Post on 19-Dec-2015
The Continuous Auditing Methodology for Web-Release – An ECAM Prototype
Using Object-Oriented Technology
Chi-Chun Chou, Assistant Professor
Department of Accounting
Chung-Yuan Christian University
22 Pu-Jen, Pu-chung Li, Chung Li, Taiwan, Republic of China
PHONE: 011-886-3-4563171 (ext.) 5316
FAX: 011-886-3-34372092
E-mail: [email protected]
Continuous Auditing as the Solution to Web-Release Assurance
WE NEED WEB-RELEASE, BUT HOW TO CONTROL THE ASSURANCE PROBLEM?
Is Continuous Auditing the SOLUTION? Our Preliminary Analysis Indicates:
Ceteris paribus, given the appropriate technology, the total economic welfare under continuous auditing will never be less than that under real-time auditing, and that under real-time auditing will never be less than that under traditional periodical auditing, regardless of the information environment type.
But, how to Conduct it?
Thinking on the Basic Requirements
Analyzing the Conceptual Model
Identifying the Implementation Tools
Realizing the ECAM System
Basic Requirements
AUTOMATION is the KEY to Continuous Auditing!
To Make Data MACHINE-READABLE is the KEY to Automated Data Extraction!
MACHINE-EXECUTABLE PROCEDURES to Read and Analyze Data are the KEY to Automated Data Analysis!
Detail Requirements:
OLCT: Propositions 3-1 to 3-5
CSTM: Propositions 3-6 to 3-7
Machine-Readable Data
How to Read?
Requiring the knowledge of Data Schema Design: Wait and Wakeup Threads (Non-Semantic Daemons)
Requiring no knowledge of Data Schema Design: Semantic Intelligent Agents -> Mission Impossible!
PRE-ARRANGED Data: Standard Data Interface (ex: XML-Based Format); Embedded Event-Triggering Methods (ex: OO-Based EAM Gateway)
What to Read? Can we use INTERNAL CONTROL INFORMATION? The "Hooked" Balance-Related Transaction Data
When to Read? On_Updates of the INTERNAL CONTROL Configuration; On_Posted of each Transaction
Where to Read? URI of INTERNAL CONTROL Configuration Data; URI of Transaction Data
Machine-Executable Procedures
How to Perform? Event-Triggering Threads (ex: OO-Based Audit Patterns)
What to Perform? Workflow-Based Control Testing Logic; Automated Transaction and Balance-Related Testing Procedures: Error-Detecting Procedures and Error-Correcting Procedures
When to Perform? On_Retrieval of the updated INTERNAL CONTROL Configuration; On_Retrieval of each Transaction Data
Where to Perform? Continuous Auditor's Server
On-Line Control Testing
Idea: Let the Client's System Setting Talk:
Obtaining Control Configuration Data Directly from the Client's System Setting -> Workflow Control Data
Benefits:
More Direct Results: No more Testing Data Method
Easier to achieve Continuous Monitoring
Exact Tie-in to the Substantive Testing
Determinants of a Successful OLCT:
The availability of control configuration data
The reliability of system application components
The reusability of the OLCT mechanism
Analyzing Steps for OLCT
Identify the Testing Objectives of OLCT, restricted by:
High measurability of the control element
Low "pervasiveness" of the control element
High feasibility to facilitate control testing by computer
Identify the System Control Evaluating Model: Tie-in to the Substantive Testing Patterns
Consider the Influence of the Client System on OLCT:
Availability of Control Configuration Data
Maintenance of Control Data Availability
Reliability of System Application Components
Data Model Requirements for OLCT:
Continuing Availability of Control Configuration Data
The Maintenance and Reusability of the OLCT Mechanism
Continuous Substantive Testing Model
Idea: Transaction Testing REPLACES Balance Testing
Obtaining and Analyzing the Transactions on a Timely Basis
Automated Transaction Testing BASED on Control Testing
Benefits:
Easier to achieve Real-time Audit Reports
Automation Decreases the Operational Costs
Exact Substantive Testing according to the OLCT Patterns
Determinants of a Successful CSTM:
The availability of transaction data
The comprehensiveness of the CSTM mechanism
The reusability of CSTM components
Analyzing Steps for CSTM
Identify the Testing Objectives of CSTM
Identify the Continuous Substantive Testing Model
Consider the Influence of the Client System on CSTM: Continuing Availability of Transaction Data
Data Model Requirements for OLCT:
The Comprehensiveness of the CSTM Mechanism
The Maintenance and Reusability of CSTM Components
Realizing ECAM
System Architecture of ECAM
OOAD is the Best Solution!
Implementation Tools
Prototype Demonstration: http://chichun.ac.cycu.edu.tw/research.htm
Concluding Remarks and Future Study
The Comparisons of Three Audit Approaches
[Figure: bar chart of Expected Performance (%), rated Low / Medium / High, over the Efficiency Indicators I1 to I8 for six approach and delivery-mode combinations: CAu / Pull, CAu / Push, RAu / Pull, RAu / Push, PAu / Pull, PAu / Push.]
Determinant Factors for an Efficient OLCT
[Figure: matrix with the reliability of system application components on the horizontal axis (Low to High) and the expected risk of assessing control risk too low on the vertical axis (Low to High). Its four cells read: High availability of control configuration data / High reusability of OLCT mechanism; High availability of control configuration data / Low reusability of OLCT mechanism; Low availability of control configuration data / High reusability of OLCT mechanism; Low availability of control configuration data / Low reusability of OLCT mechanism.]
System Control Evaluating Model using ICDL
DIST1 stands for the least deficient situation, which we call "inconsistency". In ICDL terms, DIST1 collects the inconsistent deficiencies described as follows: "For each (nl, rk) in {PC} under auditing, a corresponding pair (nl, rk)* is found in {PC*}, and each nl in (nl, rk) is identical to nl* in (nl, rk)*; however, there exists some rk that is not equal to rk*."
$DIST_{TOTAL} = w_1 \cdot DIST_1 + w_2 \cdot DIST_2 + w_3 \cdot DIST_3$
DIST2 is the moderate case of deficiency, which we call the "incomprehensiveness" deficiency. In ICDL terms, DIST2 is the case in which each nl in {PC} has an identical node nl* in {PC*}, but there exists some rk* in {PC*} that is not in {PC}.
DIST3 is the worst situation, "incompleteness": there exists some nl* in {PC*} that is not in {PC}, together with its related preconditions rk*. This deficiency might increase the possibility of fictitious transactions, so a serious further investigation of the existence assertion might be necessary.
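As an added illustration (not code from the paper or its prototype), the three ICDL distances and the weighted DIST_TOTAL computed in Python over two precondition patterns; representing {PC} and {PC*} as dictionaries from node to precondition set, the weight values and the sample patterns are assumptions made here:

```python
from typing import Dict, List, Set, Tuple

Pattern = Dict[str, Set[str]]  # node n_l -> set of its triggering preconditions r_k


def icdl_deficiencies(pc: Pattern, pc_star: Pattern) -> Tuple[List[str], List[str], List[str]]:
    """Return (DIST1, DIST2, DIST3) as lists of findings.

    {PC} is the client's control design under auditing and {PC*} the auditor's
    expected pattern (this dictionary reading of slide 14 is an assumption).
    DIST1 (inconsistency): node in both, but a client r_k equals no expected r_k*.
    DIST2 (incomprehensiveness): node in both, but an expected r_k* is absent.
    DIST3 (incompleteness): an expected node n_l* (with its r_k*) is not in {PC}.
    """
    dist1: List[str] = []
    dist2: List[str] = []
    dist3: List[str] = []
    for node, expected in pc_star.items():
        if node not in pc:
            dist3.append(node)               # n_l* missing together with all its r_k*
            continue
        actual = pc[node]
        dist1 += [f"{node}:{r}" for r in sorted(actual - expected)]   # r_k != any r_k*
        dist2 += [f"{node}:{r}" for r in sorted(expected - actual)]   # r_k* not in {PC}
    return dist1, dist2, dist3


def dist_total(pc: Pattern, pc_star: Pattern,
               weights: Tuple[float, float, float] = (1.0, 2.0, 3.0)) -> float:
    """DIST_TOTAL = w1*DIST1 + w2*DIST2 + w3*DIST3, each DIST taken as a count.
    The weights follow the severity ordering of slide 14; their values are assumed."""
    counts = [len(d) for d in icdl_deficiencies(pc, pc_star)]
    return sum(w * c for w, c in zip(weights, counts))


# Constructed sample: the auditor's expected sales-order pattern vs. one client's design.
EXPECTED: Pattern = {
    "SO_Creation":   {"UserAuthorized", "SO_OneToOne_CO"},
    "SO_Permission": {"UserAuthorized", "CreditLimitPolicy_NotNull"},
    "SO_Update":     {"UserAuthorized", "CorrectionNotice_Exists"},
}
CLIENT: Pattern = {
    "SO_Creation":   {"UserAuthorized", "SO_OneToOne_CO"},
    "SO_Permission": {"UserAuthorized", "PriceWithin5Pct"},   # one wrong, one missing
    # "SO_Update" is absent entirely -> incompleteness (DIST3)
}

if __name__ == "__main__":
    d1, d2, d3 = icdl_deficiencies(CLIENT, EXPECTED)
    print("DIST1:", d1, "DIST2:", d2, "DIST3:", d3)
    print("DIST_TOTAL:", dist_total(CLIENT, EXPECTED))
```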
Control Plans, Control Objectives, Control Testing and Tied-in Substantive Testing for Sales Order Creation, Permission and Maintenance
[Table. Rows are the Present (P-) and Missing (M-) Control Plans with their Triggering Preconditions. Columns are the Operational Control Objectives (Ensure Operational Effectiveness, Ensure Operational Efficiency, Ensure the Security of Resources) and the Control Objectives of Information Processing for SO Inputs (IV, IC, IA) and for SO Updates (UV, UC, UA); each cell carries the plan's mark (P or M). The last column gives the Control Testing Methods and the Impacts on Substantive Tests if the Control Plans are NOT Implemented. The column-by-column marks could not be recovered; only their count per row is kept.]
P-1: Logs of 4 Ws when any user logs in to input / update any records in SO. Marked P. Need not do further substantive tests (Mandatory).
M-1: SO Creation Condition Checking (1. User's Authorization; 2. One-to-one related to Unrecorded Customer Order). Marked M in four objective columns.
  1. check if UserID is legal; if not, start CORRECTIVE process;
  2. check if SO is one-to-one related to CO; if not, start CORRECTIVE process;
M-2: SO tightly turned-around from CO and Product (1. SOLineItemQuantity = COLineItemQuantity; 2. SOPrice = StandardPrice ±5%; etc.). Marked M in seven objective columns.
  3. check if SOLineItems = COLineItems; if not, start CORRECTIVE process;
  4. check if SOLineItemQuantity = COLineItemQuantity; if not, start CORRECTIVE process;
  5. check if SOPrice is between StandardPrice ±5%; if not, start CORRECTIVE process;
M-4: SO Permission Condition Checking (1. User's Authorization; 2. ToPermit SO; 3. Querying on SO Permission Policies). Marked M in three objective columns.
  6. check if there is a permission process; if not, start CORRECTIVE process;
  7. check if UserID is legal; if not, start CORRECTIVE process;
M-5: SO Permission Policy Setting (1. CreditLimitPolicy isNotNull; 2. CreditLimitPolicy.CreditLimit > SOAmount; 3. SOLineItemQuantity = COLineItemQuantity; 4. SOPrice between StandardPrice ±5%; etc.). Marked M in one objective column.
  8. check if CreditLimitPolicy is Null; if Null, the auditor creates the standard CreditLimitPolicy;
  9. check if CreditLimitPolicy.CreditLimit > SOAmount; if not, start CORRECTIVE process;
M-6: Quick Response between: 1. CO Creation and SO Creation; 2. SO Creation and Permission; 3. SO Update Notice and SO Update. Marked R. Need not do further substantive tests.
M-7: SO Update Condition Checking (1. User's Authorization; 2. ToUpdate SO.CorrectionNotices exists; 3. Querying on SO Policies). Marked M in five objective columns.
  10. check if there is an update process; if not, start CORRECTIVE process;
  11. check if UserID is legal; if not, start CORRECTIVE process;
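An added example (not the prototype's own code) of the tie-in the table describes: the substantive checks 1 to 5 and 8 to 9 run only when the client's control configuration, as retrieved by OLCT, shows the corresponding control plan (M-1, M-2, M-5) missing. The record layout, the configuration fields and the sample orders are assumptions made here:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SalesOrder:
    so_id: str
    co_id: str
    user_id: str
    line_items: Dict[str, int]   # product -> SOLineItemQuantity
    prices: Dict[str, float]     # product -> SOPrice
    amount: float                # SOAmount


@dataclass
class ControlConfig:
    """Client control configuration retrieved by OLCT (hypothetical fields)."""
    legal_users: set
    m1_present: bool               # control plan M-1 (creation condition checking) implemented
    m2_present: bool               # control plan M-2 (turn-around from CO) implemented
    credit_limit: Optional[float]  # M-5 CreditLimitPolicy.CreditLimit; None = policy is Null


def audit_sales_order(so: SalesOrder, co_index: Dict[str, Dict[str, int]],
                      config: ControlConfig, standard_price: Dict[str, float],
                      standard_credit_limit: float = 10000.0) -> List[str]:
    """Run only the substantive checks whose control plan the client lacks.
    Returns exception messages; an empty list means no CORRECTIVE process."""
    exceptions: List[str] = []
    co = co_index.get(so.co_id)        # COLineItems of the related customer order
    if not config.m1_present:          # M-1 missing -> checks 1 and 2
        if so.user_id not in config.legal_users:
            exceptions.append("1: UserID not legal")
        if co is None:
            exceptions.append("2: SO not one-to-one related to a CO")
    if not config.m2_present and co is not None:   # M-2 missing -> checks 3 to 5
        if set(so.line_items) != set(co):
            exceptions.append("3: SOLineItems != COLineItems")
        for product, qty in so.line_items.items():
            if co.get(product) != qty:
                exceptions.append(f"4: SOLineItemQuantity != COLineItemQuantity ({product})")
            std = standard_price[product]
            if not 0.95 * std <= so.prices[product] <= 1.05 * std:
                exceptions.append(f"5: SOPrice outside StandardPrice +/-5% ({product})")
    # Check 8: a Null CreditLimitPolicy is replaced by the auditor's standard policy;
    # check 9 then compares the limit with SOAmount.
    limit = config.credit_limit if config.credit_limit is not None else standard_credit_limit
    if not limit > so.amount:
        exceptions.append("9: CreditLimitPolicy.CreditLimit not greater than SOAmount")
    return exceptions


# Constructed sample data (assumed values, not from the paper).
STANDARD_PRICE = {"P100": 20.0, "P200": 50.0}
CO_INDEX = {"CO-1": {"P100": 10, "P200": 2}}
CONFIG = ControlConfig(legal_users={"alice"}, m1_present=False, m2_present=False, credit_limit=None)
SO_OK = SalesOrder("SO-1", "CO-1", "alice", {"P100": 10, "P200": 2}, {"P100": 20.5, "P200": 50.0}, 305.0)
SO_BAD = SalesOrder("SO-2", "CO-1", "bob", {"P100": 12, "P200": 2}, {"P100": 25.0, "P200": 50.0}, 400.0)
```

With the control plans reported present, the same SO_BAD record produces no exceptions, which is exactly the "need not do further substantive tests" outcome of the table.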
Illustration of Five Types of Client's Control Designs for OLCT Consideration
[Figure. Flowchart of sales order creation with the boxes ASSIGN values TO SO.ATTRIBUTES; WAIT FOR CO; SYSTEM.ASSIGN CO.ATTRIBUTES TO SO.CONTROLLED_ATTRIBUTES; SYSTEM.CHECK CONFIG.SO_CREATION (YES / NO); SYSTEM.CHECK PRECONDITIONS FOR SO.CREATION (YES / NO); DISMATCH HANDLING. The same control is then drawn under five design approaches.]
Procedural Solution (1):
  VAR SO_CreateByCO
  SO_Config_Check() { If SO_CreateByCO = true then SO_CreateByCO(CO.Attributes) else SO_Creation() }
  SO_CreateByCO(New_Attributes) { ... }
  SO_Creation() { ... }
Procedural Solution (2): the same check, with the configuration obtained from a DBMS (getByDBMS):
  SO_Config_Check() { If SalesConfig.SO_CreateByCO = true then SO_CreateByCO(CO.Attributes) else SO_Creation() }
  SO_CreateByCO(CO.Attributes) { ... }
  SO_Creation() { ... }
Modular Solution: a SalesConfig module whose SO_Config_Check(SO_CreateByCO) gets SO_CreateByCO and calls either SO_CreateByCO(CO.Attributes) or SO_Creation():
  If SalesConfig.SO_CreateByCO = true then SO_CreateByCO(CO.Attributes) else SO_Creation()
Component-based Solution: the SalesConfig component and Other Config components are reused from a Component Database; a Component Retriever retrieves them through the DBMS, and subclasses inherit from abstract classes.
Object-Oriented Solution (state pattern): class diagram with GenericDocument (id : int; create() : vector; createBy(OtherDocAttributes : vector); getters() : vector; setters() : vector), SalesOrder, GenericDocPolicy (state : int; getState(); setState()), GenericDocController (policyID : int; userCheck(userAuthority); createCheck(state : int) : boolean), SOController, SOCreate, SOInsert, SODelete, SOAccess, SOCreateByCOQTY, SOCreateByCOITEM and SOIDGenPolicy, with depend-on relations and 1..1 / 0..* multiplicities.
An ASP Framework for ECAM
[Figure. Six client companies (Company 1 to Company 6, each with its own Control Configuration and System Components, labelled C1 to C6) connect to the Auditor's ASP Server for ECAM Clients, which holds the Generic AU Patterns; Other Auditors Using ASP Services connect to the same server; a System Reliability Certification Authority Server maintains a Public System Reliability Database.]
Class Diagram – an Illustration of ECAM Data Model
[Figure: class diagram showing the ECAM Data Model beside the Client System Data Model.]
Audit Risk Induced by Various System Design Approaches
Columns (the header groups the first seven under Client System and ECAM): (1) Availability of Control Configuration Data[1]; (2) Maintenance of Control Data Retrieval; (3) Maintenance of OLCT and CSTM Mechanism; (4) Reusability of OLCT and CSTM Mechanism; (5) Continuing Retrieval of Transaction Data and Control Data; (6) Transaction Data Accessibility; (7) Reliability of System Components; (8) Audit Risk.
System Design Approach        (1)   (2)     (3)     (4)     (5)   (6)   (7)     (8)
Pure Procedural               Low   Low     Low     Low     High  Low   Low     High
Procedural System with DBMS   High  Low     Low     Low     High  High  Low     High
Modular System                High  Medium  Medium  Low     High  High  Low     Medium – High
Component-Based System        High  High    High    Medium  High  High  Medium  Medium
Object-Oriented System        High  High    High    High    High  High  High    Low
Illustration of the Transaction-Basis Testing Scheme
Illustration of CSTM Processes
[Figure. The Auditor's Continuous Auditing System is drawn in three layers: a Presentation Layer (User Interface with alarms or exception reports; Reporting and Dissemination System), a Data Analysis Layer (Auditor's Monitor System; Audit Rule Base System holding internal control objects, policy objects and correcting / pseudo-reporting rules; Audit Databases of audited / unaudited data, internal control, and client / pseudo reports) and a Data Capturing and Provision Layer (Data Collector and Capturer for transaction data, internal control data, financial statements and other evidence). Its Data Sources are the Corporate's Transaction Processing System (Internal Control Structure Module; Revenue, Acquisition, Payroll, Financing and Manufacturing Cycles; Other Transaction Modules), the Corporate's WWW Server, and Outside Parties' Public or Web Databases (Vendor, Customer, Bank, etc.), which WWW users browse or navigate randomly. Numbered flows: (1) import IC structure continuously; (2) filter / import data continuously; (3) data / message commitment; (4) retrieve unaudited data; (5) auditing / correcting; (6) commit audited data; (7) display audited results; (8) monitoring on a continuous basis; (9) financial reports; (10) pseudo reporting; (11) generating pseudo reports immediately; (12) issuing and attaching continuous audit report to client's reports; (13) join-disclose financial reports / auditing reports on WWW; (O-1) on auditor's requests; (O-2) further requests and responses; (O-3) continuous feedbacks.]
[Figure. The External Continuous Auditing Machine connected to a Partial Client's System. Client side: Sales Module (Sales System, Accounts Receivable System, Cash Receipts System), Acquisition Module (Purchase System, Accounts Payable System, Cash Disbursement System, Inventory System) and Accounting Module (General Ledger System, Reporting System, Disclosure System), exchanging Sales, AR, CR, Purchase, AP, CD and Inventory Updates, General Ledger Information and Accounting Reports, and issuing Web Releases to Information Users. ECAM side: Internal Control Capturing System, Internal Control Template System, Internal Control Evaluation System, Transaction Mapping to Internal Control System, Control Tracking System, Materiality Tracking System, Online Control Testing System (OLCT), Report Judgement System, Opinion Issuing System and Auditor's Monitor, exchanging Internal Control 4W's Information, Internal Control Template Information, Collected & Converted Internal Control Information, Accounting Data within the Reporting Period, Sales and Purchase Transaction Data within the Reporting Period, Mapping Results, Evaluations of Internal Control, the Materiality Criterion and Judgement Results on the Client's Report, and producing Exceptional Alarms, Continuous Auditing Reports, the Auditor's Opinion and a Disclosure Notice. The flows are labelled (1) to (13) and run on a period basis, on an instant basis, on an instant transaction basis, on an instant transaction and period-end basis, on an event-driven basis, or at period end or on a real-time basis.]
Note: the shadow parts are implemented in the later prototype system.
Summary of the Analysis, Design and Implementation Tools for ECAM Prototype
Development Process: Development Tools (Internet Resources)
System Control Analysis: ICDL, IDEF3 (Bailey et al. (1985); http://www.idef.com/)
OOAD: UML, Rational Rose 2000 (http://www.rational.com/rose/)
Middle Ware for Audit Objects: 1. IBM San Francisco Framework 1.40; 2. IBM San Francisco Application Development with CBO Labs; 3. IBM San Francisco Code Generator (http://www.ibm.com/Java/Sanfrancisco/)
Application Development Kits: Java Development Kit 1.1.7, Borland JBuilder 3.0 Professional (http://java.sun.com/products/jdk/1.1/docs/; http://www.borland.com/jbuilder/)
Web Client and Server Program: HTML 4.0, JavaScript, Java Applets, Java Servlets and Java Server Pages (http://java.sun.com/products/servlet/; http://java.sun.com/products/jsp/; http://java.sun.com/)
Application Server: IBM WebSphere Application Server 2.0 (http://www-4.ibm.com/software/webservers/)
Database Server: IBM SF Posix Store (http://www.ibm.com/Java/Sanfrancisco/)
Web Server: Microsoft Internet Information Server 4.0 (http://www.microsoft.com/technet/iis/default.asp)
Operating Platform: Microsoft NT 4.0 (http://www.microsoft.com/technet/winnt/default.asp)