icai-4
-
7/29/2019 ICAI-4
One day seminar on
IS Audit a Practical approach
and CAAT
on
17 July 2004, New Delhi
By
A.Rafeq, FCA, CISA, CQA, CFE, Bangalore
-
Learning Objectives
Why CAATs?
What are CAATs?
Benefits and Features of CAATs
How to use CAATs?
Using CAATs: Case studies through demo of CAAT Software
Strategies for using CAATs
Myths and Pitfalls of CAATs
Questions
-
What Are CAATs? (contd)
Another category of software that is relevant to 21st century auditors is Audit Automation software, which is used for making the audit more efficient and reusable, such as planning to electronic workpapers
Examples of these include PWC's TeamMate and Methodware's suite of software such as Audit Builder, COBIT Advisor, etc.
-
Why Automate The Audit?
Today's computer systems process far more data than ever before, and the increased processing volumes have rendered traditional audit sampling techniques far too risky and insufficient to draw reasonable conclusions from such small samples, especially from large populations
Certain computerized processes produce intermediate results which are not output as hard copies and, therefore, the only way to test the integrity of a multi-step process is to review the information that is passed from step to step using automation
Many of the internal controls in today's business processes that have traditionally been handled by manual controls are now performed by computer systems
-
Types of CAAT Tools
Audit Software
These are software that have been designed with the auditor in mind and are able to produce reports and analyses that are highly audit-centric, e.g. produce summaries, stratification of data, statistical sampling and computations that are normally pursued by auditors
Can easily produce PC-readable files that can be imported/exported into popular application software such as Microsoft Excel, Lotus 1-2-3, etc.
Examples of such tools are ACL (Audit Command Language), IDEA (Interactive Data Extraction & Analysis), SoftCAAT and CA-Panaudit Plus
-
Types of CAAT Tools (contd)
Report Generators/Report Writers
These are designed primarily to extract data for output into easily readable and understandable formats for normal consumption by end-users
Although not designed with auditors in mind, these tools can be useful in extracting relevant audit information
Most report writers are designed as part of the application, such as accounting application or ERP, and, therefore, integrate seamlessly with the underlying application
Examples of such tools are Microsoft Access, CA EasyTrieve, SAS, Monarch, etc.
-
Types of CAAT Tools (contd)
Business Intelligence Software
These represent a new breed of report writing software designed to extract useful analyses for management consumption
They are normally sold independently of the applications from which they are designed to read data and are supposed to be easy to use, with features such as drag-and-drop
Examples of such software are Business Objects and Seagate Crystal Reports
-
Types of CAAT Tools (contd)
Platform Specific Retrieval Systems
These are usually security-oriented and written by the platform vendor or third parties to extract useful security-related or administration-related information
Examples of these are Axent ESM (Enterprise System Manager), Intrusion Security Analyst (formerly Kane Security Analyst), ISS Internet Scanner and tools from the Microsoft Windows NT/2000 Resource Kit
-
Using CAATs in Business Audits
In a business audit, most of the audit areas are strictly to do with financial and operational risks which are not IT-based
However, since most of an organization's data is stored in digital form and resides in computer systems, a business auditor would do well to know how to obtain the audit evidence he/she requires directly from the source, i.e. the computer systems
-
Using CAATs in Business Audits (contd)
Business auditors need to overcome their phobia of computers and technology and understand that IT processes merely replace manual processes and do not change them
Most accounting-based business processes are relatively simple and represent a store-and-retrieve type of function, where accounting transactions do not undergo any significant transformation such as complex computations but are merely input into the system and either reclassified, summarized or grouped in another form with minimal computations
-
Using CAATs in Business Audits (contd)
Process of extracting information from computer is relatively easy because it involves understanding where the input data has been stored in the system and merely using the right tools to extract them for audit purposes
Involves understanding the logical architecture of the application's data structures and knowing where these data are stored
-
Using CAATs in Business Audits (contd)
Know what tools are available for data extraction and how to use them
Modern-day PC-based applications have plenty of connectivity features like ODBC (Open Data Base Connectivity) drivers that come bundled with operating systems such as Microsoft Windows that will allow you to connect quite seamlessly with most popular databases
-
Are Computers vulnerable?
Answer Is
Both
Yes And No
-
The Yes Part Of It
Environment Conducive For Crime
No Suspicious Movements
All Data Available At One Location
Weak Password System
Access - Easy
-
The Yes Part Of It
Audit Trails - Absent
User Activity - No Record
Transportation And Duplication - Easy
Deterrents - Absent
Program Controls - Inadequate
-
The Yes Part Of It
Process Controls - Ineffective
Input Controls - Insufficient
Audit - Inefficient
Managers Not Trained In Controls
-
The Yes Part Of It
Therefore It Is Easy To:
Alter The Programs
Modify Inputs
Interfere In Process
Change Printouts
Alter Stored Records
-
New Audit Concerns
Theft, Damage, Destruction Of Equipment, Media, Documents
Sabotage
Hacking
Espionage
-
How Do They Do It?
Trap Doors
Trojan Horses
Salami
Spoofing
Masquerading
Logic Bomb
Patching
Piggybacking
Data Diddling
-
How Do They Do It?
Hacking
Asynchronous Attacks
Virus
Piracy
Magnets
Traffic Analysis
Active Tapping
Passive Tapping
EMR Scanning
-
Lingering Doubts (1)
Can We Assure Ourselves That
The Data Cannot Be Changed
Either During Or After The Audit?
-
Lingering Doubts (2)
Can We Assure Ourselves That
There Are No Risks
Of Fraud Or Of Losing Data?
-
Lingering Doubts (3)
Can An Accountant Assure The Management That
The Financial Data Is Secure From Leakage And The Controls Are Effective Against Frauds?
-
On What Tools Do We Depend At Present?
Inspection Of Books Of Account At Regular Intervals
A System Of Ticks And Tallies
-
The Tools We Depend On
Link Between The Books Of The Current Year And The Previous Year
Marks Of Cancellation On The Vouchers Audited
-
Some Questions (1)
How Do We Use
The Ticks & Tallies
When Hard Copies Are Not Available?
-
Some Questions (2)
How Do We Verify The
Castings And Postings
Done By The Computer?
-
Some Questions (3)
How Do We Verify Transactions
When There Are No Vouchers
In Online Data Entry Systems?
-
Some Questions (4)
How Do We Verify Accuracy And Authorization Of
Entries Automatically Generated By Computer?
-
Some Questions (5)
Is It, Or Is It Not, Necessary That We Assure Ourselves
That The Computer Has Performed Accurately?
-
The Basic Problem
Are Our Tools Enough
For The Audit Of
Computerised Environment?
-
Demo of Audit Software
-
Case Study 1: Tax Audit
Review of deposits accepted in cash > 20000
Review of payment in cash > 10000
Review of TDS compliance
Analysis of Inventory
-
Case Study 2: Financial audit
Review of Authorisation of vouchers
Review of discount policy
Compliance with tax rates - sales tax, excise duty, etc.
Aging of debtors
-
Case Study 3: Internal Audit
Overall statistical analysis
Identification of exception items
Duplicate payment for invoices
Debtors outstanding beyond credit period
Age-wise analysis of debtors
Age-wise analysis of inventory
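Added example, not part of the seminar material: three of the Case Study 3 tests (duplicate payment for invoices, debtors outstanding beyond credit period, age-wise analysis of debtors) written as plain Python over constructed sample records. The field names, the age buckets and the duplicate-matching key (vendor, normalised invoice number, amount) are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (not from the seminar); field names are assumptions.
PAYMENTS = [
    {"voucher": "PV-001", "vendor": "V100", "invoice": "INV-7781", "amount": 45000.00},
    {"voucher": "PV-002", "vendor": "V200", "invoice": "INV-1002", "amount": 12500.50},
    {"voucher": "PV-003", "vendor": "V100", "invoice": "inv-7781 ", "amount": 45000.00},
    # Same invoice number and amount, different vendor: not a duplicate under this key.
    {"voucher": "PV-004", "vendor": "V300", "invoice": "INV-7781", "amount": 45000.00},
]
DEBTORS = [
    {"customer": "C01", "invoice_date": date(2004, 6, 20), "credit_days": 30, "amount": 8000.0},
    {"customer": "C02", "invoice_date": date(2004, 4, 1), "credit_days": 45, "amount": 15000.0},
    {"customer": "C03", "invoice_date": date(2003, 12, 15), "credit_days": 30, "amount": 22000.0},
]
AGE_BUCKETS = [(30, "0-30"), (60, "31-60"), (90, "61-90")]  # assumed boundaries, in days


def duplicate_payments(payments):
    """Group by (vendor, normalised invoice no., amount); return groups paid more than once."""
    groups = defaultdict(list)
    for p in payments:
        # Normalise case and stray spaces so re-keyed invoice numbers still match.
        key = (p["vendor"], p["invoice"].strip().upper(), round(p["amount"], 2))
        groups[key].append(p["voucher"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def overdue_debtors(debtors, as_of):
    """Return (customer, days past the credit period) for items outstanding beyond it."""
    days = ((d["customer"], (as_of - d["invoice_date"]).days - d["credit_days"]) for d in debtors)
    return [(c, n) for c, n in days if n > 0]


def age_analysis(debtors, as_of):
    """Total outstanding amount per age bucket, by days since invoice date."""
    totals = defaultdict(float)
    for d in debtors:
        age = (as_of - d["invoice_date"]).days
        label = next((name for limit, name in AGE_BUCKETS if age <= limit), "90+")
        totals[label] += d["amount"]
    return dict(totals)


if __name__ == "__main__":
    as_of = date(2004, 7, 17)  # constructed audit date
    print(duplicate_payments(PAYMENTS), overdue_debtors(DEBTORS, as_of),
          age_analysis(DEBTORS, as_of), sep="\n")
```

Each flagged group is an exception item for follow-up against vouchers, not a conclusion in itself.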
-
Tips for using CAATs
Awareness and understanding within audit department
Participation and involvement of IT department
Realization that data analysis technologies depend upon auditors
The role of IS Audit specialist vs the financial/operation auditor
Examine Practical Issues
Data access
Technical difficulties
Political considerations
Project champions
Ongoing support
-
Evaluate Alternatives
Define criterion
Evaluate different options
Choose based upon criterion
Ease of use
Audit support
File size limitations
Automation capabilities
Data access
Speed of operation
-
Use of CAATs
CAATs can greatly enhance effectiveness and efficiency in the audit process during the planning, field work, and reporting phases
An auditor can use CAATs to perform tests that would normally be impossible or time-consuming to perform manually
For example, sorting, calculations, matching, and extracting
CAATs can allow an auditor to interrogate and analyze data more interactively, by removing the boundaries that can be imposed by a fixed audit program
For example, an auditor can analyze data and react immediately to the results of the analysis by simply modifying the parameters. This type of interaction helps an auditor understand the data
CAATs can help auditors modify their initial approach to auditing an area based on preliminary findings
-
Audit Tasks and CAATs
Plan audits
Identify and document procedures and controls
Test controls
Substantively test evidential matter
Report findings and recommendations
CAATs can be used for each of the above
-
Strategies for using CAATs
Identify the goals and objectives of the investigation or audit
This may not always mean that CAATs will be used for a particular audit. The point is to keep in mind all relevant techniques and technologies and to avoid traditional attitudes and thinking
-
Strategies for using CAATs
Identify what information will be required to address the goals and objectives of the investigation or audit
Note: Try to assume that the information needed already exists in electronic format
Determine what the sources of the information are (Accounts payable system, payroll master file system, contracts system)
Who is responsible for the information (supervisors, dept leaders, IT personnel)
Documentation that describes the type of data in the system
Documentation that describes how the information flows
-
Strategies for using CAATs
Take time to understand the data
Know what each field in the data set represents and how it might be relevant to performing the audit
Review the record layout for the file
Verify that the data is complete (Compare it to a hard copy)
-
Strategies for using CAATs
Understand the system generating the data
The best defense against misunderstanding how the system processes data:
Review documentation on the system. For example, user manuals, flowcharts, output reports
Speak with programmers and personnel familiar with the system
Points 1 and 2 may not necessarily guarantee the data from the system is reliable. The auditor can still do the following:
Play with the data - use audit software to interrogate the data and produce summaries, indices, stratification, etc. to help develop an overview of the information
-
Strategies for using CAATs
Develop working knowledge of CAATs
Critical for performing tasks and concluding on analyses correctly
Requires time-commitment on the part of the auditor, but will more than pay off during future use of the software
-
Strategies for using CAATs
Develop a plan for analyzing the data (What, When, Where, Why, and How)
What - Specific objectives that should be addressed by the analysis
When - Define the period of time that will be audited, and arrange with IT personnel to secure the data for that period
Where - Define the sources of the data to be analyzed (Accounts payable, payroll)
Why - Reason for performing the tests and analysis (general review, fraud audit, VFM)
How - The types of analysis planned to be carried out by the audit (Note: Because of the nature of CAATs, the analysis plan should be viewed as a framework and not set in stone. For example, additional ad-hoc tests might be performed, based on preliminary findings)
-
Myths of CAATs
Myth 1: Too costly to purchase and maintain
Myth 2: Too technical and complex for non-IS auditors
Myth 3: Only for use by IS Auditors
Myth 4: Hands-on approach to auditing
Myth 5: Client systems and data compromised
-
Issues in accessing data for CAATs
Historically, problems with accessing data have been a major barrier to using CAATs
Advancements in hardware/software have minimized technical problems and issues regarding data access.
Specialized hardware & involvement of IS specialists are no longer a critical issue.
Audit software can read and analyze most data formats, and PCs can now handle large volumes of data and run analyses at very fast speeds
Usually, the access to data is not a technological problem, but one of reluctance to provide that access by management or the client, depending on where you stand.
Authorization and support are necessary for auditors to obtain physical access to data
-
Common problems associated with improperly using CAATs
Not identifying correctly what data is to be audited
Requesting incorrect data files
Failure to identify all the important fields that need to be accessed from the system
Not stating in advance the format in which the data can be downloaded
Not defining the fields correctly
Assuming the data represents the universe that is to be audited
Invalid analysis of the data
-
Pitfalls
Incorrect identification of Audit Objectives
Improper definition of Data Requirement
Incorrect data access
Inappropriate Analysis
Incorrect conclusion drawn
Failure to recognise CAATs opportunities
-
ICAEW REPORT - ROLE OF CAs
By 2005 - value adding professionals
Change working patterns
Broaden skills
Take advantage of the opportunities, else
Working in lower grade jobs
Reduced salaries or
Become redundant
IT - key literacy for CAs
-
Key concepts to take away
CAATs have the potential to enable auditors to recognize the computer as a tool to assist them in the audit process
CAATs give auditors access to data in the medium in which it is stored, eliminating the boundaries of how it can be audited
Once auditors accept CAATs, they will be in a better position to have a considerable impact on their audit and auditee
Greatest barrier in promoting use of CAATs is failure to recognize opportunities to use CAATs for audit
Greatest benefit of using CAATs is the timesaving aspect
Using CAATs provides greater assurance of audit process
Learning and recognizing how CAATs can be used is most critical to their effective use
-
THIS IS ONLY THE BEGINNING
IT'S NOT THE END,
IT'S NOT EVEN THE BEGINNING OF THE END, BUT
IT'S THE END OF THE BEGINNING
WINSTON CHURCHILL
I Would add
IT IS THE BEGINNING OF THE BEGINNING
IF YOU DON'T STAY AHEAD YOU WILL REMAIN BEHIND