assess the quality of the management
control framework. This includes ongoing monitoring activities and specific evaluations, such as audits. The feedback from the results of the
monitoring processes is used to improve the system of controls.
COSO guidance gives internal auditors a framework upon which they
can tailor their approach to the assessment of internal control over financial
reporting. Because the needs of smaller companies can vary significantly
from those of larger companies, auditors should consider the most efficient
and effective manner of assessing risk. The COSO framework does this by
allowing them to select the principles that best fit their company’s circumstances. It provides management and internal audit with a tool to use in
determining the appropriate level of internal controls over financial reporting. However, it is important to note that the framework can only provide
reasonable—not absolute—assurance, and that any control testing is at a
point in time.
According to the guidance, smaller public companies may strengthen
internal controls by broadening the pool of audit committee members, using
controls built into accounting software, leveraging management monitoring,
and outsourcing some activities. This new guidance provides a tool for
management to use in determining the appropriate level of internal controls
over financial reporting for smaller businesses. The document is intended for
use by board members, senior management, other personnel, and external
auditors. The key is to identify and assess the appropriate financial risks.
Risk Factors
SOX requirements are focused on financial reporting; therefore, the auditor’s
objective is to express an opinion on the effectiveness of the company’s internal control over financial reporting. Auditors must also consider whether
identified errors are one-time failures or systematic deficiencies, such that
the internal control system no longer provides reasonable assurance that
material errors will be prevented or detected. To do so, the audit must
obtain sufficient evidence about whether or not material weaknesses exist.
Audit Technology
85
PCAOB AS5 states that the risk factors to be assessed are those that
are indicators of the susceptibility of the account, disclosure, or assertion to
misstatement due to errors or fraud. This refinement means that there is no
need to assess and test every control, only those where an inherent risk of
error exists that could reasonably possibly lead to a material misstatement.
This requires auditors to understand the nature of the
business environment, the organization’s operations and process, and to
consider sources of potential misstatements.
In the first year of SOX, auditors were often testing controls that were
not considered key because the controls did not prevent or detect material
errors. By focusing the testing and evaluation on relevant entity-level controls, auditors can spend less time on control testing and achieve greater efficiencies. Additionally, efficiencies can be obtained by integrating financial
statement audits into audits of the internal controls over financial reporting.
Instead of trying to identify and prevent every conceivable fraud, AS5
encourages companies to use a risk-based approach to determining where
to improve controls. This includes employing tactics to reduce the pressure,
opportunity, and rationalization elements of fraud. Management should consider (1) changing performance bonus policies to eliminate the pressure to
commit fraud; (2) performing continuous monitoring of the use of management override of controls; (3) setting the tone at the top with ethical
behavior; and (4) developing fraud-awareness programs to help prevent
fraud. At the same time, auditors need to be cognizant of the approaches to
identifying and assessing fraud risk.
Detecting Fraud
Auditors are generally concerned with the evaluation of controls for the
efficient and effective use of company resources. Sound controls are an
essential part of any defense against fraud, but they may not be working as
intended or may no longer be adequate. Reorganization, business reengineering, or downsizing can seriously weaken or eliminate controls, while
new information systems can present additional opportunities to commit
or conceal fraud. Auditors must also be constantly aware that mandated
controls that are nominally in effect might be poorly enforced or otherwise
irrelevant.
Auditors and fraud investigators must be conversant with the key conditions for detecting fraud. There are five such conditions:
Determining the organization’s risk of fraud by studying its operational
and control environments to identify risk categories and exposures
Assessing the risks and exposures
Examining the risks and exposures from the fraudster’s perspective, to
determine what he or she can control or manipulate to make the fraud
possible
Thoroughly understanding the symptoms of fraud and data sources that
may contain those symptoms
Being alert to the occurrence of symptoms and knowing how to look
for those symptoms in the data
Once these conditions are met, it becomes easier to deter, investigate,
and report detected fraud and create new controls to detect any reoccurrence.
Determining the Exposure to Fraud
Auditors must be aware of the areas where their organization could be at
risk and the possible impacts. Auditors must understand the various sources
of risk and exposure that confront the organization, from the highest to the
lowest levels. Risks that are poorly managed or not mitigated are an exposure that can be manipulated to benefit the fraudster. The prevention and
detection of fraud will be improved by a thorough understanding of what
could possibly happen to the organization in the normal course of operating
its business, or as the result of some other unusual event. However, simply
identifying all of the possible exposures, given the likely lack of resources
to deal with them, is not sufficient. In order to focus audit attention and the
prevention and search for fraud, auditors must not only identify, but also
assess and prioritize the risks.
The first step is to develop loss scenarios that will define the types of
fraud risk to which the organization may be exposed. Typical risk categories
include the external environment, legal, regulatory, governance, strategy,
operational, information, human resources, financial, and technology issues.
The development of risk categories can help identify and assess the risks.
The assessment of risk includes the examination of the controls in place
to mitigate against various risks, such as monetary loss, theft of assets, and
loss of proprietary data. Auditors must examine the operational environment
and its internal controls to identify where weaknesses and deficiencies can
leave the company exposed to fraud. Under SOX, the primary fraud risks
relate to financial reporting, and the system of internal controls must be
carefully evaluated and tested to ensure it is working as intended. Processes,
control points, key players, and risks must be carefully reviewed. Fraud is
often largely a crime of opportunity, so the opportunities must be found
and, if possible, eliminated or reduced.
Two widely distributed audit standards address exposure concerns directly. The Institute of Internal Auditors’ (IIA) Statement on Internal Auditing
Standards No. 3 (SIAS 3), Deterrence, Detection, Investigation and Reporting
of Fraud, requires auditors to have sufficient knowledge of possible frauds
to be able to identify their symptoms. Auditors and fraud investigators must
be aware of what can go wrong, how it can go wrong, and who could be
involved. Also, the AICPA’s SAS 99, Consideration of Fraud in a Financial
Statement Audit, was developed to assist auditors in the detection of fraud.
It goes further than its predecessor, SAS 82. New provisions include:
The need for brainstorming the risks of fraud
Emphasizing increased professional skepticism
Ensuring that managers are aware of the potential of fraud occurring
Using a variety of tests
Detecting cases where management overrides controls
In most companies, the areas of highest risk involve the general ledger
(GL) and revenue recognition. The GL is dynamic and requires adjustments,
and revisions to accounts balances can be performed by authorized individuals. However, concerns can arise when management overrides the journal
entry or revenue recognition policy or strongly encourages others to do the
same; or journal entries can be deliberately split to bypass financial controls.
Looking at risk from a top-down approach may mean that current practices need to be revised. Auditors should consider the risk factors, including:
Size and composition of the account
Volume of activity
Complexity and variability of transactions
Nature of the account, disclosure, or assertion
Accounting and reporting complexities
Existence of third-party transactions
Significant changes from the prior period
Testing for automated controls normally consists of one or more of the
following:
Control system walkthroughs to confirm the existence and adequacy
of adequate control documentation and to assess whether the design
meets the control objectives
Processing of a sample of transactions to confirm that the control is
operating effectively
Examining related application code, including the configuration of control parameters
Using audit software to test control rules (e.g., testing that transaction
debits balance to credits, or searching for journal vouchers over the
maximum amount permitted)
Using audit software to perform parallel simulations of key portions
of the applications processing, such as the use of ACL to age open
accounts receivable transactions and compare with system-generated
reports
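As an added example (not code from the book), the audit-software tests named above written in Python over a constructed journal extract: the debits-equal-credits test, the maximum-amount test, and a search for vouchers that appear to have been split to stay under the limit (the bypass described earlier in this section). The voucher layout, account codes, preparer names and the approval limit are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Hypothetical single-voucher approval limit (an assumption for this example).
MAX_VOUCHER_AMOUNT = Decimal("10000.00")


@dataclass(frozen=True)
class JournalLine:
    """One line of a journal voucher as it might be exported from a GL system."""
    voucher: str
    posted: date
    preparer: str
    account: str
    debit: Decimal
    credit: Decimal


# Constructed sample journal extract; not real data.
SAMPLE_JOURNAL = [
    # JV-101: balanced and under the limit (should pass every test)
    JournalLine("JV-101", date(2009, 3, 2), "alice", "6100", Decimal("800.00"), Decimal("0")),
    JournalLine("JV-101", date(2009, 3, 2), "alice", "2000", Decimal("0"), Decimal("800.00")),
    # JV-102: debits 500.00 against credits 450.00 (unbalanced)
    JournalLine("JV-102", date(2009, 3, 2), "bob", "6100", Decimal("500.00"), Decimal("0")),
    JournalLine("JV-102", date(2009, 3, 2), "bob", "2000", Decimal("0"), Decimal("450.00")),
    # JV-103: a single voucher over the approval limit
    JournalLine("JV-103", date(2009, 3, 3), "carol", "6200", Decimal("15000.00"), Decimal("0")),
    JournalLine("JV-103", date(2009, 3, 3), "carol", "2000", Decimal("0"), Decimal("15000.00")),
    # JV-104..106: same preparer, day and expense account, each under the limit
    # but 24,000.00 in total (pattern of a split to bypass the limit)
    JournalLine("JV-104", date(2009, 3, 4), "dave", "6300", Decimal("8000.00"), Decimal("0")),
    JournalLine("JV-104", date(2009, 3, 4), "dave", "2000", Decimal("0"), Decimal("8000.00")),
    JournalLine("JV-105", date(2009, 3, 4), "dave", "6300", Decimal("8000.00"), Decimal("0")),
    JournalLine("JV-105", date(2009, 3, 4), "dave", "2000", Decimal("0"), Decimal("8000.00")),
    JournalLine("JV-106", date(2009, 3, 4), "dave", "6300", Decimal("8000.00"), Decimal("0")),
    JournalLine("JV-106", date(2009, 3, 4), "dave", "2000", Decimal("0"), Decimal("8000.00")),
]


def voucher_totals(lines):
    """Sum debits and credits per voucher: {voucher: (total_debits, total_credits)}."""
    totals = defaultdict(lambda: [Decimal("0"), Decimal("0")])
    for ln in lines:
        totals[ln.voucher][0] += ln.debit
        totals[ln.voucher][1] += ln.credit
    return {v: (d, c) for v, (d, c) in totals.items()}


def unbalanced_vouchers(lines):
    """Control rule 1: every voucher's debits must equal its credits."""
    return sorted(v for v, (d, c) in voucher_totals(lines).items() if d != c)


def vouchers_over_limit(lines, limit=MAX_VOUCHER_AMOUNT):
    """Control rule 2: no single voucher may exceed the approval limit."""
    return sorted(v for v, (d, _) in voucher_totals(lines).items() if d > limit)


def suspected_split_vouchers(lines, limit=MAX_VOUCHER_AMOUNT):
    """Control rule 3: group debit lines by (preparer, posting date, account).

    A group of two or more vouchers that are each within the limit but together
    exceed it is reported as a suspected split. Returns a sorted list of
    ((preparer, date, account), [vouchers], group_total).
    """
    groups = defaultdict(dict)  # key -> {voucher: debit total}
    for ln in lines:
        if ln.debit > 0:
            key = (ln.preparer, ln.posted, ln.account)
            groups[key][ln.voucher] = groups[key].get(ln.voucher, Decimal("0")) + ln.debit
    findings = []
    for key, vouchers in groups.items():
        total = sum(vouchers.values(), Decimal("0"))
        if len(vouchers) > 1 and total > limit and all(a <= limit for a in vouchers.values()):
            findings.append((key, sorted(vouchers), total))
    return sorted(findings)


def run_control_tests(lines, limit=MAX_VOUCHER_AMOUNT):
    """Run all three rules and return the exceptions for the audit working papers."""
    return {
        "unbalanced": unbalanced_vouchers(lines),
        "over_limit": vouchers_over_limit(lines, limit),
        "suspected_splits": [
            {"preparer": k[0], "date": k[1].isoformat(), "account": k[2],
             "vouchers": vs, "total": str(t)}
            for k, vs, t in suspected_split_vouchers(lines, limit)
        ],
    }


if __name__ == "__main__":
    for rule, exceptions in run_control_tests(SAMPLE_JOURNAL).items():
        print(f"{rule}: {exceptions}")
```

Each rule returns only exceptions, so an empty list is a clean result; in practice the same three functions would be run over the full journal export rather than the embedded sample.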
Auditors should consider the risk factors for fraudulent financial reporting and theft described in SAS 99. These can be used as a basic model
for assessing the risk of fraudulent financial reporting. The risks outlined
in SAS 99 include factors such as management conditions, the competitive
and business environment, and operational and financial stability. The risk
factors for theft include employee relationships, internal control, and the
susceptibility of assets.
The AICPA’s Audit Standards Board has also issued eight Statements
on Auditing Standards (SAS) dealing with the assessment of risk in financial
statements. SAS 104 to 111 cover a wide range of topics including reasonable
care, auditing standards, and evidence, and form a comprehensive set of risk
standards. Together they provide guidance to assist the audit in determining
the risk of financial misstatement caused by error or fraud. The standards
support the design and performance of audit procedures aimed at detecting
risk. In particular, they encourage auditors to develop an understanding of
the audit entity, the system of internal controls, and the associated risks.
Through this enhanced understanding and improved procedures, auditors
can perform a more rigorous assessment of the risks.
Additional information on how to define and assess fraud risk can be
found in the book Computer-Aided Fraud Prevention and Detection: A Step-by-Step Guide, also by David Coderre.
SOX Software
Initially, companies tended to view SOX compliance as either a financial
reporting problem (Are the controls in place to ensure that we have not
materially misstated our finances?) or an IT problem (Do we have access to
the data we need to ensure compliance?). In fact, it is both. To ensure that
internal controls are working, auditors need to drill down into transaction-level data, and IT needs to make this data accessible. SOX demands that
cross-organizational teams be involved in the compliance process. Many
companies realized that the rules required changes in both the IT and application infrastructures that support the business and the business processes.
SOX teams often result in management, audit, and the IT department being
involved in compliance discussions.
Since the Sarbanes-Oxley Act was enacted into law in 2002, audit and assurance software vendors have introduced new SOX tools or repositioned
existing products for the SOX market. Considerable confusion existed in
the marketplace as security, change management, and many other types of
software firms marketed their products as SOX solutions. Typically, these
products assisted IT departments in partially achieving specific control objectives, such as ensuring system security, but none were end-to-end solutions, and none were intended to comprehensively manage the controls
documentation, assessment, and remediation processes required by SOX.
The challenge for auditors in understanding SOX compliance software is
that solutions can range from relatively simple spreadsheets to highly complex solutions, such as software to reengineer all business processes.
Companies are spending more on IT, business-process change, corporate governance, and/or consulting as a direct result of compliance with
SOX. And more companies are using enterprise resource planning (ERP)
systems or enterprise performance management tools not only to meet SOX
requirements, but also to improve their own visibility into business operations. In 2004, most companies relied primarily on existing tools, particularly
Microsoft Word, Excel, and Visio, to achieve SOX documentation compliance (2005 Buyer’s Guide [2005]). For the most part, they decided to wait
until after the first year of compliance to implement SOX solutions.
But this trend changed quickly, and software spending, roughly $2
billion in 2003, tripled by 2006, and is expected to continue to increase
as companies gain a better understanding of their corporate governance
requirements. To reduce the high labor costs associated with the compliance
effort, more and more companies and audit departments are turning to
software products that combine flexibility and power, allowing them to
read and analyze data stored in a myriad of application systems.
Technology spending accounts for 28 percent of the $6.1 billion being
spent in 2006 on SOX compliance, according to AMR Research. Companies want to use technology to lower the cost of compliance by building
repositories of control documentation and data about compliance testing
and assessments.
SOX software typically provides a capability for documenting the review
of risks and controls over financial reporting and other operating risks, and
for presenting this analysis to the external auditors. According to PCAOB
Auditing Standard No. 2 (AS2), SOX software should include the definition
of material accounts and disclosures from your financial statements, risk
templates, controls review, discussion and follow-up of an action plan, and
a complete framework for risk analysis. It should address the areas of risks
and controls, and issue management. It should be capable of documenting issues, tracking remediation efforts, and maintaining accountability and
continuity on specific task items.
There are several SOX tools, such as Risk Navigator, Enterprise Risk Assessor (ERA), ControlCase, Methodware, SarbOxPro, and OpenPages. Most
SOX software products support the requirement to document a business process and to identify the associated risks and controls. They should assist the
auditor who is performing tests of controls and documenting and reporting
the results of these tests. Often SOX software will include a library of risks
and controls that can be shared across the organization, allowing users to
create a central repository of risk assessment and control records, both entity
and activity based. This allows multiple users to track changes, share authorship, and distribute consolidated risks across the organization—reducing the
amount of control and test documentation and making it easier to maintain
the necessary documentation. The software should prevent unauthorized
access and should track the history of control tests. Further, most SOX
applications will analyze the underlying data, using pivot tables, to show
trends over time. Typically, the applications are also equipped with a variety
of graphical displays including color-coded “heat maps” of risk areas.
A key to meeting the Sarbanes-Oxley Act’s requirements is to understand not only what software is out there, but also what is really needed. In
addition, it is possible to start small and incrementally improve the level of
technology-based compliance. Auditors must know how to use technology
to reduce the amount of paper pushing, to automate routine tasks, improve data analysis, and continuously assess and identify risks and control
deficiencies.
Assessment of IT Controls and Risks
One of the problems non-IT auditors experience is trying to determine when
and how to test IT controls and risks. For decades, auditors have audited
“around the box,” satisfying themselves that the controls at either end of
the computer application were working and assuming that the application
controls were adequate. The only auditors who even dared to look at the
application controls were IT auditors; however, the audit world has changed
significantly in the past few years.
No longer are IT and business risks considered as separate entities. Auditors are encouraged to consider IT risks as business risks and to develop
a more integrated approach to auditing. The risk assessment component of the
COSO model for technology controls examines entitywide risks. It espouses
the integration of IT and business risks, and encourages auditors to identify IT controls that operate in high-risk business areas/functions. Further,
SOX stresses the requirement for all auditors to understand the business
and IT-related risks and controls with respect to financial reporting. While
IT general controls and processes do not have a direct impact on financial
statements, deficiencies in these controls could result in material misstatements. Therefore, under SOX, business and related IT controls are important components of the assurance that financial reports and disclosures are
accurate and timely.
SOX section 404 requires the CEO and CFO to report annually on the
effectiveness of the internal controls over financial reporting. A substantial portion of the SOX Section 404 compliance costs are related to the
assessment of IT controls over the protection of data and programs from
unauthorized changes. This has led many auditors to realize that, with the
proliferation of application systems supporting all aspects of the business,
auditors need more proficiency in determining which IT controls need to be
considered. Auditors must have a sound methodology in place to help them
determine the scope of IT risks that should be considered, as well as the
related control activities necessary to mitigate them. Without a rationale for
evaluating possible IT risks, there is an increased likelihood that the level
of control testing will be either too little or too much.
How then do auditors determine the relevant IT controls and risks and
whether they are performing too much or too little testing? Auditors can look
for guidance in several publications from the IIA. In particular, they should
keep in mind the importance of considering both the application and general computer controls. The IIA guide on information technology controls
states that the objective of application controls is to ensure (1) that data is accurate, complete, authorized, and correct; (2) that it is stored and processed
properly; and (3) that all output (such as financial statements) is accurate
and complete. Application controls maintain a record that tracks the data,
from input and storage, through processing and output (IIA—GTAG 1, Information Technology Controls [2005]). The application controls include input
controls, processing controls, output controls, integrity controls, and audit
trail.
In addition, auditors must consider the information technology general
controls (ITGC), which apply to all system components, processes, and data.
The ITGCs include controls over user access, the system development life
cycle, change and configuration management, physical security controls,
and system and data backup and recovery (IIA GTAG 8, Auditing Application Controls [2007]). The application and general controls form a large part
of the overall business controls, and auditors must, therefore, understand
both the business processes and IT applications and controls in order to
identify the key controls where a weakness or deficiency may result in a
material financial statement error.
The PCAOB has provided additional guidance in the form of Auditing
Standard 5 (AS5). This standard encourages auditors to use a top-down,
risk-based approach and to focus their compliance efforts on those areas
that present the greatest risk of fraud. Further, Auditing Standard 2 (AS2)
encourages auditors to start by evaluating and understanding the entity-level controls, such as governance, standards, policies, and procedures, and
to identify significant accounts, locations, and assertions. The next step in
the top-down approach is to determine which business processes could
affect these significant areas and to identify the points at which material
misstatements or fraud could occur. This will assist the auditor in focusing
on the key application and general controls rather than assessing all systems
and their controls.
Another important source of direction is the IIA’s Guide to the Assessment of IT Risks and Controls (IIA, Guide to the Assessment of IT Risks
[GAIT] [2007]). While GAIT is not a control framework, it does provide auditors with guidance on the scoping of the IT general controls, assisting them
in determining what should be included when they must provide assurance
that the internal controls over financial reporting are adequate.
GAIT provides a principles-based approach to examining IT risk and
controls that makes it easier for non-IT auditors to understand how business
processes and the related IT systems can affect the accuracy and timeliness of financial reporting. According to GAIT, the greater the potential
impact, the more the auditors need to include the IT system in the scope of
the work performed to certify the financial statements. For example, auditors
should include controls over the proper operation of IT applications and the
protection of both the data and the application programs from unauthorized
change of systems, particularly if the IT system outputs are a material input
into the financial reporting process.
The principles-based approach encourages auditors to examine IT risks
and controls from a top-down perspective, starting by considering which
business processes should be included. By identifying the business processes with the highest risk of impacting the financial statements, auditors
can focus their efforts on identifying the key controls and the amount of
testing required to provide assurance regarding the accuracy, completeness,
and existence of the transactions. A key control is one that, if it fails, has at
least a reasonable likelihood that a material error will occur in the financial
statements (IIA—SOX Section 404 [2008]).
GAIT also encourages auditors to examine the different types of
controls—preventive, detective, and corrective—and the degree to which
these controls are either automated or manual. A higher level of assurance can be attributed to automated detective controls if they are working
properly.
Defining the Scope
Auditors must define the key controls that should be included in their assessment. There are two main approaches to defining the scope of controls.
The first is consistent with the top-down approach and starts with the identification of the key GL accounts that make up each line in the financial
statement. Auditors should assess each account and determine if it is significant. For the significant accounts, it is important to identify the business
processes that generate the transactions and to determine the underlying information system. The key controls to be assessed will be those that address
the integrity of the key transactions (IIA—SOX Section 404 [2008]).
The second approach to determining the key controls that should be
considered starts with identifying the financial statement assertions. AS5
requires that relevant assertions must be assessed. The assertions suggested
by AS5 include:
Existence. Verify that assets or liabilities exist and that transactions occurred during the reporting time period.
Completeness. All transactions and accounts are included in the financial
statement.
Validation. Appropriate amounts have been used.
Rights and obligations. Verify they exist and are for the proper period.
Disclosure. Financial statements are properly classified, described, and
disclosed.
One approach to identifying key controls relevant to these assertions
starts by listing all risks that may prevent the assertions from being satisfied
and identifying the controls that address the risks. A second approach identifies the material transactions that affect the assertions and identifies the
appropriate controls over these transactions. In either case, by determining
the relevant assertions, auditors can identify the associated accounts and appropriate key controls. This supports auditors in determining the scope—the
material transactions together with the business process and the automated
and manual controls—to be assessed (IIA—SOX Section 404 [2008]).
GAIT Principles
GAIT is a principles-based approach and is strongly linked to the IT-related
sections of the COSO internal control objectives. The four principles define
the set of IT assets (applications and business processes that depend upon
these applications) and the transactions that affect those assets. Defining
the relevant IT assets helps auditors determine the scope of IT risks, controls, and processes that must be assessed to provide the required level of
assurance.
The first principle is an extension of the top-down risk-based approach
promoted in AS2. In particular, auditors are encouraged to consider the risks
related to the IT general controls for accounts deemed to be significant. A
top-down risk assessment should be used to identify the areas that are most
prone to fraud or financial errors, and then the relevant application controls
should be evaluated. This leads to the second principle, which discusses
the IT general control processes that also need to be tested. Consistent with
Section 404, auditors are directed to assess risk in those IT general controls
where impairment to the application system’s functionality could result in
material errors in the financial statements or in fraud.
The third principle discusses the areas where IT general control risks
could exist. GAIT encourages a layered approach, examining risks in application code, databases, operating systems, and networks. The
auditor must also test system processes, such as network scans, change
management, system operations, backup and recovery, capacity planning,
and physical security. In doing so, however, GAIT encourages auditors to
consider the controls as a whole, rather than the individual controls (principle 4). Taken in their totality, the IT general controls and processes should
support the business process and, indirectly, contribute to sound financial
statements.
Traditionally, auditors were able to ignore the IT systems and audit
“around the box”; however, the integration of, and dependence of business
processes on, IT means that this is no longer an option. GAIT assists auditors
in determining when it is appropriate (and preferred) to address the IT
controls and processes directly. With a clear understanding of the business
processes and the related IT systems, auditors can use the GAIT principles
and structured approach to scope in or out application systems (IT assets).
For those applications that are scoped in, the methodology can help auditors
focus on the specific IT transactional processes that need to be assessed and
the key risks and controls.
Auditors wishing to know more about the assessment of IT controls and
risks should refer to the IIA’s Guide to the Assessment of IT Risks (GAIT).
Governance, Risk Management, and Compliance (GRC)
Corporate failures and scandals over the past few decades have resulted
in reforms, regulations, and laws aimed at improving transparency and accountability in today’s business environment. More than ever, organizations
are being challenged to conduct operations in a manner that not only meets
objectives, but also addresses compliance and the expectations of stakeholders. In response, high-performing companies are integrating their governance, risk management, and compliance (GRC) activities to make them
more efficient, effective, dependable, and legally sound. The basic components of an integrated GRC process are the identification and assessment of
risks and controls; however, without a robust governance model and the
proper tone at the top, GRC will not meet its expectations.
Governance is a difficult concept to grasp. I like to use the analogy
of driving a taxi (the organization) that contains several passengers (the
stakeholders), not all of whom want to go to the same destination. The
driver (management) must:
Know where the passengers (e.g., investors, business partners, public)
want to go and how they would like to get there (understand their
motivations and expectations)
Respect the rules of the road (laws and regulations)
Monitor the taxi’s gas, oil, temperature, brakes, etc. (internal operations)
Consider the road conditions and actions of other drivers (external
environment)
By addressing all of these factors, the driver will ensure that the taxi
makes it to its final destination (meets the desired goals and objectives).
Looking at it from the corporate perspective, management plans, directs, and organizes the activities of the organization to provide reasonable
assurance that the stated goals and objectives will be met. Management is
also responsible for the ongoing health of the organization and is accountable to the owners, stakeholders, regulators, and public. To deliver on these
accountabilities, senior management develops, implements, and maintains
processes to ensure that financial and operating information is accurate and
timely, and that the organization uses its resources efficiently and effectively.
In addition, management is responsible for the identification, assessment,
and management of risks, as well as compliance with ethical norms, rules,
laws, and regulations. Lastly, assets must also be properly safeguarded.
When all of these processes are working together, the achievement of goals
and objectives is possible.
Management also develops and maintains the tone of the organization,
including the organizational culture and ethical responses to stimuli. These
form the basis of the GRC assurance functions that, until recently, have been
separate from the main business functions and decision-making processes.
From an audit perspective, a periodic review of the GRC processes, and
implementation of required modifications, will help the organization adjust
to changing internal and external conditions (IIA Practice Advisory 2100-1:
Nature of the Work [2001]).
Audit needs to ensure that GRC is treated via an entitywide approach.
This will support good governance, the ongoing assessment of the risk
management framework, and compliance with applicable laws and regulations. The notion of entitywide controls is not a new concept. The Committee of Sponsoring Organizations (COSO) of the Treadway Commission
introduced its Internal Control Framework in 1992, more than fifteen years
ago. The concepts of risk management and compliance are not new either,
but the past decade has seen a much greater focus on risk and compliance. Regulations and acts, such as Sarbanes-Oxley and Basel II, have had
a huge impact on organizations on a global basis. Compliance costs alone
have risen sharply with the ever-increasing volume of rules and regulations.
However, the main reasons for the increased cost are operational inefficiencies: the efforts to comply have often resulted in duplication because
of silo mentalities and approaches. This has caused many organizations to
look beyond the compliance requirements and regard GRC as an integrated
process.
Treating GRC as a single process requires careful analysis to ensure the
proper integration, across organizational functions. The cost and effort of
combining the GRC activities are huge, and, while the benefits are significant, they are not easily derived. It is important to involve a cross-section of
the organization’s people and to use consistent technology and data. Additionally, the GRC process must be robust enough to deliver on, and remain
flexible enough to adjust to, new and changing regulatory requirements.
Many challenges are inherent to integrating the GRC processes. One
of the most critical steps is understanding what information needs to be
collected and monitored in order to implement an effective and efficient
GRC process. Many companies collect and store a vast amount of financial,
human resources, and operational data. Understanding which information
can support ongoing GRC efforts is not an easy task. Audit can make a
significant contribution because the process will require cross-functional
cooperation and a common understanding of the need for, and importance
of, GRC. In addition, auditors can help organizations develop a common
language for GRC and ensure that the GRC processes are incorporated into
the core business processes and management decision-making processes.
Linking the GRC and business processes will reduce the data collection and
analysis requirements.
Traditionally, governance, risk, and compliance were handled in separate departments: Legal addressed the legal and regulatory risks; the Chief
Compliance Officer addressed compliance issues; the Chief Financial Officer addressed the finance risks; and the Chief Risk Officer independently
addressed enterprise risk management. The result was a significant duplication of effort—with some processes and procedures being assessed three
different times and varying standards and terminology being applied by the
separate reviewers. But an integrated approach to managing the GRC requirements of the organization, with a common taxonomy and an integrated
review schedule, can maximize not only the GRC processes, but also can
improve operational efficiency and effectiveness. An additional benefit of
an integrated approach is the change from a reactive response mind-set of
assembling teams of people to respond to a specific crisis to a proactive
process that seeks to identify potential risks, and critical compliance issues
and controls, before the crisis happens.
Internal Audit’s Role in the GRC Process
The GRC process should be enabled by a collective suite of management
processes and controls that set strategic direction, objectives, plans, and
priorities. Implementing an integrated approach will bring internal audit,
human resources, finance, legal, procurement, information technology, and
other stakeholders together with a common goal: identifying potential risks
and the controls necessary to manage those risks. The GRC process provides
an oversight function to ensure that management’s direction, plans, and
actions are appropriate and responsible; audit’s assessment of this process
will provide the necessary assurance to internal and external stakeholders,
and help the organization meet its regulatory requirements.
Internal audit performs an independent assessment of the management
GRC processes to determine whether there is reasonable assurance that the
overall goals and objectives will be met. To do this, internal auditors must
consider emerging areas of risk, the effectiveness of management’s monitoring programs, and the adequacy of management’s response to identified
risks. Internal auditors should use a systematic approach to the evaluation
of risk management, control, and governance processes. They should also
assess management’s performance in carrying out assigned responsibilities.
The purpose of an audit of the GRC process is to provide reasonable assurance that these processes are functioning as intended and will contribute to
the achievement of the organization’s objectives and goals. GRC audits can
also provide management with workable recommendations for improving
the effectiveness and efficiencies of operations.
As a primary task, audit should seek to ensure that the integrated GRC
process builds on existing frameworks and processes rather than inventing new procedures and processes. Typically, auditors will have already
examined the risk management practices of numerous areas of the organization, either during audits or as part of the process to develop the annual
risk-based audit plan. Knowledge of existing risk management processes is
important to identifying the key players, the areas not currently being assessed, and areas of duplication. Auditors can use this knowledge to assist
management in reducing both the resistance to change and the duplication
of effort by ensuring that GRC processes are aligned with existing organizational competencies, processes, and structures.
Audit review can help ensure that the GRC activities use a common
language and approach that encourage integration and collaboration. For
example, consistent definitions for likelihood and impact will allow the
comparison of differing types of risk across the organization. Audit can also
assess the degree to which the GRC processes are integrated and duplication
is avoided. Risk information should be shared and communicated to all areas
of the organization, reducing gaps and overlaps. Audit should also be aware
of the schedule of risk management activities. Synchronizing risk activities
with the planning cycle can lead to quicker risk-intelligent decisions that
are supported by timely information and analysis. Finally, audit can help
ensure that the GRC activities are embedded in the key business processes
and procedures. GRC should not be a necessary evil or an extra step that
is taken simply to comply. Audit can assess the degree to which GRC has
become institutionalized and is part of the decision-making and strategic
planning processes.
The scope of GRC audits requires a disciplined approach that seeks to
provide assurance regarding the adequacy and effectiveness of risk management, control, and governance processes. In assessing GRC processes,
it is useful to consider the following standard definitions for adequacy and
effectiveness:
Adequacy. Refers to the plan and design of the GRC processes. Adequacy seeks to determine if management has put into place plans
that are designed so as to provide reasonable assurance that the
goals and objectives of the organization will be met efficiently and
economically. The plans should provide assurance that the organization’s activities and process are timely, accurate, and economical,
using resources that are commensurate with the risk exposure.
Effectiveness. Refers to the degree to which the GRC processes contribute to the achievement of the organization’s goals and objectives. Effectiveness seeks to measure the impact that the risk management, control, and governance processes have on the organization’s overall performance.
A GRC audit seeks to provide reasonable assurance that the processes
and activities are cost-effective and designed and implemented to reduce
risks to an acceptable level. Historically, this type of internal audit has often
been called a management control framework (MCF) audit. It examines the
totality of business systems, operations, functions, and activities and the
processes management have established to manage them. The MCF audit
considers whether the cross-functional activities are operating together to
achieve the established objectives and goals. A GRC audit should accomplish
the same objectives.
The comprehensive scope of GRC audits allows auditors to provide reasonable assurance that (1) management has designed and implemented an
effective system for identifying, assessing, and managing risk; (2) the system of internal controls is adequate and operating as intended; and (3) the
overall governance process is working properly. While audit has been performing integrated GRC audits under various names for years, only recently
has management integrated the governance, risk, and compliance processes
and procedures. Previously, these management functions existed under separate organizational silos, making it difficult for audit to provide reasonable
assurance that GRC processes were adequate and effective. However, the
integration of GRC processes has provided internal audit with a single point
of contact and has improved management’s accountability for addressing
audit recommendations.
The assessment of the GRC activities and processes should include a
review of the risk management and the system of internal controls. The
Chief Audit Executive (CAE) should develop a risk-based audit plan that
ensures the sum total of the audit activities will be sufficient to evaluate the
effectiveness of the risk management and control processes. The coverage
of the annual plan should address all key operating units and business
functions. In performing the planned audits, the risk management processes
should be assessed during the conduct of individual audits and through an
audit of the risk management process itself. Finally, the annual plan should
be reviewed continually to ensure that it addresses changes in the internal
and external risk environments.
Identifying and Assessing Management’s Risk Management Process
As part of the GRC process, audit should consider the potential for internal or external changes to negatively impact the organization’s performance.
This requires auditors to assess the adequacy of management’s risk management processes. Are these processes sufficient, and are they responsive to
risks that could affect the assets, reputation, and ongoing operations of the
organization? The IIA professional standards state that risk management is
a key responsibility of management. Management is responsible for designing and implementing adequate and effective risk management processes
(IIA Practice Advisory 2110-1: Assessing the Adequacy of Risk Management
Processes [2001]).
At the same time, internal audit has a role to play in assessing and
improving the methodologies and controls employed by management to
address risks. In particular, internal auditors should provide management
with assurance that management has established risk tolerance levels and
performs ongoing monitoring activities to reassess the risk processes and
effectiveness of controls. Audit should provide assurance that management’s
processes ensure that risks are properly identified, assessed, and managed.
Internal auditors should recognize that the risk management process
will vary from organization to organization. They must consider the size
and complexity of both internal and external environments, as well as the
organization’s culture, business objectives, and management style. Further,
the risk management costs should be commensurate with the underlying
risk. In evaluating the risk management process, audit should consider
the organization’s risk appetite; the effectiveness of management’s riskmitigation and control-monitoring activities; and the timeliness, appropriateness, and completeness of actions taken to address identified risk.
Assessment of Internal Control Processes
As new regulations requiring senior management to document and attest to
the effectiveness of the control environment and the accuracy of the information contained in financial reports are enacted, CEOs and CFOs are turning
to internal audit to assist in complying with these regulations. Although management is responsible for the assessment of the control processes in their
respective areas, internal and external auditors provide assurance about the
effectiveness of the control processes. The IIA Practice Advisory 2120 states
“audit should assist the organization in maintaining effective controls by
evaluating their effectiveness and efficiency and by promoting continuous
improvements” (IIA Practice Advisory 2120.A1-1: Assessing and Reporting
on Control Processes [2001]).
The combination of all audit work performed during the year should
contain sufficient information to permit the CAE to provide an opinion on
the overall state of controls. This opinion should address the degree to
which the internal control processes ensure (1) the accuracy, timeliness,
and reliability of financial and operational information; (2) that operations
are performed in a manner that is efficient and contributes to the effective
attainment of desired results; (3) that assets, including personnel, are properly safeguarded; and (4) that the organization complies with applicable
laws, regulations, and contracts (IIA Practice Advisory 2120.A1-1 [2001]).
The challenge for internal audit is to consolidate the many audit activities performed during the year to arrive at a holistic opinion on the
state of the risk management and controls processes of the organization.
In forming this opinion, the CAE must consider the extent to which audit
has identified significant control weakness and management’s response to
the audit recommendations. Were the audit findings understood by management, and was the implementation of management action plans given
sufficient priority? In short, did management adequately address the audit
findings? In addition, the CAE must determine if these weaknesses were
isolated instances or an indication of a systemic problem.
The pressure on audit to do more with less is increasing. Perhaps the
most difficult challenges are for audit to provide timely assurance on the
effectiveness of internal controls, to better identify and assess levels of risk,
and to quickly highlight noncompliance with regulations and policies.
GRC Software
Computer-assisted audit tools and techniques (CAATTs) can assist auditors
in performing many types of audits, including financial, operational, compliance, and GRC audits. In particular, they can assist in performing an
analytical review of the GRC processes, tests for compliance with general
and application controls, and trend analysis to identify emerging areas of
risk. In fact, the audit evidence may be largely based on data analysis;
therefore, it is important to ensure that the tests are properly planned and
executed.
During the planning phase of the GRC audit, the auditor should consider
the audit team’s knowledge of the underlying systems and the analysis
software. The auditor must also consider the efficiency and effectiveness of
electronic analyses over manual methods, the integrity of the information
system, and its data (IIA Practice Advisory 1220-2: Computer Assisted Audit
Techniques [2005]). Finally, it is important to assess the integrity, reliability,
and appropriateness of the analyses before relying on the results.
Leading organizations are leveraging technology to integrate the vast
array of GRC activities. As a result, more software companies are developing GRC audit software. GRC software can support the dismantling of
organizational silos by enforcing the use of a common taxonomy, encouraging ownership and accountability for risk processes, and enforcing the
use of a framework for a common risk management approach. GRC software, such as Paisley’s GRC Solutions, provides a common point of entry
and a single data model that can be shared by internal audit, risk management, and compliance teams. GRC software enables common definitions
and organizational reporting structures, which reduce duplication and help
ensure consistency and efficiency.
An integrated GRC platform addresses the full range of risks (regulatory,
HR, financial, and operational) as well as SOX compliance and internal audit
requirements. It typically supports processes related to the documentation
and testing of controls, the identification and assessment of risk, and the
ongoing assessment of GRC and related internal audit activities.
GRC software unifies risk and control activities to ensure the effective
documentation and sharing of information to serve the needs of varying
stakeholders. This encourages ownership and accountability while facilitating the identification, assessment, and monitoring of key risk information. For example, Protiviti’s Governance Portal provides a single, consistent source of risk and control information; the ability to assign risk and
control to operational objectives; and linkages between global and processlevel controls. The Portal also provides workflow processes to simplify the
process of documenting and testing controls, the tracking of remediation
efforts, and ongoing accountability for the GRC activities. It streamlines the
assessment process and facilitates management of the large volumes of data
required to keep all GRC processes up-to-date.
Auditors should be aware of, and constantly assess, their requirements
and the emerging capabilities of GRC software.
Summary and Conclusions
Many software vendors are willing to sell their packages to any user (even
such critical, discerning, and skeptical ones as auditors!). Many such packages are specifically designed to perform audit or audit-related tasks. These
software packages can be used to assist not only audit management but
also individual auditors and whole audit teams, if they have the conceptual
understanding and imagination required to make creative use of the technology. In fact, the issue is one of mind-set rather than technology. The
type of microcomputer CAATT employed is only limited by the imagination
of the user. As the use of microcomputers becomes more prevalent in audit organizations, new tools and techniques will continue to be developed.
What seemed to be “Star Wars” technology yesterday is already commonplace in many organizations. In the early 1980s, a microcomputer with 20
Megabytes of hard disk space and 624K of RAM felt like overkill. Today,
microcomputers have more power than early minicomputers and support
peripherals such as tape drives, CD-ROMs, DVDs, and more.
What does the future hold? No one can be sure, but auditors had better
be positioned to take advantage of what is offered, if they expect to be
recognized as value-adding partners in the organization. Making productive
use of computer resources to provide critical and constructive assessments
of the organization’s structure and performance is now a task for all auditors.
CHAPTER 3
CAATTs Benefits and Opportunities
This chapter discusses the benefits of CAATTs and the steps that can be
taken to capitalize on them, both for audit organizations and mainstream
organizations. The benefits of information technology are found in all phases
of the audit process, from planning through to reporting, as well as in the
administration of the audit function itself. The case studies in this chapter
show how the use of automated tools and techniques has improved the
value, efficiency, and effectiveness of the audit function. Because results
will vary for each organization, the examples focus on the techniques rather
than the results achieved.
The first section discusses the rationale and inevitability of CAATTs; the
later sections describe the benefits of their application to audit. The final
sections discuss recognizing opportunities for the use of CAATTs and the
transfer of audit technology.
The Inevitability of Using CAATTs
The use of the computer in audit is no longer an option—it is a necessity.
For example, primary audit skills may now include the ability to perform
background research using database search queries and the navigation of
the Internet (Alexander [1995]). Thus, embracing the use of automated tools
and techniques offers auditors numerous benefits while planning and conducting audits and reporting audit results. For example, CAATTs can be
used to:
Increase audit coverage by evaluating a larger audit universe
Improve the integration of audit skills (for example, accounting skills
with financial system information skills)
Increase the independence from information system functions (programmers)
Foster greater credibility for the audit organization
Increase the cost-effectiveness through the development of reusable
computerized techniques
Improve the management of the audit function
Improve the structure of the audit organization (reengineering)
Provide real-time audit opinions
Virtually all business organizations are now using, and are somewhat
dependent upon, computer systems. The widespread use of technology has
changed the internal audit environment and poses new challenges and opportunities for internal audit organizations. Today’s auditors face an abundance of options, with software products ranging from data analysis and
fraud detection to tools that facilitate compliance with the Sarbanes-Oxley
Act (Jackson [2004]). Obviously, the application of CAATTs to audit can
improve the quality of an audit dramatically. The challenge to auditors,
therefore, is to determine how the electronic aspects of the data can be
used as an advantage rather than a liability.
Using audit software requires more effort than simply going out and
buying an appropriate package. Finding the best way to equip the audit staff
and accomplishing this within budget can be a difficult task (Jackson [2004]).
You must be able to identify opportunities for the application of CAATTs.
A basic starting point would be to consider any task that is currently being
performed manually as a candidate for automated tools and techniques.
However, every effort should be made to reengineer the audit process.
CAATTs offer audit management an opportunity to review critically, not just
how audits are being performed, but what steps are being done and why.
Data analysis and audit software, in particular, have been used successfully as audit tools for many years. Initially, the use of these packages was
confined to financial areas. Auditors used audit software to perform tasks
such as verifying trial balances and selecting random samples of financial
transactions. More recently, audit is applying CAATTs to audits in nonfinancial areas as the utility and use of CAATTs continues to expand. Almost
15 years ago, a survey of auditors reported that 93 percent of respondents
felt that the role of computer technology is likely to increase greatly over
the next five years. The survey also identified mission-critical software as
software most needed and depended upon by internal audit to achieve its
goals and fulfill its mission. The top three mission-critical software categories
were: word processing, spreadsheet, and data analysis/extraction (Prawitt
and Romney [1996]). With the increase in technology and the timely reporting requirements of Sarbanes-Oxley, computer technology plays an even
greater role today.
It is up to the auditor to determine how CAATTs can be used to support
the objectives of each audit. More and more auditors are stepping outside
traditional boundaries associated with the use of CAATTs and seeking new
ways to use these tools to improve their efficiency and effectiveness. With
auditors increasingly being asked to make critical evaluations and decisions
in real time, it is fortunate that audit software can support them in this
endeavor. The interactive nature of CAATTs can assist organizations that
must meet the Sarbanes-Oxley requirement for disclosure to the public in a
rapid and current basis of material changes to financial conditions or results
of operations—an impossible task without the aid of data analysis.
The tools allow auditors to react to what the data is telling them. For
example, Will and others have been discussing the idea of auditing as “listening to the data.” The best uses of CAATTs will most often result when
there is a healthy interaction between the auditor, the data, and the audit software, requiring a natural auditor/information systems interface (Will
[1983]). Thus, the ability to ask questions and obtain appropriate answers
and follow newly discovered paths to their conclusion is a major advancement of audit technology, particularly during the last 15 years.
The New IM Environment
For many years, hardware and software were treated as separate departmental responsibilities—they even had distinct procurement functions and
support organizations. Those responsible for hardware and software had
little to do with the business data stored in the applications, and even less
contact with manual, noncomputerized business operations. Today, Enterprise Information Management (EIM) includes the hardware (IT), the software and business applications (IS), the management and administration of
the data in business terms, the preparation and distribution of information,
and the business processes.
Thus, there has been a change in how information is viewed and treated.
It is now commonly valued as a strategic resource, and all the tools and
skills required to manage that resource are typically brought under one
authority. It is therefore time that auditors also change the way they look
at information and utilize all the information technologies represented by
CAATTs.
The New Audit Paradigm
Everyone has heard the phrases “if it ain’t broke, don’t fix it” and “don’t reinvent the wheel.” These adages are useful to remember, but too often we
find ourselves constrained by mental barriers that we create for ourselves.
Methods that worked well in the past become entrenched in our way of
thinking. Sometimes this is good; past experiences can help us avoid pitfalls
and maximize the use of our time. However, strict reliance on past experiences can result in trying to force familiar solutions to different problems
or cause us to overlook new or more efficient approaches to old problems.
Even when we utilize our standard tools, such as data analysis and audit
software, we must try to find new approaches to address new situations.
Data analysis and audit software provide us with an opportunity to be more
creative in our approach to problem solving. A shift in the audit paradigm
and a corresponding change in the meaning of CAATS to Computer-Aided
Audit Thought Support has been suggested (Will [1995]). This knowledgebased approach to accounting, controllership, and auditing demonstrates
that the available audit software does not only become smarter with use,
but also makes the auditor/user smarter as well.
Case Study 15 shows how analysis software can be used in a new way.
It is an example of an approach to source code review, which is possible if
the new audit paradigm of thought support is adopted.
Case Study 15: Source Code Review
A new financial system was being developed, and audit had been conducting a System Under Development Review. To date, the review had
concentrated on the project management aspects of the development
project and an assessment of the adequacy of the identification of user
requirements. Now audit was performing a rudimentary review of a
computer program. The program contained more than 370,000 lines
of source code and, in order to reduce the time and effort involved,
the auditors decided to use data analysis software to identify the logic
points, such as the “IF/ELSE,” “FOR,” and “DO CASE/WHILE” statements. First an electronic copy of the source code was obtained and
all “IF” or “DO CASE” statements were extracted (depending on the
programming language used, other logic statement types may need to
be identified). This provided the auditors with all the key decision or
logic points in the program. Printing out the statement, line number,
and page number allowed the auditors to easily locate the appropriate
block of source code for each of the “IF” or “DO CASE” statements
on the hard-copy version when more details were required. With this
information and the system flowchart and narrative, the auditors were
quickly able to understand the basic flow of the program and select
the lines they wanted to review in detail. In this manner, the task of
analyzing hundreds of thousands of lines of code was considerably simplified, and the auditors were able to focus on key logic points in the
program.
This approach could also be used intelligently by auditors to identify
all “ASSIGN” or “LET” statements for critical variables such as “LET
DEPOSIT AMT = DEPOSIT AMT + 100.00” or “ASSIGN OVRTME RATE
= OVRTME RATE+.20” or to extract all comment statements. It is also
easy to calculate the percentage of comment lines compared to the total
number of lines of code. This percentage can be compared to industry
standards, providing a measure of the source code’s understandability
and maintainability. If you do not have data analysis software, most
word processors or text search software packages can be used to search
for a given string.
Most audit software packages and a number of utility-type packages
can also be used to compare two files. This capability can help review two
versions of the source code, line by line. The official version can easily
be compared to the working version (i.e., the version used to generate
the object code) to identify discrepancies. Within minutes the auditor can
identify new, changed, or deleted lines of code. By joining the two text files
using the line number as the key field, the official and working source code
copies can be combined into one file. This file would contain two fields:
the first field containing the official version of the code for that line, and the
second field containing the working version of the code for the same line
number. A simple command to list the record if field 1 is not equal to field
2 will identify all lines that have changes, additions, or deletions—not only
once, but every time this programmed approach is used.
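The three tasks described in Case Study 15 and the paragraphs above (extracting the logic points of a program, measuring the comment ratio, and comparing an official and a working copy of the source) can be scripted in a few lines. The following is an added example written for this edition, not code from the book or from any audit package; the source fragment is constructed, and the keyword list and comment convention are assumptions that must be adapted to the language under review. It also shows a caveat the text does not mention: joining the two copies on line number reports every line after an insertion as changed, so an alignment-based comparison (here Python's difflib) is needed to isolate the real edits.

```python
"""Added example (not from the book): a mechanical first pass over a source file.

  1. extract the decision points (IF / ELSE / FOR / WHILE / DO CASE) with line numbers,
  2. count assignments to a critical variable and compute the comment-line ratio,
  3. compare an "official" and a "working" copy, first by line number (the book's
     join approach) and then by sequence alignment.
The sample source is constructed for the example; LOGIC_KEYWORDS and COMMENT_RE are
assumptions about the dialect being reviewed.
"""
import difflib
import re

# Constructed sample in a COBOL/BASIC-like dialect ('*' starts a comment line).
OFFICIAL = """\
* Deposit handler (constructed sample)
LET DEPOSIT_AMT = 0
IF ACCOUNT_OPEN = 1
    DO CASE
        CASE TXN_TYPE = "D"
            LET DEPOSIT_AMT = TXN_AMT
        CASE TXN_TYPE = "W"
            LET DEPOSIT_AMT = 0 - TXN_AMT
    END CASE
ELSE
    * closed account: reject
    LET STATUS = "REJECT"
END IF
"""

# Working copy: line 6 altered and one line inserted after the second comment.
WORKING = OFFICIAL.replace(
    "LET DEPOSIT_AMT = TXN_AMT",
    "LET DEPOSIT_AMT = TXN_AMT + 100.00").replace(
    "    * closed account: reject\n",
    "    * closed account: reject\n    LET RETRY = 1\n")

LOGIC_KEYWORDS = ("IF", "ELSE", "FOR", "WHILE", "DO CASE", "CASE")  # assumption
COMMENT_RE = re.compile(r"^\s*\*")  # assumption: '*' after indentation marks a comment


def logic_points(src):
    """(line_number, text) for every non-comment line that starts with a logic keyword."""
    out = []
    for n, line in enumerate(src.splitlines(), start=1):
        if COMMENT_RE.match(line):
            continue
        text = line.strip()
        if any(text == kw or text.startswith(kw + " ") for kw in LOGIC_KEYWORDS):
            out.append((n, text))
    return out


def assignments(src, variable):
    """(line_number, text) for every LET/ASSIGN statement that sets `variable`."""
    pat = re.compile(r"^\s*(LET|ASSIGN)\s+%s\s*=" % re.escape(variable))
    return [(n, line.strip()) for n, line in enumerate(src.splitlines(), 1) if pat.match(line)]


def comment_ratio(src):
    """Comment lines divided by non-blank lines (the maintainability measure in the text)."""
    lines = [l for l in src.splitlines() if l.strip()]
    comments = sum(1 for l in lines if COMMENT_RE.match(l))
    return comments / len(lines) if lines else 0.0


def compare_by_line_number(official, working):
    """The book's join-on-line-number approach: pair line N of each copy, list mismatches.
    One inserted or deleted line shifts everything after it, so every later line is
    reported as changed even when its text is identical."""
    a, b = official.splitlines(), working.splitlines()
    diffs = []
    for n in range(1, max(len(a), len(b)) + 1):
        left = a[n - 1] if n <= len(a) else None
        right = b[n - 1] if n <= len(b) else None
        if left != right:
            diffs.append((n, left, right))
    return diffs


def compare_aligned(official, working):
    """Alignment-based comparison: (tag, official_from, official_to, working_from, working_to),
    1-based inclusive line ranges, one entry per real edit."""
    a, b = official.splitlines(), working.splitlines()
    changes = []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        if tag != "equal":
            changes.append((tag, i1 + 1, i2, j1 + 1, j2))
    return changes


if __name__ == "__main__":
    for n, text in logic_points(OFFICIAL):
        print("logic point line %d: %s" % (n, text))
    print("comment ratio: %.2f" % comment_ratio(OFFICIAL))
    print("by line number:", [n for n, _, _ in compare_by_line_number(OFFICIAL, WORKING)])
    print("aligned:", compare_aligned(OFFICIAL, WORKING))
```

On the sample, the line-number join reports lines 6, 12, 13 and 14 as different although only line 6 was edited and one line was inserted; the aligned comparison reports exactly one replace and one insert. Both functions are deterministic, so the same script can be rerun against each new build of the program.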
Case Study 16: Analyzing System Logs
The technique described for reviewing source code can also be used to
analyze various mainframe system-generated log files such as the Job,
Problem, Change, and Configuration logs. Analyzing these files can provide audit with a great deal of useful information. For example, by using
the Problem Log, the auditor can track the history of a specific problem,
including the dates and nature of the corrective responses taken.
The repair/replacement activity and times for various pieces of
equipment can be determined as part of an audit of backup and recovery or as part of an audit of purchasing practices. The auditor can
also use date and time information to calculate the mean time to failure
for specific pieces of equipment. The Configuration Log can be used
to review the history for a specific piece of hardware, identifying all
changes or modifications.
System activity can be examined by analyzing Job or Operator logs.
Auditors can search for attempted security violations or failed logons and
use the time and date information to identify patterns or trends. For example, it would be easy to determine if invalid password responses between 1:00 A.M. and 2:00 A.M. were higher than at other times of the day.
Job submissions can be reviewed by program name, programmer
name, and type of activity to identify potential inappropriate use of
the computer resources. Jobs can also be examined to review the time
submitted and the CPU utilization in order to identify jobs that are using
large amounts of resources. These may be inefficiently coded and could
be using more resources than required. At one installation, a job that ran
for more than six hours was reduced to less than two hours, simply by
changing the input order for two databases that were being compared.
The main point being illustrated in Case Studies 15 and 16 is that data
analysis, various utility-type packages, or text search software can be used
to review virtually any type of file. The review can easily be repeated,
particularly if a script or macro is created that can be rerun any time and
anywhere. The search for specific strings like “access refused” or “invalid
password” can easily be performed using the computer. Instead of having
to read through thousands of lines of text, the auditor might only have to
review a hundred lines or less. Using these techniques is similar to receiving
a printed list with all the important lines highlighted for you, but with the
added advantage that all nonhighlighted lines have been deleted. The key is
to think about the audit problem in a new way and recognize that modern
audit technology facilitates this shift in the audit paradigm.
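The log review in Case Study 16 and the string search just described, as an added example that is not from the book: a constructed operator-log extract (the line format, user IDs and messages are assumptions) is parsed, filtered for the strings of interest, and the invalid-password events are profiled by hour and by user so that a concentration in, say, the 1:00 A.M. to 2:00 A.M. window is a single function call rather than a manual read-through.

```python
"""Search a system log for security-relevant strings and profile failures by
time of day. Added example; the log lines are constructed, not real."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample operator-log extract. Assumed record layout:
# "YYYY-MM-DD HH:MM:SS  USERID  MESSAGE".
SAMPLE_LOG = """\
2009-03-02 00:58:12  JSMITH   LOGON OK
2009-03-02 01:04:31  OPER1    INVALID PASSWORD
2009-03-02 01:05:02  OPER1    INVALID PASSWORD
2009-03-02 01:05:40  OPER1    INVALID PASSWORD
2009-03-02 01:22:17  ADMIN    INVALID PASSWORD
2009-03-02 01:47:55  ADMIN    INVALID PASSWORD
2009-03-02 07:30:00  JSMITH   LOGON OK
2009-03-02 09:15:44  MBROWN   INVALID PASSWORD
2009-03-02 09:16:10  MBROWN   LOGON OK
2009-03-02 14:02:09  TEMP07   ACCESS REFUSED DATASET PAYROLL.MASTER
2009-03-02 16:45:00  JSMITH   LOGOFF
2009-03-02 23:10:33  OPER2    LOGON OK
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(.*)$")


def parse_log(text: str):
    """Turn raw lines into records with a real timestamp; lines that do not
    match the expected layout are skipped rather than crashing the run."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        records.append({"time": stamp, "user": m.group(2), "message": m.group(3)})
    return records


def search_strings(records, needles=("ACCESS REFUSED", "INVALID PASSWORD")):
    """The auditor's string search: keep only the records containing one of
    the strings of interest, so thousands of lines shrink to the few that
    need to be read."""
    return [r for r in records if any(n in r["message"] for n in needles)]


def failures_by_hour(records):
    """Count invalid-password events per hour of the day (0-23)."""
    counts = Counter()
    for r in search_strings(records, ("INVALID PASSWORD",)):
        counts[r["time"].hour] += 1
    return dict(counts)


def failures_by_user(records):
    """Count invalid-password events per user ID."""
    counts = Counter(r["user"] for r in search_strings(records, ("INVALID PASSWORD",)))
    return dict(counts)


def window_share(records, start_hour: int, end_hour: int) -> float:
    """Fraction of all invalid-password events that fall in
    [start_hour, end_hour), e.g. window_share(recs, 1, 2) for 1:00-2:00 A.M."""
    by_hour = failures_by_hour(records)
    total = sum(by_hour.values())
    if total == 0:
        return 0.0
    in_window = sum(c for h, c in by_hour.items() if start_hour <= h < end_hour)
    return in_window / total


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in search_strings(recs):
        print(r["time"], r["user"], r["message"])
    print("by hour:", failures_by_hour(recs))
    print("by user:", failures_by_user(recs))
    print("share in 01:00-02:00:", round(window_share(recs, 1, 2), 3))
```

Once this is a saved script, rerunning it against next month's log is the "repeatable" review the text describes; the baseline to compare against is the same profile computed over a normal period, not a fixed number.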
Other case studies in this chapter cover a variety of types of audits
including financial, personnel, and inventory audits. They demonstrate not
only the flexibility and power of CAATTs, but also the intellectual power
gained by (or expected of) any auditor using CAATTs and modern audit
technology.
Expected Benefits
According to the System Auditability and Control (SAC) report produced by
the Institute of Internal Auditors Research Foundation (IIA [1991]), the use
of information technology in audit offers numerous benefits:
Improved efficiency and effectiveness of individual audits and of the audit department
CAATTs Benefits and Opportunities
109
Ability to evaluate a larger universe and increase audit coverage
Increased analytical capabilities
Improved quality of activities performed during the audit
Consistent application of audit procedures and techniques
Increased cost-effectiveness through the reusability and extensibility of computerized techniques
Improved integration of financial/information systems audit skills
Increased independence from information systems functions and greater credibility for the audit organization
Greater opportunities to develop new approaches
Better management of audit data and working papers
The implementation of CAATTs can benefit any audit department, regardless of its size or current technology. The degree or level of CAATTs
may vary considerably, and still the organization will gain certain efficiencies. It is not necessary to develop complex audit routines, embedded audit
modules, or employ programmers. Simple uses of the computer can achieve
a quick payback in time and resources. In fact, many significant benefits can
be obtained at a marginal cost. The advantages realized from using CAATTs
range from saving time to being able to perform an analysis that would have
been next to impossible to do manually. Finding time to think critically is
another significant benefit.
The benefits of CAATTs can occur at all stages of the audit (planning,
conduct, reporting, and follow-up). Benefits also accrue from
more efficient management of the audit process. Studies done by the Canadian Institute of Chartered Accountants (CICA [1994]) and the EDP Auditors
Association, Toronto Chapter (EDPAA [1990]) also discuss the benefits of
using CAATTs.
Planning Phase—Benefits
Risk analysis and audit universe software can assist management in selecting
areas to audit and in identifying and assessing initial risks and determining
preliminary objectives. A proper risk analysis of the audit universe directs the
scarce audit resources to the areas deserving the most attention. However,
during the planning phase of an audit, the audit program is not cast in stone;
so the objectives, scope, and lines of inquiry can still be modified. The audit
project leader must be able to see the big picture. Decisions made at the
planning stage often set the direction for the early part of the audit and
are usually critical to the ultimate success of the project. Accessing historical
data for the client area, previous audit reports, and results can help focus the
audit. The ability to easily reuse all (or part) of previous audit programs can
significantly reduce the planning time, while maintaining high-quality audits.
Case Study 17: Research and Development Audit
During an audit of research and development activities at a major laboratory, the auditors were unsure as to which projects they should review
first. In order to determine the financial risks of each project, the audit team extracted data from the three separate cost-tracking systems.
Using the project code as a key, the three files were then matched to
create a single record of information for each research activity, providing financial information on labor expenditures, materials and parts,
and specialized equipment-on-loan. The resulting data helped the audit
team identify the total financial cost, highlighting projects with high risk
and materiality. This allowed them to make a more informed choice as
to which research projects should be reviewed.
The matching of the data also allowed for a comparison of the
integrity of the three independent sources of data. The resulting files
were also of interest to senior management and were handed over at
the end of the audit. The analysis produced a significant savings of time
and effort since the audit team was able to focus its activities on projects
based upon a realistic consideration of the risks and materiality.
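The three-way match in Case Study 17, as an added example (not the book's or any audit package's code): three constructed cost extracts (labor, materials, equipment on loan; the project codes and amounts are sample values) are joined on the project code into one record per research activity, ranked by total cost for the materiality decision, and cross-checked for codes that one system carries and another does not, which is the "integrity of the three independent sources" comparison the case study mentions.

```python
"""Match three cost-tracking extracts on project code, rank by total cost,
and report integrity gaps between the sources. Added example with
constructed data."""
import csv
import io

# Constructed extracts, one per cost-tracking system (hypothetical codes).
LABOR_CSV = """project_code,labor_cost
P-101,250000.00
P-102,80000.00
P-103,15000.00
P-104,42000.00
"""
MATERIALS_CSV = """project_code,materials_cost
P-101,120000.00
P-102,30000.00
P-104,5000.00
P-105,9000.00
"""
EQUIPMENT_CSV = """project_code,equipment_on_loan
P-101,300000.00
P-102,10000.00
P-103,2000.00
"""


def load_costs(text: str, field: str):
    """Read one extract and total the given cost field per project code
    (a system may hold several rows for the same project)."""
    totals = {}
    for row in csv.DictReader(io.StringIO(text)):
        code = row["project_code"]
        totals[code] = totals.get(code, 0.0) + float(row[field])
    return totals


def match_by_project(labor, materials, equipment):
    """Outer join of the three dictionaries on project code. A project absent
    from a system contributes 0.0 from it; the result is sorted by total cost,
    highest first."""
    codes = set(labor) | set(materials) | set(equipment)
    records = []
    for code in codes:
        lab = labor.get(code, 0.0)
        mat = materials.get(code, 0.0)
        equ = equipment.get(code, 0.0)
        records.append({"project_code": code, "labor": lab, "materials": mat,
                        "equipment": equ, "total": lab + mat + equ})
    records.sort(key=lambda r: r["total"], reverse=True)
    return records


def integrity_issues(labor, materials, equipment):
    """Project codes present in some but not all three systems, with the
    names of the systems that lack them."""
    sources = {"labor": set(labor), "materials": set(materials),
               "equipment": set(equipment)}
    all_codes = set().union(*sources.values())
    return {
        code: sorted(name for name, codes in sources.items() if code not in codes)
        for code in sorted(all_codes)
        if any(code not in codes for codes in sources.values())
    }


def above_threshold(records, threshold: float):
    """Project codes whose total cost reaches the materiality threshold."""
    return [r["project_code"] for r in records if r["total"] >= threshold]


if __name__ == "__main__":
    lab = load_costs(LABOR_CSV, "labor_cost")
    mat = load_costs(MATERIALS_CSV, "materials_cost")
    equ = load_costs(EQUIPMENT_CSV, "equipment_on_loan")
    for r in match_by_project(lab, mat, equ):
        print(f"{r['project_code']}  total={r['total']:>12,.2f}")
    print("integrity issues:", integrity_issues(lab, mat, equ))
```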
As shown in Case Study 17, CAATTs can be used to improve the research
performed during the planning phase to improve audit effectiveness. Risk
and materiality considerations can also be evaluated in deciding whether
or not an audit should be conducted. Text search and retrieval capabilities
can identify previous audit programs and findings, which may identify lines
of inquiry for the current audit, thereby reducing the planning time. Further, initial data can be gathered electronically and analyzed to determine
significant lines of inquiry.
Case Study 18: Audit of the Personnel Function
For an audit of the personnel function, an electronic questionnaire was
sent to personnel officers across the country via e-mail. The officers completed the questionnaire and e-mailed their responses back to the audit
department. The data collected from questionnaires was used during the
preliminary survey phase of the audit to identify trends and potential areas of risk. The results of more than 320 responses to 60 questions were
further analyzed and summarized using audit software. The analyses
identified specific lines of inquiry for the conduct phase of the audit.
Audit-related databases containing previous findings and audit programs can reduce the time required to develop an audit program and can
provide new auditors with a better sense of corporate history. Further, more
focused planning will scope the audit more accurately, reduce the overall
resource costs, and improve the allocation of resources to projects, thereby
decreasing nonproductive time and increasing audit effectiveness and
efficiency.
Case Study 19: Inventory Controls
An audit of the controls over inventory purchases, handling, and distribution used the computer to identify the location of the warehouses
and to calculate the total value of their inventory. Data was also extracted to determine the amounts purchased and the distribution and
use of the inventory. The analyses helped the auditors decide which
locations should be visited, the types and quantities of items expected
to be found at each warehouse, and the purchase, redistribution, and
inventory turnover patterns and rates for each warehouse.
Many organizations have built electronic working papers that contain
references such as federal regulations, sample audit programs for various
types of audits, and other useful information. These can be easily incorporated into the current audit program, saving the auditor much time. Other
companies have developed extensive intranets that provide auditors with
instant access to corporate policies, procedures, business plans, and more.
The intelligent use of company intranets preserves and enhances corporate
memory and can be used by audit to become more efficient and effective.
Using the Internet, auditors can conduct research around the world to
search for background information, pertinent research studies, and even
audit programs developed by other auditors. In minutes, auditors can perform worldwide searches, consult other audit organizations, and examine
best practices, dramatically reducing the planning phase of the audit. For
example, searching the Internet prior to one audit found a study on Best
Practices for Invoice Processing and a report by the National Performance
Review on cutting government red tape. The ideas contained in these documents were useful and innovative, allowing the auditor to make better
recommendations.
During audit planning, with the support of CAATTs, auditors can formulate hypotheses, develop tests, and evaluate results quickly and easily.
This allows the team leader to develop a better audit program that supports
relevant audit objectives.
Conduct Phase—Benefits
CAATTs provide a means to be flexible and innovative in the performance
of audits. The application and use of interactive tools and techniques during the conduct phase can help auditors to adjust their initial approaches
in response to real-time findings. They allow the auditor to apply thinking
and reasoning, rather than adhere to a strict predetermined set of manual
audit steps. The auditor is free to follow new lines of inquiry, often leading to unexpected findings. These capabilities maximize the auditor’s time,
particularly during the conduct phase of the audit.
Traditionally, CAATTs have seen more use during the conduct phase
than any other phase of the audit. The use of technology supports improved
data analysis, increased audit coverage, better use of audit resources, continuous auditing, and improved results.
Data Analysis
CAATTs have been used to select statistical samples or to improve the
effectiveness of a judgmental or directed sample. Now, microcomputer-based automated tools can also perform 100 percent verification of the
transactions to assess the total risk and materiality of the audit findings.
Many tasks such as sorting, merging, and comparing can be performed by
the computer in a fraction of the time it would take to do manually.
Case Study 20: Audit of Gasoline Costs
As part of an audit of gasoline costs, financial transactions for gas purchases were selected and reviewed to determine if sales tax had been
paid correctly. The audit identified a significant amount in overpaid tax
and, because of the timely identification of the error, the company was
able to recover the overpayment.
Increased Coverage
Advances in audit technology, including knowledge-based systems, can provide audit organizations with the ability to conduct audits that were not
previously possible. Systems containing millions of transactions or business
applications with numerous remote locations are difficult, if not impossible,
to audit using manual methods. Reviewing hundreds of thousands of transactions manually could take weeks of audit time. With computers, one can
analyze, look for trends, sort, compare, and verify hundreds of thousands
of transactions in minutes.
Case Study 21: Interest Charges on Overdue
Accounts Payable
The company was having a problem with interest charges on overdue accounts payable. Invoices were paid at approximately 50 invoice-processing offices, which were spread across the country. The audit
objective was to review the invoice-processing procedures to find ways
to reduce the interest costs being paid on overdue accounts.
The auditors used the headquarters’ financial system to identify all
invoices with late-payment charges. Summarizing the data, they determined the:
Total interest paid over each of the last four years
Amount of interest paid at each invoice processing office
Number of days overdue (30, 60, 90, and 120) and the total dollar value of the interest charges for overdue payments
Average number of days it took to pay an invoice
A review of interest charges on overdue payments calculated the
average number of days required to pay an invoice in various payment offices. This review identified the invoice-processing offices that
were taking long periods of time to pay invoices and thus were incurring unnecessary interest charges. The analysis also showed that three
invoice-processing offices were responsible for 94.5 percent of the late
payment charges, warranting further attention from audit.
Days Aged: Summary of Payments on Overdue Accounts

                 Number of Transactions        Interest Charges
Office           Number     Percentage         Percentage     Amount
Dallas              190        25.47%             61.28%     396,703.23
New York            416        55.76%             24.97%     161,667.78
Houston              30         4.02%              8.30%      53,751.95
Washington          104        13.94%              2.40%      15,509.93
Boston                1         0.13%              1.78%      11,550.00
Chicago               5         0.67%              1.27%       8,205.52
Totals:             746       100.00%            100.00%     647,388.41
The audit team also calculated the overall average time to process an
invoice and the average processing time for each invoice processing
office. Further, it was determined that a small number of large-dollar
invoices were incurring the majority of the interest paid. The analysis
showed that 1.6 percent of the invoices that were paid late accounted
for more than 37 percent of the interest charges.
Interest Charges at Dallas Office
(Summary of Days Aged and Payments on Overdue Accounts)

                 Number of Transactions        Interest Charges
Days             Number     Percentage         Percentage     Amount
0 to 29              98        51.58%             26.07%     103,430.06
30 to 59             60        31.58%             21.53%      85,428.58
60 to 89             11         5.79%              5.61%      22,259.33
90 to 120            19        10.00%             10.81%      42,873.09
over 120              2         1.05%             35.97%     142,712.17
Total:              190       100.00%            100.00%     396,703.23
At the Dallas office, two late invoices resulted in interest payments
totaling more than $142,700, about 36 percent of the total interest paid
at that office.
The auditors selected the top three interest-paying invoice offices
for their on-site review and selected a sample of transactions handled
by these invoice-processing offices. This led to the discovery of inefficiencies in the invoice payment process and also identified instances of
over and underpaid interest.
This on-site review determined that all invoices were processed
on a first-come-first-served basis. As a result, a large-dollar invoice would be processed later than a number of small-dollar invoices, simply because the small-dollar invoices had been received
first. The audit recommended that high-dollar invoices (more than
$50,000) be processed first and that less attention be focused on
the low-dollar/low-risk invoices. The auditors also suggested that additional staff be hired during year-end, the peak invoice-processing
period.
By sorting the charges by industry sector and by supplier, the audit
also identified business areas where interest charges were a problem
(e.g., storage and moving charges). The audit recommended the development of a process to monitor large-dollar invoices and regular reports
on the amount of interest charges incurred by each invoice-processing
office.
As a result of the implementation of the audit recommendations, the
invoice-processing time was improved, and interest charges on late payments were reduced by almost 75 percent in the first year and dropped
a further 10 percent the next year. The savings in the first year more
than paid for the audit costs, and the savings continued to be realized
in future years.
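The analysis behind Case Study 21's two tables, as an added example that is not the book's data or code: a constructed late-payment extract (offices, amounts, days overdue and interest are sample values) is summarized by office and by the same aging buckets the tables use, each group carrying the number of transactions, the interest amount, and both as a percentage of the total. Two further functions pick the top interest-paying offices for the on-site visit and measure how much of the interest comes from a small fraction of the invoices, the kind of concentration finding reported in the case study.

```python
"""Aging and concentration analysis of late-payment interest charges.
Added example with constructed data."""
import csv
import io
from collections import defaultdict

# Constructed extract: one row per invoice that incurred an interest charge.
LATE_INVOICES_CSV = """office,invoice_amount,days_overdue,interest
Dallas,1200.00,25,100.00
Dallas,3000.00,45,200.00
Dallas,250000.00,130,5000.00
Dallas,800.00,10,50.00
New York,4000.00,35,300.00
New York,9000.00,70,400.00
New York,500.00,5,25.00
Houston,12000.00,95,600.00
Boston,1000.00,15,75.00
Chicago,6000.00,20,250.00
"""

AGE_BUCKETS = ("0 to 29", "30 to 59", "60 to 89", "90 to 120", "over 120")


def load_invoices(text: str):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"office": row["office"],
                     "invoice_amount": float(row["invoice_amount"]),
                     "days_overdue": int(row["days_overdue"]),
                     "interest": float(row["interest"])})
    return rows


def age_bucket(days: int) -> str:
    """Map days overdue to the aging bands used in the tables above."""
    if days < 30:
        return AGE_BUCKETS[0]
    if days < 60:
        return AGE_BUCKETS[1]
    if days < 90:
        return AGE_BUCKETS[2]
    if days <= 120:
        return AGE_BUCKETS[3]
    return AGE_BUCKETS[4]


def summarize(invoices, key):
    """Group invoices by key(invoice) and return, per group, the number of
    transactions, the interest amount, and each as a percentage of the
    overall total: the Number/Percentage column pairs of the tables."""
    groups = defaultdict(lambda: {"number": 0, "amount": 0.0})
    for inv in invoices:
        g = groups[key(inv)]
        g["number"] += 1
        g["amount"] += inv["interest"]
    total_n = len(invoices)
    total_amt = sum(inv["interest"] for inv in invoices)
    return {k: {"number": g["number"],
                "number_pct": round(100 * g["number"] / total_n, 2),
                "amount": round(g["amount"], 2),
                "amount_pct": round(100 * g["amount"] / total_amt, 2)}
            for k, g in groups.items()}


def top_offices(invoices, n: int):
    """Offices ranked by interest paid, highest first, limited to n."""
    by_office = summarize(invoices, lambda inv: inv["office"])
    return sorted(by_office, key=lambda o: by_office[o]["amount"], reverse=True)[:n]


def top_invoice_share(invoices, fraction: float) -> float:
    """Share of total interest caused by the top `fraction` of invoices when
    ranked by interest charged (at least one invoice is always counted)."""
    ranked = sorted((inv["interest"] for inv in invoices), reverse=True)
    n = max(1, round(len(ranked) * fraction))
    return round(sum(ranked[:n]) / sum(ranked), 4)


if __name__ == "__main__":
    invoices = load_invoices(LATE_INVOICES_CSV)
    print("By office:")
    for office, s in summarize(invoices, lambda i: i["office"]).items():
        print(f"  {office:<10} {s['number']:>4} {s['number_pct']:>7.2f}% "
              f"{s['amount_pct']:>7.2f}% {s['amount']:>12,.2f}")
    print("By days aged:")
    by_age = summarize(invoices, lambda i: age_bucket(i["days_overdue"]))
    for band in AGE_BUCKETS:
        s = by_age.get(band, {"number": 0, "number_pct": 0.0, "amount": 0.0, "amount_pct": 0.0})
        print(f"  {band:<10} {s['number']:>4} {s['number_pct']:>7.2f}% "
              f"{s['amount_pct']:>7.2f}% {s['amount']:>12,.2f}")
    print("Top three offices:", top_offices(invoices, 3))
    print("Share of interest from top 10% of invoices:", top_invoice_share(invoices, 0.10))
```

Because `summarize` takes the grouping as a function, the same routine produces the per-office table, the aging table for one office (pass only that office's rows), or a breakdown by supplier or industry sector once those fields are in the extract, which is the reuse the text is pointing at when it says the analysis can be repeated "any time and anywhere".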
The use of the computer in Case Study 21 allowed the auditors to
perform most of the required analysis without even leaving the audit office.
The results of the analyses were used to select the sites for the on-site
work, thereby reducing travel costs and the time required to perform the
audit. Computer analyses were also responsible for isolating the systemic
problems related to processing invoices in the order of arrival (first in, first
out). Given the large number of invoice-processing offices and the number
of invoices processed at each office (more than 100,000 per office), the
audit could not have been performed as quickly, easily, or with the same
degree of accuracy, comprehensiveness, and success without the aid of
computer-based analysis.
The proper consideration of risk and materiality means that audit coverage is the intelligent assignment of audit resources, not simply an audit
of every operation every two years. Some areas may warrant a higher frequency, others a lower one. Automated early-warning systems and risk
analysis software can focus audit attention on the areas of greatest concern,
thus improving audit coverage.
Better Use of Auditor Resources
Increasingly, the knowledge and skill level of auditors is rising to keep
pace with the complex demands of comprehensive audits. Automation
will allow the auditor to spend more time on activities requiring the application of auditor judgment. By having the computer handle repetitive
tasks, the use of the more expensive auditor resources can be maximized. (Also, freeing auditors from routine tasks can increase job satisfaction.)
Case Study 22 shows how a manual task can be made easier through
the use of automation.
Case Study 22: Confirmation Letters
In previous years, the production of confirmation letters had taken more
than two weeks. Now, using audit software, the names and addresses
of all clients are extracted from the customer database directly to a
Word secondary merge file. The names and addresses are then merged
with a standard confirmation letter to automatically create individualized
confirmation letters.
Improved Results
Audit software enables the auditor to conduct a thorough analysis of all
transactions within shorter time frames. In minutes, volumes of data can
be sorted, matched, recalculated, and analyzed to identify the causes of
problems or errors. Log files maintained by modern audit software allow
results to be easily reviewed for accuracy. Scripts or macros can also be
created to make the analyses and tests replicable. And statistical sampling
can be performed, limiting the amount of audit testing while maintaining
valid, supportable results.
Using CAATTs during the conduct phase allows auditors to make better,
more critical, and informed decisions, while increasing their efficiency and
effectiveness.
Reporting Phase—Benefits
During the reporting phase, the use of automated tools can result in more
effective audit reports with fully developed statements of significance. Sample error rates can be extrapolated to the entire population; presentation
software can be used to prepare the results for final debriefing; graphics
software can be used to produce tables and charts, which can be included
in the final report; and word processing software can be used to produce
the final reports.
The end result is a report that is more accurate, complete, timely, and
easier to read and understand. This directly contributes to the overall acceptance of the audit findings and the image of the audit organization. Further,
methodologies, findings, and final reports can be captured in audit knowledge databases, providing auditors with access to the information. This can
improve the planning process for other audits and assist in the follow-up
audits.
Case Study 23: Findings Database
Audit management felt that they were contributing to the company’s
continued well-being by conducting timely and important audits.
However, they were having difficulty in managing and following up
on the results. To assist audit, they developed a findings database to
track management responses to significant recommendations. Audit can
now easily review the status of all management actions and institute
follow-up audits if required.
Follow-up audits can access the original audit’s findings, recommendations, and final report; the current status of management actions;
and the original audit program. Further, audit management also sends
quarterly reports to the audit committee and senior management outlining the number of findings and the status of the action plans. The
development of the findings database has improved the quality of the
audit function.
The reporting phase can be made less time-consuming and more informative and clear through the use of CAATTs. Future audits can benefit
from the knowledge gained by current audits, and audit can improve the
management of audit findings and recommendations.
Administration of the Audit Function—Benefits
Tools are available that permit more effective management of day-to-day
work, management of information on performance versus plans, and timely
reporting on the status of in-progress, planned, and completed audit work
(EDPAA [1990]). Tasks previously done manually are now supported electronically. Project management software, risk analysis and audit universe
tools, and groupware can reduce the time and effort required to manage an
audit or the entire audit function.
Automated time-tracking and billing systems can be used for invoice
purposes and to track the performance of the audit organization, audit
teams, and individual auditors. Even the review of audit working papers can
be made more efficient through the implementation of electronic working
papers, which manage documents, perform version control, and support
hypertext links.
CAATTs can also be used to support audit project leaders in managing
their audits. The consistency of an audit conducted simultaneously at several
locations by different sets of auditors can be a major concern for the project
leader. Further, the requirement to make changes to the audit program can
force the project leader to consider pilot audits, lengthening the planning
phase. The difficulty for the project leader to review ongoing results and
provide each team with advice and direction when required can be almost
insurmountable if attempted without CAATTs.
The use of technology can help overcome these concerns. Historical
data, initial extracts of critical information, the ability to query data files and
examine results, can all help the team leader establish appropriate lines of
inquiry. In some cases, questions may arise that were not identified during
the initial risk assessment. The project leader, armed with the results of
preliminary analyses, can safely proceed with the development of an audit
program, confident of the direction the audit will be taking. Sufficient analyses can be done during the planning phase to determine the population,
the sampling approach, and other key factors that will also impact on the
resources required to perform the audit.
Further, specific audit sites, sample transactions, and other relevant
information can be determined, saving time and money. The value of this
type of approach can be seen in Case Study 24.
Case Study 24: Audit Program Administration
As part of a countrywide, concurrent, multisite audit of branch operations, five audit teams were being sent to different sites. The audit
project leader wanted to ensure consistency across sites and maintain
control over the audit.
During the planning phase, the project leader performed an initial analysis of the data extracted from key business systems for each
branch. Based on the results of the analyses, the project leader developed a series of questions that, when answered by the auditors on-site,
would address the audit’s objectives. Visual Basic, an object-oriented
programming language, was used to develop an electronic questionnaire that led the auditors in the field through the steps in the audit program, skipping questions or even sections depending on the answers
to previous questions. For example, the series of questions related to
automated application controls would be automatically bypassed if the
answer related to “Type of operations—manual or automated?” was answered “manual.” The program produced a data file for each completed
questionnaire, including a unique identifier, a time and date stamp, the
initials of the auditor and branch location.
Because the results were to be collected and processed each night
by the project leader, a program was developed to assist the teams in
uploading their results to headquarters. Each night, the five on-site audit
team leaders connected their laptops to the corporate intranet and ran
the program. All of the day’s data files, updates made to any of the
previous day’s data files, and the working paper files were uploaded
and combined into a single database. This file was used to produce a
summary report that quickly showed the project leader the overall status
of the audit. The database was also used to provide details on the current
status of each audit team and to identify systemic weaknesses occurring
across all sites. This helped keep all teams informed of the preliminary
results. The project leader also reviewed the uploaded working paper
files and electronically sent each team additional instructions as required.
Case Study 24 is an example of a simple expert system that can be used
to support the management of the audit. The automated audit program reduced the workload of auditors by guiding them, step-by-step through the
audit program in a logical and controlled fashion and by automatically producing the required data files. The program also helped the project leader
to ensure consistency across the five audit teams and in the coordination
and analysis of the final results. The use of an intranet and FTP software
facilitated the transfer of the data, allowing the project leader to review all
data files and working papers and to easily monitor the progress and quality
of the work of all the teams.
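The branching questionnaire of Case Study 24, as an added example in Python rather than the Visual Basic program the case study describes (this is not the book's code; the question wording, section names and skip rules are assumptions). Each question carries an optional skip condition over the answers given so far, so the automated-application-controls section is bypassed when "Type of operations" is answered "manual", and each completed run yields a data record with a unique identifier, a time and date stamp, the auditor's initials and the branch, as the case study specifies.

```python
"""Audit program questionnaire with skip logic and a per-run data record.
Added example; the program content is constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional
import uuid


@dataclass
class Question:
    qid: str
    text: str
    section: str
    # Predicate over the answers collected so far; True means "skip this".
    skip_if: Optional[Callable[[dict], bool]] = None


def _manual(answers: dict) -> bool:
    return answers.get("ops_type") == "manual"


# Constructed audit program (hypothetical questions and sections).
AUDIT_PROGRAM = [
    Question("ops_type", "Type of operations - manual or automated?", "General"),
    Question("staff_count", "Number of staff at the branch?", "General"),
    Question("app_access", "Is access to the application restricted by user ID?",
             "Automated application controls", skip_if=_manual),
    Question("app_logs", "Are application audit logs reviewed weekly?",
             "Automated application controls", skip_if=_manual),
    Question("cash_count", "Was the cash count reconciled to the ledger?",
             "Cash handling"),
]


def run_questionnaire(program, answer_source, auditor_initials: str, branch: str):
    """Walk the program in order, skipping any question whose skip_if is
    satisfied by earlier answers, and return the completed data record."""
    answers = {}
    asked = []
    for q in program:
        if q.skip_if is not None and q.skip_if(answers):
            continue
        asked.append(q.qid)
        answers[q.qid] = answer_source(q)
    return {
        "record_id": str(uuid.uuid4()),                        # unique identifier
        "timestamp": datetime.now().isoformat(timespec="seconds"),
        "auditor": auditor_initials,
        "branch": branch,
        "asked": asked,
        "answers": answers,
    }


def scripted_answers(script: dict):
    """Answer source for offline runs and tests: look each question up by id.
    In the field this would be replaced by a prompt to the auditor."""
    return lambda q: script[q.qid]


def sections_covered(program, record) -> list:
    """Sections that had at least one question asked in this run."""
    asked = set(record["asked"])
    return sorted({q.section for q in program if q.qid in asked})


if __name__ == "__main__":
    rec = run_questionnaire(
        AUDIT_PROGRAM,
        scripted_answers({"ops_type": "manual", "staff_count": "12", "cash_count": "yes"}),
        auditor_initials="DC", branch="Ottawa")
    print(rec)
    print("sections covered:", sections_covered(AUDIT_PROGRAM, rec))
```

Collecting the nightly uploads then reduces to concatenating these records and grouping on `branch` or on individual answers, which is how the project leader's summary report and the cross-site weakness check in the case study can be produced from one database.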
Reduced Costs
Ultralight portable computers with Internet/intranet capabilities and printers
can increase the effectiveness and efficiency of the field audit activity. Auditors can carry the required audit software and hardware to field offices. By
obtaining field data prior to leaving headquarters, the audit team can conduct a preliminary analysis of the field operations. Auditors can even select a
statistical or directed sample before leaving the office and send a request to
the field office to pull the required transactions. As a result, more field time
can be spent conducting analyses of the transactions rather than selecting
and pulling samples. In the event that additional information is needed from
headquarters, auditors can download the data from headquarters directly to
their portable computers.
Case Study 25: On-the-Road Auditing
Headquarters’ auditors performed many audits at the local or branch
offices. Audit senior management wanted to take advantage of computerized tools and techniques to improve the efficiency and effectiveness
of these audits.
A few years ago, the first attempts at automating the audit function focused on the analysis of the local offices’ data at headquarters
during the preliminary phase of the audit. To the maximum extent possible, data for a particular office was extracted from the central mainframe, downloaded to the microcomputer, and analyzed by the auditors
prior to leaving headquarters. Using this data, summary reports, detailed analyses, and the sample selection transactions were performed
at headquarters. These initial attempts at automating the audit function
achieved significant improvements in the efficiency and effectiveness of
the audit assignments.
Today, auditors working at remote offices are equipped with laptop computers. These laptops are loaded with software for automated
working paper generation, data analysis, telecommunication, flowcharting, and accessing the Internet. The auditors have all the necessary tools
and the data files from the preliminary analysis to perform any additional
analysis and to keep in touch with headquarters. FTP software is used
to transfer data files between headquarters and the local office, to send
the working papers back to headquarters for supervisory review, and to
access reference materials in remote databases. The project leader can
easily review the working papers—daily, if necessary—and is able to
provide additional instructions to the audit team, again electronically via
a modem. This is extremely useful when dealing with more than one
audit team conducting concurrent audits at different sites.
The main benefits from the on-site use of laptops include the improved
efficiency and effectiveness of the audit through the on-site analysis of data,
access to remote libraries and databases, the receipt of timely instructions
from the project leader, a reduction in the length of the disruption to the
client, and a reduction in the hotel and meal allowance costs as a result of
performing the preliminary analyses at headquarters.
Increased Performance
Computers can do many tasks better, faster, and easier than a person can
perform manually. Sorting, searching, performing repetitive calculations,
aging, and so forth are ideally suited to automated tools. For an inventory
audit, the average turnover was calculated for thousands of items of stock.
Calculating the inventory turnover rate for all items in a warehouse could
involve weeks of auditor time and effort, but only minutes of computer
time. Several hundred items proved to have a very long turnaround time
and were discovered to be of no use. By identifying these obsolete items,
the audit reduced the overall inventory storage costs. In addition, once
standard routines have been developed, they can be reused at minimal cost
and with significant savings in time.
Case Study 26: Environmental Audit
The company was concerned with the potential damage to the environment caused by the disposal of environmentally hazardous materials. One of the audit’s objectives was to review the controls
over the procurement, distribution, storage, and disposal of hazardous
materials.
During the planning phase of the audit, data was obtained from
the inventory system, which contained information on all items held at
every warehouse across the country. To identify the audit population,
all transactions related to the purchase, transfer, storage, and disposal of
hazardous materials were extracted from the system and several reports
were produced.
The first report identified the quantities and type of dangerous goods
stored at each warehouse. The second calculated the difference between
current stock levels and maximum levels to highlight items that were
candidates for disposal because they had stock levels higher than the
maximum. And the third identified the top five sites that had disposed
of hazardous materials in the past year, potentially creating an environmental problem.
The results of these initial analyses were used to select sites for the
on-site phase of the audit and, based on the types of goods held at
each location, to determine applicable government regulations. Using
the Internet, the audit team accessed and downloaded all applicable
storage and handling information from a site containing government
environmental regulations.
The auditors were able to identify the high-risk/high-materiality sites
and generated transaction lists for the on-site manual review. The computer analysis was also used to identify sites where no hazardous materials were stored. These sites were removed from the list of sites to
be visited, avoiding needless travel time and costs. By obtaining the appropriate environmental regulations in advance of visiting the sites, the
auditors were also better prepared to review the management of hazardous materials. As a result of the audit, local management was able
to minimize the risks associated with hazardous materials and prevent
further environmental problems.
Increased Time for Critical Thinking
Saving time for thinking is probably the greatest benefit of CAATTs (Will and
Brodie [1991]). An auditor’s greatest asset is the ability to review information
critically, determine cause and effect, and arrive at objective recommendations, which can be implemented and will address the problems at hand,
not simply the symptoms. Then audit recommendations can address restructuring the organization or any of its systems.
If auditors are bogged down with manual and nonproductive tasks,
such as manual completion of timesheet data for each 15 minutes spent
on a project, manual review of paper-based working papers, using adding
machines to calculate trial balances, and so on, they will have little time
left to reflect on the information and arrive at the significant issues. The
use of information technology can free auditors from these routine tasks,
maximizing the time they can spend on thinking.
Case Study 27: Paper File Review
A possible incident involving fraud was brought to the attention of the
audit manager. Allegations about kickbacks had surfaced and needed
to be examined carefully. All paper files related to several large-dollar
contracts were seized, and the audit team was attempting to reconstruct
events that occurred over a period of several years, by examining paper
files, letters, and other correspondence. The auditors had access to two
file cabinets containing all the key hard-copy documentation, but were
experiencing problems coping with the sheer volume of paper information. Every time they needed an answer to a question, they had to
search through mounds of paper. In the process of considering their
problem, they realized that the computer could be used to simplify the
file review process.
The auditors spent the next week entering key information about each piece of correspondence into a text file: file
number, date, to, from, title, and keywords describing the context of the
correspondence. When they were finished entering the data, the auditors
were in a position to review all correspondence from various perspectives. Using the computer, they sorted the information into chronological
order, identifying the logical flow of correspondence related to specific
topics, by subject. They also identified all correspondence to or from
specific individuals, as well as all correspondence between any two
individuals. Further, they identified all correspondence that referenced
specific keywords, for example:
Correspondence Sent by “Jones”

Originator   Recipient   Date         Description
Jones        Black       03/01/2004   Polaris Expenditures
Jones        Smith       03/02/2004   Reply to Stroby Incident
Jones        Smith       04/13/2004   Reply to Stroby Incident

Correspondence Related to “Polaris”

Originator   Recipient   Date         Description
Coderre      Black       04/17/2004   Polaris Exp and Time Table
Black        Williams    03/03/2004   Polaris Expenditures
Black        Jones       03/03/2004   Polaris Expenditures
Jones        Black       03/12/2004   Polaris Expenditures
Williams     Black       04/21/2004   Polaris Expenditures
Black        Coderre     04/16/2004   Time Table—Polaris
The ability to search and sort volumes of data on multiple values
(date, subject, to, from, etc.) was greatly enhanced through the use of
the computer. Now, questions could be answered quickly and with
assurance that all relevant files had been considered. Answers to a
wide variety of questions could easily be determined without having
to manually search through all the files over and over again. Detailed
information related to a specific question was easily extracted from
the manual file when required, using the file number as a reference.
The days spent performing the data capture were more than recouped
through the enhanced ability to analyze the information electronically.
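As an added illustration (not part of the original case study), the Python script below builds the kind of correspondence index the auditors keyed in and answers the questions described above: chronological order, everything sent by one person, everything exchanged between two people, and everything referencing a keyword. The records are constructed from the names, dates, and titles in the two reports above; the file numbers and keyword tags are assumptions.

```python
from collections import namedtuple
from datetime import datetime

# One index record per piece of correspondence, as the auditors keyed it in.
Record = namedtuple("Record", "file_no date originator recipient description keywords")


def make_record(file_no, date, originator, recipient, description, *keywords):
    """Build a record; dates are keyed as MM/DD/YYYY, keyword tags stored lower-case."""
    return Record(file_no, datetime.strptime(date, "%m/%d/%Y").date(),
                  originator, recipient, description,
                  frozenset(k.lower() for k in keywords))


# Constructed sample index. Names, dates and titles follow the two example
# reports; the file numbers (F-1xx) and keyword tags are assumptions.
INDEX = [
    make_record("F-101", "03/01/2004", "Jones", "Black", "Polaris Expenditures", "Polaris", "expenditures"),
    make_record("F-102", "03/02/2004", "Jones", "Smith", "Reply to Stroby Incident", "Stroby"),
    make_record("F-103", "03/03/2004", "Black", "Williams", "Polaris Expenditures", "Polaris", "expenditures"),
    make_record("F-104", "03/03/2004", "Black", "Jones", "Polaris Expenditures", "Polaris", "expenditures"),
    make_record("F-105", "03/12/2004", "Jones", "Black", "Polaris Expenditures", "Polaris", "expenditures"),
    make_record("F-106", "04/13/2004", "Jones", "Smith", "Reply to Stroby Incident", "Stroby"),
    make_record("F-107", "04/16/2004", "Black", "Coderre", "Time Table - Polaris", "Polaris", "schedule"),
    make_record("F-108", "04/17/2004", "Coderre", "Black", "Polaris Exp and Time Table", "Polaris", "expenditures", "schedule"),
    make_record("F-109", "04/21/2004", "Williams", "Black", "Polaris Expenditures", "Polaris", "expenditures"),
]


def chronological(records):
    """Sort by date, then file number, so the flow of a topic can be followed."""
    return sorted(records, key=lambda r: (r.date, r.file_no))


def sent_by(records, person):
    """All correspondence originated by one person."""
    return chronological(r for r in records if r.originator == person)


def between(records, a, b):
    """All correspondence exchanged between two people, in either direction."""
    pair = {a, b}
    return chronological(r for r in records if {r.originator, r.recipient} == pair)


def mentioning(records, term):
    """Records whose keyword tags or title contain the term, case-insensitively."""
    t = term.lower()
    return chronological(r for r in records
                         if t in r.keywords or t in r.description.lower())


def in_period(records, start, end):
    """Records dated within [start, end] inclusive; dates given as MM/DD/YYYY."""
    lo = datetime.strptime(start, "%m/%d/%Y").date()
    hi = datetime.strptime(end, "%m/%d/%Y").date()
    return chronological(r for r in records if lo <= r.date <= hi)


def report(title, records):
    """Render a report like the ones in the text; the file number points back to the paper file."""
    fmt = "%-6s %-10s %-9s %-9s %s"
    lines = [title, fmt % ("File", "Date", "From", "To", "Description")]
    for r in records:
        lines.append(fmt % (r.file_no, r.date.strftime("%m/%d/%Y"),
                            r.originator, r.recipient, r.description))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report('Correspondence Sent by "Jones"', sent_by(INDEX, "Jones")))
    print()
    print(report('Correspondence Related to "Polaris"', mentioning(INDEX, "Polaris")))
    print()
    print(report("Correspondence between Black and Jones", between(INDEX, "Black", "Jones")))
```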
CAATTs can be used to perform routine functions or activities that are
better suited to computers, allowing the auditors to exercise audit judgment.
The use of automated tools and techniques in audit can result in many
benefits:
   - Increased audit quality
   - Identification of materiality, risk, and significance
   - Increased efficiency and effectiveness throughout the audit process
   - Better audit planning and management of audit resources
The credibility of the audit function can be enhanced through improvements in the ability to access, analyze, and use data effectively. The integrity
of audit results can also be made more reliable by using computers to assess the full impact and significance of findings. Finally, the ability of the
auditors to conduct audits in today’s electronic environment will improve
dramatically. As a result, the audit division will be made more appealing,
making it easier to attract and retain qualified audit staff.
Recognizing Opportunities
The following outlines the basic steps that should be followed in determining how automated techniques can be applied to an audit. Naturally, these steps only present a starting point for a critical examination
of the information. A similar approach can be used to identify opportunities for improvements in the exercise and administration of the audit
function.
1. Identify the goals and objectives of the audit. This step is no different
than what would be done for any audit, whether the computer is used
or not. The main difference is to avoid being constrained by old modes
of thinking. Identify what needs to be accomplished, not how this will
be done. The how can be determined at a later stage.
2. Identify what information will be required to address the objectives and
determine the possible sources of the information. Try to find automated
sources of information. Start by assuming that the information exists in
electronic format, and where possible:
   - Identify the owner of the information
   - Determine the possible sources and who is responsible for them
   - Obtain all necessary documentation
3. Obtain access to the information, in electronic format. This can be done
in several ways, such as:
   - Obtain physical and logical access to the client system and sign on
     as a user
   - Obtain access to the actual application files and extract and prepare
     the data for use with the audit software
   - Obtain copies of reports—where there is a printed report, there is
     likely an electronic system that generates the report. If possible, obtain
     electronic copies of these reports.
   - Electronically capture screen images and use the information with
     your audit software
4. Verify and develop a good understanding of the data. This requires that
the auditor:
   - Develop an understanding of the key data fields and data elements
   - Ascertain the timeliness of the data—determine if the information is
     current and how often it is updated
   - Determine if the information is complete and accurate
   - Verify the integrity of the data by performing various tests such as
     reasonability, edit checks, comparison with other sources, previous
     audit reports, etc.
   - Check control totals (number of records, totals of key fields) and
     dates
   - Obtain management agreement that this data can be used to address
     the audit objectives
5. Develop an understanding of an application. Whether you are auditing an application or simply using the data from the application as
part of an audit of an operational area, you must develop a certain
level of understanding of the application and the business it supports.
This may be time-consuming, but if the application is going to be
used to support other audits, the benefits are well worth the effort.
A basic understanding can be obtained from the existing documentation by:
   - Reviewing general system description documentation such as
     user and programmer manuals, system flowcharts, copies of input
     documents, sample output reports, and descriptions of the controls
   - Interviewing system users and programmers
   - Reviewing standard reports and exception reports
At times, a more in-depth knowledge of the system is required to support an audit’s objectives. This can be accomplished by:
   - Analyzing detailed system flowcharts and/or a narrative of the data
     flows
   - Examining copies of all input and output documents
   - Studying record layouts for all data files with detailed field descriptions
     and explanations of possible values for each field
   - Performing transaction counts and exception and summary reports
6. Develop an analysis plan. This analysis plan will outline the:
   - Reason for conducting the analysis, including a statement of anticipated results (Why?)
   - Specific audit objective to be addressed by the analysis (What?)
   - Sources of the data to be used for the analysis (Where?)
   - Types of analysis that will be performed by the audit team (How?)
The analysis plan should be reviewed and agreed to by the team
leader and approved by the audit manager. All potential problems, such
as access to data, should be identified and potential solutions evaluated.
The analysis plan serves as a guide and provides a framework for the
audit team. It is not meant to constrain audit judgment. As the analysis
progresses, the audit team may take unforeseen avenues. Therefore, the
analysis plan should be considered as a living plan that is adjusted when
appropriate to audit opportunities in general and the use of CAATTs in
particular.
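The data-verification work in step 4 can be scripted so that every extract received from a client system gets the same checks before the analysis plan is executed against it. The Python example below is added here (it is not from the book) and runs against a constructed inventory-transaction extract and a constructed set of owner-reported control totals; it reconciles record count and key-field totals to the owner's figures and applies edit and reasonability checks for duplicates, invalid dates, dates outside the audit period, and negative quantities.

```python
import csv
import io
from collections import Counter
from datetime import date, datetime
from decimal import Decimal

# Constructed sample extract (not data from the text): inventory transactions
# pulled from a client system for an audit period of calendar year 2008.
# It deliberately contains an impossible date, a duplicated record and a
# post-period issue with a negative quantity.
EXTRACT_CSV = """txn_id,item_no,warehouse,txn_date,txn_type,quantity,value
T0001,10-443,WH01,2008-01-05,ISSUE,12,240.00
T0002,10-443,WH01,2008-01-19,RECEIPT,100,2000.00
T0003,22-017,WH02,2008-02-02,ISSUE,3,45.75
T0004,22-017,WH02,2008-02-30,ISSUE,3,45.75
T0005,31-900,WH03,2008-03-14,DISPOSAL,-40,0.00
T0005,31-900,WH03,2008-03-14,DISPOSAL,-40,0.00
T0006,10-443,WH01,2009-06-01,ISSUE,-5,100.00
"""

# Control totals the system owner reported for the same extract (constructed).
REPORTED = {"record_count": 6, "quantity_total": Decimal("73"),
            "value_total": Decimal("2431.50")}

VALID_TYPES = {"RECEIPT", "ISSUE", "TRANSFER", "DISPOSAL"}
PERIOD = (date(2008, 1, 1), date(2008, 12, 31))


def load_extract(text):
    """Parse the CSV; an unparseable date is kept as None so it can be reported."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            row["txn_date"] = datetime.strptime(row["txn_date"], "%Y-%m-%d").date()
        except ValueError:
            row["txn_date"] = None
        row["quantity"] = Decimal(row["quantity"])
        row["value"] = Decimal(row["value"])
        rows.append(row)
    return rows


def control_totals(rows):
    """Record count, totals of the key fields, and the date span actually present."""
    dates = [r["txn_date"] for r in rows if r["txn_date"] is not None]
    return {"record_count": len(rows),
            "quantity_total": sum(r["quantity"] for r in rows),
            "value_total": sum(r["value"] for r in rows),
            "min_date": min(dates) if dates else None,
            "max_date": max(dates) if dates else None}


def compare_totals(computed, reported):
    """Fields where what was received differs from what the owner says was sent."""
    return {k: (computed[k], v) for k, v in reported.items() if computed[k] != v}


def edit_checks(rows, period=PERIOD):
    """Edit and reasonability checks; returns (txn_id, problem) pairs in file order."""
    issues = []
    dupes = {k for k, n in Counter(r["txn_id"] for r in rows).items() if n > 1}
    for r in rows:
        if r["txn_id"] in dupes:
            issues.append((r["txn_id"], "duplicate transaction id"))
        if r["txn_date"] is None:
            issues.append((r["txn_id"], "invalid date"))
        elif not period[0] <= r["txn_date"] <= period[1]:
            issues.append((r["txn_id"], "date outside audit period"))
        if r["txn_type"] not in VALID_TYPES:
            issues.append((r["txn_id"], "unknown transaction type"))
        if r["quantity"] < 0 and r["txn_type"] != "DISPOSAL":
            issues.append((r["txn_id"], "negative quantity"))
        if r["value"] < 0:
            issues.append((r["txn_id"], "negative value"))
    return issues


def verify_extract(text=EXTRACT_CSV, reported=REPORTED, period=PERIOD):
    """Step 4 in one call: totals, reconciliation to the owner's figures, edit checks."""
    rows = load_extract(text)
    computed = control_totals(rows)
    diffs = compare_totals(computed, reported)
    issues = edit_checks(rows, period)
    return {"totals": computed, "differences": diffs, "issues": issues,
            "fit_for_use": not diffs and not issues}


if __name__ == "__main__":
    result = verify_extract()
    for k, v in result["totals"].items():
        print("%-15s %s" % (k, v))
    for k, (got, owner) in result["differences"].items():
        print("MISMATCH %s: extract %s, owner reported %s" % (k, got, owner))
    for txn_id, problem in result["issues"]:
        print("ISSUE %s: %s" % (txn_id, problem))
    print("fit for use:", result["fit_for_use"])
```

Note that the value total reconciles even though the record count does not, because the duplicated disposal carries a zero value: a single control total is not enough on its own.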
Transfer of Audit Technology
Once the audit organization has embraced the use of automated tools and
techniques, it will be better positioned to have a major impact on the
operations of the organization. This can include the provision of tools and
techniques to the clients.
Traditionally, whether to ensure independence or for other reasons,
many audit organizations have attempted to maintain their distance from
the client. More recently, audit sees the client as more of a potential beneficiary of audit’s services. Audit reports are becoming much less compliance oriented and are focusing on ways to help the clients improve
the overall operations. In some cases, this has meant reducing unnecessary controls. Auditors are trying to keep pace with the organization as a
whole and are interested in assisting clients in improving their efficiency
and effectiveness. This can take many forms, from the development of self-assessment tools to the transfer of knowledge and audit-developed tools and
techniques.
With more internal audit groups using the computer as an audit tool,
the opportunities to transfer the knowledge gained by the audit teams to
the client have increased. Often, due to operational constraints or other
factors, the client does not have the time or resources required to develop
new or improved management systems. Also, the unique role played by
internal audit allows it to cut across traditional boundaries or organizational lines, obtaining different perspectives on issues. In some cases, the
audit team may have a more pressing requirement for specific data than
the client, forcing the team to gather or develop new sources of information. Regardless of the reasons, the audit team may obtain information that
is not only useful for the audit, but also relevant to the client’s ongoing
operations.
In addition to the audit report, the transfer of the knowledge and data to
the client should be considered as an audit product. For example, one audit
team performing an audit of a computer application built a test deck to test
various edit functions of the system. The test deck successfully identified
several flaws in one of the main program modules of the client application and led to the identification of weaknesses in several controls over
the completeness of the data. After the audit, the auditor’s test deck was
provided to the client and is still being run to test all modifications to the
application. In another case, a new tracking system had just been developed
for a high-profile project. Because the auditors required data from previous
years, they collected information from a variety of manual sources, creating
three years’ worth of historical data. At the end of the audit, the historical
data was provided to the client, who used it as part of a regression analysis
to project future costs. In still another example, the auditor’s combination
of three separate databases provided management with a unique view of
the operations and was considered so important by the client that a new
relational database structure was developed to capture similar information
on an ongoing basis.
In each of these examples, the auditors used the automated tools and
techniques primarily to address their own objectives. However, the information they collected or the analyses they built were also provided to the client
at the completion of the audit. The transfer of this type of information is
often of immediate value to the client. Future audits can benefit from these
new systems or reports by reducing the audit time in the years to come.
Audit organizations that have embraced the use of CAATTs should ensure that they have installed processes to transfer the knowledge gained
during the audit to the client. The transfer of the audit-developed tools and
techniques should be seen as one of the products of the audit. In some audit
organizations, the process of audit technology transfer has been formalized
and is incorporated as one of the steps in the audit process, requiring audit
teams to plan for and track instances of technology transfer.
Summary and Conclusions
The productivity improvements that can be realized through the development and use of CAATTs will only succeed if the required management and
auditor commitment exists. This will likely require a different mindset in
order to break old paradigms and modes of thinking. Further, a mixture of
IS and audit expertise is highly desirable in establishing effective CAATTs
and creatively determining how the computer can be used to accomplish
audit objectives. Also, as is the case whenever something new is being introduced, communication will be a key to success. Communication between
the auditors and the IS support section and between management and the
support section are particularly important.
Auditors cannot be expected to obtain maximum benefits from CAATTs
unless they have received sufficient IS training. Auditors must be comfortable with the technology. Finally, even if several persons are devoted to
the task of implementing the automated tools and techniques, the process
is still fairly time- and effort-intensive. Gaining an understanding of what is
required, how to deliver it, and bringing everyone up to speed will not be
accomplished overnight.
For many audit organizations currently using CAATTs, there is still more
work to be done. The integration of computers into the audit process, from
project initiation to the final reporting stage, is an evolutionary process—not
merely a single step of purchasing hardware and software. There will be a
requirement to change the way audits are conducted and even the types of
audits performed. However, the adoption of automation will enable audit
organizations to make more efficient use of all available sources of data,
allowing them to plan, conduct, report, and monitor audits more effectively.
After all, economy, efficiency, and effectiveness (the three Es) apply to audit
organizations as well as to their clients.
CHAPTER 4
CAATTs for Broader-Scoped Audits
In Chapter 3, case studies of the possible use of CAATTs in support of
various types of audits were presented. The examples went beyond the
typical financial audit examples to encourage all auditors to think about new
uses for technology. This chapter takes the auditor into the nontraditional
use of CAATTs by presenting additional case studies. The hope is to push
the envelope even further and show the reader some new ways CAATTs
can be used in audits with a wider scope.
In the first section, Case Study 28 shows how CAATTs can be used to
support all phases of the audit process, from planning to reporting. While
for some organizations this information may not be new, others may still be
limiting their use of CAATTs to the conduct phase. This example encourages
auditors to rethink their old audit methods and approaches.
The second section discusses the issue of value-for-money auditing. The
use of CAATTs under these circumstances is presented in Case Study 29.
This example shows how a standard inventory audit can be transformed
into a value-for-money inventory audit. It includes an illustration of how
audit software can be used to identify obsolete inventory items, saving the
company storage costs and generating additional revenues.
The third section presents audit involvement in assessing corporate
reengineering activities, such as downsizing. The case studies 30 to 32 show
how audit can use CAATTs to contribute to the success of these corporate
initiatives.
Finally, the topic of benchmarking is discussed, with a comparison of
benchmarking and audit. Case Study 33 highlights the differences between
audit and benchmarking.
Integrated Use of CAATTs
As CAATT software is developed and introduced to auditors, more integration of the software into the audit process is required. This integration
involves the use of CAATTs throughout the audit process, from planning to
reporting and even to the administration of the audit function.
In isolation, the use of CAATTs can be effective in reducing the manual tasks associated with specific aspects of the audit. However, a more
integrated approach to the use of CAATTs will help maximize their potential benefits. Previous examples in Chapter 3 described ways in which
automated tools and techniques supported internal audit projects, making
them more efficient and effective through the use of microcomputer-based
CAATTs. For the most part, however, the use of CAATTs in Chapter 3 focused on the data analysis requirements of the audits.
Case Study 28 shows how a number of different types of audit software
were employed to support an audit. The techniques used on this audit
included text search, simple cut-and-paste operations, statistical and directed
sampling, and the use of telecommunications and other software. The intent
is to show how audit teams can pull it all together and make even better
use of all the general-purpose and audit-specific software at their disposal,
not just data analysis software. This example illustrates how a variety of
CAATTs can be used throughout the audit process, improving the efficiency
and effectiveness of the audit. The aim is to encourage auditors to adopt an
integrated approach to the use of technology in support of the entire audit
process.
Case Study 28: Management of Commissions
and Bonuses
The audit department was asked by senior management to review the
compensation system for sales staff—in particular, the payment of commissions and bonuses.
During the planning phase, the audit team used text search software to review prior audit reports and programs to determine if issues
related to the management of commissions and bonuses had been dealt
with in any previous audit assignments. The team also used the Internet to search for and retrieve copies of relevant audit programs used
by auditors from other companies. Several sites containing free audit
programs were visited in addition to a general Google search. The team
electronically cut-and-pasted selected portions of these audit programs
into the audit program they were developing for the audit.
Next, they electronically reviewed corporate personnel policies on
the corporate intranet to develop an understanding of the rules and
regulations pertaining to the approval of, and compensation rates for,
various bonuses and commissions. Relevant sections of these policies
were cut-and-pasted into the background working papers of the audit,
including the sections on commission schedules and preconditions for
bonuses. The audit team also used flowcharting software to record the
approval process and the controls over payments.
Still in the planning phase, the audit team extracted data from
the compensation system in order to determine the commission and
bonus payment patterns of the corporation. Reviewing the total of these
payments for the past five years, by region, allowed the auditors to identify trends by bonus type and month, and to determine which regions
had the largest total payments of commissions and bonuses.
The team also used detailed transactions from the compensation system to select a statistical sample of transactions related to commissions
and bonuses for the on-site review. A dollar unit sampling methodology
was employed to select a sample of payments, which were downloaded
to a microcomputer.
Finally, several analyses were performed on the detailed transactions to identify a judgmental (directed) sample for further review. In
particular, using criteria established by the audit team and senior management, one analysis identified all employees, by geographic area, who
had received commissions or bonuses amounting to 20 percent or more
of their regular salary figures.
Sales Staff with Commissions and Bonuses ≥ 20% of Salary

Name       Area     Bonus       Salary      Percentage
Jones      North     7,115.50   35,000.00   20.00
Black      East      7,341.00   35,000.00   21.00
Smith      West     10,445.25   35,000.00   30.00
Williams   East     12,572.34   41,000.00   31.00
Cantel     North    13,927.01   35,000.00   44.00
Coderre    West     15,279.01   35,000.00   44.00
Bobins     South    13,854.27   25,000.00   55.00
Total               80,534.37
Next, the auditors performed an analysis to identify all branches
with significant increases over last year’s budgets for commissions and
bonuses. Totals by branch, by sales area, and other criteria were produced and reviewed. The results of these analyses were used to select
more transactions for the directed sample.
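The two selection analyses just described (commissions and bonuses at or above 20 percent of salary, and branches with significant budget increases) are worked through in the Python example below, added here and not part of the case study. All names, salaries, payments and budgets are constructed; the 25 percent budget-increase cut-off is an assumption, since the text does not state one.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample (not the figures from the table in the text): one row per
# sales employee with the year's commissions and bonuses against regular salary.
EMPLOYEES = [
    # name, area, branch, salary, commissions_and_bonuses
    ("Adams",  "North", "N-01", Decimal("35000.00"), Decimal("6900.00")),   # 19.71%, below the cut-off
    ("Baker",  "North", "N-01", Decimal("35000.00"), Decimal("7000.00")),   # exactly 20%: selected
    ("Chen",   "East",  "E-02", Decimal("41000.00"), Decimal("12572.34")),
    ("Diaz",   "West",  "W-03", Decimal("35000.00"), Decimal("3500.00")),
    ("Evans",  "South", "S-04", Decimal("25000.00"), Decimal("13854.27")),
    ("Foster", "West",  "W-03", Decimal("0.00"),     Decimal("500.00")),    # no salary on file
]

# Constructed branch budgets for commissions and bonuses: (last year, this year).
BRANCH_BUDGETS = {
    "N-01": (Decimal("20000"), Decimal("21000")),
    "E-02": (Decimal("15000"), Decimal("24000")),
    "W-03": (Decimal("18000"), Decimal("18000")),
    "S-04": (Decimal("0"), Decimal("30000")),   # branch opened this year
}

CENT = Decimal("0.01")


def percent_of_salary(salary, bonus):
    """Commissions and bonuses as a percentage of salary; None when salary is missing or zero."""
    if salary <= 0:
        return None
    return (bonus / salary * 100).quantize(CENT, rounding=ROUND_HALF_UP)


def directed_sample(employees, threshold=Decimal("20")):
    """Select employees whose commissions and bonuses are >= threshold percent of salary.

    Returns (selected, unrated). Selected rows are (area, name, branch, salary,
    bonus, percent), grouped by area with the largest ratios first. Unrated rows
    have no usable salary and are listed for manual follow-up rather than dropped.
    """
    selected, unrated = [], []
    for name, area, branch, salary, bonus in employees:
        pct = percent_of_salary(salary, bonus)
        if pct is None:
            unrated.append((name, area, branch))
        elif bonus * 100 >= threshold * salary:   # compare unrounded amounts
            selected.append((area, name, branch, salary, bonus, pct))
    selected.sort(key=lambda row: (row[0], -row[5]))
    return selected, unrated


def totals_by(employees, field):
    """Total commissions and bonuses by 'area' or 'branch'."""
    index = {"area": 1, "branch": 2}[field]
    totals = defaultdict(Decimal)
    for row in employees:
        totals[row[index]] += row[4]
    return dict(totals)


def branch_increases(budgets, min_increase=Decimal("25")):
    """Branches whose budget rose by >= min_increase percent over last year.

    A branch with no budget last year cannot be compared and is flagged as 'new'.
    """
    flagged = {}
    for branch, (last, this) in budgets.items():
        if last <= 0:
            flagged[branch] = "new"
            continue
        growth = ((this - last) / last * 100).quantize(CENT, rounding=ROUND_HALF_UP)
        if growth >= min_increase:
            flagged[branch] = growth
    return flagged


if __name__ == "__main__":
    selected, unrated = directed_sample(EMPLOYEES)
    print("Sales Staff with Commissions and Bonuses >= 20% of Salary")
    for area, name, branch, salary, bonus, pct in selected:
        print("%-8s %-6s %-5s %10s %10s %6s" % (name, area, branch, bonus, salary, pct))
    print("Total %s" % sum(row[4] for row in selected))
    print("No salary on file, review manually:", unrated)
    print("Totals by area:", totals_by(EMPLOYEES, "area"))
    print("Branches with significant budget increases:", branch_increases(BRANCH_BUDGETS))
```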
For all employees selected in either the statistical or judgmental
sample, basic tombstone data was extracted from the personnel system,
including job title, job classification, work location, supervisor, and basic
rate of pay. The compensation system was also used to determine the total commissions and bonuses paid to each employee in the two samples,
by year, and for the past three years. The sales system was used to identify the annual sales volume for these employees for the past three years.
As a result of using CAATTs to extract and analyze data from various
systems, the audit team had a complete picture of each employee in the
two samples before the audit team had even left the office. The use of
technology during the planning phase also helped them to develop an
audit program quickly, review pertinent corporate policies, and select
statistical and judgmental samples for further review.
The corporation had several plants and branch offices located across
the country. Since the conduct phase of the audit called for on-site file
reviews, the audit team was split into four teams: three would travel to
the remote offices and one would conduct a review of headquarters’
payments and coordinate the aggregation of the results.
To help ensure consistency across audit teams and to guide the
auditors through the complex audit program and criteria related to
the payment of commissions and bonuses, an electronic audit program
was developed using Visual Basic. Tombstone information for each employee selected in the statistical and judgmental samples, such as yearly
salary, total commission, total bonuses, position title, supervisor, and
branch, was read into the electronic audit program. A single computer
screen presented the information to the auditors for easy review. The
audit program also led the auditors through a series of questions and
branched to different sections of the audit program according to the
auditor-supplied answers. For example, the audit program branched to
different sections based on the answer to the question “Is the employee
directly involved in direct sales activities?” Additional information was
provided to the auditors in help files, and pull-down menus were employed to simplify the task of completing the responses for each of the
required fields. The electronic audit program was also used to capture
information obtained and conclusions drawn during the on-site manual
review of the files. Information captured included evidence of management review, reason for and the type of commission or bonus, and the
auditor’s opinion as to the appropriateness of the payment. Finally, the
electronic audit program saved all the information in a data file, which
could be analyzed using data analysis software.
The three on-the-road audit teams were equipped with laptops with
Internet connections. Each night, the data files for the transactions reviewed that day and the associated working paper notes were sent via
FTP to the audit office, where they were analyzed by the project leader.
The project leader reviewed each of the files for completeness, combined the data files into a summary file, and performed various analyses
on the file, such as summary by branch, across branches, by sales area,
and by product. The summary file also allowed a comparison of the results obtained by each team and an analysis of the overall results, such
as total dollars of commission or bonuses deemed inappropriate versus
the total payments reviewed. The project leader also used e-mail to send
additional instructions out to the audit teams. In one case, the project
leader used FTP to send the teams a modification to the electronic audit
program to handle a special set of circumstances at one of the branch
offices.
During the reporting phase, presentation software was employed to
develop slides to graphically illustrate the main audit findings and recommendations for the exit interviews. The final report was prepared
using word processing software, and the findings were stored in a
database of findings, which could be accessed by all audit teams in
the organization. The details of the audit program were also placed in
a centralized directory for use by other audit teams.
In Case Study 28, CAATTs were employed throughout the audit process
from the beginning of the planning phase (Internet, electronic search, cut-and-paste, flowcharting, and trend analysis) to the conduct phase (statistical
analyses, judgmental samples, matching of files, e-mail, file transfers, programming, and data analyses) through to the reporting phase (presentations,
graphics, word processing, databases). Neither expensive/sophisticated
tools and techniques, nor full-blown automated working papers were employed, yet the audit was still able to achieve significant benefits through the
integrated use of CAATTs. In addition, consistency was maintained across
the audit teams and data analyzed quickly and effectively.
Automating bits and pieces of the audit process can achieve significant benefits. Sorting, searching, and sampling are examples of data analysis functions that often use CAATTs. However, other automated tools and
techniques can assist auditors in performing many different tasks. Communication, background research, working paper preparation, and many other
audit tasks can also use technology. Collectively, the integrated use of a
wide range of CAATTs can maximize the efficiency and effectiveness of the
entire audit process such that the whole is greater than the sum of its parts.
Audit management and auditors should be examining all of the tasks
they are required to perform as part of an audit. Many of these tasks can
benefit from the application of technology at a minimal cost. Audit management should also be examining the administrative tasks they perform to
manage and administer the audit function to determine how best to apply
CAATTs in these areas.
Value-for-Money Auditing
In many organizations, tick-and-bop and compliance auditing are being
supplemented or replaced by comprehensive audits and value-for-money
audits. Today’s auditors must not only strive to assess the internal control
frameworks and protect corporate assets, but must do so with a view to
adding value to the organization’s bottom line. The notion of adding value
is not new to internal audit but is still not universally accepted. Adding
value can have many facets and will likely have a direct influence on the
objectives of every audit. More than ever, audit needs to develop objectives
and related lines of inquiry to assess and make recommendations upon
value-for-money (VFM) issues. This requires audit to adopt a new method
of auditing and often a new set of tools and techniques.
For example, in order to examine VFM issues, an inventory audit’s
objectives must be expanded to include steps to determine whether or
not the inventory manager is taking into account VFM considerations when
procuring and storing inventory. The audit objectives should include steps to
identify ways for the company to reduce inventory costs, while maintaining
quality service to its clients. As part of a VFM review, the auditor should
examine best practices in the implementation of the most efficient means
of inventory management to improve cost savings for the organization and
ways to enhance levels of service for the customer.
The value-added inventory auditing example encourages auditors to
use the power and flexibility of CAATTs to expand the traditional scope
and objectives of their audits. It uses an inventory audit with a value-for-money audit perspective as an example of the approach and benefits of
this type of thinking. Case Study 29 shows how the objectives of a standard
inventory audit can be expanded, from a simple verification of the inventory
levels through a physical count of the inventory on hand, to include an
examination of the efficiency and economy of the inventory management
system.
Value-Added Auditing of Inventory Systems
Companies wishing to remain competitive in today’s marketplace must be
able to hold fewer inventories, fill orders more quickly, turn stock over more
frequently, and obtain replenishment supplies significantly faster than their
competitors. To address VFM concerns, audits of inventory management
are attempting to identify items in inventory where supply does not match
demand, items are obsolete or unusable, or items are procured uneconomically. These questions cannot be addressed simply by performing physical
inventory counts. True VFM inventory audits will require the auditor to
identify possible cost savings in several areas.
Data Analysis in Support of Value-Added Inventory Auditing
SUPPLY NOT MATCHED TO DEMAND
To identify items where there is more supply than demand:
1. Use the inventory database to identify items with:
   - Current stock levels greater than the maximum stock levels
   - Stock levels on hand that would satisfy several years’ worth of use
   - Low turnover rates
2. Examine the use of automatic reorder flags and the reorder levels—these
may be based on historical values which are now inaccurate.
3. Compare reorder levels with turnover rates for items with automatic
reorder flags and items with low turnover rates. Should the reorder
quantity be set at 100 if it took five years to use 25 items?
4. Discuss with supply managers the likelihood of these items being used
and/or the plans to dispose of them.
5. Compare supply/demand levels at the warehouse with levels at other
locations.
6. Visit supply depots to inspect items that have been in storage for an
extensive period of time with little or no demand.
To identify items that are in short supply at one location, while in a
surplus situation at other locations:
1. Compare turnover rates by item by location.
2. Examine short-order or quick-response requests and, for these items,
determine inventory levels at other locations.
3. Check for automatic reorder flags and reorder levels and minimum and
maximum stock level quantities.
OBSOLETE INVENTORY To identify items that are no longer in use:
1. Identify equipment that has been declared obsolete and, for each
piece of equipment, identify the items (parts) that support the obsolete
equipment.
2. Extract current inventory levels, total value for inventory, and storage
requirements for items/parts supporting obsolete equipment.
3. Determine if items have possible uses elsewhere. In many inventory
system files, there is a field that provides details on the equipment that
uses the given part. For example, a type of spark plug may fit into
several different engines, only one of which was declared obsolete.
Therefore, before the inventory of spark plugs can be declared obsolete,
all engines that could use that spark plug must be obsolete.
4. Check for automatic reorder flags and reorder levels and minimum and
maximum stock level quantities. For example, a part that used to fit into
four pieces of equipment, three of which have been declared obsolete,
should have the reorder and minimum stock levels adjusted.
INVENTORY NOT USABLE To identify items that are no longer usable:
1. Check for shelf-life flags and extract items that have been stored for
periods longer than stated shelf life.
2. Sample inventory items that have been stored for long periods of time
and may no longer be usable. The time frame will vary depending on
the type of item and must be determined by the audit team.
3. Examine items declared as write-offs or not repairable for causes.
4. Ensure that the automatic reorder flag is turned off and that minimum
stock level quantity is set to zero for obsolete equipment. For example,
too often the excess obsolete stock is discarded, and the automatic
reorder routine kicks in and orders more stock.
UNECONOMIC PURCHASES To identify items with poor gross margin:
1. Compare purchase price and storage costs with selling price. Audit can
also factor in space requirements, special storage conditions, etc., when
calculating the cost of maintaining these items in inventory.
To identify items not procured economically (best price, economic order
quantity):
1. Compare statistical sample of items purchased to determine if other
suppliers have better prices.
2. Review contracts for price breaks and economic order quantities for
comparison with actual quantities ordered.
Each of these issues can be addressed with modern audit software,
because all conditions are not only identifiable with reference to electronic
data, but can also be used to filter and screen the data files, with ad hoc or
standard steps in batches, prior to physical inventory counts.
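The screening tests listed above can be expressed as filters over the inventory extract and run before the physical count. The following is an added Python example, not code from the book or from any audit package; the field names, thresholds and the five inventory records are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds are assumed for illustration; the audit team sets its own.
YEARS_OF_SUPPLY_LIMIT = 3.0   # stock on hand covers this many years of demand or more
REORDER_HORIZON_YEARS = 3.0   # a reorder quantity should not exceed this much usage


@dataclass
class InventoryItem:
    """One record of a constructed inventory extract (field names assumed)."""
    item_no: str
    on_hand: int
    max_level: int
    min_level: int
    annual_usage: int              # issues over the last year (demand)
    reorder_flag: bool             # automatic reorder switched on
    reorder_qty: int
    shelf_life_days: Optional[int] # None when the item has no shelf-life flag
    days_in_storage: int
    supports_obsolete_only: bool   # every piece of equipment it supports is obsolete


# Constructed sample extract, not data from the book.
INVENTORY = [
    InventoryItem("SP1283",  2500, 3000, 500, 1500, True,  1000, None, 400,  False),
    InventoryItem("T54921",   900,  400,  50,   60, True,   200, None, 2100, False),
    InventoryItem("GSK-042",  120,  200,  20,    5, True,   100, None, 1900, False),
    InventoryItem("SEAL-77",   40,  100,  10,   30, False,    0, 365,  540,  False),
    InventoryItem("D502T5",   200,  300,  25,    0, True,   100, None, 3000, True),
]


def years_of_supply(item):
    """Years the current stock would last at the observed annual demand.
    Zero demand means the stock never runs out, so report infinity."""
    if item.annual_usage <= 0:
        return float("inf")
    return item.on_hand / item.annual_usage


def screen_inventory(items):
    """Run the section's screening tests as filters over the extract.
    Returns {test name: [item numbers]} so each list can become a sample
    for the physical count or a question for the supply manager."""
    findings = {
        "stock_above_maximum": [],
        "years_of_supply_on_hand": [],
        "reorder_qty_exceeds_usage": [],
        "shelf_life_exceeded": [],
        "obsolete_but_reorder_active": [],
    }
    for it in items:
        # Supply not matched to demand
        if it.on_hand > it.max_level:
            findings["stock_above_maximum"].append(it.item_no)
        if years_of_supply(it) >= YEARS_OF_SUPPLY_LIMIT:
            findings["years_of_supply_on_hand"].append(it.item_no)
        # Reorder level out of step with turnover (the "reorder 100 when
        # only 25 were used in five years" question)
        if it.reorder_flag and it.reorder_qty > it.annual_usage * REORDER_HORIZON_YEARS:
            findings["reorder_qty_exceeds_usage"].append(it.item_no)
        # Inventory not usable: stored longer than the stated shelf life
        if it.shelf_life_days is not None and it.days_in_storage > it.shelf_life_days:
            findings["shelf_life_exceeded"].append(it.item_no)
        # Obsolete equipment: reorder flag should be off and minimum set to zero
        if it.supports_obsolete_only and (it.reorder_flag or it.min_level > 0):
            findings["obsolete_but_reorder_active"].append(it.item_no)
    return findings


if __name__ == "__main__":
    for test, hits in screen_inventory(INVENTORY).items():
        print(f"{test:30s} {', '.join(hits) or '-'}")
```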
Inventory Management Practices and Approaches
Inventory management practices will vary from industry to industry, but
audit can play a role in helping to identify the areas for improvement.
Several approaches to inventory management can be employed.
Supplier parks shift responsibilities for storing and managing inventory
to suppliers. This concept involves a much closer association between the
organization and its suppliers. Close partnering between a company and its
prime suppliers can reduce inventory levels to a minimum, while remaining
responsive to demand.
The just-in-time inventory concept strives to order items closer to the
demand time. This keeps inventories low, causes stock to turn several times
a year, while filling orders within weeks and maintaining good customer
service. Vendor-managed inventory (VMI) takes the just-in-time inventory
concept one step further, advocating the use of timely information to lower
inventory levels at all points on the supply chain. VMI looks across the supply chain and its inventory profile to remove inventory holdings throughout
the chain. It is an integrated inventory management concept that begins with
the consumer at the point of purchase. The point-of-sale data is automatically transmitted all the way through the supply chain to suppliers, retailers,
and manufacturers. In essence, it is quite simply a smooth and continuous
flow of items through the supply chain to the ultimate consumers, which is
matched to consumption.
A number of companies maintain a huge inventory at centralized warehouses that, in turn, supply retail stores or smaller depots. A large retailer
may employ an inventory management practice of buying and storing supplies at both wholesale and retail locations to ensure items are readily
available to customers. However, these inventory management methods
can mean that inventory is maintained at the warehouses years in advance
of when the items are actually needed. Storing inventory at many different
locations may result in inventory that turns over slowly, thereby producing large amounts of old, obsolete, and excess items. Audit can research
best practices and work with their clients to establish and then monitor
appropriate performance measures.
Inventory costs such as storage space ($/sq. ft.), personnel to manage
the warehouse, computer systems, and computer time and even the opportunity cost of tying up capital are significant. According to one study,
the standard cost of maintaining inventory ranges from 10 to 20 percent
of the purchase value of the inventory. Other studies report even higher
percentages (up to 30 percent of purchase cost). For purchase decisions,
some inventory control points use a percentage of the item’s value, which
can be in the range of 18 to 22 percent of the purchase value. Thus, if a
company has $1 million in excess or obsolete inventory, the annual storage
cost alone would be in the range of $180,000 to $220,000.
Excess inventory slows down the response time to valid requests for
items, making it difficult to fill legitimate orders within the set performance
measures or even leading to the construction of new warehouse facilities to
store the obsolete items. And customers may move their business elsewhere
if their requirements are not being met in a timely and dependable fashion.
Possible Areas for Audit-Suggested Improvements
Inventory audits have been a part of internal audit for many years. However, in today’s cost-conscious environment, internal audit should be trying
to add lines of inquiry and objectives to not only assess proper controls
over the physical security of inventory, but also to find ways for the organization to improve its management of inventory. In this way, internal
audit can contribute to the bottom line of the company and add value to
client operations. Therefore, the audit scopes and objectives for standard,
yearly audits should be reviewed to determine if they could be expanded
to include lines of inquiry related to VFM and best practices. Contributing
to the bottom line will ensure that audit adds value to, and is perceived as
a vital part of, the organization—and not seen simply as an administrative
overhead.
Audit recommendations must be based on realistic requirements and
must be tailored to the specific client operations. The following section
discusses areas where audit should consider looking for potential improvements in their inventory system.
Better computer and communication systems offer inventory managers
better visibility of products as they flow from supplier to consumer. Audit
should examine using automation to determine if:
Inventory managers have 100 percent visibility of stock held in warehouses, being moved to and from warehouses, and at the retail level
up to the point of sale.
Inventory managers can determine an item’s status at any time, including its demand history.
Staff ranging from order-entry clerks to company executives can obtain
an item’s status, enabling them to forecast requirements, accurately plan
the reorder of replenishment stock, and tightly manage and control
inventory.
Improved methods of managing, ordering, and paying for items can
also reduce lead times in the process and improve responsiveness to client
needs. Audit can include lines of inquiry to determine if:
Electronic data interchange could be used to speed up purchase orders,
bill payment, and shipping documents, as well as the rate at which
inventory flows through distribution centers; for example, existing
technology such as bar codes and scanners makes the electronic transmission of point-of-sale information to inventory managers possible.
Inventory managers are able to monitor goods passing through distribution centers, locate goods in warehouses, and eliminate the need to
physically count inventory or manually keypunch inventory data.
Point-of-sale information is shared with suppliers and carriers to enable
them to better forecast their own requirements and meet the organization’s needs.
Inventory managers practice total asset visibility and electronic data
interchange to virtually eliminate the situation in which additional stock
is ordered at the wholesale level while excess inventory is held at the
retail level.
Finally, audit can use the Internet to research new inventory management techniques and best practices to ensure management is aware of inventory practices such as just-in-time inventory, supplier parks, and vendor-managed inventory. Audit can assist in the implementation and monitoring
of these techniques by documenting the current practices and flows, identifying costs and opportunities, and comparing the results under the new
practices with those under the old practices. Companies using the most
aggressive inventory management practices no longer store inventory in intermediate locations at all. Now, their suppliers deliver inventory only when
needed. Organizations have reduced their hardware inventories by as much
as 80 percent using aggressive inventory management techniques. Studies
have estimated that the potential inventory savings in the U.S. retail sector
alone can be as high as $50 billion annually with a 50 percent reduction
in systemwide inventories. Audit can help the inventory manager share in
these benefits by conducting appropriate examinations of current inventory
practices.
Case Study 29: Identifying Obsolete Inventory Items
Inventory storage costs were getting out of hand even though the company was employing a new inventory management technique. The approach to managing inventory had been in place for about a year, but
the promised decreases in the inventory carrying costs were not as high
as expected. The inventory manager took an unusual step and asked internal audit to perform an audit of the largest warehouse. The manager
hoped that audit could shed some light on the issue of inventory costs.
Typically, the auditors performed a standard inventory audit, comparing
the inventory levels from the inventory system with the stock on-hand.
This approach was primarily concerned with the controls over the security of the physical assets. However, management’s concerns about
cost savings presented the auditors with a different objective. As a result, the auditors decided to conduct other tests of the inventory in
addition to verifying the inventory levels. The main objective was to
determine if and how the overall inventory management costs could be
reduced.
As a first step in the audit process, the auditors extracted and downloaded information from the inventory application to a file on the microcomputer (INV.FIL). The inventory system contained detailed information on each item held, including current inventory levels and the
piece of equipment the item supported. For example, the warehouse
might have 2,500 spark plugs (item # SP1283), which might fit into one
or more engines (equipment # M308 and M611).
Item         Item #   Equipment        Equip't #
Spark Plug   SP1283   Engine - M308    SP1280
Spark Plug   SP1283   Engine - M611    SP6000
Flange       MI23F1   Engine - M612    T54921
···
Transistor   D502T5   Circuit Board    12AG45
Transistor   D702T1   Circuit Board    14AF46
Transistor   D702T1   Circuit Board    18AG23
Resistor     R812R6   Circuit Board    14AG45
As part of the review over the security of the inventory, a random
sample of items was chosen. The auditors compared the actual inventory
levels with those on the inventory system.
The auditors hoped to use the inventory data to identify all items
(parts) that supported equipment that was not being used anymore.
Such items would no longer be of use to the company, but would still
be incurring an inventory carrying cost (estimated at 15 to 25 percent
of the original purchase value). Items no longer of use should have
been removed from the inventory when the supported equipment was
declared obsolete, decreasing the overall inventory levels and reducing
the storage and inventory management costs. By removing these items
from the inventory, the inventory carrying costs could be reduced, and
the company might even be able to sell some of the obsolete items to
other companies or for scrap.
For example, if a particular piece of equipment was declared
obsolete, then all the items that were used to maintain the piece of
equipment would not be required anymore unless the parts supported
another piece of equipment as well. Thus, if Circuit Board 12AG45 was
no longer required, Transistor D502T5 would be obsolete, because it
was only used as a component for that particular circuit board. However, if Circuit Board 14AF46 was declared obsolete, Transistor D702T1
would still be required, because it is also a component for Circuit Board
18AG23.
The auditors obtained a file (OBS.FIL) containing information on
each piece of equipment that had been declared obsolete during the
last three years.
List of Obsolete Inventory (OBS.FIL)
Equip't         Equip't #   Date
Circuit Board   12AG45      95/03/31
Circuit Board   14AF46      95/11/21
···
Spark Plug      91AX23      93/02/12
Using audit software, the auditors joined the complete inventory
holdings file (INV.FIL) with the file containing the obsolete equipment
list (OBS.FIL) to create a new inventory file showing all potentially
obsolete inventory items (POT OBS.FIL). This file contained a record
for each item in inventory, with a new field called OBS FLAG attached
to each inventory record. The OBS FLAG field had a value of “Y” if the
“Equip’t #” field on the inventory file matched with a piece of equipment
in the obsolete equipment file and had a value of “N” if there was no
match between the inventory and obsolete equipment files. Stating it
another way, a value of “Y” in the OBS FLAG field meant that the
supported equipment had been declared obsolete; a value of “N” meant
that the equipment was still in use.
For example, if Circuit Boards 12AG45 and 14AF46 were in the obsolete equipment file because they had been declared obsolete, then inventory records for Transistors D502T5 and D702T1 and Resistor R812R6
in the joined file would have a “Y” in the OBS FLAG field. However,
if Circuit Board 18AG23 was still in use, then Transistor D702T1 would
have an “N” in the OBS FLAG field for the inventory record with equipment # 18AG23.
List of Potentially Obsolete Inventory Items (POT OBS File)
Item         Item #   Equip't          Equip't #   Obs Flag
Spark Plug   SP1283   Engine - M308    SP1280      N
Spark Plug   SP1283   Engine - M611    SP6000      N
Flange       MI23F1   Engine - M612    T54921      N
···
Transistor   D502T5   Circuit Board    12AG45      Y
Transistor   D702T1   Circuit Board    14AF46      Y
Transistor   D702T1   Circuit Board    18AG23      N
Resistor     R812R6   Circuit Board    14AG45      Y
Now the auditors could identify all items that were no longer of use
because they only supported obsolete equipment. The first step was
to remove all records for items that supported a piece of equipment
that was still in use, such as Transistor D502T5. In order to do this, the
auditors created a field (OBS) that contained a “0” if the supported piece
of equipment was obsolete (OBS FLAG=“Y”) or a “1” if the supported
piece of equipment was still in use (OBS FLAG=“N”).
List of Potentially Obsolete Inventory Items with Obsolete Indicator
(POT OBS File)
Item         Item #   Equip't          Equip't #   Obs Flag   Obs
Spark Plug   SP1283   Engine - M308    SP1280      N          1
Spark Plug   SP1283   Engine - M611    SP6000      N          1
Flange       MI23F1   Engine - M612    T54921      N          1
···
Transistor   D502T5   Circuit Board    12AG45      Y          0
Transistor   D702T1   Circuit Board    14AF46      Y          0
Transistor   D702T1   Circuit Board    18AG23      N          1
Resistor     R812R6   Circuit Board    14AG45      Y          0
Next, the file POT OBS.FIL was summarized on Item Number, totaling the number of records for each item, the value of field OBS, and
the total value of the inventory held for each item.
A new file (POT OBS SUM.FIL) was created, containing a single
record for each Item Number with a field Tot Cnt, showing the total
number of records that were summarized; a field Obs Cnt, showing the
total of the value of the OBS field; and the field VALUE, calculating the
Quantity * Unit Price for each item in inventory.
Summarized List of Potentially Obsolete Inventory Items
(POT OBS SUM File)
Item #   Item         Tot Cnt   Obs Cnt   Tot Value
D502T5   Transistor   1         0         14,398.00
D702T1   Transistor   2         1         24,576.00
···
MI23F1   Flange       1         1          1,581.45
R812R6   Resistor     1         0          7,333.23
SP1283   Spark Plug   2         2         21,009.10
The value of the Obs Cnt can only meet one of the following three
conditions: Obs Cnt is equal to “0”; Obs Cnt is equal to Tot Cnt; or
Obs Cnt is greater than “0” and less than Tot Cnt. The following discusses the meaning of each possibility:
Obs Cnt=“0”. The items where Obs Cnt = “0” only contained inventory records with field OBS = “0” (OBS FLAG=“Y”). These items
only support obsolete pieces of equipment and, thus, can be declared obsolete. In this example, items D502T5 and R812R6 can
be declared obsolete because they do not support any equipment
currently in use.
Obs Cnt = Tot Cnt. Records where Tot Cnt equals Obs Cnt are
items where OBS always equals “1” (OBS FLAG = “N”), meaning
the support equipment is not obsolete. Flange MI23F1 and Spark
Plug SP1283 are examples of items that are required since they only
support equipment still in use.
Obs Cnt > 0 and Obs Cnt < Tot Cnt. Records where Obs Cnt is
greater than “0” and Obs Cnt is less than Tot Cnt, are items that have
records with OBS equal to “1” (OBS FLAG = “N”) and records with
OBS equal to “0” (OBS FLAG = “Y”). These items support both
obsolete and in-use equipment and therefore cannot be declared
obsolete. In this example, Transistor D702T1 supports equipment
that is still in use (Circuit Board 12AG45) and equipment that has
been declared obsolete (Circuit Board 14AF46). These items are still
required; however, management should review the reorder levels
and the inventory on-hand levels to determine if these can be adjusted to lower levels because the items no longer support as many
pieces of equipment as they did initially.
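The join, flag, summarize and classify steps of Case Study 29, as an added Python example rather than the auditors' ACL procedure. The INV.FIL and OBS.FIL rows are constructed from the tables in the case study (engine equipment numbers taken from the text, 14AG45 assumed to sit in the elided OBS.FIL rows), and the quantities and unit prices are assumed because the book shows only the summarized Tot Value.

```python
from decimal import Decimal

# Constructed sample of INV.FIL: one record per (item, supported equipment).
# Item and equipment numbers follow the case study; quantities and unit
# prices are assumed, so Tot Value for SP1283 differs from the book's table.
INV_FIL = [
    # item,        item #,   equipment,       equip't #, qty,  unit price
    ("Spark Plug", "SP1283", "Engine",        "M308",    2500, "4.20"),
    ("Spark Plug", "SP1283", "Engine",        "M611",    2500, "4.20"),
    ("Flange",     "MI23F1", "Engine",        "M612",       5, "316.29"),
    ("Transistor", "D502T5", "Circuit Board", "12AG45",   200, "71.99"),
    ("Transistor", "D702T1", "Circuit Board", "14AF46",   480, "25.60"),
    ("Transistor", "D702T1", "Circuit Board", "18AG23",   480, "25.60"),
    ("Resistor",   "R812R6", "Circuit Board", "14AG45",     3, "2444.41"),
]

# Constructed sample of OBS.FIL (equipment declared obsolete, with the date).
# 14AG45 is not shown in the book's excerpt but is flagged "Y" in its joined
# table, so it is assumed to be among the elided rows; its date is invented.
OBS_FIL = [
    ("Circuit Board", "12AG45", "95/03/31"),
    ("Circuit Board", "14AF46", "95/11/21"),
    ("Circuit Board", "14AG45", "95/12/01"),
    ("Spark Plug",    "91AX23", "93/02/12"),
]

CARRYING_COST_RANGE = (Decimal("0.15"), Decimal("0.25"))  # 15 to 25 percent, per the case study


def join_obsolete_flag(inv_rows, obs_rows):
    """Build POT_OBS: each inventory record with OBS FLAG ("Y" when the
    supported equipment number is in OBS.FIL), the OBS indicator the auditors
    added next (0 = obsolete, 1 = still in use), and Quantity * Unit Price."""
    obsolete_equipment = {equip_no for _, equip_no, _ in obs_rows}
    pot_obs = []
    for item, item_no, equip, equip_no, qty, unit_price in inv_rows:
        flag = "Y" if equip_no in obsolete_equipment else "N"
        pot_obs.append({
            "item": item, "item_no": item_no,
            "equip": equip, "equip_no": equip_no,
            "obs_flag": flag,
            "obs": 0 if flag == "Y" else 1,
            "value": Decimal(qty) * Decimal(unit_price),
        })
    return pot_obs


def summarize_by_item(pot_obs):
    """Build POT_OBS_SUM: one row per item number with Tot Cnt (records),
    Obs Cnt (sum of OBS) and Tot Value (sum of the per-record values)."""
    summary = {}
    for rec in pot_obs:
        row = summary.setdefault(rec["item_no"], {
            "item": rec["item"], "tot_cnt": 0, "obs_cnt": 0,
            "tot_value": Decimal("0.00"),
        })
        row["tot_cnt"] += 1
        row["obs_cnt"] += rec["obs"]
        row["tot_value"] += rec["value"]
    return summary


def classify(summary):
    """Apply the three Obs Cnt conditions from the case study."""
    result = {}
    for item_no, row in summary.items():
        if row["obs_cnt"] == 0:
            # Every record had OBS = 0: only obsolete equipment is supported.
            result[item_no] = "obsolete"
        elif row["obs_cnt"] == row["tot_cnt"]:
            # Every record had OBS = 1: only in-use equipment is supported.
            result[item_no] = "required"
        else:
            # Mixed: still required, but reorder and on-hand levels need review.
            result[item_no] = "review-levels"
    return result


def obsolete_carrying_cost(summary, classes):
    """Purchase value tied up in items classed obsolete, plus its estimated
    annual carrying cost at 15 to 25 percent of that value."""
    value = sum((summary[i]["tot_value"] for i, c in classes.items()
                 if c == "obsolete"), Decimal("0.00"))
    low, high = [(value * rate).quantize(Decimal("0.01")) for rate in CARRYING_COST_RANGE]
    return value, low, high


if __name__ == "__main__":
    pot = join_obsolete_flag(INV_FIL, OBS_FIL)
    summ = summarize_by_item(pot)
    classes = classify(summ)
    for item_no, row in summ.items():
        print(f"{item_no} {row['item']:11s} TotCnt={row['tot_cnt']} "
              f"ObsCnt={row['obs_cnt']} TotValue={row['tot_value']:>10} -> {classes[item_no]}")
    value, low, high = obsolete_carrying_cost(summ, classes)
    print(f"Obsolete stock {value}; estimated annual carrying cost {low} to {high}")
```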
In Case Study 29, the auditors enhanced a standard inventory audit
to provide the inventory manager with useful information concerning the
utility of the inventory. Using ACL on a microcomputer, the auditors were
quickly able to review thousands of items in inventory and identify whether
they supported in-use, obsolete, or a combination of in-use and obsolete
equipment. For all items that only supported obsolete equipment, the current inventory was sold or scrapped and the automatic reorder flags were
set to “N”. For items supporting both obsolete and in-use equipment, inventory and reorder levels were reviewed and set to levels appropriate with
the decreased demand.
The results of the audit provided management with sufficient information to decrease the overall inventory levels, thereby reducing the inventory
management cost of the organization significantly. The timely identification
of obsolete items increased the potential resale value of these items, generating more revenue than would have been realized if the items were sold
for scrap. These savings alone paid many times over for the cost of the audit
software used.
Audit should always be aware of how easy it is to modify or enhance
current audit programs to provide better information to management and
create value-added audit opportunities. The use of the computer and audit
software can produce significant results.
Audit and Reengineering
Audit may be involved in the evaluation of reengineering initiatives at the
request of senior management. Recent economic conditions have forced
many companies to consider shutting down parts of the organization. In
many cases, as illustrated in Case Study 30, audit has played a role in
reviewing the results of the closures.
Case Study 30: Store Closure
The audit examined the controls over the activities associated with the
closure of a retail outlet. The audit team wanted to determine if the inventory of goods was being properly safeguarded during the closure so
as to prevent theft or losses and that the inventory and office equipment
were sold at an appropriate price.
During the planning phase, the audit team extracted information
from the inventory system for the retail store being closed. The audit
team used the data to perform three initial analyses. First, the total
quantity and dollar value of the inventory and equipment at the store
was calculated. Next, three lists of detailed transactions were produced.
For the first initial analysis, auditor-defined criteria were used to identify
equipment thought to have a high risk of theft. This included high-dollar, new technology and portable items such as computers and cash
registers, which might be attractive to thieves. The second report listed
a random sample of inventory items, and the third identified all items
that had already been sold for less than market value.
Data analysis software allowed the audit team to perform the preliminary analyses required to identify the audit population and to select
sample transactions for review. As a result, the on-site work was more
effective and efficient, reducing the disruption to the client. Not surprisingly, the analyses identified several systemic control weaknesses in the
store closure process.
The audit software programs developed for the store closure audit
were successfully reused for other store closure audits, reducing the
planning phase for subsequent closures by more than 50 percent and
contributing to the safeguarding of valuable corporate assets. Given the
large number of items in the inventory (1,033,000 plus), the use of the
computer was essential to the audit.
At other times, the company’s financial future depends on the successful
implementation of reduction or downsizing initiatives. While often outside
the traditional audit coverage, audit can contribute to the success of the
program. Again, CAATTs can be used to support the audit of a reduction
program, as shown in Case Study 31.
Case Study 31: Review of a Downsizing Program
The company established a downsizing program to streamline the number of employees by offering cash incentives to those willing to take
early retirement or be laid off. The audit reviewed the overall efficiency
and effectiveness of this program.
A search of the findings database revealed that a branch office had
conducted an audit of a divisional reduction program. Several lines of
inquiry were extracted from the audit program and used as part of
the corporate-wide audit. The information required to determine if the
corporate downsizing program had achieved its goals was contained in
several different information systems. In particular, the auditors had to
extract information from the downsizing tracking system, the personnel
information system, and the payroll system. A combination of the data
from these systems was used to obtain a complete picture of all aspects
of the reduction program.
The downsizing tracking system was used to identify the audit population (i.e., all employees who participated in the reduction program
by accepting the cash incentives and leaving the company). The employee numbers of these individuals were used to extract information
from the personnel information system, such as each employee’s:
Job classification and level
Salary
Number of years of service
Department
The data from the personnel information system was then used to
analyze the impact of the downsizing program. The auditors identified
by department the number of employees prior to, and after, the implementation of the downsizing program and compared these numbers
with the total number of employees in each department who had left
under the program. This quickly highlighted departments where there
had been hiring activity during the time the program was in force. For
example, the auditors found one department that started with 200 employees, ended the year with 180 employees, but had 35 employees
accept cash settlements. This meant that the department hired 15 people during the same period that the company was trying to reduce its
overall numbers.
One of the audit objectives was to determine if the downsizing
program was being properly administered and monitored. Another objective assessed whether or not the program was creating problems,
such as a shortage of employees with certain types of skills, or if it was
having a negative impact on employment equity initiatives by releasing
a higher number of female employees.
To answer these objectives, the auditors identified all employees
who had left the company and categorized them by age, gender, job
classification, and other categories. By reviewing the data in aggregated
format, the auditors obtained an overall picture of the program’s impact.
In particular, they noted that there were many entry- and senior-level
engineers, but very few middle-level engineers—a potential problem in
the short term.
The auditors also used the employee identification numbers to extract the amounts of each cash settlement and the total cost of all cash
settlements from the payroll system. Key fields such as years of service/employment and age data from the personnel information system
and yearly salary amounts from the pay system were used by the auditors
to perform a 100 percent verification of the cash settlement calculations
and entitlements paid to each employee under the reduction program.
Instances of overpayments were easily identified and recovery action
taken. As well, the auditors identified employees who were underpaid
and ensured that the checks were sent to them.
The audit was successful in providing senior management with an
assessment of the impact and the effectiveness of the downsizing program, as well as the total cost of the program. To combine and analyze
data from three systems would not have been practical without the use
of automated tools and techniques.
In other reengineering cases, management may be concerned about
legal requirements and corporate policies on issues such as employment
equity and fair hiring practices. As in Case Study 32, audit may be asked to
review the progress toward the goals of these types of programs.
Case Study 32: Fair Practices Program
The audit evaluated the promotion and hiring practices of the organization to determine the progress made toward the achievement of employment equity objectives (fair promotion and hiring practices). The
auditors searched the corporate policies and procedures directory and
found excellent background material on the corporate objectives of the
fair practices program. These objectives were cut-and-pasted into the
working papers and formed the basis of the audit program.
The auditors obtained hiring and promotion data from the personnel
database for the current year and the previous four years. Using this data,
they conducted a detailed analysis of trends in the hiring and promotion
of employees. During the preliminary analysis phase of the audit, the
total number of promotions was calculated for each department. Next,
the number and percentage, compared to the total of promotions, were
calculated by ethnic origin, gender, and physical disability, for each of
the last four years. The overall percentages were compared to the target
levels stated in the fair practices standards for the company.
The analysis enabled the auditors to obtain an overview of the
progress towards fair hiring practices achieved by each department over
the last four years. In departments that had not achieved the objectives
or standards, a further analysis was performed to examine the related
data by job category and level (supervisory/nonsupervisory). This highlighted specific job classifications where the progress toward fair promotion practices was below company standards. In these cases, a follow-up
was conducted on-site with the staffing section to review the underlying reasons. Next, all hirings were examined using a similar type of
analysis.
The analyses performed by the auditors allowed them to focus their
attention on the more time-consuming, manual portion of the audit in
the high-risk departments. It also enabled the auditors to give management an overview of the progress to date and conduct trend analysis for
the future. The use of the computer significantly reduced the time involved and simplified the audit process, while maintaining or improving
the results.
Pressures on organizations to be more effective will also have an impact
upon the types of activities undertaken by audit. Senior management will
expect audit to contribute by assessing important corporate programs. This
in turn will cause audit to evaluate its current methods, tools, and techniques. In many cases, CAATTs will play an important role in assisting audit
to discharge its duties and in contributing to managerial knowledge.
Audit and Benchmarking
The ultimate effect of auditing is, of course, the adjustment of the organization to the critically relevant findings of the auditors as empowered, key,
value-adding personnel (Will [1995]). This recognizes the fact that information systems are the other side of the organizational coin—that information
is a strategic resource; that organizational structures have to support desirable organizational behavior; that auditors are part of the management
team; and that management must reengineer the organization in order to
adjust to environmental changes. But where does audit and reengineering
fit into the organization?
Benchmarking has rapidly become one of management’s favorite
reengineering tools. Companies from IBM and Xerox to the mom-and-pop
operations on the corner have participated in benchmarking exercises. But
where do benchmarking and internal audit stand? To understand the answer to this question, you must understand the basics of each, including
their differences and similarities:
Benchmarking is a continuous and formal process for measuring work
processes and functions of organizations that are acknowledged leaders,
representing best practices, for organizational improvement.
Internal audit is an independent, objective, assurance, and consulting
activity designed to add value and improve an organization’s operations.
It helps an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve effectiveness of risk management, control, and governance processes.
The two activities have many similarities, but there are also several
fundamental differences between them.
The first stage in benchmarking is the identification of the key players,
their requirements, and the definition of the processes to be benchmarked.
Benchmarking can be internal to the organization, within the competitive
industry, or functional/generic in nature and outside the industry sector
entirely. Benchmarking also often includes a partner from an external organization.
In contrast, internal audit’s client is the company’s senior management
and does not include external organizations. Another important distinction
is that the client’s requirements may drive the benchmarking schedule, the
scope of the activities, reporting format, and so on. Auditor independence
from these types of influences remains a key aspect of internal audit.
The second stage in benchmarking is the formation of the benchmarking
team, which usually includes a project manager, a benchmarking facilitator, and members of client operations. Internal audit teams may also have
project leaders and subject matter experts, but they do not always contain
individuals from the client operations. As more audit departments embrace
the ideas of collaborative audits, staff from the client areas are becoming
more involved in the audit process. However, at times, the issue of audit independence may override the desire to involve persons from the client area.
The third stage is the identification of benchmarking partners. This
could include outside experts, researchers, consultants, and other organizations such as competitors, universities, research establishments, and
governments. The team searches for best practices within the company,
within the industry sector, or even worldwide. While many internal auditors
may perform similar steps when researching performance standards, audit
usually only considers industry- or company-based norms.
The next stage in the benchmarking process is the analysis of information. The information-gathering activities may include telephone calls,
meetings, interviews, surveys, publication and media searches, and data
collection and analysis. A successful benchmarking exercise will include
a thorough analysis of the current conditions and the identification of the
performance gap, the difference between the current performance of the
organization and the performance level of the benchmarking partner. In
many ways, the activities performed by internal audit are consistent with
these benchmarking activities. Auditors’ skills in conducting analytical reviews and control framework assessments and techniques (such as Pareto,
Cause-and-Effect, and Fishbone) can be extremely useful to benchmarking
teams.
The final stage of benchmarking is the writing of the benchmarking
report, communication of the findings, and the identification of recommendations. The main deliverables are similar to the internal audit reporting
phase, except that the benchmarking report is often shared with the benchmarking partners, even when the partners are external to the organization.
In some organizations, internal audit is using audit reports that identify
efficient and effective operations as standards or models for other client
areas. Some internal audit organizations are also employing the concepts
of partners, best practices, and generic research during operational audits.
In other organizations, internal audit is an integral part of benchmarking
teams, participating fully in all stages of the process.
Whether benchmarking is simply the latest management buzzword—a
new name for an old idea—or a new and useful management tool for making significant improvements, internal audit must understand the basics of
benchmarking to effectively audit and participate in benchmarking activities. Internal audit can take a proactive approach to benchmarking to the
benefit of the company. Remember, there is no single path to success, but
you won’t get there by sitting still either!
Case Study 33: Audit versus Benchmarking
Senior management at ABC Corporation was not happy, although the
employees seemed happy. The billing system’s error rate had increased
despite spending thousands of dollars on new color terminals, ergonomic furniture, and a newly designed office layout for the data
entry section. The president decided the answer lay in benchmarking
with a local utility company, one of the world leaders in data entry. A
benchmarking team was established, with representatives from the IS
group and data entry staff.
After several weeks of performing an internal review of the billing
application, including reviewing source documents, types of data to
be entered, screen layouts, and uses of color to highlight key fields,
the benchmarking team felt ready to approach the utility company. At
the end of their study, the benchmarking team determined that the
utility company performance gains were achieved through the introduction of new technology and the development of an employee training
program. Since ABC Corp. had already upgraded its computer hardware
and software, the benchmarking team felt that training was the missing
ingredient.
The company’s training officer assured them that a quality training
program had been developed and that all data entry operators had
participated. However, a retraining program was initiated, and all data
entry operators received an additional two days of training. Everyone
was convinced that the project was a success; however, the statistics
for the next month showed that the error rate was still as high as it
had been prior to retraining. The benchmarking exercise was declared
a failure.
A short time later, a routine audit was performed on the billing
section. Of course, the auditor noticed immediately that the error rate
was significantly higher than a year ago. On questioning the head of
the input section, the auditor learned that new computer terminals and
office furniture had been purchased. In fact, the entire workspace had
been reorganized, with input from the employees. As a result, everyone
was much happier with the working conditions and motivation was
high.
The auditor obtained the detailed error data and began analyzing
the information. The first issue that stood out was that 87 percent of the
errors were attributed to 12 percent of the operators. When management
heard this, they were ready to fire all of the operators involved, but the
audit director asked them to wait until the audit was completed, and a
three-day extension was given.
The auditor reviewed the test scores from the training course and
examined the detailed transactions from the previous day. Two of the
clerks had consistently high error rates, and the rest showed an increase
in the afternoon. The auditor spent the next afternoon in the invoice-processing section and still did not know what was causing the errors to
increase. The operators were working as hard as in the morning, their
concentration had not lessened, and even the average time to process
a bill was comparable.
On Wednesday morning, although it was another rainy day, the
auditor was optimistic. Interestingly, the data from Tuesday had very
few errors. The overall error rate for the clerks in question was not
significantly different from the error rate for the other operators, but
still the auditor did not know the cause for the change. The error rate
associated with Wednesday’s data was no higher than for the other
operators. After a pleasant walk at lunch, the auditor went back to
the invoice-processing section, with only half a day left to arrive at
an explanation before these operators would be fired. The auditor got
to the floor just after one o’clock and suddenly knew the answer. An
extension of one more day was requested to check a few figures and to
prepare the final report.
As expected, the error rate in Thursday’s data was higher than company standards. However, as a result of the audit, no operators were
fired, and the error rate was reduced to a new low. The total cost was
$500 to have the movers come in and rearrange the furniture so that the
afternoon sun did not reflect off the screens. Another minor change to
the billing program helped the two color-blind operators reduce their
error rates on key fields that had been highlighted using red or green
lettering.
In Case Study 33, why did benchmarking fail where audit succeeded?
The benchmarking team was too anxious to find the answers outside of the
company. As a result, they failed to fully analyze the internal data for cause
and effect. The auditor, on the other hand, focused on the internal data,
used analytical tools and critical skills, and also had a bit of luck with his
observations.
This fictitious example is not meant to present benchmarking in a bad
light, but to stress the importance of performing a thorough analysis of
the current conditions. These analyses are supported by audit software,
and often internal auditors have a great deal of expertise and can make a
valuable contribution to benchmarking activities.
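As an added illustration (not from the book), the two analytical steps the auditor took in Case Study 33, a Pareto ranking of errors by operator and a morning-versus-afternoon stratification of error rates, are carried out below in Python on a constructed hourly error summary; the operator ids, counts and thresholds are invented for the example.

```python
from collections import defaultdict

MORNING = (9, 10, 11)
AFTERNOON = (13, 14, 15)


def build_sample():
    """Constructed hourly summary: operator, hour, bills keyed, errors found.

    Invented for this example; not the case study's figures. OP01/OP02 are
    high all day, OP03-OP05 only after lunch, the rest are steady and low.
    """
    rows = []
    for n in range(1, 9):
        op = f"OP{n:02d}"
        for hour in MORNING + AFTERNOON:
            if n <= 2:
                errors = 6
            elif n <= 5:
                errors = 5 if hour in AFTERNOON else 1
            else:
                errors = 1
            rows.append({"operator": op, "hour": hour, "bills": 100, "errors": errors})
    return rows


def pareto_by_operator(rows):
    """Operators ranked by error count with the cumulative share of all errors."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["operator"]] += r["errors"]
    grand = sum(totals.values())
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    out, running = [], 0
    for op, n in ranked:
        running += n
        out.append((op, n, running / grand))
    return out


def vital_few(rows, share=0.8):
    """Smallest top group of operators accounting for at least `share` of errors.

    Returns (operators, their actual share, fraction of all operators)."""
    ranked = pareto_by_operator(rows)
    group = []
    for op, _n, cum in ranked:
        group.append(op)
        if cum >= share:
            return group, cum, len(group) / len(ranked)
    return group, 1.0, 1.0


def rate_by_period(rows, split_hour=12):
    """Error rate per operator before and after `split_hour`."""
    agg = defaultdict(lambda: {"am": [0, 0], "pm": [0, 0]})
    for r in rows:
        key = "am" if r["hour"] < split_hour else "pm"
        agg[r["operator"]][key][0] += r["errors"]
        agg[r["operator"]][key][1] += r["bills"]
    return {op: {k: v[0] / v[1] for k, v in d.items()} for op, d in agg.items()}


def classify(rows, high=0.03, ratio=2.0):
    """Separate operators who are high all day from those who only degrade
    in the afternoon; the two groups point to different causes."""
    rates = rate_by_period(rows)
    all_day = sorted(op for op, r in rates.items()
                     if r["am"] >= high and r["pm"] >= high)
    afternoon = sorted(op for op, r in rates.items()
                       if r["am"] < high and r["pm"] >= ratio * r["am"])
    return all_day, afternoon


if __name__ == "__main__":
    sample = build_sample()
    ops, share, frac = vital_few(sample)
    print(f"{share:.0%} of errors come from {frac:.0%} of operators: {ops}")
    all_day, afternoon = classify(sample)
    print("high all day:", all_day, "| afternoon only:", afternoon)
```

The two lists the script produces mirror the auditor's split between the colour-blind operators (high all day) and the operators whose screens caught the afternoon sun.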
Summary and Conclusions
The use of technology and audit software is no longer constrained by hardware platforms, application systems, or types of audits being performed.
The economic pressures in the business world and the benefits that can be
accrued in all phases of the audit process and the administration of the audit
function demand that audit management maximize their use of CAATTs. Audit organizations and auditors must challenge the status quo and search for
new ways to perform standard tasks. They must also look for new opportunities for audit to contribute to the well-being of the organization. Modern
audit software can assist audit in changing and producing better results.
As management continues to adjust to the economic, political, and
business pressures outside and within the organization, audit will be asked
to do more and to do it more efficiently and effectively. Are we up to the
challenge, or will we be outsourced? The use of CAATTs and innovative
techniques may be the most important factor in answering this question.
CHAPTER 5
Data Access and Testing
As pointed out often in this book, data access, verification, and testing
are the crucial activities of modern auditors who want to add value to
their clients by assessing and guaranteeing the credibility of the information generated or provided by means of computers. To accomplish this,
auditors must first apply their critical mentality to the data underlying the
information.
For many years, accessing and using data has been the domain of
the computer audit specialist, primarily because of the technical knowledge
required to use CAATT software. However, developments in computer technology and CAATT software have placed the responsibility clearly on the
shoulders of the general auditor. This means that all auditors must have a
better understanding of data access methods, data integrity, and the use of
CAATTs.
The first part of this chapter discusses the various conditions for accessing data. Then the assessment of the data reliability precedes the decisions
about the amount, direction, and intensity of any testing to be performed.
This is followed by a topology of data tests that modern analysis software
and technology support, and by a discussion of the potential problems
associated with the incorrect use of CAATTs.
Data Access Conditions
The client may be internal to the organization, at a regional office, or external to the company. The data may be on a mainframe, minicomputer,
or microcomputer system. Regardless, at some point in time, all auditors
using CAATTs will be required to obtain access to client data. A problem
in accessing client data was one of the main barriers to the widespread
use of CAATTs. However, new techniques allow for the efficient and easy
access to and transfer of client data. While there is no single method for
accessing client data, there exist several possibilities. With careful planning
and a good understanding of the options, most auditors should have little
problem in obtaining the data they require.
There are three main options for accessing client data, each with their
own problems and opportunities. The first is a traditional one and requires
using the client’s computer facilities. The second is to download the data
from the client’s system to the auditor’s computer and perform the analyses
there. The third is to use mass storage devices (nine-track tapes, cartridges,
CD-ROM, optical disks, etc.) attached to a microcomputer that runs powerful
audit software.
Prior to choosing between the client’s and auditor’s facilities, auditors
will probably consider the pros and cons of using mainframe versus minicomputers versus microcomputers. Another consideration is the types of
electronic data to be accessed. The last, and least pressing, consideration is the
availability of software for audit purposes.
Mainframe versus Minicomputer versus Microcomputer
One of the first decisions that an internal audit organization considers when
deciding to implement CAATTs is: What type of computer is available and
should be used? From the early 1960s through the 1980s, there was little
choice. The data and the required tools existed only on the mainframe
and minicomputers. Auditors would ask the respective programmers to run
specialized reports to extract information. In some cases, standard reports
were run regularly, while in other cases ad hoc reports were written to
satisfy specific audit requirements. In the late 1980s, as a result of increases
in the processing speed, storage capabilities, and the development of new
tools, the microcomputer became an increasingly viable alternative to the
mainframe computer.
In comparing the mainframe, minicomputer, and microcomputer environments, a number of issues should be considered. The following briefly
outlines some of the advantages and disadvantages of using the microcomputer for audit purposes, relative to the mainframe and minicomputer environments, and concentrates on recent, major changes in audit
technology.
Portability of Programs and Data
Data and audit programs are portable, so the CAATTs and specific analyses
can be run or rerun on any microcomputer. The portability of the data
and programs is particularly attractive to auditors who are on the road and
need to bring the data to the client site or back to headquarters. It is also
useful for auditors who are conducting audits at various locations. Standard
audit programs (scripts and macros) can be stored onto a microcomputer
and brought to the new site. Data are extracted from the local systems
and processed by audit software, ensuring consistency across operations,
regardless of the computing environment of the local office. Audit programs
are reusable, since no matter where the data came from, the same software is
used by the audit team, and the audit programs can also be easily modified.
Limitations to Using the Microcomputer
As the power of the microcomputer increases, the distinction between it
and the mainframe becomes less and less clear. Twenty years ago, it was
easy to provide a definition that separated the two computer platforms. The
old definitions referred to physical size, supported peripherals, and speed.
However, the microcomputers of today have become extremely powerful,
supporting a variety of peripherals such as tape readers, CD-ROMs, and
tape cartridges. Ironically, mainframes have become so small in size that
the distinction is further blurred.
More recent definitions attempt to define computers by the function
they perform; for example, a microcomputer can be described as:
a computer that is part of an individual’s office equipment and is used
to increase the individual’s personal productivity by automating all or
part of their work function.
This definition applies equally to office workers, managers, and internal
auditors. In particular, auditors must carry out reviews of the operations of
the business. All such operational reviews will contain the same basic steps:
planning, research (education), identification of procedures, identification
of internal controls (or lack thereof), testing controls, and reporting findings and recommendations. These are the areas where auditors and audit
management can use technology to increase individual productivity and
organizational effectiveness.
Auditing cannot be automated—it remains fundamentally based on critical thinking. However, many audit functions can be performed more efficiently and effectively with the aid of the computer. Still, many auditors feel
that there are a number of barriers to using microcomputers in audit. To
address this issue, common concerns are discussed as follows. (See also Will
and Brodie [1991], who argue convincingly for the use of microcomputers
in auditing.)
Processing Speeds
Similar to the limitations on storage, microcomputers do not nominally process
data at the same speed as the mainframe. Jobs may still take longer
to run; however, the rapid development in chip design is constantly improving on microcomputer processing speeds. Using microcomputer audit
software, you can already process in excess of 50,000 records per second,
and the speed is increasing. The total elapsed time may be less on the
microcomputer, since numerous mainframe jobs may have to compete for
CPU resources and peripherals.
Single Tasking
In the early 1990s, most microcomputers were single tasking and only one
job could run at any one time. The microcomputer was unavailable for other
use until the current program had ended. This was a limitation of the basic
operating system of the microcomputer. Some earlier operating systems, like
UNIX or its derivatives, allowed for multitasking, and today Windows NT
and Windows XP operating systems permit true multitasking. For example,
a simple script or macro can be written to combine all the monthly files
into a single file for the year. The job can run in the background, while the
auditor is working on the final draft of the audit report in Word.
Inability to Deal with Complex Data and File Structures
Early audit software was only able to read a few types of files. Today,
audit software will accept various types of data (EBCDIC, ASCII, numeric,
zoned, binary, packed, floating point, and more). It can read complex file
types including variable-length records and multiple record type files, as
well as standard fixed-length records. Electronic data is, of course, one of
the prime audit objects. The variety of file and data types that can be found
in client databases and information systems is immense and can only be
understood in an historical perspective. Many organizations have systems
that were developed 15 to 20 years ago, and such systems present auditors
with unique challenges. The issues are conveniently captured in terms of
legacy versus modern data.
LEGACY DATA The term legacy data refers to the multitude of files and data
types created over the last 30 years by programmers using programming languages such as APL, BASIC, COBOL, and FORTRAN. The data is sometimes
contained in diverse Database Management Systems (DBMS)—for example,
hierarchical, networked, and relational—and runs on a variety of machines
and platforms. Support for such legacy systems may be weak, with corporate knowledge and documentation severely lacking, or even nonexistent.
However, legacy systems often perform functions vital to the organization,
such as customer billing or payroll, and must be maintained for operational reasons. As such, they contain relevant and useful data for audit
purposes. Since these systems have not been redesigned and rewritten in
more modern programming languages, data access and analysis can pose
some real problems for auditors. The systems are often not supported by
query capabilities and only produce very specific reports or output. Thankfully, modern audit software is capable of handling a variety of data types.
For example, data from a system developed on a Unisys system in MAPPER
or that uses COBOL repeating fields can be downloaded and analyzed by
microcomputer-based audit software.
MODERN DATA The term modern data is used to denote the fact that the application system uses a primary data structure (e.g., linear record, relational
table, etc.) supported by a DBMS to maintain and administer the data. The
systems are also supported by query languages and report writers, making it easier for auditors to access and use the data. However, data variety
and inaccessibility are still a problem for many auditors. Interestingly, although identified early as one of the major problems facing auditors (Will
and Supper [1975]), many systems are still being developed without any
consideration to audit’s access requirements. Fortunately, current audit software addresses the problem by providing audit with access to practically
all legacy and most modern data structures. Since the data access problems
have been largely overcome, auditors can use audit software to perform
analyses, whether the data reside on a legacy or a modern system.
Client Facilities
The use of client facilities is an option that should be carefully considered
from two viewpoints. The first is one of availability of client software. The
auditor may be allowed to use software that already resides on the client’s
system, which offers some advantages. In particular, the client applications
may already have query capabilities that the auditor can use. In other cases,
the client may have report writers or specialized software that the auditor
can use to access the data directly. For example, the client’s application
may already be supported by Structured Query Language (SQL) capabilities
or an ad hoc reporting function that would make the task of accessing
complicated databases easier and less time-consuming. In these cases, the
auditor does not have to contend with downloading the data. However, the
main drawback is the potential for a loss of independence. If the auditor
is using extraction routines or standard reports that were developed by the
client, how can he or she be sure of the integrity of the results?
Further, using client software to perform extractions and analyses means
that the auditor must have, or develop, sufficient expertise with each client’s
software. This may require proficiency with a variety of software packages,
most of which were not designed specifically for audit purposes and which
may be difficult to use. Should auditors spend their valuable time programming and waiting for debug and test results prior to finally executing the
special-purpose program?
A second option is to load the audit software onto the client’s computer
system. While this addresses some of the earlier concerns such as familiarity
with the client’s software, it raises new issues as well. The clients may not
be inclined to allow unknown software to be loaded onto their computer
system. Furthermore, the audit software may not be compatible with the
client’s environment or may disrupt production jobs. And the auditor may
require help in loading the software on the client’s system. For these reasons,
unless the client site is audited on a regular basis and the software retained
on the system, the idea of loading audit software on the client’s computer
is often not viable.
The use of the client’s facilities poses more than a simple problem, and
the solution may compromise an auditor’s independence to the extent that
the data testing may not be undertaken. Fortunately, the option of using the
auditor’s facilities has improved over the last 15 years.
Auditor’s Microcomputer-Based Facilities
The personal computer (PC) has revolutionized, democratized, and globalized modern computing and is no longer the toy it was when first introduced. The PC has become a vital part of many business operations.
In fact, coupled with the development of audit software, auditors are now
(and for some, for the first time ever) capable of performing their work
comprehensively, independently, and professionally.
Rather than performing the analysis on the client’s system, often the
preferred option is to extract the data to a file and download the file to
the auditor’s microcomputer. Many computer facilities come with standard
utilities that the auditor can use to make copies of data files. However,
sometimes it may be necessary to have the client perform the extraction
and download. In these cases, the auditors must be confident that the extraction and download has been performed to their specifications. Auditors
should critically review the jobs written by the client and, where possible,
compare the results of these jobs with control totals, standard reports, or
other independent sources of information.
The option of downloading client data to the auditor’s microcomputer
is becoming much more feasible than it was in the 1980s. Today, microcomputers are better equipped to handle the volumes of data that may be
required for a large audit. There exist more options for accomplishing the
download. In the early 1980s, the primary option was the use of terminal
emulation software such as Kermit or Xtalk and a controller card such as
an IRMA board. Now, microcomputers support a variety of transportable
media including DAT drives, 32-channel tape cartridges, memory sticks, external hard drives, and CD-ROMs. Each of these media hold hundreds of
megabytes of data, making access to, or the transfer of, even large data files
a distinct possibility.
Local area networks (LANs) often have built-in gateways and mainframe terminal emulation capabilities that allow microcomputers to connect
directly to the mainframe systems and allow the direct downloading of data
files to microcomputers. Once the data is downloaded, microcomputers, especially those with the latest chips, have more processing power and speed
than mainframes did 10 to 15 years ago. So there is no need to worry about
processing capabilities anymore, considering the variety and power of the
software available on microcomputers today.
In the case of DBMS, a number of options can be employed to access
directly or create indirectly the relevant data files for downloading. Most
DBMS applications have utilities that support the extraction of data to a flat
file. Most audit software also supports Open Database Connectivity (ODBC)
compliant databases, so SQL queries can be written to extract the data. Some
audit software has built-in interfaces to ERP systems and, if all else fails,
another option is the generation of a report that is captured in a file and
then downloaded and analyzed as if it were a data file. The extraction of the
required data no longer remains an issue. However, ensuring the accuracy
of the extracted data, once downloaded, is still extremely important.
Data Extraction and Analysis Issues
The first step in employing CAATTs as an audit tool is obtaining access to
and analyzing the client data. This includes not only physical and logical access to the data, but an understanding of the data, an ability to use the audit
software, and, from time to time, support from technical specialists. All these
issues must also be considered in the context of the objectives of the audit.
As recently as 15 years ago, the options for transferring data from mainframe to microcomputer were few and often slow. Communication software brought data down using SNA gateways at 2400 baud. Today, not
only have the options increased, but so has the speed at which data can
be downloaded. In addition to downloading data, you now have the option of processing CD-ROMs, external hard drives, memory sticks, and tape
cartridges directly with the microcomputer. For example, in one organization, a production job copies the inventory database to a file at the end
of each month. The file is sent to the internal audit server via file transfer
protocol (FTP). Since the inventory system is live, the monthly file provides
audit with a snapshot in time and can be used for trend analysis and other
tests. In another organization, CD-ROMs, with detailed transactions from the
financial system, are produced quarterly and sent to the audit department.
In another, ODBC is used to extract hundreds of gigabytes, which are then
stored on an external hard drive.
Accessing the Data
Many audit departments do not have any access to the company’s electronic
data. With advancements in technology, both hardware and software, this
is rarely a technical issue anymore. Audit software can read and analyze
most data structures, and microcomputers can handle large volumes of data.
Sometimes, lack of access is a result of the client’s reluctance to provide audit
with access to the application systems rather than a lack of technology.
Support from management may be needed for audit to obtain physical
and logical access to the required information. This may require a strongly
worded statement from senior management to the effect that “auditors will
be given access to any and all application systems and information required
to perform their duties.” For key application systems, whose information is
regularly required by audit, this would mean read-only access at all times.
For other less-used systems, the access may be granted on an as-required
basis only. For example, audit may always have access to the inventory
system, but may only require temporary access to the hiring data in the personnel system while auditing the company’s progress toward employment
equity in hiring practices.
Audit organizations that have secured management support and direction regarding access to systems and information should ensure that the
client is well informed of audit’s access rights and requirements.
No matter how the data file is created, the auditor should consider the
following when obtaining access to, or downloading, client data:
Obtain client agreement that the requested data can be used to address
the audit objectives.
Obtain a listing of required tables, key fields, and the logical and physical database structures.
Obtain copies of record layout and definitions of all fields and ensure
that you have a good understanding of the data. The record layout will
describe each field and provide information concerning the starting and
ending positions and the data type (numeric, packed, character, etc.).
Obtain a printout of the first 100 records in the data file and compare
this to a printout of the downloaded data. This can be useful when
building a format file for the downloaded data.
Obtain look-up tables for all fields stored as coded values and explanations of all possible values for coded fields.
Obtain the range of valid values and the edit checks for each field. This
information can be easily used to verify the contents of each field and
test edit checks.
Verify data for completeness and accuracy, including checking the field
types and formats, such as identifying all records with an invalid date
in a date field.
Produce control totals on the mainframe and compare with totals of the
downloaded data to ensure all records have been properly extracted
and downloaded and that the downloaded file was properly analyzed
and interpreted. This establishes the basis for extensive tests of the data.
Check original reports against independently produced audit information in order to evaluate the extent to which the original purposes have
been or are being met.
The main goal is to ensure that the downloaded data file contains all
the information needed to perform the audit, that its structure is known,
that the files are clean, and that the audit team knows all formalities about
them. If these conditions are met, the auditor can safely proceed with an
assessment of the integrity of the data.
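As an added example, not from the book, the Python script below applies several items of this checklist to a constructed fixed-width download: it slices each record by the client's record layout (start and end positions plus data type), runs edit checks on dates, coded values and valid ranges, and reconciles record count, amount total and a hash total against the client's control totals. The layout, look-up table, sample records and control totals are all invented for the example.

```python
from datetime import date
from decimal import Decimal

# Record layout as a client would supply it: field, start, end (1-based,
# inclusive) and data type. Constructed for this example.
LAYOUT = [
    ("cust_id", 1, 6, "char"),
    ("inv_date", 7, 14, "date"),    # YYYYMMDD
    ("amount", 15, 24, "num2"),     # unsigned numeric, two implied decimals
    ("status", 25, 25, "code"),
]
# Look-up table and valid ranges obtained from the client (constructed).
LOOKUPS = {"status": {"P": "paid", "O": "open", "C": "cancelled"}}
RANGES = {"amount": (Decimal("0.00"), Decimal("50000.00"))}

# Constructed download of six 25-byte records; records 3, 4 and 5 carry
# an invalid date, an unknown status code and an out-of-range amount.
DOWNLOAD = [
    "C00001" "20081114" "0000012550" "P",
    "C00002" "20081115" "0000099900" "O",
    "C00003" "20080230" "0000005000" "P",
    "C00004" "20081120" "0000001000" "Z",
    "C00005" "20081121" "9999999999" "O",
    "C00006" "20081130" "0000000000" "C",
]
# Control totals the client produced on the mainframe (constructed).
CLIENT_TOTALS = {"count": 6, "amount": Decimal("100001184.49"), "hash_cust": 21}


def parse_record(line, layout=LAYOUT):
    """Slice one fixed-width line by the layout; returns (fields, problems)."""
    fields, problems = {}, []
    if len(line) != layout[-1][2]:
        problems.append(f"record length {len(line)} != {layout[-1][2]}")
    for name, start, end, ftype in layout:
        raw = line[start - 1:end]
        if ftype == "date":
            try:
                fields[name] = date(int(raw[:4]), int(raw[4:6]), int(raw[6:8]))
            except ValueError:
                fields[name] = None
                problems.append(f"{name}: invalid date {raw!r}")
        elif ftype == "num2":
            if raw.isdigit():
                fields[name] = Decimal(raw).scaleb(-2)   # apply implied decimals
            else:
                fields[name] = None
                problems.append(f"{name}: non-numeric {raw!r}")
        else:
            fields[name] = raw
    return fields, problems


def validate(fields, lookups=LOOKUPS, ranges=RANGES):
    """Edit checks: coded fields against look-up tables, numerics against ranges."""
    problems = []
    for name, table in lookups.items():
        if fields.get(name) not in table:
            problems.append(f"{name}: code {fields.get(name)!r} not in look-up table")
    for name, (lo, hi) in ranges.items():
        value = fields.get(name)
        if value is not None and not lo <= value <= hi:
            problems.append(f"{name}: {value} outside {lo}..{hi}")
    return problems


def control_totals(records):
    """Record count, amount total and a hash total over the customer numbers."""
    return {
        "count": len(records),
        "amount": sum((r["amount"] or Decimal(0)) for r in records),
        "hash_cust": sum(int(r["cust_id"][1:]) for r in records),
    }


def reconcile(expected, actual):
    """Totals that differ between the client's figures and ours (empty = match)."""
    return {k: (expected[k], actual.get(k)) for k in expected
            if expected[k] != actual.get(k)}


def check_download(lines, client_totals):
    """Parse and edit-check every record, then reconcile to the control totals."""
    records, exceptions = [], []
    for n, line in enumerate(lines, 1):
        fields, problems = parse_record(line)
        problems += validate(fields)
        records.append(fields)
        exceptions += [(n, p) for p in problems]
    return reconcile(client_totals, control_totals(records)), exceptions


if __name__ == "__main__":
    diffs, exc = check_download(DOWNLOAD, CLIENT_TOTALS)
    print("control total differences:", diffs or "none")
    for record_no, problem in exc:
        print(f"record {record_no}: {problem}")
```

An empty reconciliation result only shows the file arrived whole; the exception list is what tells the auditor which fields cannot be trusted before testing begins.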
Data Storage Requirements
It is still true that the hard disks on microcomputers are limited in capacity,
although not as limited as ten years ago. Disks of 300 gigabytes (three hundred billion bytes) are readily available, even on laptop computers.
However, the physical size of hard disks is still fairly limited when compared with mainframe disks. Therefore, considering the vast quantities of
data that the auditor needs to analyze, it may not be practical to transfer all
of the required data from the mainframe.
Case Study 34: Processing Multireel Volumes of Data
About ten years ago, auditors of a European bank were forced to process millions of transactions stored on many reels of nine-track magnetic
tapes with microcomputers and an attached nine-track tape reader, running under innovative audit software. They were asked to prove to
top management and to the MIS department that internal audit was
and could continue to be technologically independent while saving
costs, improving their services, and providing information not available
through the MIS department. They did it, of course, using the powerful
features of modern audit software. Today, they could do it even more
easily and quickly, because the software has become more user-friendly
and handles multivolume and continuous multirecord processing with
control breaks and intelligent record selection automatically.
Alternatively, a sample number of transactions can be downloaded and
reviewed with the audit software. If the review proves fruitful, a program
could be written on the mainframe to perform the same analysis. Some audit
software runs on microcomputer, mainframe, or client-server platforms, so
the audit program can be uploaded to the mainframe and run, with little or
no changes to the code.
Case Study 35: Processing against a Sample File
The inventory system contained millions of transactions, requiring more
hard disk space than the auditor had available. CPU time was also very
expensive, because a service bureau was used for processing. Rather
than using the mainframe to analyze the millions of records in the
database, the auditors first extracted a random sample of 200,000 transactions. They used their own microcomputer to test a number of their
hypotheses on the sample file. When they had debugged the programs
and were satisfied with the results, they uploaded the analyses to run
them on the mainframe against the complete database. In this way, they
reduced the overall service bureau costs by developing their analyses
on the microcomputer and still were able to perform a 100 percent test
of the data.
Analysis of Data
Audit software permits auditors to interact directly with the data with minimal knowledge of specialized programming techniques. Most audit software packages have a user-friendly interface and are menu-driven. Auditors
can analyze data files using a declarative language rather than a procedural
programming language. Certain functions are automated to the extent that
one command can be used to carry out a fairly complex task. For example,
auditors can calculate averages, means, and other meaningful values simply
by running a statistical analysis using audit software (see Exhibit 5.1).
Audit software must be very powerful, allowing fairly complex applications to be written, even to the extent of simulating the processing portions
of a production program to verify that processing of the data has been
accurate and complete (see Parallel Simulation in Chapter 2).
EXHIBIT 5.1 Statistics on Payment Amount

             Number            Total        Average
Positive:     4,670    15,906,511.96       3,406.11
Zeros:            9
Negative:       304   −24,780,513.74     −81,514.85
Totals:       4,983    −8,874,001.78      −1,780.86
Abs Value:             40,687,025.70
Range:                 11,248,084.00

Highest 5: 5,176,542.00, 1,146,200.00, 725,000.00, 360,000.00, 357,000.00
Lowest 5: −6,071,542.00, −5,176,542.00, −4,974,042.00, −1,146,200.00, −1,146,200.00
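The statistics in Exhibit 5.1 can be reproduced on any numeric field with a few lines of code. The following is an added example on a constructed list of payment amounts, not the book's audit software; it stratifies the field into positive, zero and negative values, and reports the net total, absolute value, range and extreme values that an auditor compares with control totals or uses to spot credits and zero payments in a field that should hold only positive amounts.

```python
"""Stratified statistics on a numeric field, laid out like Exhibit 5.1.
Added example on a constructed list of amounts; not the book's audit software."""
from decimal import Decimal


def _stratum(values):
    """Count, total and average (two places) of one stratum."""
    total = sum(values, Decimal("0"))
    average = (total / len(values)).quantize(Decimal("0.01")) if values else None
    return {"number": len(values), "total": total, "average": average}


def payment_statistics(amounts, n_extremes=5):
    """Positive / zero / negative strata, overall totals, absolute value,
    range and the highest and lowest n_extremes values of a field."""
    values = [Decimal(str(a)) for a in amounts]
    positive = [v for v in values if v > 0]
    zeros = [v for v in values if v == 0]
    negative = [v for v in values if v < 0]
    pos, neg = _stratum(positive), _stratum(negative)
    ordered = sorted(values)
    return {
        "positive": pos,
        "zeros": {"number": len(zeros)},
        "negative": neg,
        # The overall average divides by every record, zeros included.
        "totals": _stratum(values),
        "abs_value": pos["total"] - neg["total"],    # sum of |amount|
        "range": (ordered[-1] - ordered[0]) if ordered else None,
        "highest": ordered[::-1][:n_extremes],
        "lowest": ordered[:n_extremes],
    }


# Constructed payment amounts, including zeros and credits (negative values).
SAMPLE_AMOUNTS = [100, 250.50, 0, -75.25, 30, 0, -11, -13.75]

if __name__ == "__main__":
    stats = payment_statistics(SAMPLE_AMOUNTS)
    for name in ("positive", "zeros", "negative", "totals"):
        print(f"{name:10s} {stats[name]}")
    print("abs value", stats["abs_value"], "range", stats["range"])
    print("highest", stats["highest"], "lowest", stats["lowest"])
```

Note that the net total (positives plus negatives) and the absolute value (positives minus negatives) answer different control questions: the first should agree with the application's net control total, the second with the sum of all amounts regardless of sign.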
Risks of Relying on Data—Reliability Risk
CAATTs can be used to improve the efficiency and effectiveness of most
audits. With CAATTs, financial, personnel, inventory, and other data can
be used to select a sample, perform 100 percent examination of the data,
examine trends, and conduct detailed analyses and much more. But obviously, the utility of these tools and techniques is dependent on the integrity
of the data. The Canadian Institute of Chartered Accountants has produced
a document that discusses the application of audit software in the context
of audit risk (CICA [1994]).
The auditor’s concerns over data integrity (or lack thereof) will change
in complexity and nature, depending on whether the computer application
is being audited or the application’s data is merely being used to support an audit. The audit of a computer application will typically contain
steps to assess the integrity of the application, including the completeness, timeliness, and accuracy of the data. However, there are many times
when an auditor is only using the data from an application to review a
client’s operations. In these cases, the audit program may not include all
the audit steps necessary to fully assess the integrity of the application’s
data.
In either case, the auditor’s concerns over data integrity will be proportional to the reliance placed on the data analyses. Therefore, the auditor
must assess the integrity of the data before using the data. However, how
and to what degree must the integrity be examined? How much is too much
(over-auditing), and when is it not enough (under-auditing)? The answers
to these questions can be determined by first assessing the risk of relying
on the data analyses (i.e., the reliability risk), and second, determining the
amount of data testing that must be completed (GAO [1991]).
EXHIBIT 5.2 Factors Affecting the Risk of Relying on the Data

Reliance on the Data                    Knowledge of System    Reliability Risk
Sole support for audit recommendations  None                   High
                                        Limited                Medium
                                        Extensive              Low
Used in combination with other          None                   Medium
information                             Limited                Low
                                        Extensive              Very low
Used as background only                 None                   Low
                                        Limited/extensive      Very low
Of course, auditors should never assume that the computer-based data is
reliable. Steps must therefore be taken to provide reasonable assurance that
the results of the data analyses will be valid. The evaluation of the integrity
begins with an assessment of the reliability risk. This risk is dependent on
the auditor’s reliance on the data and on the auditor’s knowledge of the
system:
Reliance on the Data + Knowledge of System = Reliability Risk
The more reliance the auditor is going to place on the results of the data
analyses and the less experience the auditor has with the system, the higher
the risk of drawing inappropriate conclusions (GAO [1991]). Conversely,
the lower the intended reliance on the data, and the better the auditor’s
knowledge of the system, the less critical the risk becomes. The relationship
between these variables can be shown in Exhibit 5.2.
Let us now look in more detail at the two factors determining reliability
risk: the auditor’s reliance on the data and knowledge of the system.
Reliance on the Data
The first way to reduce the reliability risk is to reduce the auditor’s dependence on the data and on the analyses performed. To do this, the auditor
should strive to use other information sources, such as management reports and previous audit results, when planning an audit and evaluating
the results of any analysis performed. Where possible, the auditor should
seek independent verification of the analysis results by reviewing existing
reports, such as standard user reports, control totals, exception reports, and
error and problem logs. By supplementing the auditor’s analyses with other,
independent, sources of information, the auditor can increase the reliability
of the opinion formulated through the analysis performed for the audit. This
will reduce the risk of drawing inappropriate conclusions.
Knowledge of the System
A second way to reduce the reliability risk is to increase the auditor’s understanding of the data and the application. An incomplete or inaccurate
understanding of the system, its data inputs, and its information outputs can
lead to false reliance and erroneous conclusions.
Case Study 36: Debits and Credits
One company’s financial system stored all transactions (debits and credits) in a single transaction file. The auditor was examining the debits for
a specific account. But instead of selecting only the debit transactions,
all transactions for the account were extracted. Three days into the audit
the auditor learned of the mistake.
As illustrated in Case Study 36, the main defense against misunderstanding is knowledge. The auditor can gain knowledge of the audited system by
reviewing system documentation and by talking to the system’s users and
programmers. However, this does not guarantee that the data processed by
the system are reliable. If the system has limited or no documentation, or
if no one seems to know much about it, then the auditor can develop a
better understanding of it by working with the data directly. The auditor
can review the data by producing high-level summaries or detailed listings
of the data. This could include stratifications of the data on key fields to
determine the ranges of their values, the production of summaries in tabular
or graphical form, and possibly the use of overview reports on the one hand
and detailed scans of the data on the other.
Once the reliability risk is established, the auditor must determine the
amount of additional data testing that must be performed in order to confirm
the risk assessment. This is accomplished by coupling the degree of reliability risk (High, Medium, or Low) with the assessment of the system controls
(Strong, Adequate, or Weak). The combination of these two variables will
determine the extensiveness of the specific data testing required:
Reliability Risk + Control Assessment = Amount of Data Testing
If the reliability risk is high and the controls are assessed as being strong,
then the amount of data testing would be less than if the controls were
assessed as weak (GAO [1991]). In general, the weaker the application’s
controls, the more testing required (see Exhibit 5.3).
EXHIBIT 5.3 Determining the Amount of Testing Required

Reliability Risk    Assessment of Controls    Amount of Data Testing Required
High                Weak                      High
                    Adequate                  Moderate
                    Strong                    Low
Medium              Weak                      High to moderate
                    Adequate                  Moderate to low
                    Strong                    Low
Low                 Weak                      Moderate to low
                    Adequate                  Low
                    Strong                    Very low
Assessment of the Internal Controls
There are two basic approaches to assessing the strength of the internal controls. The first, a system review, directly assesses and tests the
controls. This usually involves a review of the general controls and the
application-specific controls. A review of the general controls could include reviewing system documentation and the physical and logical security, as well as organizational controls such as the separation of duties.
The test of the application controls could include reviewing the source
code, verifying input to source documents and output reports, comparing
batch and control totals, and using test data, parallel simulation, or other
tests.
The second approach, a limited review, involves examining the major controls, reviewing the data for reasonableness, and validating the edit
checks. Often a limited review can be performed to determine whether the
data can be used for CAATTs purposes. During this type of review, the
auditor should endeavor to identify the sources of data errors.
The application’s data can be corrupted on input, during processing, or
at the output stage. Input errors related to accuracy, timeliness, and completeness can be found by comparing the data to source documents. The
processing errors can be identified through parallel simulation of all or certain processes. Output errors can be found by comparing input documents
to output reports and through the comparison of the results of the parallel
simulation with the system output results.
Critical data testing continues to be one of the main occupations of
auditors, whether the data is contained in manual files or electronic systems.
However, when using data, auditors must also be careful to distinguish
between the amount, direction, and intensity of the data testing.
New Topology of Data Tests
Assessing the reliability risk of an audit in terms of the testing to be done
requires that the auditor address the threefold nature of data: its syntactic, semantic, and pragmatic dimensions (Will [1996]). This recognition will
guide the auditor in terms of the direction and intensity of the required
tests. It will also facilitate the rational definition of tests, their possible automation, their use for different types of audit, and their impact on audit
opinions.
SYNTACTIC TESTS Syntactic data tests recognize data as collections of symbols according to bit coding conventions in general and specific data structuring options. Syntactic data errors may be a result of improper data entry
(failure of the edit checks) or data manipulations by the application (processing errors). Syntactic tests analyze the data with respect to their internal
consistency and coherence. In performing syntactic tests, the auditor may
verify that all values conform to the field type (e.g., a date field should only
contain valid dates) and sort order. The auditor may even recompute certain
derived values such as total price (Quantity * Unit Price). Another example
is the equality of debit and credit entries in a double-entry bookkeeping
system.
It is important to note that syntactic errors may suggest semantic and
pragmatic errors. On the other hand, the absence of syntactic errors does
not mean that the data are semantically and pragmatically acceptable and
reliable.
SEMANTIC TESTS Semantic tests compare the data with their source documents; for example, verifying transactions against the original vouchers. Semantic testing uses criteria such as adequacy, completeness, timeliness, and
accuracy. Typical tests may include testing for gaps or duplicates, calculating
aged accounts receivable, or performing tests to establish that all customer
names represent living customers and not duplicates or pseudonyms.
Semantic data errors may pass syntactic tests. For example, missing
records may not fail the syntactic test for internal consistency, but may
indicate problems in the pragmatic domain.
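The syntactic and semantic tests described above, as an added example that is not from the book: the derived line total is recomputed from Quantity * Unit Price, each journal document is checked for equal debits and credits, and a pre-numbered invoice series is checked for gaps and duplicates. The field names, the invoice lines, the journal entries and the invoice numbers are all constructed for the example.

```python
"""Syntactic and semantic tests on constructed transaction data: recompute
a derived total, check that each journal document's debits equal its
credits, and look for gaps and duplicates in a sequence of invoice numbers.
Added example; the field names and records are constructed, not the book's."""
from collections import Counter
from decimal import Decimal


def recomputed_total_exceptions(lines):
    """Syntactic test: Quantity * Unit Price must equal the stored line total.
    Returns the line numbers where it does not."""
    return [
        line["line"]
        for line in lines
        if Decimal(line["qty"]) * Decimal(line["unit_price"]) != Decimal(line["total"])
    ]


def unbalanced_documents(entries):
    """Syntactic test: in double-entry bookkeeping every document's debits
    equal its credits.  Returns {document: debits - credits} for the rest."""
    balance = {}
    for e in entries:
        signed = Decimal(e["amount"]) if e["dc"] == "D" else -Decimal(e["amount"])
        balance[e["doc"]] = balance.get(e["doc"], Decimal("0")) + signed
    return {doc: net for doc, net in balance.items() if net != 0}


def gaps_and_duplicates(numbers):
    """Semantic test: a pre-numbered series should be complete and unique.
    Returns (missing numbers, numbers used more than once)."""
    counts = Counter(numbers)
    missing = [n for n in range(min(counts), max(counts) + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicates


# Constructed invoice lines: line 3 stores 28.00 where 4 * 7.25 = 29.00.
INVOICE_LINES = [
    {"line": 1, "qty": "10", "unit_price": "12.50", "total": "125.00"},
    {"line": 2, "qty": "3", "unit_price": "19.99", "total": "59.97"},
    {"line": 3, "qty": "4", "unit_price": "7.25", "total": "28.00"},
]
# Constructed journal: J101's credit has transposed digits (57.00 for 75.00).
JOURNAL = [
    {"doc": "J100", "dc": "D", "amount": "500.00"},
    {"doc": "J100", "dc": "C", "amount": "500.00"},
    {"doc": "J101", "dc": "D", "amount": "75.00"},
    {"doc": "J101", "dc": "C", "amount": "57.00"},
]
# Constructed invoice numbers: 1003 and 1006 never appear, 1002 appears twice.
INVOICE_NUMBERS = [1001, 1002, 1002, 1004, 1005, 1007]

if __name__ == "__main__":
    print(recomputed_total_exceptions(INVOICE_LINES))   # [3]
    print(unbalanced_documents(JOURNAL))                 # {'J101': Decimal('18.00')}
    print(gaps_and_duplicates(INVOICE_NUMBERS))          # ([1003, 1006], [1002])
```

The gap test illustrates the point made above: a missing invoice number passes every internal-consistency check, and only the comparison against the series as issued reveals it.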
PRAGMATIC TESTS Pragmatic tests seek to verify that the data is a true representation of reality. Not only are the assets properly identified (a valid
control number), correctly classified, and valued (agree with source documents), but they are also real assets rather than expressions of nonexistent
capital and wealth. For example, sampling may help identify pragmatically
risky data and support confirmations of accounts receivable or physical
inventory counts.
The intensity of the testing can be classified with respect to the reliability
risk associated with each type of error. For example, the internal control of
an application system may be judged to be very strong, but if the source
documents contain errors or are not well controlled (e.g., lost or entered
twice), then the data still will not have a high degree of reliability. Therefore,
the evaluation of data integrity will require the auditor to consider the three
facets of data testing—syntactic (internal consistency), semantic (consistency
to source documents), and pragmatic (true reflections of reality)—when
assessing the reliability risks, examining the strengths of the controls, and
formulating an audit opinion.
Reducing Auditor-Induced Data Corruption
To minimize the risk of auditor-induced data corruption, audit software
provides read-only access to the files. The auditor may only copy or extract
data into special audit files, yet these activities may still result in errors. In
general, the more operations performed on such data by the auditor, the
greater the chances are of auditor-introduced errors.
Errors can occur when the data is extracted from the application to
create a file for further analysis. The extracted data is often converted from
one format to another; for example, from a zoned decimal field to numeric
or from EBCDIC to ASCII. And errors may be introduced if the auditor
incorrectly defines the record layout to the audit software. Possible errors
include missing fields, fields defined in the wrong order, incorrect field
types, or shifted decimal points. These types of errors will invalidate the
results of any analysis performed by an auditor.
As stated before, there are a number of things you can do to help reduce the likelihood of auditor-introduced errors. First, use the application
to create control totals, such as total number of records and total dollars,
and compare these with the totals calculated using the extracted file. Obtain
copies of the record layouts and printouts of the first 100 to 200 records and
compare them with the results obtained by the analysis software. Compare
auditor-generated reports with standard reports produced by the application. Download the data in its original, native format, without translation,
when downloading data from the mainframe to the microcomputer. Most
microcomputer-based data analysis packages support various data types
including ODBC and mainframe formats. For example, audit software packages also support the automatic creation of file formats for COBOL files and
the direct use of dBASE and other types of files, without having to export,
extract, or create new file formats.
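Why the native format matters, as an added example that is not from the book: a mainframe zoned-decimal amount is decoded directly from its EBCDIC bytes, and the same bytes are shown after a text translation, where the sign byte turns into a letter, and with the wrong number of implied decimals, where the decimal point shifts. The record layout and the sample bytes are constructed for the example.

```python
"""Decode a zoned-decimal amount from a mainframe record kept in its native
EBCDIC form, and show what goes wrong when the field is translated to text
first or defined with the wrong number of implied decimals.  Added example
with a constructed record layout; not code from the book."""
from decimal import Decimal

# In zoned decimal (COBOL PIC S9...), every byte holds one digit in its low
# nibble with zone 0xF; the last byte's zone carries the sign instead.
SIGN_ZONES = {0xC: "", 0xF: "", 0xD: "-"}      # 0xF: unsigned field


def decode_zoned(raw: bytes, decimals: int) -> Decimal:
    """raw: the field exactly as stored on the mainframe; decimals: implied
    decimal places from the record layout (the V in PIC S9(7)V99)."""
    if not raw:
        raise ValueError("empty zoned-decimal field")
    digits = []
    for i, b in enumerate(raw):
        zone, digit = b >> 4, b & 0x0F
        last = i == len(raw) - 1
        if digit > 9 or (not last and zone != 0xF) or (last and zone not in SIGN_ZONES):
            raise ValueError(f"byte {i}: {b:#04x} is not a zoned-decimal digit")
        digits.append(str(digit))
    return Decimal(SIGN_ZONES[raw[-1] >> 4] + "".join(digits)).scaleb(-decimals)


def translated_as_text(raw: bytes) -> str:
    """What the same field looks like after an EBCDIC-to-ASCII translation:
    the sign byte becomes a letter or symbol and the audit software can no
    longer read the value as a number."""
    return raw.decode("cp037")


def decode_record(record: bytes):
    """Constructed layout: positions 1-6 vendor id (EBCDIC text), positions
    7-15 amount PIC S9(7)V99 (9 zoned digits, two implied decimals)."""
    vendor = record[0:6].decode("cp037").rstrip()
    amount = decode_zoned(record[6:15], decimals=2)
    return vendor, amount


# Constructed sample bytes.  +1,234.56 -> digits 000123456, sign zone 0xC on the 6.
POS_AMOUNT = bytes.fromhex("F0F0F0F1F2F3F4F5C6")
# -45.00 -> digits 000004500, sign zone 0xD on the final 0.
NEG_AMOUNT = bytes.fromhex("F0F0F0F0F0F4F5F0D0")
SAMPLE_RECORD = "V00012".encode("cp037") + POS_AMOUNT

if __name__ == "__main__":
    print(decode_record(SAMPLE_RECORD))             # ('V00012', Decimal('1234.56'))
    print(decode_zoned(POS_AMOUNT, decimals=3))     # Decimal('123.456'): shifted decimal point
    print(translated_as_text(POS_AMOUNT))           # '00012345F': sign byte became a letter
```

A field that decodes cleanly but with the wrong implied decimals passes every type check and silently scales every amount by ten, which is why the decoded total must be reconciled with a control total from the source system.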
Potential Problems with the Use of CAATTs
It has been said that, “to err is human; to really foul things up requires a
computer.” Every day you read in the newspaper about computer errors
costing companies millions of dollars. I would contend that, for the most
part, these computer errors are human errors, efficiently and effectively
carried out by the ever-obedient computer. Thus, the use of CAATTs is not
a panacea to all your problems. In fact, improper use of automated tools
and techniques can cause their own problems. The key to avoiding errors in
the analysis and interpretation of client data is knowledge. This knowledge
comes from training, experience, and technical support from others.
Without an effective Quality Assurance (QA) program and adequate
training for all auditors, the audit organization is at risk. The four common
types of errors made by auditors performing data extraction and analysis
are:
Incorrect identification of the audit population, including missing or
extra transactions
Improper definition of data requirements
Invalid analysis because of misinterpretation of the data, improper logic,
or improper use of the audit software
Failure to recognize CAATT opportunities, resulting in tasks being performed manually rather than electronically
The following examples highlight these types of problems. By reviewing
the types of errors, perhaps you can avoid making similar mistakes.
Incorrect Identification of Audit Population
In reviewing the analyses performed by audit teams, too often it becomes
obvious that many auditors have not spent sufficient time on the identification of the audit population during the planning phase. It follows that
if the audit population is not correctly defined, any subsequent analysis of
the data would not support the objectives of the audit. For example, an
audit may not be assessing all financial accounts, or may only be interested
in certain types of financial transactions. Therefore, the audit team must
establish the criteria that will describe the audit population to be assessed.
These criteria will be used to extract the data to be analyzed.
It is critical to develop a good understanding of the data during the
planning phase. Discussions concerning the criteria for the selection of the
audit population must be given the necessary time and effort to arrive
at the right solution. All possible data sources, identification of key fields
and their meaning, and timing issues must be resolved before starting the
conduct phase of the audit. The audit teams that use this time wisely usually
derive significant benefits from front-end work. Adequate planning helps the
team develop an effective data analysis strategy and ensure that they have
properly identified the audit population. Failure to do so is illustrated in
Case Study 37.
Case Study 37: Financial Audit
In one financial audit, the expenditures at a regional office were understated by more than $5 million. This was the result of the erroneous
assumption that all the financial accounts for the regional office could
be identified by the first four characters of the financial code. While it
was true that most of the financial accounts rolled up, using the first four
characters of the regional office account, this was not always the case.
The financial system had a more complex structure, and the erroneous
assumption falsified the financial picture for the regional office.
In this audit, more than 20 additional financial accounts were missed
by the audit team. These could have been identified by using the financial tables and performing a variety of searches, including financial account code, location, and financial account manager. Alternatively, had
the auditors checked with the controller, they would have been given
the information they required. The failure to correctly identify the audit
population resulted in the conduct phase taking twice as long.
In Case Study 38, a sample of personnel was selected for several regional
offices. However, the auditors incorrectly defined the audit population from
which the sample was selected.
Case Study 38: Personnel Audit
The Corporate Human Resource Information System (CHRIS) contained
at least three fields about the employee’s location, including the:
Administrative location against which the position was charged
Physical location of the employee (where the employee worked)
Reporting location (where the personnel files were kept)
The auditors assumed that the physical location field “LOC” would
identify all people with personnel files located at the regional office.
Since they incorrectly used the LOC code, they failed to include people
working at the office, who had a different LOC code, and included
people physically located at the regional office but with personnel files
elsewhere. However, the auditors were not aware of these anomalies,
so they drew a sample of personnel. The result was that some of the
required physical personnel files were located at another site and could
not be verified during the on-site file reviews. The missing personnel
files caused a lot of problems when the auditors tried to extrapolate the
results to the entire population.
Without a proper analysis of the audit population during the planning
phase, inaccurate or incomplete data can be used during the conduct phase
and produce invalid results. Closely associated with the identification of the
audit population is the proper definition of it.
Improper Description of Data Requirements
Almost all CAATTs require access to client data files. Many audit teams have
encountered problems when attempting to access the client’s data because
they failed to properly identify or describe their requirements. The problems
include:
Incorrect statement of audit data requirements, which can result in the
information received not being what was needed
Failure to identify important fields, requiring the auditors to ask for a
second or third extraction
Failure to consider the client’s information system (IS) support unit’s
operational constraints or not realizing that the audit organization has
already placed other requests with the IS support unit; these failures
make any subsequent dealings with this support unit very difficult
Requesting information that the audit organization already has or that
is readily available from another source
Obtaining the information in a format that is not conducive to further
electronic use
Failing to tell the client the file format for the requested data file (such
as ASCII, flat file, delimited, dBASE, fixed record length, etc.)
Auditors must be careful to define their requirements and to determine
the best possible source of data to address those requirements. In many
cases, the answer can be obtained from a variety of sources: one or more
information systems, electronic reports, or files already extracted and available within the audit organization, such as summary extractions.
In one organization, the client provided information that stated that the
budget for the financial account was $100 million. In fact, the budget was
$200 million. In another example, the client stated that the company had
spent $33 million on air travel, whereas the auditors determined that the
actual amount was closer to $54 million. In both these cases, the differences
were attributed to incorrect definition of the auditor’s requirements. But a
great deal of time was spent reconciling the differences in the numbers.
The auditors will not possess knowledge about every system in an organization. Many audit organizations have addressed this problem by creating
an internal Information Support Analysis and Monitoring (ISAM) section,
which is responsible for assisting auditors in defining their requirements.
Part of the ISAM mandate is to be the focal point for all information requests. This will ensure that the ISAM staff and, indirectly, the entire audit
organization, continually improve their knowledge of the company’s main
application systems. As a result, all audit teams should be encouraged to not
only use the support section as a focal point when requesting information,
but also to provide feedback to the ISAM staff on data or systems that may
be of use to other audits.
Often when the IS audit teams perform detailed analyses of the company’s main information systems, little information flows back to the audit
organization. All team leaders and audit managers should ensure that audit
teams, especially IS auditors reviewing applications, provide feedback to the
audit department at the beginning, during, and at the end of the audit. The
feedback can be formalized by creating a lessons learned database and/or
involving the ISAM staff in the audit.
Invalid Analyses
Since audit software has become easier to use, auditors must be even more
careful that the analyses are properly conducted. The auditor cannot assume
that the successful completion of a command or operation means that the
results are correct. The command or operation must be executed in such
a way to produce the desired results. This requires the auditor to have a
higher degree of familiarity with the software than simply knowing that they
must, for example, click here to join two files.
The computer does what it is told and not necessarily what you meant
to tell it. Thus, when auditors are performing detailed analyses, there is
always a risk of making an error. Common types of errors include:
The incorrect definition of the format files for the client data, such as a
shifted decimal point.
The improper inclusion or exclusion of data. For example, audit teams
have used duplicate copies of data files in addition to the originals,
double counting all transactions. Others have used records in their calculations that had been marked for deletion in dBASE files, but not
physically removed because the databases had not been packed. Another frequent error is one of timing, the inclusion or exclusion of data
because of cut-off errors and improper syntactic tests.
The incorrect interpretation of the data. Many audit organizations have
seen cases where auditors have made incorrect assumptions concerning the data. The industry is full of examples where an entire series
of accounts or insurance policies were omitted from the audit sample because the auditors assumed all accounts started with a number, failing to review a new series of accounts starting with a letter.
Inventory turnover calculations have been botched by selecting the
wrong date fields, and numerous other errors have occurred in analyses performed by audit teams that neglected to perform proper semantic
tests.
Analyses that are incorrect because the recalculate option was disabled
on the spreadsheet package, formulae were incorrectly defined, or the
purposes of the information were improperly defined for pragmatic
tests.
The incorrect use of “AND,” “OR,” “NOT,” and other logical relations.
The incorrect joining of two or more files. This function often has five
or more different output results depending on what the user specifies
should be done with the unmatched transactions. Also, the results will
differ depending on which is the primary and the secondary file and
whether it is a many-to-one or a one-to-many match.
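The last item above, worked through as an added example that is not the book's audit software (whose join options may be named differently): a join of a payment file to a vendor master under each unmatched-record option, showing how the record count and the dollar total change with the choice of primary file and, in particular, how a duplicated key on the "one" side of a many-to-one match double counts payments. Both files are constructed.

```python
"""Join two audit files under the different unmatched-record options and show
how the record count and the dollar total change with the choice of primary
file and with a many-to-one match.  Added example with constructed files; it
is not the book's audit software, whose join options may be named differently."""
from collections import Counter, defaultdict

KEEP_OPTIONS = ("matched", "primary_unmatched", "secondary_unmatched", "all_primary", "all")


def audit_join(primary, secondary, key, keep="matched"):
    """Return the joined records.  keep selects the output:
    matched             - only primary records with a secondary match
    primary_unmatched   - primary records with no match in secondary
    secondary_unmatched - secondary records with no match in primary
    all_primary         - matched plus unmatched primary records
    all                 - matched plus unmatched records from both files"""
    if keep not in KEEP_OPTIONS:
        raise ValueError(f"unknown keep option {keep!r}")
    by_key = defaultdict(list)
    for rec in secondary:
        by_key[rec[key]].append(rec)
    out, matched_keys = [], set()
    for p in primary:
        matches = by_key.get(p[key], [])
        if matches:
            matched_keys.add(p[key])
            if keep in ("matched", "all_primary", "all"):
                # One output record per secondary match: with duplicate keys in
                # the secondary file a primary record is emitted more than once.
                out.extend({**s, **p} for s in matches)
        elif keep in ("primary_unmatched", "all_primary", "all"):
            out.append(dict(p))
    if keep in ("secondary_unmatched", "all"):
        for k, recs in by_key.items():
            if k not in matched_keys:
                out.extend(dict(r) for r in recs)
    return out


def duplicated_keys(records, key):
    """Keys that occur more than once; check this on the 'one' side before a join."""
    counts = Counter(r[key] for r in records)
    return sorted(k for k, c in counts.items() if c > 1)


def total_amount(records):
    """Dollar total of the records that carry an amount."""
    return sum(r.get("amount", 0) for r in records)


# Constructed files: a payment file and a vendor master with a duplicated vendor.
PAYMENTS = [
    {"vendor": "V1", "amount": 100},
    {"vendor": "V1", "amount": 250},
    {"vendor": "V2", "amount": 75},
    {"vendor": "V9", "amount": 500},     # no vendor master record
]
VENDORS = [
    {"vendor": "V1", "name": "Acme"},
    {"vendor": "V2", "name": "Beta"},
    {"vendor": "V2", "name": "Beta (old address)"},   # duplicate key
    {"vendor": "V3", "name": "Gamma"},                 # no payments
]

if __name__ == "__main__":
    print("payments total:", total_amount(PAYMENTS))            # 925
    for keep in KEEP_OPTIONS:
        joined = audit_join(PAYMENTS, VENDORS, "vendor", keep)
        print(f"{keep:20s} {len(joined)} records, amount {total_amount(joined)}")
    print("duplicated vendor keys:", duplicated_keys(VENDORS, "vendor"))   # ['V2']
```

The matched join totals 500 against 425 actually paid to V1 and V2, because the duplicate V2 master record doubles that vendor's payment; the unmatched-primary output (V9) is the list of payments to vendors not on the master file, which is the exception an auditor usually wants.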
A solution to reducing these types of errors is to seek independent
verification of results and to compare actual results with expected results.
During the planning phase, all proposed analyses should be properly defined in an analysis plan and reviewed for completeness, accuracy, and
proper data sources during the conduct phase.
Failure to Recognize CAATT Opportunities
It has been said that, “if the only tool you have is a hammer, all your
problems will look like nails.” CAATTs give you a powerful tool, so you can
use the right tool for the right job.
The failure to recognize opportunities for the use of automated tools
and techniques is the biggest single barrier to the successful implementation of CAATTs. Too often auditors have spent days—in some cases,
even weeks—manually performing tasks that could be performed by the
computer in a matter of minutes. In one case, the audit team spent several
days just trying to list the data in a format that would allow them to visually
compare the data with the data in another file. Using the computer to join
the files together would have saved the audit teams many hours of work.
While the manual comparison of two files could have missed records, the
electronic comparison would be 100 percent accurate and could easily be
repeated.
Not everyone is expected to have the same level of expertise with
audit software tools, but auditors should question any manual manipulation
of data that involves matching, sorting, searching, or repetitive calculations.
The human brain is ideally suited for tasks that require intuitive logic, pattern
recognition, and logical jumps, but the computer is better at routine and
repetitive tasks.
Audit organizations that create an ISAM section and use this section
to assist auditors in developing analysis plans will find that the number of
missed CAATT opportunities will dramatically decrease.
Summary and Conclusions
Many of the early challenges surrounding access to client data have been
resolved. It is easier to access client systems, extract client data, and transfer
those files to the auditor’s microcomputer. The microcomputer, in turn, is
more powerful and capable of handling vast amounts of data. What remains
is the requirement for the auditor to understand the data, the key fields, and
the analysis requirements.
Audit managers should be aware of the potential loss of time due to
incorrect or invalid analysis. They should ensure that each team is given
adequate time to plan for the use of CAATTs. The planning phase should
include the steps necessary to identify possible data sources, to identify the
criteria that define the audit population, and to develop an analysis plan.
History has proven that audit teams achieve better results when they are
supported by someone with audit and computer expertise from the outset
of the audit rather than at a later stage.
Team leaders should encourage team members to adequately document
the analyses performed and to share ideas and methodologies with others.
In particular, any manually performed analysis should be examined closely
to determine whether it could be better performed in an automated fashion.
Given the myriad of sources of information, team leaders should endeavor
to consult with other auditors or ISAM staff to determine the possible sources
of data to support the objectives of the audit.
Team members should review the contents of data files and develop
a good understanding of the data prior to embarking on long, detailed
analyses. The use and supervisory review of analysis plans should be encouraged. These plans detail all the analyses to be performed and their
expected results and will help reduce invalid analyses. The use of CAATTs
can bring about significant improvements in the efficiency and effectiveness
of many types of audits. However, the extent to which they can be used effectively must be tempered by knowledge of their limitations and the issues
affecting the individual audit.
The integrity of the data may be the single most significant limitation to
the use of CAATTs. Only data testing will provide the auditor with a good
measure of the integrity of the data. The auditor can then determine whether
automated tools and techniques should be used to assess the information
generated from them.
As part of the implementation and use of CAATTs, the auditor must
ascertain the degree of reliability, the extensiveness of the integrity testing
to be performed, and ways to reduce errors. There may be times when a
15 percent error rate in the data does not adversely affect the audit results,
but there will be other times when a 3 percent error rate invalidates the
audit findings. However, what constitutes an error is not a trivial question
but one that requires a three-dimensional approach: syntactic, semantic, and
pragmatic.
By following the guidelines in this chapter, the auditor can reduce the
likelihood of over-auditing the data where the controls are strong and the
integrity is judged to be high, or under-auditing the data where the integrity
is questionable. Prudence and probity must be the keywords when using
and relying on CAATTs. By creating an environment that recognizes not
only the potential of CAATTs, but also the unique challenges and requirements of CAATTs, audit can be successful in the implementation and use of
automated tools and techniques for data access and testing.
CHAPTER
6
Developing CAATT Capabilities
Audit expertise is one of the least defined concepts, and yet companies,
shareholders, stakeholders, and whole societies depend on professionals who audit and report on responsible entities for the benefit of the recipients of accountability information. In addition to professional proficiency,
modern auditors need to possess what has become known as computer literacy; however, with so many computer-literate auditees around, the notion
of computer audit literacy has become such an issue that this book had to
be written.
Professional Proficiency: Knowledge, Skills,
and Disciplines
The use of and dependence on computers in today’s business environment
is no longer an area that can be avoided by the audit profession. Auditing
around the computer is not a viable option for effective audit organizations. In fact, the importance of computerized information and the review
thereof is recognized by the inclusion of Practice Advisory 1220-2 “Computer Assisted Audit Techniques (CAATTS)” published by the Institute of
Internal Auditors (Institute of Internal Auditors [April 2005]). In particular,
the section of the IIA standards that deals with professional proficiency starts
by stating that internal audit staff or consultants engaged by internal audit
should have the knowledge and skills needed to perform the audit function. The standards continue and outline the specific proficiencies needed
to meet audit responsibilities and include the discipline of electronic data
processing.
It is important to think about and to identify the requisite technological
knowledge, skills, and disciplines of modern auditors before we discuss
information technology training in the next chapter. According to the Oxford
Dictionary, the following definitions apply:
knowledge    familiarity gained by experience
skill        practiced ability, facility in doing something
discipline   trained condition, mental and moral training
This means that audit technological knowledge, skills, and disciplines
are needed to support modern auditors in their various tasks. In previous
chapters, we stressed the need to access any electronic data and to be able
to analyze and test them in any possible manner in the pursuit of audit
objectives. We also subscribed to the notion that modern audit software
and technology can, will, and should support critical thinking (discovery
mode) and reasoning (judgment mode), the auditors’ two main intellectual
efforts that can guide them also in their critical observations.
The interesting issue now is trying to identify the minimal technological
skills of auditors—clearly a moving target in our rapidly evolving technological environment.
Computer Literacy: Minimal Auditor Skills
In considering the scope and performance of the auditor’s work, we can
find a few important clues again in the IIA Practice Advisories. When discussing the scope of work, the standards include statements to the effect
that internal audit should review the reliability and integrity of information.
The IIA standards note the critical nature of data, the use of data to support
decision making, and the requirement for external reporting. The Statement
on Auditing Standards, Analytical Procedures, SAS 56, states that analytical
procedures can be used to assist in planning the audit steps and the timing
and nature of the work to be done; in performing substantive testing; and
in the conduct of overall reviews.
The standards continue by stating that internal audit should be capable
of reviewing and assessing information systems and that the examination
by internal audit should include an assessment of the timeliness, accuracy,
and completeness of the information, as well as the controls over the data.
The section of the IIA standards describing performance of audit work
also provides direction to auditors, stating that auditors should be able to
access, analyze, and understand the data they need in order to formulate an
audit opinion. SAS 56 encourages auditors to use analytical techniques to
develop an understanding of relationships between various data elements,
both financial and nonfinancial, and to examine the data for trends.
The IIA has also published Implementation Standard 1210.A3, which
states that auditors should have knowledge of information technology risks
and controls and available technology-based audit techniques. In addition,
IIA Implementation Standard 1220.A2 states that auditors should consider
the use of CAATTs and other data analysis techniques.
SAS 94, The Effect of Information Technology on the Auditor’s Consideration of Internal Controls in a Financial Statement Audit, and SAS 80,
Amendment to SAS 31, Evidential Matter, describe both the benefits and
risks of information technology to internal control. SAS 94 provides guidance to auditors in determining the skills necessary to consider the effect
of computer processing on audit. It also states that auditors may not be
able to access certain information for inspection, inquiry, or confirmation
without using information technology. However, the matching of risks with
audit steps will help ensure that exposures are properly considered, and
addressed, by audit.
How then does an audit organization begin to take advantage of
the new technologies and techniques? There is no set answer to this
particular question. While a procedural-type manual cannot be used in
every organization, there are often similar steps that must be covered by
all organizations. In particular, any effort to implement CAATTs should
include the following steps:
1. Development of CAATTs should be planned and supported by senior management.
2. CAATTs should be linked to the goals and objectives of the audit organization.
Many organizations have made half-hearted or ill-conceived attempts at
employing automated tools and techniques—and have often failed. When
this happens, any subsequent attempt at implementing CAATTs will likely
face stiff opposition. Many other organizations have audit departments with
long, successful histories, and they may not be inclined to embrace new
technologies or approaches. However, organizations that are continuously
performing self-assessments will see that automated tools and techniques are
essential for audit in the 2000s and beyond. Electronic forms of information
are strategic inputs to the management decision-making process. Audit must
be able to capitalize on the utility and importance and to comment on the
reliability of the information.
Hylas and Ashton (Accounting Review [1982]) reviewed hundreds of
working papers to identify the techniques that had been used to identify
reported financial errors. They determined that analytical review techniques
identified almost 30 percent of all errors reported, making these techniques
the most effective audit technique. The use of analytical techniques, therefore, is a very powerful tool, and in recent years has become more and
more widely used by all auditors.
Before we discuss the steps that can be taken to develop CAATTs capabilities in an audit organization, it is useful to look closer at the requirements
for performing data extraction and analysis.
Ability to Use CAATTs
The ability to use CAATTs effectively requires an easy interface to the data,
a desire to use the technology, and the commitment of senior management.
This may include the provision of training (introductory and advanced),
the development of sophisticated tools, and the development of standard
CAATTs for the main application systems of the organization.
The audit department should work to make it easier for all auditors to
access required information directly, without the involvement of programmers. Several factors that should be considered are the development of
a user-friendly interface for the CAATTs and a menu-driven user-friendly
capability for downloading files from mainframe applications to the microcomputer.
Also, the importance of having all audit teams buy into the concept
of CAATTs cannot be overstated. For some, use of the new techniques
and tools will be easy, but for others it will not. Management must show
a commitment to the development and use of CAATTs and promote and
encourage their use.
Access to regularly used data can be made more beneficial and useful
by the creation of summary files. The audit department can develop regular,
monthly, or yearly summaries for the key applications and download these
summaries. The summaries can be used to support audit requirements and
even made available to senior management. If the auditors and management
are on a local area network (LAN), all the summaries will be available to all
workstations on the LAN. Alternatively, one workstation can be designated
as an audit research workstation with all common information loaded onto
it. The summarized file can then be used to identify trends, quantify audit
materiality and population sizes, and support continuous auditing.
Case Study 39: Executive Information System
Audit summarized ten years’ worth of financial information (each year
containing more than seven million transactions and covering more than
$10 billion in expenditures) by responsibility center and by line object.
The summary file, downloaded to the LAN, was only 20 megabytes in
size. The current year’s data was updated monthly and a menu-driven
query facility was developed. As a result, all auditors had access to ten
years of data, making trend analysis and the sizing of the audit population quick and easy. For example, audit could quickly determine the
total expenditures for telecommunication, for overtime, or for specific
responsibility centers for the last ten years.
Telecommunication Expenditures (2005 to 2008)
Type              2005         2006         2007         2008
Long Distance   41,256.25    43,845.23    52,397.34    53,723.56
Local          121,342.77   122,396.43   134,452.78   133,298.72
Other            5,387.12     5,778.33    11,254.11    11,744.42
The auditors did not require access to the mainframe system, and
the mainframe CPU costs of obtaining this information dropped considerably since the extract was done once a month rather than once for
each individual audit request.
When senior management heard about the system, they immediately demanded access to the data. In effect, audit had developed an
Executive Information System (EIS), which supported audit and management’s requirements for information.
The continued ability to use CAATTs effectively requires audit to search
for new and better ways to conduct audit work. Audit management should
evaluate new software, continue to research and develop ways and means
of obtaining large data files from mainframe systems for subsequent analysis on microcomputers, explore alternative means of improving electronic
communications with audit teams in the field, and provide all auditors with
computer training where appropriate.
Understanding of the Data
The failure to access and use data is usually a result of audit’s
lack of familiarity and understanding of the application systems, or a failure
to appreciate the importance of CAATTs, rather than an issue of access. The issues
of familiarity, understanding, and appreciation can be addressed by establishing CAATT working groups. These groups determine which applications
the audit department requires access to and develop a good working knowledge of the applications and their possible importance to audit. The CAATT
working groups are responsible for the identification of the critical applications and for the determination of which information, fields, and databases
are relevant to audit. (Development and use of CAATT working groups is
discussed later in this chapter.)
The working groups should not be the only source of information
concerning useful application systems for audit. All audit staff should be
aware of the importance of identifying electronic sources of information
within and outside the company. For example, auditors doing field work
in branch offices may discover end user–developed applications that could
be of use for subsequent audits of that office. Involving all auditors in
the process of identifying possible sources of information can only help
change the audit paradigm from the old approaches to one that considers
CAATTs.
Analytical Support and Advice
Auditors who are using audit software need to be able to ask questions
and receive technical support. Not every auditor will embrace the new
technology with open arms. While some of the early adopters will be up
and running, others will require ongoing support and advice. In order to
support audit’s use of CAATTs, many organizations have established an
information support, analysis, and monitoring section (ISAM) within the
audit organization. The support activities, such as analysis of complex files,
extraction of data files, and ongoing advice, will be critical to the successful
use of CAATTs by many teams. The ISAM staff should be selected so that
they have a combination of audit and computer expertise. This will give
them a unique perspective on audit automation and CAATTs and make
them better able to support audit’s requirements. (The concept of an ISAM
is discussed later in this chapter.)
Initially, all audit teams will probably need help with the development
of the analysis plan for the audit. This plan will identify the required data,
its source, and the proposed types of analyses that will be performed. Audit teams will also need help in identifying CAATT opportunities. This is
particularly true of areas where automation may not have been considered
before. Consider, for example, an audit of the management of overtime
(e.g., an audit in the personnel area). Most people would envision this audit
requiring the review of hard-copy overtime forms and not see it as a likely
candidate for the use of automation. However, someone with audit and IS
experience might see opportunities for the application of automated techniques. For example, computer-supported analyses for an overtime audit
can not only make a routine audit more effective and efficient but make it
more valuable as well.
Case Study 40: Overtime Audit
The vice president of personnel had noticed that overtime expenditures
were increasing at an alarming rate and asked the audit department to
review the management controls over the use of overtime and assess
the appropriateness of the overtime charges. Pay information related to
overtime expenditures for the previous and current year was downloaded to a microcomputer. The auditor summarized the information by
manager and by individual employee. The auditor produced computer
reports to:
• Identify managers with overtime expenditures more than 15 percent greater than last year’s overtime totals
• Highlight all managers with overtime expenditures greater than or equal to 10 percent of their regular pay budget
• Identify all employees with total overtime payments equal to more than 25 percent of their salary
Overtime by Manager O/T ≥ 10% of Regular Pay
Manager      Emp        Overtime      Regular Pay       %
Production   112      523,059.23     3,932,776.25   13.3%
Personnel    181      841,824.03     6,377,454.82   13.2%
Marketing     21      121,515.03     1,012,625.36   12.0%
Totals       314   $1,486,398.29   $11,322,856.43
The auditors then examined the appropriateness of use and type
of overtime granted (regular overtime, first day of rest, or second
day of rest). First, the auditors performed an analysis that matched
overtime records to the leave system, to determine if individuals were
consistently working overtime on the first and second day of rest,
then taking the next two days off with or without pay. These cases
were examined in detail to see if overtime was being used in an
effective and cost-efficient manner or being abused. Next, for each
employee, the total overtime paid by type of overtime was calculated
to identify instances where individuals were working more overtime on
the second day of rest, at double-time rates, than regular overtime, at
time-and-a-half rates. This served to highlight potential areas where the
management controls over the use of overtime might not be working
as intended or were ineffective.
The results of their analyses were used to select a judgmental sample of managers and individual employees for their on-site review of
overtime usage. In addition, a random sample of all employees who
had received overtime payments this year was selected for review.
In a short time, the auditors were able to review the overtime expenditures at headquarters and several branch offices. The computer analysis helped identify additional lines of inquiry and isolated the higher-risk
areas for further follow-up review and reduced the overall audit time.
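The exception reports and the leave-system match described in Case Study 40, as an added Python example that is not from the book or the audit department it describes; the record layout, field names, overtime-type codes, sample figures and the two-occurrence threshold for "consistently" are assumptions made for illustration.

```python
"""Added example (not from the book): the exception reports and the leave-system
match described in Case Study 40, run over a constructed sample extract. The
record layout, field names, overtime-type codes, figures and the two-weekend
threshold are assumptions made for illustration."""
from collections import defaultdict
from datetime import date, timedelta


def ot_record(emp, mgr, day, ot_type, amount):
    """One overtime payment. ot_type codes (assumed): REG = regular overtime at
    time-and-a-half, DOR1 = first day of rest, DOR2 = second day of rest at
    double time, as described in the case study."""
    return {"emp": emp, "mgr": mgr, "date": day, "type": ot_type, "amount": amount}


# Constructed pay extract covering the previous (2007) and current (2008) year.
OVERTIME = [
    ot_record("E1", "Production", date(2007, 6, 2), "REG", 400.0),
    ot_record("E1", "Production", date(2008, 3, 1), "DOR1", 300.0),   # Saturday
    ot_record("E1", "Production", date(2008, 3, 2), "DOR2", 400.0),   # Sunday
    ot_record("E1", "Production", date(2008, 3, 8), "DOR1", 300.0),
    ot_record("E1", "Production", date(2008, 3, 9), "DOR2", 400.0),
    ot_record("E1", "Production", date(2008, 4, 15), "REG", 200.0),
    ot_record("E2", "Production", date(2007, 5, 5), "REG", 900.0),
    ot_record("E2", "Production", date(2008, 5, 5), "REG", 950.0),
    ot_record("E3", "Marketing", date(2007, 9, 9), "REG", 500.0),
    ot_record("E3", "Marketing", date(2008, 9, 9), "REG", 450.0),
]
REGULAR_PAY_BUDGET = {"Production": 9_000.0, "Marketing": 20_000.0}  # current year
SALARY = {"E1": 5_000.0, "E2": 40_000.0, "E3": 30_000.0}
# Constructed leave-system extract: (employee, day off), paid or unpaid.
LEAVE = {("E1", date(2008, 3, 3)), ("E1", date(2008, 3, 4)),
         ("E1", date(2008, 3, 10)), ("E1", date(2008, 3, 11))}


def totals(records, key, year, ot_type=None):
    """Sum overtime for one year, grouped by a field ("mgr" or "emp"),
    optionally restricted to one overtime type."""
    out = defaultdict(float)
    for r in records:
        if r["date"].year == year and ot_type in (None, r["type"]):
            out[r[key]] += r["amount"]
    return out


def managers_over_last_year(records, year, pct=0.15):
    """Report 1: managers whose overtime exceeds last year's total by more than
    pct. A manager with no overtime last year and some this year is flagged."""
    cur, prev = totals(records, "mgr", year), totals(records, "mgr", year - 1)
    return sorted(m for m in cur if cur[m] > prev.get(m, 0.0) * (1 + pct))


def over_ratio(records, key, year, base, pct):
    """Reports 2 and 3: groups whose overtime is at least pct of a base amount
    (regular pay budget per manager, or salary per employee)."""
    cur = totals(records, key, year)
    return sorted(k for k, v in cur.items() if k in base and v >= pct * base[k])


def double_time_exceeds_regular(records, year):
    """Employees paid more second-day-of-rest (double-time) overtime than
    regular (time-and-a-half) overtime: a sign the scheduling controls may not
    be working as intended."""
    dor2 = totals(records, "emp", year, "DOR2")
    reg = totals(records, "emp", year, "REG")
    return sorted(e for e in dor2 if dor2[e] > reg.get(e, 0.0))


def rest_day_leave_pattern(records, leave, min_times=2):
    """Match overtime against the leave system: count, per employee, the
    occasions on which overtime was worked on both days of rest and the next
    two days were taken as leave. Assumes one overtime record per employee per
    day; employees meeting the pattern at least min_times are returned."""
    worked = {(r["emp"], r["date"]): r["type"] for r in records}
    counts = defaultdict(int)
    for (emp, day), ot_type in worked.items():
        second = day + timedelta(days=1)
        if ot_type != "DOR1" or worked.get((emp, second)) != "DOR2":
            continue
        if all((emp, second + timedelta(days=k)) in leave for k in (1, 2)):
            counts[emp] += 1
    return {e: c for e, c in counts.items() if c >= min_times}


if __name__ == "__main__":
    print("OT up >15% on last year:", managers_over_last_year(OVERTIME, 2008))
    print("OT >= 10% of regular pay:",
          over_ratio(OVERTIME, "mgr", 2008, REGULAR_PAY_BUDGET, 0.10))
    print("OT >= 25% of salary:", over_ratio(OVERTIME, "emp", 2008, SALARY, 0.25))
    print("double time > regular OT:", double_time_exceeds_regular(OVERTIME, 2008))
    print("rest-day OT then leave:", rest_day_leave_pattern(OVERTIME, LEAVE))
```

Each report returns the flagged managers or employees, which is the list from which the judgmental sample for on-site review would be drawn.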
Case Study 40 shows the application of CAATTs in an area where it
might not have been obvious. In fact, CAATTs can be a significant support
to audit in many nontraditional areas as long as a true audit attitude exists.
However, initially auditors will need support and encouragement when
applying CAATTs.
Communication of Results
Audit management must be committed to the use of CAATTs and should
be actively promoting their development and use. All audit staff should be
kept informed of new ideas, potential errors, and success stories. Several
different communication tools can be used:
• Continuous auditing can be used to test controls and identify changing levels of risk.
• The CAATT working groups should develop catalogs of CAATTs that explain the applications and provide examples of the types of information available from each specific application.
• Audit management can publicize lessons learned, including successes and failures, which can be used to help the audit organization continue to learn and grow.
• Monthly summaries, briefly outlining the use of CAATTs by each current audit, can help all auditors see additional opportunities for the use of CAATTs.
• Lunch-and-learn sessions can highlight new audit software and demonstrate its use.
• New staff should receive a proper orientation to the CAATTs being employed.
Steps in Developing CAATT Capabilities
The development of CAATTs in an audit organization can be supported
from the outset or actively resisted by the current staff. CAATTs should be
introduced to the organization in a way that does not evoke a negative
reaction. It is important for all steps in the introduction of CAATTs to
be planned and managed. The first step is to assess the organization’s
willingness to accept CAATTs.
Understand the Organizational Environment/Assess the
Organizational Culture
One of the keys to the successful initiation of such a change is managing the
internal inertia and resistance to change while mobilizing people’s desire to
improve the environment and to be innovative and forward thinking. Individuals who try to bring about change in an organization may be perceived
as innovative by some, but, unfortunately, they may be seen as saboteurs of
the status quo by others. Therefore, as a first step in the process, it is important to try to understand how the initiative to automate the audit function
will be viewed, both by audit management and by the organization’s senior
management.
Some people may see any attempt to change the way things are done
as an act of sabotage. If the use of automated tools is seen as an attack
against the status quo, it will be actively resisted, as would any attack on
the well-being of the company. Combating this type of reaction will require
you to enlist allies who can work on your behalf to bring about changes in
attitudes and to help create opportunities where the benefits of automation
can be demonstrated. Within the audit organization, support from audit
management should be actively sought. In addition, it would be useful for
audit management to cultivate support from among the company’s senior
executives (see Case Study 39). The idea is to have someone from the
outside pushing for the cause on your behalf. Also, seek a single success
first and then push for more.
Thomas J. Peters and Robert H. Waterman Jr., in the book In Search
of Excellence, cite numerous examples of how innovative ideas were made
possible because of the existence of “champions” (Peters and Waterman
[1984]): people who believed that the idea was a good one and fought
to give it a chance. The authors also stress the importance of creating an
environment that supports innovation and tolerates and accepts failure.
Obtain Management Commitment
As with all initiatives, an important step is obtaining management commitment for the project. Often said and not as easily done, management must
be willing to commit scarce time and resources that are necessary to the
development and implementation of CAATTs.
The implementation of automated tools and techniques in the audit
environment will likely involve a change in the basic audit processes and
procedures. Usually audit resources will already be stretched to the limits,
and there will be little or none left over to take on new initiatives. If audit
is on a chargeback schedule, must pay its own way, or is working for
external clients, the question of who will bear the development costs may
be a big one. However, given a bit of freedom, a champion of CAATTs
will find the time and resources required to implement automated tools and
techniques. At some large companies, managers are allowed to spend up
to 25 percent of their resources on their own projects, but are expected
to meet deadlines and resource constraints for formal projects. While this
may not seem to create a good working environment, it allows people the
flexibility to pursue pet projects without having to hide the activity from
senior management. By adopting a similar attitude of tolerance, you may
find that you have auditors who believe in CAATTs and are willing to invest
some of their time and energy in the project. Given an opportunity, good
people always find a way.
Establish Deliverables
It is important to keep a tight rein on management’s expectations, even
when the effort to automate audit is seen as innovative and a good thing.
Many an otherwise successful project has failed because it did not meet
expectations that were overly optimistic and perhaps even unattainable. At
the outset of the project, well-defined deliverables and time frames should
be established and agreed upon. Ascertain what resources (people, hardware, software, etc.) will be given to the project. Since the automation of
the audit function will not likely be the primary task of such resources, you
should determine what priority the effort will be given in comparison to
other projects by the people assigned to the task. In short, answer management’s expectations by having everything clearly stated, in writing and up
front. In particular, the cost/benefit aspects of the effort will be a crucial
factor in management’s decision of whether or not to let you try it.
Set Up a Trial
Obtaining management commitment can be approached from a number of
perspectives. Perhaps the easiest route is to obtain permission to perform a
limited trial of the application of automated tools and techniques to a specific audit. The trial should use an audit as a test case to evaluate both the
savings in time and resources. Since CAATTs can be developed incrementally, start off with simple tools and techniques in order to keep the initial
outlay of resources to a minimum. Many hardware and software vendors
are willing to supply their products and support for an evaluation at little
or no cost. However, some groundwork must be done to prepare the way,
and you should try to create an environment where the trial will have a
high probability of success.
Plan for Success
No one plans for failure, but we often fail to plan for success. Proper
planning will seek to create an environment in which the trial is likely to
succeed. This involves selecting the right people, the right audit, the right
time, and the right tools and techniques.
Ensure that the people on the audit team have a good level of computer literacy, experience with the audit software, and are committed to
making technology work. You may even consider hiring a consultant with
proven expertise. Next, select an audit that has been performed before and
has known costs. Preferably, choose an audit that requires the auditors to
perform tasks that are better suited to automation. Tasks such as sorting, totaling, or comparing two or more sources of information are labor-intensive
when performed manually, but are ideally suited to the computer. Also, the
implementation of CAATTs assists auditors in analyzing data, turning it into
information, and making relevant decisions based upon their analyses.
Finally, be sure the data is readily available and in a format that can
be used by the audit software. While this may seem like you are stacking
the deck in your favor, a trial case is no time to prove that CAATTs can
be used under any and all circumstances. If the pilot is successful, you can
take on more complex or technically difficult projects at a later date. During
the trial, you should strive to create ideal conditions, since the organization
and the team members will still be on the steep part of the learning curve
and can use all the help you can provide.
Track Costs and Benefits
Track all costs, but try to differentiate between costs that were directly
attributable to the specific audit being performed and those that produced
results that can be used by other audits. Stress areas where 100 percent
testing was possible because of CAATTs. Highlight areas where substantial
savings over manual methods are achieved. For example, the preparation
of the trial balance may take three days to calculate manually but only one
hour using the computer. In addition, note areas where the effort can be
improved the next time. For example, if you developed specialized routines
that can be reused by next year’s audit, note the potential future savings.
If the techniques are readily applicable to other audits, this should
also be factored into the cost/benefit analysis. Be sure to highlight areas
where other audits will be able to benefit from the work completed in this
audit. Some outputs from the trial may only be valid or useful for that audit;
others may produce savings in other audits. If you had to access and analyze
the corporate financial system, part of the cost should be charged against
the trial audit, but it should be formally recognized that any future audits
requiring access to similar information will benefit from the work already
performed.
Lessons Learned
At the end of the trial period, prepare a simple statement of what worked
and what did not work. Outline the lessons learned, stating where automated tools and techniques can be used and what could be improved upon
and how. Do not downplay problems that occurred, but focus on their
resolution and ways to ensure that future CAATT activities can avoid the
same problems. Also, highlight the things that worked well and were of
particular value. The lessons learned also provide an opportunity to discuss
the soft benefits or intangibles, which may not have been reflected in a hard
cost/benefit analysis. Note how the use of CAATTs allowed the auditor to
perform the audit more efficiently and effectively. Also note areas where the
audit team was able to adjust the initial audit program and make a better assessment than by simply following a manual audit program. Finally, outline
how the concept of CAATTs fits with the goals and objectives of the audit
department and the entire organization. If the initial trial of CAATTs was
successful, audit management should be interested in expanding the use of
computers to other audits. Senior management may also be interested in
the capabilities (see Case Study 39).
The next problem to overcome is the fact that not all auditors have
the same degree of familiarity or competence with computer hardware and
software. Nor will all auditors openly welcome the introduction of information technology. You will be faced with a different type of inertia and,
to some degree, fear. As pointed out in Chapter 1, there is an information
technology continuum, and some auditors will be at the introductory stage
as frightened, new users, whereas others will be at the advanced stage as
experienced users who are driving the audit organization into new areas
of automation. The expectations and requirements of both these types of
auditors will have to be managed.
Organize Working Groups
The underlying philosophy behind the suggested approach to the development of automated tools and techniques is the provision of data, tools, and
support to enable the auditors to conduct their own analyses. Auditors must
be able to pose questions and obtain answers and must be able to interact with the data. This approach requires a conscious and deliberate move
away from a strictly centralized support operation where an IS specialist
receives auditors’ requests for information, writes the required code, and
hands them printed reports. One can see the transition to a more hands-on
approach, starting with computer literacy; moving to the development of
standard CAATTs, with extraction and download capabilities; and finally, to
data analysis and automated tools and support for the auditors. The idea is
to have CAATTs support and enhance the thought processes of the auditors. Thus, auditors can develop new lines of inquiry on-the-fly and use the
computer to evaluate results. They can interact with the data and develop
a better understanding of the information.
Developing CAATT Capabilities
189
In order to manage this process in the most natural way for a constantly
learning organization and its members, the formation of working groups
has proven helpful.
Computer Literacy Working Group
One of the first steps in the development of automated tools and techniques
for audit should be the establishment of a computer literacy working group.
The aim of the working group is to increase the knowledge and comfort
level of all auditors and audit management with respect to computers. The
working group will be responsible for the identification, development, and
delivery of computer literacy seminars. These computer literacy courses
should not be long or intensive (approximately one to two hours each).
The major goals of these seminars are to increase the awareness of the
potential of using the computer as an audit tool and to make the auditors
more familiar with the computer. The courses can be developed in-house or
instructors may be brought in. Ideally, hands-on training will be included.
A basic computer terminology course may be needed to provide the
foundation for further learning. In particular, everyone should have a good
understanding of the concepts of field, record, and file and what they represent in terms of knowledge elements. In today’s information technology
age, this may seem obvious, but it is often not the case. Some people are
isolated from technology or have had little or no exposure to the basic
concepts. (Almost half of the DVD players in people’s homes are flashing
12:00 because the owners do not know how to set the time.) Even regular
users of some software packages do not always have a good grasp of the
underlying concepts. Any attempt to use client data files will quickly make
these gaps in understanding painfully evident. It is better to address them
in the early stages of automation than to incur the negative feedback and
the accompanying setbacks months down the road.
Additional things that should be covered by an introductory course
include concepts such as sort, select, logic statements (“AND,” “OR”), if
clauses, import, export, download, extraction, record layout, file structures,
naming conventions, and standard extensions. With each concept, examples
relevant to audit should be used to bring home the salient points. Literacy
training that uses company data files and audit-specific examples will not
only improve the computer literacy of the auditors, but also introduce them
to the corporate data sources and corporate files that they will be using
during the actual audits.
Other literacy seminar topics could include spreadsheet, presentation,
flowcharting, database, and project management software packages. Each
literacy seminar needs to be only a few hours in length and should contain
examples to emphasize how the software can be used in support of audit
requirements. Ideally, an example of how the software was used to support a
recent audit would be presented as well. In some organizations, the seminars
were offered during lunch-and-learn sessions.
Case Study 41: Computer Literacy
In one audit organization, ten in-house presentations covering different
software packages were given to a total of 230 persons. Some people
attended all ten sessions; others only attended two or three. Despite the
number of people involved, the person-cost of this activity was only
80 days, including employee attendance and course development time.
At the end of the year, every auditor had a good basic knowledge of
computers and various audit-related software packages.
Once the basics have been covered, emphasis can be placed on building
a good working knowledge of these tools. Many companies offer two- to
three-day courses on most software packages. Computer-based training,
videos, and in-house courses should also be considered. Chapter 7 covers
information technology training for auditors.
CAATT Working Groups
Once management has committed to the idea of CAATTs, the audit organization must begin to develop or expand its knowledge and expertise with
the company’s information systems. One approach is to establish a working
group that will take on the task of acquiring the necessary familiarity with
the corporation’s applications and developing the tools to be used by the
auditors.
The initial task of this working group is to determine which application
system will be investigated first. Often, the financial system is chosen because the use of automated tools and techniques in the finance area is more
readily obvious and because of the large number of audits of, or using,
financial information. The development of automated tools and techniques
for the payroll, inventory, personnel, and other applications often follows
at a later date. After selecting the information system to be investigated,
the working group should decide who will be on the CAATT development
team for the selected application. In the case of the financial system, the
development team will likely contain a mix of financial auditors, general
auditors, and IS specialists.
The goal of the CAATT development team is to gain sufficient knowledge about the application to enable them to find ways for the information
system to be used more effectively by audits. In order to do this, they must
develop a detailed understanding of the application system, its data fields
and sources, and the potential uses for audit. Typically, the development
team will:
Obtain copies of record layouts, database definitions, data dictionaries,
and other system documentation
Develop various reports (standard and ad hoc) and compare these with
independently produced reports
Develop extraction capabilities so that specific transactions can be identified and selected
Develop download capabilities so the data can be further analyzed
using audit software on the microcomputer
The results of the working group’s efforts must be communicated to the
rest of the audit organization. One method is to produce a CAATT manual
for the specific application, outlining the results of the team’s efforts. This
manual should contain a description of the application, an explanation of
the key fields and other audit-related information, samples of the standard
reports, and details on how to obtain a standard or ad hoc report.
After completing the development of the CAATTs for the selected application, the first development team should be dissolved and a new team
constituted so that auditors with different skill sets and expertise will be
involved in the development of CAATTs for the next application. For example, in the case of the personnel system, auditors with experience in
personnel should be on the development team, in addition to general and
IS auditors.
Information Systems Support to Audit
Audit organizations seeking to derive the maximum benefit from automation must have, or obtain, a working level of expertise with information
technology (IT) including hardware and software. The audit organization
cannot rely on outside consultants or programmers from the data processing area. Long backlogs within the data processing shops are too often still
the norm.
Audit management must also be very concerned with the issue of
audit independence. Reliance on programmers from outside the audit
organization can jeopardize the independence of the audit results. Investigations into potential wrongdoing or other sensitive audits may raise confidentiality concerns. Since audit may have unique requirements, or the need
to combine information from various systems (combining mainframe and
microcomputer data), the required skills may be outside of the traditional
programming areas, making reliance on system programmers an even less
viable option.
Given the nature of today’s decentralized processing, the programmers
responsible for the payroll system may have little or no experience with the
software used for personnel systems. The company may have an Enterprise
Resource Planning (ERP) system as well as several legacy systems. Therefore, if an audit team wanted to extract all personnel records to compare
the information with the payroll system, it may be difficult to find someone
in the organization with the required combination of skills. As a result, that
expertise should rest with individuals within the audit organization. This
would also allow audit to search for new opportunities for audit use of the
technology, not simply to automate what was previously done manually.
The successful introduction, implementation, and support of CAATTs
in audit will require a combination of audit and IT expertise. There are
two basic approaches to achieving this: (1) bring in programming experts
and develop their auditing skills or (2) develop the information systems (IS)
skills in an auditor.
Using an IS specialist will make some advances in automating the audit
function, but there is a risk of many missed opportunities. The programming
expert often does not have a sufficient appreciation of the role of audit
and, therefore, may miss opportunities to apply CAATTs to audits. In most
organizations that have implemented CAATTs, the biggest challenge is the
identification of areas where automated tools and techniques could have, or
should have, been applied, but were not. Traditional areas, such as finance,
may be well served, but nontraditional areas are neglected because the
application of technology to audit may not seem likely at first.
Alternatively, building on the skill levels of existing IS auditors, or developing
IS skills in an auditor, can be a viable and successful option. The IS auditor may already have
significant experience with several of the client applications and already
understand the goals and objectives of the audit department.
Whichever approach is chosen, the outcome must result in IS and audit
skills existing in one or two individuals within the audit organization. This
skill combination will allow them to examine electronic information with
both an auditor’s perspective of the potential uses and an analyst’s view of
how to extract, analyze, and use the information.
Many audit organizations have formalized the information support function by creating an ISAM section within the audit organization. This group
is distinct from the IS audit group in that it operates as a support service to
the entire audit organization. The ISAM section should consist of staff with
excellent IS skills and audit experience. The main goals of the ISAM are to:
Provide internal auditors within the audit organization with guidance
and assistance in obtaining and analyzing automated information required to plan, conduct, and report on audits effectively and efficiently
Provide senior management in the audit organization with feedback on
the integrity of the data analyses performed by audit staff
The ISAM would also perform more complex analyses upon request and
promote more effective and efficient planning, conducting, and reporting
of audits.
The resource cost of IT support is not overwhelming. In one audit organization, two people supported the information requirements of 70 auditors.
This group more than paid for itself, introducing productivity increases in
all phases of the audit process.
Case Study 42: The Changing Role of the IS Auditor
An IS auditor was hired primarily to conduct audits of the company’s
computer systems. As a secondary duty, the IS auditor supported the
seven field auditors with their information requirements. This support,
which included developing ad hoc and standard audit software applications, vastly increased the productivity of the field auditors in a very
short time. Moreover, after the IS auditor supplied the field auditors with
crucial information that was not available before as it was buried in the
data files, the controller noticed the change and asked a few questions.
Audit management also expressed an interest in transferring the IS auditor’s knowledge to the field auditors. After she had trained the field
auditors in the use of the audit software, she developed standard applications for the controller with the same intuitive audit software. This
provided the controller with critical, previously unknown information.
In fact, the controller became so informed that both the CEO and the
chairman of the board noticed and asked for the reasons behind this
surprising new state of enlightenment.
The final result: The IS auditor is now working on an Executive
Information System (EIS) that is based on the audit software applications.
The EIS will provide access to all electronic data in the corporation
and will be accessible by senior management and audit management.
Audit management has also formalized the information support function
provided by the IS auditor, making this task a full-time position.
As indicated in Case Study 42, while the number of people required to
support the ISAM function is not large, the level of the individuals within the
group must be sufficiently high to allow them to perform the tasks required.
These positions cannot be staffed at junior auditor levels. The ISAM staff
will be required to question the analysis plans developed by team leaders,
to perform quality assurance reviews of analyses performed by audit teams,
to drive the use of CAATTs by the audit department, to be proactive and
forward thinking, and to have a good view of where the audit organization
is trying to go in terms of automation and how to get there from here.
In order to be able to develop an environment that supports the creation
and implementation of CAATTs, it will be necessary for the ISAM to satisfy
several objectives. Initially, staff time in an ISAM function will be divided as
follows:
30% providing ongoing support and advice on defining criteria for the
audit population and identifying possible sources of information to
satisfy audit requirements
25% building standard reports, performing downloads and developing
new techniques, obtaining access to new sources of information, and
evaluating new audit software tools and techniques
20% performing complex analysis of client data files and developing a
good understanding of the data in support of specific audit objectives
25% performing quality assurance reviews of analyses performed by
various audit teams
As the use of CAATTs becomes more accepted and integrated into the
audit processes, the percentage of staff time will change. Less time will be
spent on providing support and advice and more time will be spent on
performing complex analyses. Ideally, there will be a switch from ISAM
staff-driven analyses to auditor-driven analyses.
The audit organization should develop a strategy that centers on a four-pronged approach to information support with the:
1. Provision of standard CAATTs for use by auditors with little or no IS
experience
2. Development of a user-friendly interface to provide auditors with easy
access to the mainframe and the development of a menu-driven system
to allow auditors to perform their own analysis and print their own
reports
3. Provision of data and tools to auditors that will give them control over
the data and the ability to perform their own analyses. This includes a
facility to download data from the mainframe to the microcomputer.
4. Provision of the services of specialized audit staff to perform complicated analyses and to conduct Quality Assurance reviews on behalf of
the audit organization
The ISAM is established as the focal point for information systems support and expertise. This group is expected to play a key role in negotiating
access to information systems. As a result of the mixture of IS and audit
skills, the ISAM can bring about significant improvements in the automated
analyses of data for audit purposes and reductions in turnaround times. Audit staff would no longer deal directly with programmers, who might have
a tendency to code requests exactly as presented by the auditor, rather than
offer suggestions related to audit objectives. Typically, auditors tend to have
insufficient knowledge of the application and technology, and the programmer has little or no knowledge of audit methodology or the functional area
under review. As a result, the programmer may add limited additional value
to the process. The ISAM staff, however, will be able to offer audit-related
improvements, asking the appropriate questions of the auditor requesting
the report or data to ensure that the request is not only fulfilled, but is
relevant to the audit in question. Further, since the ISAM is part of the audit department, independence is maintained and the knowledge acquired
remains with the audit department.
Assure Quality
CAATTs can significantly improve the operation of the audit organization
and the results of the audit work. The use of audit software to perform
analyses of client data can quantify errors, identify dollar savings, or provide
the auditor with improved insight into the client’s operations.
Initially, the analyses will have to be reviewed as the tools and techniques will be new to the organization and the auditors will still be on
a learning curve. As the use of CAATTs increases, quality will remain an
important issue because more reliance will be placed on the results of the
analyses, and these analyses will likely become more and more complex.
A good Quality Assurance (QA) methodology and adequate training and
support to the auditors will provide management with the required level
of comfort, and CAATTs will enhance the reliability and usefulness of audit
findings.
Simply providing auditors with the data, the tools, and the necessary
training does not guarantee success. As discussed in Chapter 5, errors of
interpretation, logic, performing downloads, extracts, selecting samples, and
so forth can, and do, occur. The potential for error is high unless the use
of CAATTs is properly managed. The credibility of CAATTs and that of the
audit function itself may be at stake. It would be a shame to go to all
the effort of obtaining access to client data, purchasing audit software, and
performing detailed analyses of the data only to find out that you had used
“AND” instead of “OR” when performing the initial extract of the data from
the mainframe application. The use of CAATTs will always require senior
management to ensure the quality of the analyses performed.
Waiting until the manager performs the working paper review is not effective in reducing the negative impact of these types of errors. A more
proactive approach involves the development and implementation of a
methodology for conducting ongoing QA reviews of the data analyses performed by audit staff. This QA methodology will help ensure that the results produced by the CAATTs are valid. The more reliance is placed on
automated tools and techniques, the more the reliability of the analysis performed must be ensured. The main purpose of the QA program is to provide
a mechanism for assuring the accuracy of the analyses performed for audit
purposes. This will permit audit management to place more reliance on
the analyses and capitalize on opportunities for gains in effectiveness and
efficiency.
Quality Assurance Methodology
The first line of defense against improper results being released to clients
is the auditor performing the analyses. Every auditor has a responsibility to
ensure the integrity of the proposed analyses and the validity of the logic
employed. The audit team leader is the next line of defense. The team leader
should be aware of and review the planned analyses, as well as carefully
examine the results obtained. The audit manager, as part of the planning
process and during the file review toward the end of the audit, should
be concerned with the nature of the analyses and the reasonableness of
the results. Senior management is responsible for ensuring that the proper
controls over data and analysis integrity exist and are working as intended.
The roles and responsibilities can be further defined as follows:
Auditors are responsible for establishing an analysis plan outlining the
audit objective to be addressed and the specific analyses to be performed, and for maintaining proper documentation to support the analyses performed. Auditors are also responsible for performing the analyses and reviewing and assessing the results.
Team leaders are responsible for approving the analysis plan and for
reviewing documentation, analyses, and results.
Audit managers are responsible for ensuring that the analyses have been
adequately planned and reviewed for completeness and accuracy.
Senior management shall, at its discretion, request a QA review of the
analyses performed by an audit. This review will include a review of
the criteria to the selected audit population, the analysis plan, the documentation detailing the analyses performed, the analyses performed,
and results obtained.
Information Support Analysis and Monitoring (ISAM) will conduct and
report on reviews as requested by senior management. In addition, the
ISAM will conduct QA reviews that they feel are appropriate, based on
the complexity of the analysis or the significance of the potential error.
There are three basic types of controls for data analysis: preventive,
detective, and corrective. The QA methodology should contain a mix of all
three types of controls:
Preventive controls reduce the frequency of errors in the analyses performed by the auditors.
Detective controls do not keep errors from happening, but, rather, highlight them after the fact and help prevent them from occurring in the
future.
Corrective controls assist in identifying and determining the causes of
and correcting errors or omissions in the analyses.
Preventive Controls for CAATTs
The most basic type of preventive control is knowledge. The auditors involved in the analysis of data files must have a good understanding of the
data files and the audit software, which is gained through training and experience. Many audit organizations offer new staff training in audit, but few
offer the new auditor any training aimed at understanding the main information systems used by the organization. How many audit organizations have
a good understanding of the financial system of the company? How many
audit organizations are using standard reports that were developed by outside consultants, without understanding how they work or knowing what
types of transactions are being selected or, worse yet, without maintaining
the automated routines when modifications are made to the application? In
these cases, outsourcing of audit may happen by default.
All general auditors should receive IS training, including computer literacy and specialized training on the audit software package. Required IS
training should be identified as part of the performance review process and
should be properly planned. Ideally, the training on the audit software will
be conducted using data from the company’s applications and will address
audit-type issues.
Earlier in this chapter, the utility of establishing CAATT working groups
to determine which applications will be supported by CAATTs was discussed. The working groups are also responsible for developing and communicating an understanding of the applications. This includes identifying
the main fields and providing definitions thereof, ascertaining the update
schedule (to ensure you have the most recent data), and determining the
source and use of the data contained in the application.
Experience with the company’s applications can be gained through exposure to these systems. Further, the production of CAATT catalogs, which
describe the main systems (finance, pay, inventory, personnel, and other
applications), by the CAATT working groups will be invaluable. The ISAM,
if it exists, should also discuss all aspects of the data extraction and download with the audit team at the time the request is placed and when the file
is made available to the audit team, to ensure that tests for syntactic errors
are performed.
Another preventive control is the ongoing involvement of individuals
with expertise in audit and informatics. As mentioned, this can be accomplished by the establishment of an ISAM with a mandate to provide ongoing
support and advice. This group should be involved in discussions concerning the approach the audit team will be taking in analyzing the data files.
They should also be involved in the initial extraction and download, ensuring that all the required records are extracted and that the audit team has
a good understanding of the data files. The involvement of the ISAM can
correct potential problems before a great deal of time has been spent on
the analysis and before invalid audit results are released to the client.
In audit organizations that have a formalized support unit, the unit is
usually involved at the beginning of the audit. The ISAM will review the
audit objectives and the audit plan to ensure that not only has optimum use
been made of the technology, but that the proposed analyses are complete
and accurate. If the analysis is standard and can be used over again, either
for other audits or for a different time frame (next year or next month), the
required commands can be captured in a script or macro. Audit software
packages allow you to capture a series of commands and run them as a
batch file. This ensures the consistency of the analysis across auditors and
across time.
Detective Controls for CAATTs
The main feature of a detective control is the comparison of what happened
with what was supposed to happen. In most cases, this implies comparing
the results of the analyses with the expected results or with another source
of information. Detective controls are particularly useful in two areas: extraction and download of files and data analyses.
One potential source of syntactic errors is the extraction and download
of files from the mainframe to the microcomputer. From time to time, errors in the communication software or hardware will cause records to be
dropped or data to be corrupted. In addition, the interpretation of the data
types by the audit software may not agree with the mainframe application.
One of the basic detective controls—an obvious one to auditors—is control
totals. Verifying the number of records, total dollars, file size, and so on of
the microcomputer file with the mainframe file will provide an indication of
the integrity of the downloaded file. Where possible, you should check all
downloads against a system report. This can be a standard report produced
by the application or an ad hoc report run for audit.
For example, in performing a review of overtime payments, the auditor
could:
Extract all overtime payments from the pay system and run a report to
summarize overtime payments by division using mainframe software
Download the extracted file and produce a summary by division and
compare the results with the report produced on the mainframe
Compare the summary report with a standard report produced by the
pay system for management
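The reconciliation described above (record count, total dollars, and the by-division summary compared with the mainframe report) written out as an added Python example. It is not code from the book; the pay-system control report, the downloaded file and its pipe-delimited layout are constructed for illustration. Two of the failure modes the text mentions are built into the sample: one record is dropped in transit, and one amount field reaches the microcomputer in a form the audit software cannot interpret as a number.

```python
"""Detective control for an extract-and-download step: reconcile the file that
reached the microcomputer against control totals and a by-division summary
produced on the source (mainframe) side.  Added example; sample data is constructed."""
from collections import defaultdict
from decimal import Decimal, InvalidOperation

# Constructed control report from the pay system (what the mainframe extract
# contained): record count, total dollars, and overtime by division.
MAINFRAME_CONTROL = {
    "record_count": 6,
    "total_amount": Decimal("3725.50"),
    "by_division": {
        "D01": Decimal("1200.00"),
        "D02": Decimal("1525.50"),
        "D03": Decimal("1000.00"),
    },
}

# Constructed downloaded file, one record per line: emp_id|division|pay_period|amount
# Record 1005 (D03, 400.00) was dropped in transit, and the amount for 1006 was
# corrupted ("6OO.00" with letter O) so it no longer parses as a number.
DOWNLOADED_FILE = """\
1001|D01|2009-03|700.00
1002|D01|2009-03|500.00
1003|D02|2009-03|825.50
1004|D02|2009-03|700.00
1006|D03|2009-03|6OO.00
"""


def parse_download(text):
    """Parse the pipe-delimited download.  Rows whose amount does not parse as a
    decimal are reported rather than silently coerced to zero: a data-type mismatch
    between the mainframe and the audit software is itself a finding."""
    records, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 4:
            rejected.append((lineno, line, "wrong field count"))
            continue
        emp_id, division, period, amount = fields
        try:
            amt = Decimal(amount)
        except InvalidOperation:
            rejected.append((lineno, line, "amount not numeric"))
            continue
        records.append({"emp_id": emp_id, "division": division,
                        "period": period, "amount": amt})
    return records, rejected


def summarize(records):
    """Control totals computed on the microcomputer side."""
    by_div = defaultdict(Decimal)
    total = Decimal("0")
    for r in records:
        by_div[r["division"]] += r["amount"]
        total += r["amount"]
    return {"record_count": len(records), "total_amount": total,
            "by_division": dict(by_div)}


def reconcile(summary, control):
    """Compare the microcomputer summary with the mainframe control report.
    Returns a list of discrepancy messages; an empty list means it reconciles."""
    issues = []
    if summary["record_count"] != control["record_count"]:
        issues.append(f"record count {summary['record_count']} != control {control['record_count']}")
    if summary["total_amount"] != control["total_amount"]:
        issues.append(f"total amount {summary['total_amount']} != control {control['total_amount']}")
    for d in sorted(set(summary["by_division"]) | set(control["by_division"])):
        got = summary["by_division"].get(d, Decimal("0"))
        exp = control["by_division"].get(d, Decimal("0"))
        if got != exp:
            issues.append(f"division {d}: downloaded {got} != control {exp}")
    return issues


def verify_download(text, control):
    """Full check: parse errors first, then control-total discrepancies."""
    records, rejected = parse_download(text)
    issues = [f"line {n}: {why}: {row}" for n, row, why in rejected]
    issues.extend(reconcile(summarize(records), control))
    return issues


if __name__ == "__main__":
    for issue in verify_download(DOWNLOADED_FILE, MAINFRAME_CONTROL):
        print("DISCREPANCY:", issue)
```

The by-division comparison is what localizes the problem: the record count and total dollars say only that something is wrong, while the division lines show D01 and D02 reconciling and D03 short, which points the auditor at the two D03 records before any analysis time is spent.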
Although CAATTs chiefly promote the use of the computer to automate syntactic
controls, they can also be used to check a sample of transactions against
the manual records, testing semantically for correspondence to reality.
As a general rule, whenever possible, seek independent verification
of the results of the audit analyses. You can even share the results with
other auditors or the application programmers to ensure that you have
not overlooked any material. The ISAM can also be a valuable resource in
ensuring the validity of the logic employed.
A second type of detective control is peer and management review
of the analysis. Most audit software packages have a log feature, with all
commands and the results of the commands captured in a log file. This log
file can form a part of the working papers for the audit and the integrity of
the analyses can be reviewed by examining the log file.
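An added Python example serving two points made in this chapter: the preventive control of capturing a standard analysis in a script so it runs the same way for another auditor or another time frame, and the detective control of a command log that can be filed with the working papers. It is not the book's code, and it stands in for the script/macro and log features of a commercial audit package; the overtime records, the step names and the 40-hour threshold are constructed for illustration.

```python
"""A small scripted analysis that (a) reruns unchanged for a different pay period
and (b) writes every step, its parameters and a fingerprint of its output to a log.
Added example; data and step names are constructed."""
import hashlib
import json
from datetime import datetime, timezone
from decimal import Decimal

# Constructed overtime records: (emp_id, division, pay_period, hours, amount)
RECORDS = [
    ("1001", "D01", "2009-03", 10, Decimal("700.00")),
    ("1002", "D01", "2009-03", 5, Decimal("500.00")),
    ("1003", "D02", "2009-03", 60, Decimal("825.50")),
    ("1004", "D02", "2009-04", 3, Decimal("180.00")),
    ("1005", "D03", "2009-04", 45, Decimal("900.00")),
]


class AnalysisLog:
    """Append-only record of each command, its parameters, the number of rows it
    produced and a SHA-256 of the rows, so a reviewer can rerun the script and
    compare fingerprints instead of trusting the narrative in the working papers."""

    def __init__(self):
        self.entries = []

    def record(self, step, params, result_rows):
        payload = json.dumps([list(map(str, r)) for r in result_rows], sort_keys=True)
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "step": step,
            "params": params,
            "rows": len(result_rows),
            "sha256": hashlib.sha256(payload.encode()).hexdigest(),
        })

    def dump(self):
        """One JSON line per command, ready to be filed with the working papers."""
        return "\n".join(json.dumps(e) for e in self.entries)


def select_period(rows, period, log):
    """Select step: records for one pay period (the parameter that changes monthly)."""
    out = [r for r in rows if r[2] == period]
    log.record("select_period", {"period": period}, out)
    return out


def flag_excessive_hours(rows, max_hours, log):
    """Exception step: overtime hours above the constructed threshold."""
    out = [r for r in rows if r[3] > max_hours]
    log.record("flag_excessive_hours", {"max_hours": max_hours}, out)
    return out


def run_overtime_script(rows, period, max_hours=40):
    """The whole analysis as one script: same steps, same order, parameters logged,
    so next month's run differs only in `period`."""
    log = AnalysisLog()
    in_period = select_period(rows, period, log)
    flagged = flag_excessive_hours(in_period, max_hours, log)
    return flagged, log


if __name__ == "__main__":
    flagged, log = run_overtime_script(RECORDS, "2009-03")
    print("flagged:", [r[0] for r in flagged])
    print(log.dump())
```

Because the fingerprint depends only on the result rows, two runs over the same period produce the same hash; a reviewer who gets a different hash from the filed log knows that either the data or the script changed between the analysis and the review.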
Corrective Controls for CAATTs
It is important to ensure that not only is optimum use made of the technology, but that the proposed analyses are complete and accurate. Generally
speaking, it is better to prevent and detect errors close to their source. When
errors are made, the underlying causes should be determined and corrective
action taken to prevent the errors from occurring again and again.
The ISAM can be instrumental in identifying the underlying causes of
recurring problems. These types of problems can be highlighted via regular
communication with the auditors. Further, a training course can be tailored
to address specific issues that have been identified as a source of errors. For
example, if the financial system has been incorrectly used for a particular
reason, this could be addressed when training on the system is delivered to
new auditors.
The QA methodology and the associated reports will also serve as a
corrective control. All results of QA reviews should be available to audit staff.
Quality Assurance Reviews and Reports
At the request of senior management, a review of the logic supporting
the analysis conducted for a given audit should be undertaken. This will
be limited to commenting on the syntactic accuracy, not the semantic or
pragmatic sufficiency of the analysis performed. The results of all formal
QA reviews requested by senior management should be presented to senior
management, and the results of file reviews should be discussed with the
audit teams and the appropriate audit manager. It is clearly important to
realize the three dimensions of controls and tests, as the direction and
intensity of the tests are different for each.
Summary and Conclusions
There is no single approach to the development of CAATTs that will work
in every audit organization. The unique operating environment, level of
knowledge of the staff, and the requirements of the organization will affect
what, when, and how something is to be audited. However, the following
steps should be considered when developing CAATT capabilities:
1. Define the current IT environment, including hardware, software, policies, knowledge levels, and expertise of audit staff. Also, consider the
current attitudes in the IT area of the company, which may give an
indication of the support (or lack thereof) for CAATTs
2. Define the future IT environment, with consideration given to the computer platform (mainframe, midrange, and microcomputer), operating
system (MVS, DOS, Windows, and Macintosh), interfaces (IMS, DB2),
organizational changes (structure, reporting relationships, etc.), and required levels and IS skills of audit staff
3. Identify the auditor’s toolset (e.g., laptop, desktop, standalone, or LAN).
Define the basic software tools (e.g., word processing, spreadsheet,
database, data extraction and analysis, presentation, flowcharting, time
and project management, communications), specialized audit software,
and other capabilities that are required
4. Identify audit management tools (e.g., risk analysis, budgeting, audit
universe, time reporting, audit tracking, and follow-up and project management capabilities)
5. Identify other requirements (e.g., e-mail, reference libraries, access to
external databases, Internet access, specialized equipment [color printers, fax, modem, etc.], storage medium, and capacity)
6. Identify training requirements (e.g., who should receive training, how
much and how quickly, and which type of training [in-house, external,
instructor-led, video, computer-based])
7. Determine support requirements (e.g., hardware, software, and problem
solving)
8. File management (e.g., establish policies for determining the official
version, backup and restore, clean-up procedures at end of audit, file
naming conventions, data security, virus protection, and external access
via modem)
9. Quality assurance (e.g., establish a policy to help ensure that data analyses are planned and reviewed for accuracy, completeness, and relevance)
Any audit department interested in pursuing additional areas of CAATTs
should also consider the:
Establishment of an audit research workstation with specialized peripherals and audit software
Development of audit methodology and findings databases and electronic working paper software
Creation of a software library with specialized software programs
Improved access to information from external sources, such as Internet
access
Communication and feedback mechanisms, such as CAATT manuals
(with description of the tools and techniques and information about
the application system), a newsletter outlining data analysis successes
and failures, and flashes to highlight specific items of importance to the
audit organization
Development and delivery of in-house courses, beyond computer literacy, to improve the ability of all auditors to use automated tools more
effectively
The productivity improvements that can be realized through the development and use of automated tools and techniques will only succeed if the
implementation of CAATTs is properly planned and executed. Initially, it
may be necessary to develop and cultivate the required management and
auditor commitment. In addition, the audit organization may be required
to adopt a different mind-set and to break old paradigms and modes of
thinking. As is the case whenever something new is being introduced, communication is a key to success. Communication between the auditors and
the ISAM and between management and the support section are particularly
important. Everyone should have a clear understanding of the goals and objectives of CAATTs. Both management and auditors should know what will
be expected of them and what part they will play in the development and
implementation of automated audit tools and techniques.
Auditors cannot be expected to obtain maximum benefits from CAATTs
unless they have received sufficient training. They must be comfortable with
the technology before they can apply it successfully. Further, a mixture of
IS and audit expertise is highly desirable in establishing effective CAATTs
and in creatively determining how the computer can be used to accomplish
audit objectives.
The path to automation is littered with failed projects—projects that
failed to plan to succeed. As the saying goes, “no one plans to fail, they just
fail to plan.” Given the benefits that can be obtained and the requirement
to develop automated capabilities, audit organizations must take on the
challenge of developing CAATTs.
CHAPTER 7
Challenges for Audit
After having explored the opportunities and benefits of the application
of modern audit software, conceptually and with case studies, it seems
only fair to conclude with a discussion of some of the challenges facing
audit. The first part of the chapter explores the issue of the survival of
the audit organization itself and concludes with the individual auditor’s
requirements for training.
This chapter discusses the necessity for audit to become a learning
organization and to continually strive to improve its service to the client.
The first section discusses the need for audit to adopt a new paradigm, to
be empowered through the ability to access and use data, and to ensure the
skill levels of all auditors can face the tasks. The final section offers some
concluding thoughts and recommendations.
Survival of Audit
Audit is under more pressure than ever before. From sources outside the
company, including stakeholders and investors, there has been an increase
in the number of lawsuits for negligent performance of duties. From within
the company, there is an increased demand for efficiency and effectiveness.
Increased coverage and more cooperative audits are also desired by many
clients.
Forces within the internal audit organization are also at work. The issues
of compliance versus comprehensive auditing, control self-assessments, and
outsourcing have touched many auditors and will continue to bear upon
the audit organization and the audit profession itself.
Having lived through a reorganization, a corporate downsizing initiative,
and a reengineering exercise does not make one an expert in organizational
survival, but it does give one a unique perspective. The business world is
becoming more competitive, leaving less room for nonproductive overhead.
As a result, audit must continue to evolve and really pay its way by reviewing
the appropriate areas and demonstrating its worth to the organization. This
requires highly skilled individuals using modern auditing techniques and
approaches.
Fortunately, audit technology is up to the challenge. More than ever
before, auditors have a significant yet underused arsenal of tools at their
disposal. Prices of hardware and software have decreased at the same time
as the power and utility of the technology has increased. What remains
is for auditors to change their mode of thinking and embrace the new
technologies and auditing approaches.
It has been said that if you only maintain the skills you have today,
without improving or growing, you will be obsolete in five years. This is
true for auditors and for audit organizations. Growth and learning are, quite
simply, an issue of professional and organizational survival.
Audit as a Learning Organization
Today, organizations are endeavoring to maintain their competitiveness,
innovation, and effectiveness through organizational learning. A learning
organization is an organization that deliberately builds structures and strategies in order to increase the likelihood that organizational learning will
occur (Dodgson [1993]). Organizational learning is affected by the organization’s structure, strategies, environment, culture, and technology. Learning
is a dynamic activity that emphasizes the need for continual change; it is
as essential for organizations as it is for individuals. While the concept of
organizational learning was developed to apply to entire corporations, it
applies particularly well to audit.
Learning is not a passive activity. Organizations must actively seek out
opportunities to learn. There are four main activities that contribute to organizational learning: knowledge acquisition, information dissemination, information interpretation, and organizational memory (Huber [1991]).
Knowledge Acquisition
Knowledge acquisition is the accessing of key information sources and the
retrieval and manipulation of the data contained therein. CAATTs support
these activities by providing the means to conduct research; to store, manage, process, and retrieve information; and by providing capabilities for the
interpretation, reformulation, and critical evaluation of information.
The audit organization must also strive to learn more about its own
operations. How well is it serving its clients and senior management? What
areas does audit need to place additional emphasis on (e.g., training, resources, etc.)? In particular, the development of an audit universe and risk
analysis models helps an audit organization learn more about client operations and about its own skills and capabilities.
Information Dissemination
Information dissemination is the sharing of organizational information
among its employees. This sharing further encourages learning and understanding by all involved. Information systems, such as e-mail, document
delivery systems, groupware, and workflow systems, facilitate the sharing of
information. These systems also support feedback and review mechanisms
as well as collaboration between auditors and between auditors and their
clients.
Information Interpretation
Information interpretation is the conversion of raw data into actual, useful information and the establishment of meaning in context of the organization’s
operations. This is accomplished by selecting, screening, using, evaluating,
and comparing data from various sources and by matching the auditor’s
understanding of the resulting information with the originator’s intended
meaning and end user’s interpretation.
Audit software is ideal for these purposes. It allows auditors to interact
with the data and develop a deeper understanding of the information. During the course of audits, this understanding is put to the test as auditors use
the information they have gained to assess operational business areas.
Organizational Memory
Organizational memory or corporate knowledge is the storage of knowledge
for future use. Organizational memory plays an important part in organizational learning by allowing members to learn from past events. Thus, a
major challenge for audit organizations is creating organizational memory
and making it readily accessible to all auditors.
Methodologies, audit programs, lessons learned, review results, analytical tools and techniques, and other information must be easily accessible
by all auditors.
Information technologies such as intranet and hypertext are catalysts
that facilitate the creation of such organizational memories and improve the
ability of the organization to learn from its successes and failures. But technology cannot, in isolation, ensure that organizational memory is sought out
and acted upon. The organizational structure and culture must encourage
and support both the creation and use of organizational memory.
The development and use of CAATTs enables audit organizations to
engage in continuous learning. CAATTs directly support knowledge acquisition, information dissemination, information interpretation, and organizational memory. CAATTs can increase information sharing, communication,
and understanding and can improve the quality of decisions made by the
audit organization.
Audit will contribute to the continued growth and the usefulness of the
audit organization by:
Developing information repositories
Using software tools and analysis techniques more efficiently and effectively
Providing all auditors with information support and analysis assistance
Developing specific applications to support the core audit business
functions
The use of CAATTs can help ensure that the audit organization is continuously learning and improving and is helping the entire organization to
learn.
New Paradigm for Audit
The types of audit support and the capabilities of modern audit tools have
grown and improved faster than organizations have managed to adapt to
and make maximum use of them. Today, two different paradigms seem to
coexist for the use of audit software: Computer-Assisted Audit Techniques
(CAATs) and Computer-Aided Audit Thought Support (CAATS).
The emphasis of this book has been on the need for audit to shift from
Computer-Assisted Audit Techniques to Computer-Aided Audit Thought
Support. The first paradigm merely involves the automation of manual tasks,
while the second paradigm enables the auditor to use more judgment and
exercise critical thinking (Will [1995]). Consequences of each paradigm are
briefly discussed as follows.
Computer-Assisted Audit Techniques
The consideration of audit software as a means of defining and executing
Computer-Assisted Audit Techniques (CAATs), rather than as a new
approach to audit, is building on a paradigm that was developed for
manual audit approaches. The approach simply automates and applies
manual techniques to large mainframe computer environments. The CAATs
do not have any methodological implications for auditing. Audit programs
use computerized techniques, but remain fundamentally the same as when
performed manually.
Computerizing traditional manual audit approaches ignores the risks
and misses the opportunities provided by the electronic nature of the data.
Also, the approach does not capitalize on the advances made in computer
technology. Moreover, it increases the actual costs of auditing and seems
to ignore the opportunity costs associated with the use of mainframe
computers.
Clearly, the rapid expansion of computer technology into all aspects of
the business world has had a major impact on internal audit. User-friendly
microcomputers, easy-to-use software, end user computing, and the networking of microcomputers, locally and globally, with each other and with
mini and mainframe computers, have changed the business environment.
But not all audit organizations have fully accepted the challenges and benefited from the opportunities inherent in the technology.
Computer-Aided Audit Thought Support
There are increased demands on audit to perform rational and critical assessments of all aspects of the business. This, in turn, is forcing audit to
conceive of and apply audit software primarily for the support of critical
minds rather than as the mindless application of automated techniques.
A distinction can be made between the context of discovery (the invention of hypotheses and theories, apart from any concern for their origin or
for their form) and the context of justification (the evaluation of hypotheses
and theories on the available evidence in light of the rules of deduction and
induction). More than ever before, auditors must be able to operate in the
context of discovery and that of justification.
Since auditors must justify an opinion, they work both in discovery and
in justification modes. To do so, they need to be able to identify appropriate
data holdings and understand the associated file structures and meaning of
the individual data elements. They must also be able to define and then test
various hypotheses in an iterative and interactive fashion.
Audit software provides opportunities for creating new or for using
existing file descriptions for various database and file structures with diverse
data types. This facilitates independent access to all data as raw evidential
material by audit, without the involvement of computer programmers.
In order to test data and information, auditors must be able to (re)define
the conditions and the rules under which the data entered into the application system were manipulated and transformed. Modern audit software
provides virtual (computed) field definitions and numerous functions for
the interpretation and logical or mathematical extension of actual data, including error conditions.
These auditor-computed fields and definitions can be stored as separate
knowledge files for use in different contexts. This provides the auditor with
the ability to maintain and apply sets of common error conditions, extensions, meanings, and special types of data under varying circumstances.
In order to facilitate the confirmation, corroboration, and simulation
of information based on available data, not only are powerful commands
available, but so too are scripts or macros—even interactive ones. The scripts
are flexible and can be easily modified. Using audit software, the auditor
can define scripts that can be executed immediately or in delayed fashion
and with different user interface options.
Due to the interactivity of modern audit software, the results are immediately available to the auditor and can be used without delay. Alternatively,
execution can be deliberately delayed and scheduled at special times to follow up on suspicious conditions. The interactivity also allows auditors to
rethink an approach and to use new conjectures in a creative and critical discovery mode based on one’s imagination, recent hunches, or new empirical
findings. Thus, the auditor is empowered to use audit software in different
ways under different circumstances—when and as the auditor sees fit.
Auditor Empowerment
Within the context of this characterization of auditing and audit software, it
is now useful to distinguish different kinds and degrees of empowerment
of auditors in modern organizations. The degrees of empowerment can be
defined in terms of accessibilities (Will [1995]). If we assume that individuals
in general, and auditors in particular, are naturally critical and intelligent and
know best what is good for themselves and for the organizations to which
they belong, we can identify important resources that are helpful to auditors
and others in their organizations:
Access to microcomputers and computer networks
Access to audit software, which can be applied as a comprehensive
meta-language for independent testing
Universal access to all data and information
Access to education and training in support of critical and relevant
thinking in an information-technological context
Due to the increasing amounts of digitized data and information, auditors need access first to hardware and second to software under their own
control. Third, they require unrestricted access to the data (and the underlying documentation) from the business applications of the audit entity.
Access to the data allows the auditors to apply the software critically and
intelligently in order to test the reliability of the information independently.
The ultimate aim is to gain and to communicate knowledge that is
expected and required of auditing as a value-adding activity. Thus, auditors
also need access to the clients whose activities are being evaluated and to
the stakeholders to whom they report. The analyses of the data must be
performed with an understanding of the operational context of the client
operations. Otherwise, the auditors would merely work in the virtual reality
of computer systems rather than within the business or operational reality
under which their clients labor.
Finally, auditors need access to education and training in support of
critical thinking.
Access to Microcomputers and Computer Networks
Since increasing amounts of evidential matter are digitized and under the control of the client, audit requires independent computer hardware to access
the data and to test the information. Of course, since computer hardware
works only with the appropriate software, auditors need independent access
to both.
The microcomputer (r)evolution not only made computing power accessible
to all; the ability to network microcomputers with each other and with
other computers has also distributed that computing power widely, locally
as well as globally. Today, several networks of networks distribute raw
computing power, as well as access to data and information in multimedia
modes of operation, even further.
Auditors within the audit organization and auditors in remote locations
or other companies are easily connected to other auditors via computer
networks (LANs and WANs), as well as intranets and Internet.
Access to Audit Software—Meta-Languages
Thinking requires and happens in terms of, and by means of, language.
Meta-languages allow us to make critical and independent assessments of
statements made in object languages. Thus, if we consider accounting as a
formal language, it becomes necessary to use a meta-language for auditing
and control purposes (Will [1983]). Modern audit software is the meta-language that allows auditors to independently assess and report on information
held and manipulated for accounting purposes.
As already indicated, audit software provides independent, universal,
and direct access to practically all data generated by means of computers.
Audit software uses an English-like command language, allowing auditors to interact
with the software in terms close to their native tongue.
This interface minimizes the linguistic overhead and mental translation effort
required by the users of the software. Auditors can analyze data using audit
software easily using a command structure and syntax similar to their own
language. It also allows the users to apply their natural thought processes
when performing analyses of the data.
Universal Access to Data
Auditors’ effectiveness is not only dependent on their intellectual capacity
and ability to translate their tasks into meta-language expressions, statements, and programs; equally important is easy access to all evidential
matter: data, documentation, comments, information, logs, notes, results,
text, and variables.
Universal access, not only to all files, records, and fields, but literally to
any and every bit (binary digit) of information, is essential for auditors. This
is because the data may represent important evidential matter. Auditors
can have direct access to the data files or indirect access via printouts
of database or file contents. Direct access requires an auditor to have a
good understanding of the file structure. Indirect access reduces the data
definitional complexity but loses some of the technological independence.
As already indicated, in addition to accessing the actual data stored
in files and databases, auditors will want to derive additional data as virtual fields or variables, define error conditions and extensions, and attempt
interpretations of the stored data.
Naturally, the ease and speed with which data and information can
be tested and (re)processed determines the auditor’s efficiency to a large
extent. This explains why modern audit software, rather than the traditional
mainframe-based batch processing, operates in an interactive mode. The
auditor can pose questions directly of the data and obtain near instantaneous
results. The interaction of the auditor with the data is one of the key aspects
of thought support to audit.
In summary, in modern organizations, the empowerment of auditors is
primarily a matter of authorization to buy the inexpensive hardware and
software required to do their job. Using their critical mentality, auditors can
add credibility to the information if they have available audit software—a
meta-language—to test all relevant data and information independently. Of
course, they must also possess unrestricted access to any and all relevant
evidential matter maintained and stored in analog or digital form, along with
a critical mental attitude.
Access to Education, Training, and Research
Despite all efforts to make the powerful audit technology globally available
with intuitive user interfaces and in natural language versions, learning to
use it may require formal education and training. Part of this requirement
is the need for auditors to change the way they view the world. The old
paradigms may be deeply entrenched within the audit organization, making it difficult to adopt new approaches and techniques, but they are not
windows to the modern world.
AUDITOR TRAINING The tools and techniques you learned as little as five
years ago may only satisfy a portion of your current job requirements. It
used to be sufficient for auditors to have little or no knowledge of computerized applications. Now, with technology so pervasive in the business
environment, auditors must have at least some degree of computer literacy.
LIFELONG LEARNING With change being the predominant climate of today,
everyone interested in keeping up must become a lifelong learner. Lifelong
learning used to be an attitude or a state of mind of the intellectually curious
who were bored with the status quo in most respects. Today, it is more a
matter of survival.
Applied to auditing, this means that we have to cultivate our naturally
critical attitudes in such a way that our mentality is geared to the success
and survival of our audited organizations. In addition, we must be able to
make the value-adding contributions that are expected of auditors. Management can support this mentality by encouraging auditors to grow with
their job. Formal or on-the-job training, coupled with ongoing support and
encouragement, can help auditors remain current. Auditors can be assigned
to integrated teams, where auditors with different skill sets work together
and learn from each other. The notion of the integrated auditor, unheard
of by many organizations only a few years ago, is not a thing of the future,
but a reality in many organizations.
PROGRAMS AND PROGRESS In order to encourage and facilitate lifelong learning, management must offer staff attractive programs and monitor their professional progress continuously. Then it is possible to suggest upgrading
or professional development opportunities and to design and offer relevant
programs. Management may proclaim that the company’s greatest resource
is its people, but unless they act to develop and retain their employees, it
is only talk. Other organizations have fully recognized the importance of training their
employees and have developed standards for the provision of training (e.g.,
ten days per auditor per year). Training budgets are based upon these standards, and yearly evaluations of work performance are closely linked to
the identification of training requirements for the next year. However, the
identification of training requirements is not as easy as selecting courses
from a glossy brochure.
Skills Inventory
The changing requirements of audit demand that the skills of auditors
change as well. Audit managers must develop an understanding of where
audit is going and what skills auditors will require to get them there. More
often than not, ensuring that auditors have the requisite skills involves the
provision of training. But training dollars are not easily found and, therefore, must be spent wisely. Conducting a needs analysis can help audit
managers do a better job of identifying the training needs of their staff,
thereby contributing to the effective use of their training budget.
The key elements of a needs analysis are to determine:
What skills the auditors have
What skills they need or will need to do their jobs
The difference between the current skills of the auditor and the required
skills represents a training requirement.
A good needs analysis can make training more effective and meaningful.
Proper identification of training requirements can also help employees to be
more productive and happier in their jobs. The proper definition of training
requirements for the organization will help ensure that scarce dollars will
be spent on training that is required, rather than courses that seem attractive
but are not relevant to the auditor’s job.
Needed versus Actual Skills
In a study rating the importance of academic subjects, computer software
and accounting information systems were in the top ten areas where more
education was felt to be needed (Novin and Pearson [1994]). Further, electronic spreadsheets, database management systems, and word processing
were in the top 20 areas where more education was needed. So, the issue
of IT training is not one that was unrecognized, and it is still an important
issue today.
The main objectives of an information technology (IT) needs analysis
are to answer the following questions:
What job-related IT skills do auditors need in order to perform audits?
Which auditors require these IT skills for their jobs?
What should be taught in order for the auditors to master these skills?
Given limited resources and time, which skills should be taught first?
There are several steps involved in conducting a proper needs analysis.
The first is the delineation of the auditor’s job, including the identification of
all tasks performed as part of the job. To do this, the audit manager should:
Identify all the tasks an auditor is expected to perform in order to do
the job
Define the IT skills that the auditor must have in order to perform these
tasks effectively
For each auditor, determine the tasks they are performing satisfactorily
and the tasks where the auditor must improve his or her performance
For example, during an audit, one task may be analyzing client data
files. This requires the auditor to have many skills, including keyboarding,
an understanding of basic computer terminology and concepts, a working-level knowledge of the data analysis software, and knowledge of the client’s
computer applications. If one or more of the required tasks are not performed satisfactorily because of insufficient skills, the analysis of the data
may be inaccurate and, so too, the results of the audit.
Performing a needs analysis for the entire audit organization can be a
daunting undertaking. Analyzing the skills and performance levels of all auditors may take more time than is available. It can be simplified by grouping
auditors into several categories by position (junior auditor, senior auditor,
etc.) and then developing a list of tasks. This list is, quite simply, a list of
all IT tasks that need to be performed in order to conduct an audit. Since
not all auditors will require the same level of skills or even the same skills,
the audit manager can use the task list to determine which auditors require
which skills. Only those auditors performing the tasks need have their skill
levels evaluated for that task.
The first step in developing this list is to identify all the audit positions
that will be analyzed. Next, define all the computer-related tasks appropriate
to an audit. Finally, itemize the IT tasks that are applicable for each audit
position. For example, see Exhibit 7.1.
By completing this type of information for each task and for each audit
position type, the audit manager defines the tasks required to perform the
audit. The next step in the needs analysis is defining the skills an auditor
must have to perform each of the required IT tasks successfully. While
some tasks may only require one skill, others may require the auditor to
have a number of skills (see Exhibit 7.2). Once again, the process can be
simplified by:
Selecting the relevant tasks from the task list for each audit position
Listing all the skills required to perform the task
The information is completed for each audit position to provide an information technology skill profile for the position. For example, see Exhibit 7.3.
EXHIBIT 7.1 Audit Positions
(Matrix of tasks against audit positions Jr*, Sr*, IS, and Mgr; an × marks each task the position is expected to perform.)
Tasks:
Extract data from client system
Develop data format files
Build spreadsheets
Track resources (project management)
Search reference libraries
Review source code listing
Develop system flowcharts
Evaluate system controls
*Note: Jr and Sr positions are non-IS auditors.
EXHIBIT 7.2 Skills
(Matrix of tasks against skills Uses JCL, Interprets Databases, Writes Programs, and Uses Micro; an × marks each skill a task requires.)
Tasks:
Extract data from client system
Develop data format files
Build spreadsheets
Track resources (project management)
Search reference libraries
Review source code listing
Develop flowcharts
Evaluate controls
EXHIBIT 7.3 Skill Profile
Position: IS Auditor
Skills (programming):
— Reads source code listings and follows program logic
— Develops methods to evaluate program integrity
— Maps controls and risks to develop test procedures
— Writes parallel simulation routines using a microcomputer programming language
— Interprets database structures and performs extractions of data for further testing
The next step is to determine the required level of skill for the audit
position. A rating scale such as shown below can be employed to rate each
of the required skills:
0 - conceptual knowledge only
1 - minimal level of proficiency
2 - working level of proficiency
3 - advanced knowledge and skills
In addition to rating the job requirements, the actual performance level
of the employee for each task must be evaluated. A simple matrix can be
designed for each audit position.
Required versus Actual Performance
The final step is to identify the skills that the auditor requires for the job,
but where the actual level of the auditor’s performance falls below the
job requirements. For example, the position requires the auditor to have a
working level of proficiency in mapping controls and risks to develop test
procedures, but the auditor only has a minimal level of proficiency. The
gap or shortfall may represent an area where training is required; however,
other factors may inhibit employee performance in these areas. Conducting
the needs analysis in conjunction with a performance evaluation activity can
determine the root cause of the gap in performance (required versus actual).
The evaluation process can help the manager decide whether training will
be an effective means for closing the gaps or not (see Exhibit 7.4).
If it is determined that a gap in the auditor’s performance is a result of
lack of training, the next step is to prioritize the training requirements. The
employee’s supervisor can determine which skills are the most critical and
assign the training as high priority for these skills. In the event that some of
the training requirements cannot be satisfied or that the time frame is too
long, the supervisor should try to provide some other form of assistance.
Perhaps an auditor with the necessary skills could work on that phase of the
audit with the auditor requiring training. Many options may be considered
to address the performance gap.
EXHIBIT 7.4 Sample Evaluation Rating
Skill                                                   Required for Job   Actual Level
Programming:
  Reads source code and follows program logic                   2               3
  Develops test data to evaluate program integrity              3               3
  Maps controls and risks to develop test procedures            2               1
The needs analysis should not be a one-time activity. Once developed,
the lists of tasks and skills will not require a great deal of effort for them to
be kept up to date. Also, the utility of the job profiles can be increased if they
are used as part of the annual performance evaluation process. In addition,
the needs analysis results can be used to develop a core curriculum for IT
training in the audit department. This curriculum would detail required and
recommended courses in the IT area. Further, the skills lists can be used
during the hiring process to screen potential candidates or to provide junior
auditors with an idea of what skills would be required for more senior
positions.
The following presents a proposed set of skills for non-IS auditors who
are required to use automated tools and techniques in performing their jobs.
The second set of skills lists the suggested requirements for IS auditors.
Auditor Skills for Using CAATTs
At the introductory level, the auditor using CAATTs should have a good
grasp of IT concepts, such as field, file, record, and an understanding of the
organization’s main applications. The auditor should be aware of the types
of data contained in these applications and their potential use for audit.
At the intermediate level, auditors should have a good working knowledge of audit software. In addition, the auditor should be able to determine
the application-specific criteria necessary to define the audit population.
These criteria are used to extract the records that will be accessed or downloaded to the audit software.
At the senior level, the auditor should be able to formulate an analysis
plan to support the objectives of the audit. This will include determining
the data required (applications and transactions), as well as the analysis
approach (types and nature of the tests to be performed). The senior auditor
should also contribute to the growth of CAATTs in the audit organization
by assisting in the planning and development of new techniques and the
use of new technologies.
IS Auditor Skills
At the introductory level, IS auditors require a basic knowledge of the
underlying principles and features of IS development. They should also
have an appreciation of the business processes that are supported by the
applications. This includes an understanding of basic information systems
security and general and application control concepts and techniques. The
IS auditor should have a good grasp of the audit software and be able to
analyze data extracted from application systems.
At the intermediate level, IS auditors should be able to assess the application and general controls relevant to an information system. They should
have a good knowledge of flowcharting and an ability to read source code
and apply audit software for program testing. They should understand IS issues and risks well enough to be able to address the need in audit planning,
testing, analysis, and reporting.
At the senior level, IS auditors should be able to evaluate and design
application control frameworks for major application systems. Further, they
should be able to plan and direct audits of existing systems and systems
under development. They should understand the business components and
information systems technologies well enough to be able to
identify threats and vulnerabilities. General and application control implications should be well understood. The senior IS auditor should also be
able to direct, supervise, and provide quality assurance on audit software
applications and analyses.
Training Programs and Requirements
Once the skills inventory is complete, the training program needs to be
designed and planned according to the identified requirements. Since technology is relatively easily learned, it makes sense to distinguish between
conceptual and technical training, in order to develop a balance.
Conceptual Training
Technology is both the cause and effect of changes in auditing, and correspondingly, in audit education and training. Therefore, it is essential that
auditors understand conceptually the fundamental changes in the audit environment and how to react to them. For example, what does it take to
convince oneself that computer-based information is believable? What could
have possibly gone wrong? What, how, and how much do I test for internal
consistency of the information and for its correspondence with reality? What
is required to convince the recipients of accountability information that they
can believe it? What decisions does a recipient of audited information have
or want to make?
The conceptual dimensions of audit education and training are nontrivial challenges and ought to be considered prior to the design of and
participation in training programs. Numerous articles have been written discussing the issue of core competencies for auditors. Virtually every article
written in the last five years has recognized IT as a key audit skill. Not only
do auditors require an excellent understanding of the concepts, but they are
required to be proficient with audit software. However, these are also areas
where many auditors lack the requisite skills, and even educational institutions have failed to deliver courses that meet current audit requirements
(Novin and Pearson [1994]).
Technical Training
Since discussions of technical training have been presented in the previous chapter, it is not necessary to repeat them, except to stress again that
technical training without a conceptual understanding of the audit issues is
frequently a waste of the resources. It is therefore critical to plan the training
in such a way that both aspects—conceptual and technical—are adequately
covered.
Training Options
Among the training options available, we can identify in-house training,
courses through professional associations and educational institutions, and
computer-based or video training.
In-house
One of the best ways to develop conceptual and technical training is to
develop in-house courses and case studies. This ties the technical aspects
directly to the conceptual aspects, using actual data and systems in place
in the organization. Familiarity with data and problems not only makes the
grasp of the technicalities much easier, but also promotes critical thinking
if the findings seem familiar but are in fact unexpected. The use of actual
audit cases and results will help auditors who are new to the technology or
new to the organization to develop a better understanding of the audit and
corporate information technology environments. In addition, it will demonstrate current audit approaches, techniques, and capabilities and provide
participants with a better awareness of the corporate information systems.
In-house training sessions are also an opportunity to bring together staff
from branch offices or staff who are working in different audit disciplines
(finance, personnel, etc.). This is often an excellent chance to share ideas
and information.
Professional Associations
Professional associations offer a number of relatively inexpensive training
courses in which one can meet people with similar problems and challenges.
If they are well-designed, they will be conceptually and technically balanced
and integrated.
Professional associations also offer two- to three-day seminars and conferences. These offerings are an excellent chance to become exposed to the
conceptual thinking behind new and emerging ideas.
Finally, attendance at courses offered by professional associations is
sometimes necessary to meet the ongoing requirements for a professional
designation.
Educational Institutions
Educational institutions vary in their training capabilities, but auditors should
not limit themselves only to publicly funded or formally recognized institutions. For example, software companies can offer highly innovative training
in their products in ways that go beyond the mere technicalities. Modern
audit software is a case in point and such an innovation that its capabilities
have hardly been grasped by the majority of auditors. It is therefore essential
to select the appropriate training, not only according to the advertisements,
but according to the educators and trainers involved.
Not surprisingly, a number of educational institutions are also offering
in-house training and are willing to develop special in-house modifications
of successful courses and seminars. They will also develop tailor-made
courses and train-the-trainer sessions that provide in-house trainers with
training and course materials for future in-house sessions. The advantages
of external courses (educational institutions and professional associations)
may include the soundness of the pedagogical approach, the quality of the
instruction and materials, and an opportunity to meet and share ideas with
other professionals from a wide variety of companies.
Computer-Based, Video-Based, and Web-Based Training
Many software and training companies have developed excellent computer-based, video-based, and Web-based training programs. These programs may
be combined with workbooks and computer exercises. There are a number of advantages to computer, Web, and video-based training, including
self-paced learning (students can review the materials at their own pace),
consistency of instruction (every student, whether they take the course today or next year, receives the same quality of instruction), portability (the
students can take the course home with them, use the Internet to access
it while on-the-road, or it can be shipped to a branch office), and cost
(the cost per student, often already fairly low, is reduced each time another
person takes the course).
Web and video instruction is particularly suited to the presentation of
ideas and concepts. Live or animated action can be used to portray complex
ideas more easily than straight text or instructor-led training. Computer-based instruction has the added advantage of allowing the user to interact
with the software in order to obtain hands-on practice.
Summary and Conclusions
The use of IT in audit must be carefully planned and supported by senior management. While CAATTs can produce significant benefits, the improper introduction of technology can also have serious negative consequences. In many audit organizations, credibility is a valued but fragile
commodity. Audit must continually demonstrate the value and utility of
its work by producing high-quality, timely audits of areas of high risk.
The incorrect use of technology could produce erroneous conclusions and
damage the credibility of the audit organization with the client. It could
also make any subsequent attempt to employ CAATTs more difficult. However, the successful use of CAATTs can enhance the credibility of the audit
organization.
The identification of CAATT requirements and the activities conducted
to meet these requirements must be user-driven and coordinated across the
audit organization. The ability to access and process electronic information
from mainframe systems, local systems, and external sources is critical to
the success of many audits. But the audit organization may have a unique
and comprehensive set of requirements for the use of technology to support
its business and strategic functions.
Audit requires support and advice from IS specialists with a working
knowledge of the audit processes. This core of specialists would offer a
single point of contact for all technology-related requests and would ensure
that requests from management and team members are properly addressed
in a timely fashion. Members of this group must be visible to the end
users and knowledgeable of, and responsive to, their specific needs. At the
same time, the group must be proactive in recognizing opportunities for the
application of CAATTs and in marketing existing and new applications of
technology. The IS specialists can also offer support and advice to auditors
who are new to the technology and audit software.
The skills required to remain effective in an increasingly technologically
complex world must be developed, nurtured, and supported. The efficient
and effective use of CAATTs by end users with a variety of computer skills
requires the development of a standard, user-friendly, integrated environment and the provision of specialized training and information technology
support.
Auditability is not possible without empowerment and not meaningful
or useful without a critical outlook. Likewise, empowerment is no longer
possible without access to modern computer-based audit technology. Modern audit software was designed to empower auditors to do the job expected
of them. It facilitates critical reviews of accountability information by value-adding professionals who can produce knowledge for rational (re)action
rather than merely providing more information to already confused or overloaded recipients of information.
Understood this way, auditors are indeed key human resources who
must be empowered and expected to produce knowledge because auditing
is (part of) the continuous and necessary research effort to keep expanding
knowledge and preserving truth in order to ensure the success and survival
of our organizations and societies in a competitive world. Audit must live
and grow if our organizations are to remain viable.
Appendices
A. The Internet—An Audit Tool
Appendix A provides the reader with background information on
the Internet and examples on how it can and is being used by auditors.
B. Information Support Analysis and Monitoring (ISAM) Section
Appendix B describes the rationale for, and the main tasks performed by, the ISAM section. The formation of this type of support
group often will be a key factor in whether the attempt to use CAATTs
is successful or not.
C. Information Management Concepts
Appendix C provides definitions for some basic computer terminology from ASCII to WAN. It also describes and presents examples of
various types of commands involving files, such as Join and Merge.
D. Audit Software Evaluation Criteria
Appendix D provides a checklist for evaluating CAATT tools. It is
important that the CAATT tool selected be able to meet an organization’s
needs, now and in the future.
APPENDIX A
The Internet—An Audit Tool
No person is an island, and, thanks to the Internet, no auditor need work
in isolation. Whether you are working from your office, your home, or
in the field, via the Internet, you can access and use information residing
on the headquarters’ computer system; obtain reference materials from periodicals, newspapers, and encyclopedias at universities and libraries; and
read databases and other information sources from around the world.
Information superhighways, the World Wide Web, and global networks
have become as much a part of today’s audit vocabulary as control totals
and balance sheets were yesterday. This appendix provides an overview of
this important resource and its use and relevance to audit.
The Internet
The Internet is a constantly evolving group of international computer networks. Since its creation in the 1960s, it has grown exponentially and is
now used by hundreds of millions of people, from those in commercial
and educational institutions to individuals in all sectors of the economy.
As the Internet continues to grow and evolve, many audit organizations
have positioned themselves to use this valuable tool. Auditors from around
the world are finding the Internet or an intranet (i.e., an Internet that is
physically and logically restricted to the corporation) to be a useful audit
tool and one that is becoming more useful every day. In addition, auditors
need to consider the risks presented by their company having Web sites
and Internet connections.
Connecting to the Internet
ONLINE INFORMATION SERVICES Auditors with little computer experience
may choose to start slowly by subscribing with an online information service
such as America Online. These services can provide basic e-mail, access to
the World Wide Web, newsgroups, mailing lists, and search engines. Connecting to these services is quite straightforward, even for nontechnical
auditors, and the Windows-based software provided makes it easy to utilize
the Internet.
INTERNET SERVICE PROVIDERS (ISPs) Another way to connect to the Internet
is through an Internet service provider (ISP). An ISP is a company that
maintains a computer (server) that is directly connected to the Internet. An
ISP then allows its customers to access the Internet by connecting to their
server via a high-speed line. An ISP can usually satisfy all of your Internet
requirements, including e-mail. Some ISPs even allow you to create and
maintain your own personal Web page on their server.
DIRECT INTERNET ACCESS Most companies are connecting their local area
networks (LANs) directly to the Internet. So before you investigate online
information services or ISPs, make sure you talk to your system administrator to see if your company or organization already has a direct Internet
connection.
INTERNET WEB BROWSERS Once you are connected, you will need a Web
browser, such as Netscape’s Navigator, Microsoft’s Internet Explorer, or an
independent browser such as Firefox, to find your way around the Internet.
Web browsers are graphical, front-end software that brings Web exploration,
e-mail, newsgroups, and file-transfer capabilities together in an easy-to-use
and seamless integrated package. Web browsers allow you to “bookmark”
sites of interest, making it very easy to find your way back to any particular site.
General Internet Uses
E-MAIL Most auditors consider the ability to share information with others
around the world, through e-mail, to be a significant benefit of the Internet.
I have used e-mail to receive audit programs from other auditors, to obtain
information on risk analysis from an expert in the field, and to simply
correspond with fellow auditors everywhere.
NEWSGROUPS Newsgroups allow users to join in discussions about specific
topics. There are hundreds of audit-related newsgroups on the Internet,
and the number is growing daily. Posting queries to newsgroups gives you
access to advice from thousands of auditors. I have asked questions about
a variety of audit topics, such as telecommunications auditing, and received
completed audit programs in response to my query. Presently, I subscribe
to several newsgroups and maintain an e-mail address list of about 150
auditors. I have helped some fellow auditors and have received help from
others.
LISTSERVERS Listservers are a combination of e-mail and newsgroups. Items
for discussion are sent to every member of the list via e-mail. By subscribing
(sending an e-mail to the list supervisor), you can choose the discussions
in which you want to participate.
WORLD WIDE WEB The World Wide Web (WWW) consists of a collection of
electronic pages that display text and graphics—very similar to the pages of
a book or magazine. Most Web pages also provide electronic links to other
pages and information on the Web, allowing you to easily navigate, or
“surf,” your way around this ever-growing and valuable resource. As the
Web is constantly changing and developing, the best way to utilize this
resource is to set aside time each week just to surf around, even revisiting familiar Web sites, as most sites are constantly being updated and
enhanced.
SEARCH ENGINES Internet search engines are a valuable tool for auditors.
These tools, such as Yahoo! and Google, can search the entire Internet; by
using them, auditors can find information on almost any audit-related subject, audit programs, and current audit-related literature. I have used these
search engines to find specific periodicals; to search for audit programs, best
practices, and benchmarking studies; and to research training courses and
seminars. The search engines rapidly hunt through millions of documents
for user-supplied keywords and return the “hits,” or matches, in order of
their probable relevance.
FORUMS AND MESSAGE BOARDS Forums are one of the oldest communities
on the Internet and date back to the days of bulletin board services. Usually
specialized in one subject, they allow users to share information and ask for
help from other specialists. Forums have moderators that sift through the
information and make sure that all participants are behaving according to
the rules set up by administrators and moderators. Some larger forums take
a lot of time and energy to moderate. Creating a forum is relatively easy, but
the upkeep is more challenging. Professionals often find forums useful in
fact-checking information and discussing ideas. One of my favorite forums
is the user forum maintained by ACL (www.acl.com). It allows users of ACL
services to post and respond to specific questions regarding data analysis
and audit.
CHAT ROOMS AND CHAT PROGRAMS Chat rooms, like forums, usually specialize in one subject. Chat rooms are conducted in real time and have been
integrating voice and video with text. They are a simple way of having a
conference call or video interview. Auditors often use chat rooms as a replacement for the telephone. Some rooms and programs allow one user to
act as a moderator and manipulate documents. It is a cost-effective way to
have a meeting over long distances.
WEBLOGS Weblogs, or blogs, are simply online journals or diaries. Anyone
can start a blog within minutes by going to one of the many providers.
A blog can be hosted on a third-party server or on a private site. The
biggest difference between a traditional journal and a blog is the ability for
readers to comment. One user can leave a comment on an entry of another
user, letting users create a community. It is completely up to the blog’s
owner to moderate the comments. The worldwide blogging community
is often referred to as the blogosphere. The entries can be made public
or shared only with specific users. Many auditors use blogs to share and
debate theories and ideas. It is an effective way to get feedback and advice
from other auditors.
PODCASTS/WEBCASTS Podcasts/webcasts are user-made radio or television
shows. They are mostly used as informational, educational, or news programs. The idea is to create something that people can listen to or watch
on a portable media player. Experts record lectures or experiments and distribute them on a regular basis. Combining recording software with audio
or video chat can create an expert panel from around the world. With a
Web camera and/or a microphone, creating a series of small documentaries
is as easy as knowing your material. The IIA and other audit/accounting organizations offer webcasts on a wide variety of topics. Most are interactive
in that the viewers can ask questions of the experts.
WIKIS Wiki is the Hawaiian word for “fast.” The idea behind developing
this type of software was to have a fast, easy way to edit Web sites. Wikis are
a series of articles, like an encyclopedia, with links to other related articles.
The articles vary in specificity and are all housed on the same site. Users
can edit any of the articles in order to create a communal work. Auditors
can use Wiki software to create dynamic international information projects.
With Wiki software, auditors from dozens of countries could work on a
project, such as updating SOX control documentation, simultaneously.
WEB FEED (RSS/ATOM) Web feeds create a file that lists all updates performed on the Web site. In order to read a feed, a user must subscribe with
a reader program. The feed creates a message, similar to e-mail, that is read
by the reader. Often this message will include a copy or synopsis of the
update. The reader effectively scans each feed looking for a new update.
This is a passive process and holds very little risk for the user. Unlike blogs,
forums, chat rooms, and Wikis, subscribing to a Web feed does not require
you to provide any personal information. Auditors can use feeds in order
to monitor media sources, professional Web sites, and other experts in the
same field.
Useful Sites for Auditors
Many Internet sites contain useful information for auditors. Publishing a
complete list is not feasible, because the number of sites grows by the
minute (and changes frequently). Here are a few:
ACFE, www.acfe.com: the American Certified Fraud Examiners (ACFE)
is a provider of antifraud training and education. The ACFE assists its
members in reducing business fraud and in improving public confidence. The site contains articles and references on fraud detection and
prevention, a bookstore, training, and more.
ACL, www.acl.com: contains useful information on data analysis, including a great user forum and numerous white papers on a variety of
data analysis and continuous auditing topics.
AICPA, www.aicpa.org: The American Institute of Certified Public Accountants (AICPA) serves the auditing and accounting profession. The site
contains links to magazines, articles, standards, training, and more.
Auditnet, www.auditsoftware.net: is an independent community of auditors and financial professionals working together to use technological
tools to improve audit and internal control processes. The site contains
articles and links to other useful sites.
CAATS, www.caats.ca: CAATS is this author’s Web site. It contains links
to articles, training, publications, and consulting services.
Knowledgeleader, www.knowledgeleader.com: KnowledgeLeader is a
subscription-based Web site that provides audit programs, checklists,
tools, resources, and best practices to help internal auditors and risk
management professionals save time, manage risk, and add value.
IIA, www.theiia.org: The Institute of Internal Auditors (IIA) is the global
voice, standard-setter, and professional development and certification
resource for the audit profession. The site contains links to articles,
standards, training, a bookstore, and more.
ISACA, www.isaca.org: the Information System Audit and Control Association (ISACA) has created standards for IS auditing and IS control;
performed pertinent research into the issues challenging our IT auditors; and developed an IT audit certification process. The site contains
links to articles, a bookstore, discussion forums, and more.
Examples of Audit-Related Internet Usage
The following are a few examples of how the Internet was used to answer
specific audit-related questions and the amount of research time used:
A requirement was identified for information pertaining to environmental law on PCBs (two days).
A search for audit programs, one on capital assets and the other on
SAP security, revealed several audit programs, including a separation of
duties (SOD) matrix (two hours).
A study was conducted on best practices in invoice processing (three
days).
Staff carried out detailed research on underground storage tanks (one
hour).
The CFO’s request to see the Federal Registry was satisfied immediately
because the registry is instantly available, as soon as the government
places it online.
There are probably hundreds of other audit-related examples and audit-specific sources of information. Sometimes the most difficult part of a trip
is getting started. Fortunately, many excellent books exist for the beginner,
and almost everyone you meet on the Internet is willing to help. I expect
that many of you have additional sources of audit information, and I hope
that you will share them with others.
APPENDIX B
Information Support Analysis and Monitoring (ISAM) Section
The success of any effort to develop and implement CAATTs will depend
upon a number of factors. One of the critical factors will be the level
and nature of support provided to the initiative. The support will not only
be required at the outset, but also as audit teams begin to use CAATTs more
and more and often in new areas. The following describes some of the
areas where auditors will need support and outlines the types of activities,
skills, and knowledge that must be brought to bear in supporting the audit
organization’s use of CAATTs.
As outlined in Chapter 6, the formation of a support section (ISAM) can
be instrumental in supporting the use of CAATTs. In order to support the
introduction and use of CAATTs, the ISAM staff will be required to:
Interact with audit team leaders, managers, and senior audit management to provide advice and guidance as to which automated methods
and tools would best assist them in more efficiently and effectively planning and conducting audit assignments and to seek an understanding
of the details of complex audits
Provide feedback to audit leaders and managers on the quality and
integrity of the analyses performed and, where appropriate, the corrective measures to be taken; the QA process can be extremely sensitive,
especially if the QA results indicate that the analyses performed by the
audit team are of questionable validity
Discuss data integrity concerns and access methods with the programmers and analysts of major corporate information systems, as well as
managers of external information systems
Negotiate with company senior management and external sources to
seek their approval to gain or improve access to their information
systems
Discuss with client managers methods of improving their operations
and/or systems through the implementation of analysis tools and techniques, initially developed to support the audit of the client operations
Interact with senior management within the audit organization on an
ongoing basis to determine the priorities for information support
Produce oral and written communication to all audit staff to inform
them of, and encourage them to use, CAATTs
Develop scripts to identify and assess risk, even developing continuous
auditing capabilities
The work performed by the ISAM staff will have a major impact on
the functions and processes of the audit organization. To demonstrate
the value and utility of the ISAM, the following list presents its areas of
influence:
Analyses performed directly influence the results and recommendations
of each audit and increase the likelihood that the audit recommendations will produce a positive/meaningful change in the organization.
Recommendations to audit leaders and managers concerning the nature
and types of analyses to be performed directly impact on the audit
methodologies utilized by the audit organization to meet the objectives
established for each audit project.
Information support activities directly influence the scope and objectives planned for each audit conducted.
Feedback provided from the QA function directly impacts on the type,
nature, and extent of analysis required to fully satisfy the audit objectives
and indirectly impacts on the evaluation of the performance of the audit
team by the audit manager.
Timeliness and accuracy of the support and analyses performed impact
on the credibility of each individual audit and of the audit organization
as a whole.
Activities and recommendations concerning access to and use of automated tools and information influence the ability of the audit organization to conduct effective and efficient audits and to provide adequate audit coverage of the broad and complex range of corporate
activities.
Transfer of audit technology and approaches used to analyze client
data and systems directly influences the manner in which corporate
managers monitor, control, and analyze data from end-user and corporate information systems.
The development of continuous auditing capabilities to support the
annual audit plan, the identification of changing levels of risk, and the
tracking of the implementation of audit recommendations.
Appendix B: Information Support Analysis and Monitoring (ISAM) Section
The ISAM staff will be required to approach traditional audits in new,
nontraditional ways, searching for the appropriate application of technology
to audit. This will require the ISAM to:
Analyze each audit’s objectives to identify and assess the diverse information support and analysis requirements of all levels of audit staff
Analyze unique and complex problems, often involving more than one
information system, and devise methods of extracting, using, and
presenting information in support of specific audit objectives
Analyze audit-related technologies and techniques for possible application in client operations and manage the transfer of the technologies
and techniques to the client operations
Create innovative and efficient solutions to the audit organization’s
evolving and increasing requirements for access to, and the analysis
of, information
Establish goals and objectives, and continually revise priorities for the
work to be performed by the section in order to respond to audit senior
management and audit-staff requirements.
Continually evaluate alternatives and develop new methods, procedures, and techniques to automate the audit function to produce improvements in efficiency and effectiveness, including the development
of nontraditional approaches to responding to increasingly complex audit objectives and lines of inquiry
Analyze and develop an understanding of the numerous, complex
mainframe applications to assess their usefulness to audit and to develop methods of obtaining and utilizing information for further analysis and to provide ongoing support to the audit staff requiring the
information
Assess the expertise of each auditor to devise information support and
analysis solutions that are appropriate to the requirements of the audit
and the capabilities of the auditor
The work involves the provision of specialized information support and
analysis services in support of audit activities. It requires a combination of
audit and computer expertise, including knowledge of:
All major corporate information systems, mainframe and microcomputer
operating systems, applications and software, and Database Management Systems (DBMS) to adequately address the audit-related information and analysis requirements
The organizational structure of the company, in particular, the informatics organizations (plans, system design and delivery, and system
architecture areas) to determine appropriate sources of information,
to obtain access to the various applications, and to determine system
interfaces
Current trends in information technology, data analysis and extraction
tools and techniques, and IS auditing
Current and evolving audit problems and issues in the organization
IS support services and information requirements of the individual audit
managers
Internal audit theories, principles, and standards to advise auditors on
computer auditing techniques and to perform Quality Assurance reviews of the work performed by the audit teams
Theories of system analysis, system design, and DBMS to access, develop an understanding of, and use the complex information systems
in the organization
Theories of data analysis, computer auditing, performance management,
and statistical sampling
Methods, techniques, and practices of internal audit, qualitative and
quantitative analysis, and computer auditing to develop CAATTs in support of a wide range of functional audit areas
Methods and techniques of data analysis, IS auditing, computer security,
and system analysis and design; and trends in the computer systems
field
Problem-solving and needs analysis techniques and practices to identify, refine, and address the audit team’s information and data analysis
requirements
Appendix C: Information Management Concepts
There are several necessary elements you must have in order to effectively
use the computer as an audit tool: (1) a computer and audit software
(hardware and software); (2) access to the client’s information (data); and
(3) an understanding of what you are trying to accomplish (audit objectives). Also, it is important for auditors to understand that the use of the
computer will not eliminate errors in their logic, but in fact, the computer
may exacerbate these types of errors. Knowledge is the main defense against
unknowingly committing errors. While it is not necessary to be an expert
at computer programming or even to be an IS auditor, all auditors using
CAATTs must have a basic knowledge of data processing. This means that
all auditors must have a good grasp of the underlying concepts related to
the input, storage, and processing of data.
It seems that the terminology related to the computer changes almost
as quickly as the technology of the computer. In fact, it seems strange to
talk about data processing, when the newer buzzwords are information
management and information technology. The good news is that the basic
concepts have remained the same. These underlying concepts are valid
whether you are talking about a simple flat file, complicated databases,
or even Electronic Data Interchange (EDI) and Electronic Funds Transfer
(EFT).
The following list provides definitions and examples of some of the
basic concepts of data processing and some of the newer terminology that
is relevant to audit:
ASCII—American Standard Code for Information Interchange, used by
IBM microcomputers and compatibles to represent individual characters or symbols (see EBCDIC)
CAAT—Computer-Assisted Audit Tools or Computer-Assisted Audit
Techniques
CAATT—Computer-Assisted Audit Tools and Techniques, new phrase
for CAAT
Database—A logical collection of files with an organized relationship
between the files
Download—Transfer of data from the mainframe computer system to a
stand-alone microcomputer or a LAN
EBCDIC—Extended Binary Coded Decimal Interchange Code, used by
IBM mainframe computers to represent individual characters or
symbols (see ASCII)
EC—Electronic Commerce
EDI—Electronic Data Interchange. The term refers to the EDIFACT standard data interchange, which includes tenders, orders, invoices,
and payment information. EDI is unique in that one company’s
computer sends the information directly to the trading partner’s
computer.
EFT—Electronic Funds Transfer
Export—Similar to Extract, except that the records are selected and
written in a format that can be read by a different software program.
For example, you can export records from a database package and
put them in a format that can be read by spreadsheet software.
Often data is extracted from a complicated database structure to a
simple flat file.
Extract—To select a subset of the records from the file or database,
based upon user-specific criteria. The criteria can be a random
sample, or it can be based on specific values of given fields, such
as all transactions with amounts greater than $10,000. Extract will
cause another file to be created that can be used for further analysis. It is different from Export in the sense that the format of the
extracted file tends to be the same as the original file or a simple
flat file.
Field—Defined area of a record, containing specific information. In the
telephone book example, there are three fields: name, address, and
telephone number.
File—Collection of records. All the names, addresses, and telephone
numbers make up the telephone file.
Internet—Used to refer to the world’s largest inter-network, connecting
thousands of networks worldwide. The Internet provides users with
many services, including e-mail, file transfer, remote logons, and
text searching.
LAN—Local Area Network, a network of microcomputers covering a
relatively small geographic area (usually not larger than a building)
MAN—Metropolitan Area Network, a network that spans a metropolitan
area (usually smaller than a WAN but larger than a LAN)
MODEM—MOdulator/DEModulator, a device that converts digital signals from the computer into analog signals for transmission over
telephone lines and vice versa
Record Layout—Definition of the record providing information related
to the names of the fields, their starting and end positions, and the
types of data contained in each field (character, numeric, etc.)
Record—Collection of fields consisting of information relating to one
area of activity. In the telephone book, the name, address, and
telephone number of an individual constitute a single record.
Select—To choose certain records based upon user-defined criteria.
One or more fields are used to define the user criteria. For example,
select all records where the overtime pay is greater than $1,200.00
and the union status is “No.”
Sort—Arrange the records according to the values contained in one or
more fields (key fields). For example, a telephone book is sorted
on last name and on first name, within last name.
SQL—Structured Query Language, a concise, English-like database
query language for data retrieval, modification, manipulation, and
insertion
Upload—Transfer a data file from a microcomputer or local area network
to the mainframe computer
WAN—Wide Area Network, a network spanning a wide geographic
area (usually larger than a city)
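As an added example that is not code from the book, the Record Layout, ASCII/EBCDIC, Select and Extract definitions above worked through in Python: a constructed fixed-width payroll layout, the same four records both as a microcomputer (ASCII) download and as an EBCDIC mainframe file, and the Select criterion from the list (overtime pay greater than $1,200.00 and union status "No"). The layout, the field names and the two-implied-decimal convention for the numeric field are my assumptions.

```python
from decimal import Decimal
from typing import Callable, Dict, List, Tuple

# A record layout as the appendix defines it: field name, start and end
# position (1-based, inclusive, as mainframe layouts give them) and data type.
# Constructed payroll layout; the numeric field is assumed to carry two
# implied decimal places (the COBOL PIC 9(7)V99 convention).
Layout = List[Tuple[str, int, int, str]]
LAYOUT: Layout = [
    ("EmpId",    1,  6, "character"),
    ("Name",     7, 20, "character"),
    ("Overtime", 21, 29, "numeric"),
    ("Union",    30, 32, "character"),
]
RECORD_LENGTH = 32
Record = Dict[str, object]


def build_record(emp_id: str, name: str, overtime_cents: int, union: str) -> str:
    """Constructed fixed-width record matching LAYOUT (sample data only)."""
    rec = f"{emp_id:<6}{name:<14}{overtime_cents:09d}{union:<3}"
    assert len(rec) == RECORD_LENGTH
    return rec


SAMPLE = [build_record("E00001", "Jane Example", 150075, "No"),
          build_record("E00002", "Sam Sample", 80000, "Yes"),
          build_record("E00003", "Ann Auditor", 132500, "No"),
          build_record("E00004", "Lee Ledger", 125000, "Yes")]
# The same file as a microcomputer download (ASCII) and as it would arrive
# from an IBM mainframe (EBCDIC; Python's cp037 codec). Mainframe fixed-
# length files carry no line terminators, so records are split by length.
ASCII_FILE = "".join(SAMPLE).encode("ascii")
EBCDIC_FILE = "".join(SAMPLE).encode("cp037")


def parse_file(data: bytes, layout: Layout, record_length: int,
               encoding: str) -> List[Record]:
    """Apply a record layout to a fixed-length file, decoding with `encoding`."""
    if len(data) % record_length:
        raise ValueError(f"file length {len(data)} is not a multiple of "
                         f"the record length {record_length}")
    records: List[Record] = []
    for n in range(0, len(data), record_length):
        text = data[n:n + record_length].decode(encoding)
        rec: Record = {}
        for name, start, end, ftype in layout:
            raw = text[start - 1:end]
            if ftype == "numeric":
                if not raw.isdigit():   # a wrong encoding or layout shows up here
                    raise ValueError(f"record {n // record_length + 1}: "
                                     f"field {name} is not numeric: {raw!r}")
                rec[name] = Decimal(raw) / 100   # two implied decimals
            else:
                rec[name] = raw.strip()
        records.append(rec)
    return records


def select(records: List[Record], criterion: Callable[[Record], bool]) -> List[Record]:
    """Select: keep the records that satisfy a user-defined criterion."""
    return [r for r in records if criterion(r)]


def overtime_non_union(r: Record) -> bool:
    """The appendix's example: overtime pay > $1,200.00 and union status "No"."""
    return r["Overtime"] > Decimal("1200.00") and r["Union"] == "No"


def extract_overtime(data: bytes, encoding: str) -> List[Record]:
    """Extract: a new file holding only the selected records."""
    return select(parse_file(data, LAYOUT, RECORD_LENGTH, encoding), overtime_non_union)


def layout_fits(data: bytes, encoding: str) -> bool:
    """True if the layout and encoding parse the whole file without error."""
    try:
        parse_file(data, LAYOUT, RECORD_LENGTH, encoding)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for enc, blob in (("ascii", ASCII_FILE), ("cp037", EBCDIC_FILE)):
        print(enc, [r["EmpId"] for r in extract_overtime(blob, enc)])
    print("EBCDIC read as latin-1 fits layout:", layout_fits(EBCDIC_FILE, "latin-1"))
```

Reading the EBCDIC file with the wrong code page fails on the first numeric field rather than silently producing wrong amounts, which is the check an auditor wants before trusting a download.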
The following list describes operations that involve the manipulation of
files:
Append—Combine two or more files together to create a file that has
all records from the two original files. The records from the second
file are added to the end of the records from the first file, and so
on. The final file contains: all records from the first file, then all
records from the second file, and all records from the nth file.
Merge—Combining of two files (primary and secondary) in such a way
that the result contains records from both files. It is different from
Append, in that the resulting file’s records are sorted according to
the key field. This means that the records are intermingled, rather
than ordered by file. Usually, both files must be sorted and have
the same record layout. For example, combining records from a
file containing the expenditures for January, by financial account,
with a file containing the expenditures for February, will result in a
file that has the expenditures for January and February, sorted by
financial account.
File 1 – January Expenditures
Record   Acct   Exp
1.       A      $10.00
2.       B      $15.00
3.       D      $25.00

File 2 – February Expenditures
Record   Acct   Exp
1.       A      $12.00
2.       B      $13.00
3.       D      $20.00

Append of Jan and Feb Records
Record   Acct   Exp      (Month)
1.       A      $10.00   (Jan)
2.       B      $15.00   (Jan)
3.       D      $25.00   (Jan)
4.       A      $12.00   (Feb)
5.       B      $13.00   (Feb)
6.       D      $20.00   (Feb)

File 1 – January Expenditures
Record   Acct   Exp
1.       A      $10.00
2.       C      $15.00
3.       F      $25.00

File 2 – February Expenditures
Record   Acct   Exp
1.       B      $12.00
2.       D      $13.00
3.       E      $20.00

Merge of Jan and Feb Records
Record   Acct   Exp      (Month)
1.       A      $10.00   (Jan)
2.       B      $12.00   (Feb)
3.       C      $15.00   (Jan)
4.       D      $13.00   (Feb)
5.       E      $20.00   (Feb)
6.       F      $25.00   (Jan)
Join—Instead of adding records to the end of the first file (Append) or
intermingling records (Merge), the joining of two files adds fields from the
secondary file records to corresponding primary file records. Thus, joining
records from January expenditures with February expenditures, by financial
account, will result in a file with records containing both the January and
February expenditures, for each financial account. Usually, when using the
Join command, the user must determine what to do with the unmatched
records (either no secondary record for a primary record or no primary
record for a secondary record). Usually a number of options exist, including:
Final file contains only those primary records that had a match with
the secondary file—records that existed in both the primary and the
secondary file
Final file contains all primary records whether there was a secondary
record match or not; if no secondary record match, fields are zero or
blank filled
Final file contains all unmatched primary records—primary records for
which no secondary record was found
Final file contains all matched secondary records—secondary records
that were matched with the primary records
Final file contains all unmatched secondary records—secondary records
that were not matched with the primary records
All primary file records that did not match with secondary file records
and all secondary records that did not match with the primary file
records
File 1 – January Expenditures
Record   Acct   Exp
1.       A      $10.00
2.       B      $15.00
3.       D      $25.00
4.       E      $14.00

File 2 – February Expenditures
Record   Acct   Exp
1.       A      $12.00
2.       B      $13.00
3.       D      $20.00
4.       F      $32.00

Join of Matched Jan and Feb Records
Record   Acct   Jan Exp   Feb Exp
1.       A      $10.00    $12.00
2.       B      $15.00    $13.00
3.       D      $25.00    $20.00
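The Append, Merge and Join operations described above, including the six ways of handling unmatched records in a Join, as added Python code that is not from the book. The files are constructed copies of the January/February expenditure illustrations, and the function and option names are my own.

```python
from typing import Dict, List, Optional

Record = Dict[str, object]   # one record: field name -> value
File = List[Record]          # a file: records sharing one record layout

# Constructed copies of the appendix's illustrations (Jan/Feb expenditures).
APPEND_JAN: File = [{"Acct": "A", "Exp": 10.00}, {"Acct": "B", "Exp": 15.00},
                    {"Acct": "D", "Exp": 25.00}]
APPEND_FEB: File = [{"Acct": "A", "Exp": 12.00}, {"Acct": "B", "Exp": 13.00},
                    {"Acct": "D", "Exp": 20.00}]
MERGE_JAN: File = [{"Acct": "A", "Exp": 10.00}, {"Acct": "C", "Exp": 15.00},
                   {"Acct": "F", "Exp": 25.00}]
MERGE_FEB: File = [{"Acct": "B", "Exp": 12.00}, {"Acct": "D", "Exp": 13.00},
                   {"Acct": "E", "Exp": 20.00}]
JOIN_JAN: File = [{"Acct": "A", "Exp": 10.00}, {"Acct": "B", "Exp": 15.00},
                  {"Acct": "D", "Exp": 25.00}, {"Acct": "E", "Exp": 14.00}]
JOIN_FEB: File = [{"Acct": "A", "Exp": 12.00}, {"Acct": "B", "Exp": 13.00},
                  {"Acct": "D", "Exp": 20.00}, {"Acct": "F", "Exp": 32.00}]


def append(*files: File) -> File:
    """All records of the first file, then all of the second, and so on."""
    out: File = []
    for f in files:
        out.extend(dict(r) for r in f)
    return out


def merge(primary: File, secondary: File, key: str) -> File:
    """Intermingle two files with the same layout, both sorted on `key`,
    so the result is ordered by key rather than by file."""
    if primary and secondary and set(primary[0]) != set(secondary[0]):
        raise ValueError("merge needs both files to have the same record layout")
    for label, f in (("primary", primary), ("secondary", secondary)):
        keys = [r[key] for r in f]
        if keys != sorted(keys):
            raise ValueError(f"{label} file is not sorted on {key!r}")
    out: File = []
    i = j = 0
    while i < len(primary) and j < len(secondary):
        if primary[i][key] <= secondary[j][key]:   # ties: primary record first
            out.append(dict(primary[i]))
            i += 1
        else:
            out.append(dict(secondary[j]))
            j += 1
    out.extend(dict(r) for r in primary[i:])
    out.extend(dict(r) for r in secondary[j:])
    return out


# The six unmatched-record options listed in the appendix, in the same order.
JOIN_OPTIONS = ("matched_primary", "all_primary", "unmatched_primary",
                "matched_secondary", "unmatched_secondary", "unmatched_both")


def join(primary: File, secondary: File, key: str,
         option: str = "matched_primary", prefix: str = "sec_",
         fill: Optional[object] = None) -> File:
    """Add the secondary file's fields to each corresponding primary record.
    Secondary non-key fields are renamed with `prefix` so January and
    February expenditures stay distinguishable; `fill` supplies the
    zero/blank filling of the all_primary option."""
    if option not in JOIN_OPTIONS:
        raise ValueError(f"unknown join option {option!r}")
    sec_index: Dict[object, File] = {}
    for s in secondary:
        sec_index.setdefault(s[key], []).append(s)
    sec_fields = [f for f in (secondary[0] if secondary else {}) if f != key]
    matched_keys = set()
    out: File = []
    for p in primary:
        matches = sec_index.get(p[key], [])
        if matches:
            matched_keys.add(p[key])
        if option in ("matched_primary", "all_primary"):
            for s in matches:
                out.append({**p, **{prefix + f: s[f] for f in sec_fields}})
            if not matches and option == "all_primary":
                out.append({**p, **{prefix + f: fill for f in sec_fields}})
        elif option in ("unmatched_primary", "unmatched_both") and not matches:
            out.append(dict(p))
    if option in ("matched_secondary", "unmatched_secondary", "unmatched_both"):
        want_matched = option == "matched_secondary"
        out.extend(dict(s) for s in secondary
                   if (s[key] in matched_keys) == want_matched)
    return out


if __name__ == "__main__":
    for r in append(APPEND_JAN, APPEND_FEB):
        print("append", r)
    for r in merge(MERGE_JAN, MERGE_FEB, "Acct"):
        print("merge ", r)
    for opt in JOIN_OPTIONS:
        print("join", opt, join(JOIN_JAN, JOIN_FEB, "Acct", opt, prefix="Feb_"))
```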
Appendix D: Audit Software Evaluation Criteria
The following criteria should be used as a guide when evaluating CAATT
software. Since many products have similar features, it may be more
appropriate to use a ranking system (1 to 5) rather than simply yes or no.
General Capabilities
Does the software meet a specific, identified requirement?
Is the software compatible with the current hardware?
Is the software compatible with legacy systems and data?
Does the software support required peripherals (tape drives, CD-ROM,
etc.)?
Will the software run on the required platforms (desktop, laptop, mainframe, etc.)?
Does the software process large files (1+ gigabytes), and how fast
is it?
What is the quality of the documentation and the online help?
Does the software support both novice and expert modes of operation?
How does the software rate on ease of use and user-friendliness?
Does the software have a Graphical User Interface?
What are the purchase and ongoing maintenance costs?
Reporting Capabilities
Does the software support user-defined reporting capabilities, such as
setting of page breaks, subtotals, etc.?
Can report definitions be modified and saved?
Can ad hoc reports be easily created?
Does the software support font control and advanced formatting
options?
Does the software support multiple line reports?
Graphics Capabilities
Does the software support a variety of graphic presentation styles
(pie charts, histograms, bar graphs, etc.)?
Mathematical Functions
Does the software support mathematical functions (total, average, mean,
mode, standard deviation, stratify, etc.)?
Does the software support sampling (Fixed Interval, Random, Top Stratum, Dollar Unit, etc.)?
File Manipulation Capabilities
Does the software support sorting more than one key field?
Does the software support filtering (selection or exclusion of specific
records based on values in identified fields)?
Does the software support record extraction to create a new file?
Does the software support operations with more than one file (merge,
append, and join)?
Record Definition Capabilities
Does the software read database files directly without conversion or
creating a record layout?
Does the software perform automated conversion of COBOL, AS/400,
and other standard file definitions?
Does the software support record definitions in an interactive mode
(displaying the record, the value of the field being defined according to the field type)?
File Type Capabilities
Does the software read variable-length files?
Does the software support EBCDIC files?
Does the software support report files?
Does the software support multiple record types within a single file?
Programming Capabilities
Does the software permit the creation and running of scripts?
Does the software have a programming language that allows the user
to code complex analyses?
Support
Does the vendor have knowledgeable technical support staff, and are
they readily available?
Does the vendor provide a full range of training and consulting services?
Does the vendor have regional support/representation?
Does the vendor issue regular software updates?
Is there a solid company behind the product?
Other Capabilities
Does the software support the creation of mail merge files in your word
processing format?
Does the software create and maintain log files detailing the analyses
performed?
Does the software maintain a history of how each file was created?
Does the software prohibit the editing/modification of the original file?
Index
A
American Institute of Certified Public
Accountants (AICPA), 10
Analysis plan, 126, 196
Analytical support, 182
Anti-virus and firewall software, 39
Application control(s), 40–41, 91, 101, 166,
217
Audit coverage, 103, 109, 112, 115
Audit management, 27, 56, 61, 184,
196
Audit paradigm, new, 203, 206–208
Audit reports (electronic), 62–63
Audit scheduling, 63–64
Audit software:
access to, 209
evaluation criteria, 241–244
generalized, 40
Audit technology continuum, 27–31
advanced use of technology, 30–31
integral use of technology, 29–30
introductory use of technology, 27–28
moderate use of technology, 28–29
Audit universe, 56
Auditor empowerment, 208–209
Auditor training, 211–220
B
Benchmarking, 148–152
C
CAATTs (Computer assisted audit tools and
techniques):
audit population, 118, 121, 169–171
benefits of, 103–124
data requirements, 171–172
definition, 5–6
developing capabilities, 184–189
evolution of, 6–7
inevitability of, 103–105
integrated use of, 129–148
myths, 21–24
opportunities, 173–174, 202, 207, 220
quality assurance, 194–200
roadblocks, 20–25
transfer of audit technology, 28–29
value-for-money, 134–136
working group, 190–191
Computer aided audit thought support, 18,
206–208
Computer auditing:
data-based approach, 15–19
systems-based approach, 12–14
Computer literacy, 178–186, 189–190
Computer assisted audit tools and techniques,
See CAATTs
Computer-based training, 219–220
Conduct phase, 112–116, 129, 133, 170–171,
173
Confirmation letters, 116
Continuous auditing, 28, 30, 66, 69–80
defined, 70
example of, 74–77
stages, 77–79
versus continuous monitoring, 72–73
Continuous control assessment, 70–71
Continuous monitoring, 71–73
Continuous risk assessment, 71
Control self assessment, 49–50
Controls:
corrective, 197, 199–200
detective, 197–199
preventive, 197–198
D
Data access, 40–49, 153–161
Databases, 60–61
Data downloads, 45–48, 159–162
Data errors, 166–168
Data mining, 54–55
Data reliability, 163–166
Data tests:
pragmatic, 167–168
semantic, 167
syntactic, 167
Data warehouse, 52–54
Data mining, 54–55
Downloading, See Data downloads
E
Early warning systems, 68–69
Electronic document management, 61–62
Electronic questionnaires, 48–49
Electronic working papers, 51–52
E-mail, 57
Executive information system, 180–181
Expert system(s), 67–68
Extensible business reporting language, See
XBRL
F
File Transfer Protocol (FTP), 57–59
Findings database, 117
Flowcharting, 38–39
Fraud detection, 85–86
Fraud risk exposure, 86–88
G
Governance, Risk Management and
Compliance (GRC), 94–102
Grammar checkers, 34
Groupware, 61
Guide to the Assessment of IT Risks (GAIT),
92–94
H
Hands-on approach to audit, 24
I
Information dissemination and interpretation,
204–205
Information Support Analysis and Monitoring
(ISAM), 182–184, 231–234
In-house training, 218
Integrated Test Facility (ITF), 9
Internet, 225–230
audit usage (examples of), 230
chat rooms, 228–229
connecting to, 225–226
e-mail, 226
forums and message boards, 227
internet service provider, 226
listserver, 227
newsgroups, 226
podcasts, 229
search engines, 227
useful sites, 229
weblogs, 228
webcasts, 228
web feed, 228–229
wiki, 228
world-wide web (WWW), 227
Intranet, 59–60
IT controls and risks (assessment of), 90–94,
167
L
Learning organization, 204
Lessons learned, 182–188
Local Area Networks (LAN), 31, 59
M
Mainframe application(s), 45–46
Management software, 37, 57
for projects, 64
Microcomputer, 154–158
P
Paper file review, 122–123
Parallel simulation, 10–11, 50–51
Planning phase, 109–111
Presentation software, 37–38
Project management, 64
Public Company accounting Oversight Board
(PCAOB), 81–90
audit standard 2, 89
audit standard 5, 82, 85
Q
Quality assurance methodology, 196–200
R
Re-engineering (audit and), 144–148
Reasonableness, 11
Reference library, 35
Reporting phase, 116–117
S
Sample Audit Review File (SARF), 9–10
Sampling, 10
Sarbanes-Oxley (SOX), 79–90
compliance software, 88
costs of compliance, 79
incremental compliance strategy, 90
risk factors, 84–85
roles and responsibility of internal auditor,
83
sections, 81–82
Software license checker, 39–40
Source code review, 106–107
Spreadsheet, 35–27
checkers, 36
Standard reports, 44–45
Summary data, 46–47
System Control Audit Review File (SCARF), 9
System logs analysis, 107–108
T
Test decks, 8–9
Text search and retrieval, 34–35
Time for critical thinking, 122–124
Time reporting, 63–64
V
Value-added auditing, 134–135
W
Web browsers, 226–227
Working papers (electronic), 51–52
World Wide Web, 227
X
XBRL, 64–66