icai-4

Upload: harun-raaj-gupta

Post on 04-Apr-2018


  • 7/29/2019 ICAI-4

    1/55

    1

    One day seminar on

    IS Audit a Practical approach

    and CAAT

    on

    17 July 2004, New Delhi

    By

    A.Rafeq, FCA, CISA, CQA, CFE, Bangalore

  • Learning Objectives

    Why CAATs?

    What are CAATs?

    Benefits and Features of CAATs

    How to use CAATs?

    Using CAATs - Case studies through demo of CAAT Software

    Strategies for using CAATs

    Myths and Pitfalls of CAATs

    Questions

  • What Are CAATs? (contd)

    Another category of software that is relevant to 21st century auditors is Audit Automation software, which is used for making the audit more efficient and reusable, such as planning to electronic workpapers

    Examples of these include PWC's TeamMate and Methodware's suite of software such as Audit Builder, COBIT Advisor, etc.

  • Why Automate The Audit?

    Today's computer systems process far more data than ever before, and the increased processing volumes have rendered traditional audit sampling techniques far too risky and insufficient to draw reasonable conclusions from such small samples, especially from large populations

    Certain computerized processes produce intermediate results which are not output as hard copies and, therefore, the only way to test the integrity of a multi-step process is to review the information that is passed from step to step using automation

    Many of the internal controls in today's business processes that have been traditionally handled by manual controls are now performed by computer systems

  • Types of CAAT Tools

    Audit Software

    These are software that have been designed with the auditor in mind and are able to produce reports and analyses that are highly audit-centric, e.g. produce summaries, stratification of data, statistical sampling and computations that are normally pursued by auditors

    Can easily produce PC-readable files that can be imported/exported into popular applications software such as Microsoft Excel, Lotus 1-2-3, etc.

    Examples of such tools are ACL (Audit Command Language), IDEA (Interactive Data Extraction & Analysis), SoftCAAT and CA-Panaudit Plus

  • Types of CAAT Tools (contd)

    Report Generators/Report Writers

    These are designed primarily to extract data for output into easily readable and understandable formats for normal consumption by end-users

    Although not designed with auditors in mind, these tools can be useful in extracting relevant audit information

    Most report writers are designed as part of the application, such as an accounting application or ERP, and therefore integrate seamlessly with the underlying application

    Examples of such tools are Microsoft Access, CA EasyTrieve, SAS, Monarch, etc.

  • Types of CAAT Tools (contd)

    Business Intelligence Software

    These represent a new breed of report writing software designed to extract useful analyses for management consumption

    They are normally sold independently of the applications from which they are designed to read data and are supposed to be easy to use, with features such as drag-and-drop

    Examples of such software are Business Objects and Seagate Crystal Reports

  • Types of CAAT Tools (contd)

    Platform Specific Retrieval Systems

    These are usually security-oriented and written by the platform vendor or third parties to extract useful security-related or administration-related information

    Examples of these are Axent ESM (Enterprise System Manager), Intrusion Security Analyst (formerly Kane Security Analyst), ISS Internet Scanner and tools from the Microsoft Windows NT/2000 Resource Kit

  • Using CAATs in Business Audits

    In a business audit, most of the audit areas are strictly to do with financial and operational risks which are not IT-based

    However, since most of an organization's data is stored in digital form and resides in computer systems, a business auditor would do well to know how to obtain the audit evidence he/she requires directly from the source, i.e. the computer systems

  • Using CAATs in Business Audits (contd)

    Business auditors need to overcome their phobia of computers and technology and understand that IT processes merely replace manual processes and do not change them

    Most accounting-based business processes are relatively simple and represent a store-and-retrieve type of function, where accounting transactions do not undergo any significant transformation such as complex computations but are merely input into the system and either reclassified, summarized or grouped in another form with minimal computations

  • Using CAATs in Business Audits (contd)

    Process of extracting information from the computer is relatively easy because it involves understanding where the input data has been stored in the system and merely using the right tools to extract it for audit purposes

    Involves understanding the logical architecture of the application's data structures and knowing where these data are stored

  • Using CAATs in Business Audits (contd)

    Know what tools are available for data extraction and how to use them

    Modern-day PC-based applications have plenty of connectivity features like ODBC (Open Data Base Connectivity) drivers that come bundled with operating systems such as Microsoft Windows that will allow you to connect quite seamlessly with most popular databases

  • Are Computers vulnerable?

    Answer Is

    Both

    Yes And No

  • The Yes Part Of It

    Environment Conducive For Crime

    No Suspicious Movements

    All Data Available At One Location

    Weak Password System

    Access - Easy

  • The Yes Part Of It

    Audit Trails - Absent

    User Activity - No Record

    Transportation And Duplication - Easy

    Deterrents - Absent

    Program Controls - Inadequate

  • The Yes Part Of It

    Process Controls - Ineffective

    Input Controls - Insufficient

    Audit - Inefficient

    Managers Not Trained In Controls

  • The Yes Part Of It

    Therefore It Is Easy To:

    Alter The Programs

    Modify Inputs

    Interfere In Process

    Change Printouts

    Alter Stored Records

  • New Audit Concerns

    Theft, Damage, Destruction Of Equipment, Media, Documents

    Sabotage

    Hacking

    Espionage

  • How Do They Do It?

    Trap Doors

    Trojan Horses

    Salami

    Spoofing

    Masquerading

    Logic Bomb

    Patching

    Piggybacking

    Data Diddling

  • How Do They Do It?

    Hacking

    Asynchronous Attacks

    Virus

    Piracy

    Magnets

    Traffic Analysis

    Active Tapping

    Passive Tapping

    EMR Scanning

  • Lingering Doubts (1)

    Can We Assure Ourselves That The Data Cannot Be Changed Either During Or After The Audit?

  • Lingering Doubts (2)

    Can We Assure Ourselves That There Are No Risks Of Fraud Or Of Losing Data?

  • Lingering Doubts (3)

    Can An Accountant Assure The Management That The Financial Data Is Secure From Leakage And The Controls Are Effective Against Frauds?

  • On What Tools Do We Depend At Present?

    Inspection Of Books Of Account At Regular Intervals

    A System Of Ticks And Tallies

  • The Tools We Depend On

    Link Between The Books Of The Current Year And The Previous Year

    Marks Of Cancellation On The Vouchers Audited

  • Some Questions (1)

    How Do We Use The Ticks & Tallies When Hard Copies Are Not Available?

  • Some Questions (2)

    How Do We Verify The Castings And Postings Done By The Computer?

  • Some Questions (3)

    How Do We Verify Transactions When There Are No Vouchers In Online Data Entry Systems?

  • Some Questions (4)

    How Do We Verify Accuracy And Authorization Of Entries Automatically Generated By Computer?

  • Some Questions (5)

    Is It, Or Is It Not, Necessary That We Assure Ourselves That The Computer Has Performed Accurately?

  • The Basic Problem

    Are Our Tools Enough For The Audit Of Computerised Environment?

  • Demo of Audit Software

  • Case Study 1: Tax Audit

    Review of deposits accepted in cash > 20000

    Review of payment in cash > 10000

    Review of TDS compliance

    Analysis of Inventory

  • Case Study 2: Financial audit

    Review of Authorisation of vouchers

    Review of discount policy

    Compliance with tax rates - sales tax, excise duty, etc

    Aging of debtors

  • Case Study 3: Internal Audit

    Overall statistical analysis

    Identification of exception items

    Duplicate payment for invoices

    Debtors outstanding beyond credit period

    Age-wise analysis of debtors

    Age-wise analysis of inventory
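
Three of the internal-audit tests listed above (duplicate payment for invoices, debtors outstanding beyond credit period, age-wise analysis of debtors) written out as an added example; it is not part of the seminar material or of any CAAT product. The record layouts, function names, age bands and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: (payment_id, vendor, invoice_no, amount)
PAYMENTS = [
    ("P001", "V10", "INV-501", 12500.00),
    ("P002", "V11", "INV-777", 4300.00),
    ("P003", "V10", "inv-501 ", 12500.00),  # same invoice re-keyed with other case/spacing
    ("P004", "V12", "INV-501", 12500.00),   # same number, different vendor: not a duplicate
    ("P005", "V11", "INV-778", 4300.00),
]
# Constructed sample data: (customer, invoice_date, credit_days, outstanding)
DEBTORS = [
    ("C1", date(2004, 6, 20), 30, 8000.00),
    ("C2", date(2004, 5, 1), 30, 15000.00),
    ("C3", date(2004, 2, 10), 45, 2200.00),
    ("C4", date(2004, 3, 25), 60, 9100.00),
]
AS_OF = date(2004, 7, 17)  # constructed audit cut-off date

def duplicate_payments(payments):
    """Group by (vendor, normalised invoice no, amount); keep groups paid more than once."""
    groups = defaultdict(list)
    for pay_id, vendor, invoice_no, amount in payments:
        key = (vendor, invoice_no.strip().upper(), round(amount, 2))
        groups[key].append(pay_id)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}

def overdue_debtors(debtors, as_of):
    """Return (customer, days past credit period, outstanding) for overdue items."""
    out = []
    for customer, invoice_date, credit_days, amount in debtors:
        days_over = (as_of - invoice_date).days - credit_days
        if days_over > 0:
            out.append((customer, days_over, amount))
    return out

def age_analysis(debtors, as_of, bands=(30, 60, 90)):
    """Total outstanding per age band, age counted in days since invoice date."""
    labels = ([f"0-{bands[0]}"] + [f"{lo + 1}-{hi}" for lo, hi in zip(bands, bands[1:])]
              + [f">{bands[-1]}"])
    totals = dict.fromkeys(labels, 0.0)
    for _, invoice_date, _, amount in debtors:
        age = (as_of - invoice_date).days
        idx = sum(age > b for b in bands)   # number of band limits exceeded
        totals[labels[idx]] += amount
    return totals

if __name__ == "__main__":
    print(duplicate_payments(PAYMENTS))
    print(overdue_debtors(DEBTORS, AS_OF))
    print(age_analysis(DEBTORS, AS_OF))
```

Normalising the invoice number before grouping is what catches the re-keyed entry; an exact-match comparison would let it through.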

  • Tips for using CAATs

    Awareness and understanding within audit department

    Participation and involvement of IT department

    Realization that data analysis technologies depend upon auditors

    The role of IS Audit specialist vs the financial/operation auditor

    Examine Practical Issues:

    Data access

    Technical difficulties

    Political considerations

    Project champions

    Ongoing support

  • Evaluate Alternatives

    Define criterion

    Evaluate different options

    Choose based upon criterion

    Ease of use

    Audit support

    File size limitations

    Automation capabilities

    Data access

    Speed of operation

  • Use of CAATs

    CAATs can greatly enhance effectiveness and efficiency in the audit process during the planning, field work, and reporting phases

    An auditor can use CAATs to perform tests that would normally be impossible or time-consuming to perform manually. For example, sorting, calculations, matching, and extracting

    CAATs can allow an auditor to interrogate and analyze data more interactively, by removing the boundaries that can be imposed by a fixed audit program. For example, an auditor can analyze data and react immediately to the results of the analysis by simply modifying the parameters. This type of interaction helps an auditor understand the data

    CAATs can help auditors modify their initial approach to auditing an area based on preliminary findings

  • Audit Tasks and CAATs

    Plan audits

    Identify and document procedures and controls

    Test controls

    Substantively test evidential matter

    Report findings and recommendations

    CAATs can be used for each of the above

  • Strategies for using CAATs

    Identify the goals and objectives of the investigation or audit

    This may not always mean that CAATs will be used for a particular audit. The point is to keep in mind all relevant techniques and technologies and to avoid traditional attitudes and thinking

  • Strategies for using CAATs

    Identify what information will be required to address the goals and objectives of the investigation or audit

    Note: Try to assume that the information needed already exists in electronic format

    Determine what the sources of the information are (Accounts payable system, payroll master file system, contracts system)

    Who is responsible for the information (supervisors, dept leaders, IT personnel)

    Documentation that describes the type of data in the system

    Documentation that describes how the information flows

  • Strategies for using CAATs

    Take time to understand the data

    Know what each field in the data set represents and how it might be relevant to performing the audit

    Review the record layout for the file

    Verify that the data is complete (Compare it to a hard copy)
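
One way to carry out the completeness step above, shown as an added example that is not from the seminar material: the extract received from IT is reconciled to control figures read off the printed report, and the voucher number sequence is checked for gaps and repeats. The file layout, field names, function name and all figures are assumptions constructed for illustration.

```python
import csv
import io
from decimal import Decimal

# Constructed extract as it might be received from IT
EXTRACT = """voucher_no,date,amount
1001,2004-04-01,2500.00
1002,2004-04-01,130.50
1003,2004-04-02,9800.00
1005,2004-04-03,410.25
1006,2004-04-03,75.00
1006,2004-04-03,75.00
"""

# Constructed control figures as read off the hard copy report
CONTROL = {"records": 6, "total": Decimal("13915.75"), "first": 1001, "last": 1006}

def completeness_check(extract_text, control):
    """Compare record count, amount total and voucher sequence with the control figures."""
    rows = list(csv.DictReader(io.StringIO(extract_text)))
    total = sum((Decimal(r["amount"]) for r in rows), Decimal("0"))
    seen, duplicates = set(), []
    for r in rows:
        number = int(r["voucher_no"])
        if number in seen:
            duplicates.append(number)
        seen.add(number)
    expected = set(range(control["first"], control["last"] + 1))
    return {
        "count_diff": len(rows) - control["records"],  # 0 means the counts agree
        "total_diff": total - control["total"],        # exact, Decimal arithmetic
        "missing": sorted(expected - seen),            # gaps in the voucher sequence
        "duplicates": duplicates,                      # voucher numbers seen twice
    }

if __name__ == "__main__":
    for check, result in completeness_check(EXTRACT, CONTROL).items():
        print(check, result)
```

In this constructed extract the record count agrees with the hard copy, because one voucher is missing and another is repeated; only the amount total and the sequence test show that the file is not the full population.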

  • Strategies for using CAATs

    Understand the system generating the data

    The best defense against misunderstanding how the system processes data:

    1. Review documentation on the system. For example, user manuals, flowcharts, output reports

    2. Speak with programmers and personnel familiar with the system

    Points 1 and 2 may not necessarily guarantee the data from the system is reliable. The auditor can still do the following:

    Play with the data - use audit software to interrogate the data and produce summaries, indices, stratification, etc. to help develop an overview of the information

  • Strategies for using CAATs

    Develop working knowledge of CAATs

    Critical for performing tasks and concluding on analyses correctly

    Requires time-commitment on the part of the auditor, but will more than pay off during future use of the software

  • Strategies for using CAATs

    Develop a plan for analyzing the data (What, When, Where, Why, and How)

    What - Specific objectives that should be addressed by the analysis

    When - Define the period of time that will be audited, and arrange with IT personnel to secure the data for that period

    Where - Define the sources of the data to be analyzed (Accounts payable, payroll)

    Why - Reason for performing the tests and analysis (general review, fraud audit, VFM)

    How - The types of analysis planned to be carried out by the audit (Note - Because of the nature of CAATs, the analysis plan should be viewed as a framework and not set in stone. For example, additional ad-hoc tests might be performed, based on preliminary findings.)

  • Myths of CAATs

    Myth 1: Too costly to purchase and maintain

    Myth 2: Too technical and complex for non-IS auditors

    Myth 3: Only for use by IS Auditors

    Myth 4: Hands-on approach to auditing

    Myth 5: Client systems and data compromised

  • Issues in accessing data for CAATs

    Historically, problems with accessing data have been a major barrier to using CAATs

    Advancements in hardware/software have minimized technical problems and issues regarding data access.

    Specialized hardware and involvement of IS specialists are no longer a critical issue.

    Audit software can read and analyze most data formats, and PCs can now handle large volumes of data and run analyses at very fast speeds

    Usually, the access to data is not a technological problem, but one of reluctance to provide that access by management or the client, depending on where you stand.

    Authorization and support are necessary for auditors to obtain physical access to data

  • Common problems associated with improperly using CAATs

    Not identifying correctly what data is to be audited

    Requesting incorrect data files

    Failure to identify all the important fields that need to be accessed from the system

    Not stating in advance the format in which the data can be downloaded

    Not defining the fields correctly

    Assuming the data represents the universe that is to be audited

    Invalid analysis of the data

  • Pitfalls

    Incorrect identification of Audit Objectives

    Improper definition of Data Requirement

    Incorrect data access

    Inappropriate Analysis

    Incorrect conclusion drawn

    Failure to recognise CAATs opportunities

  • ICAEW REPORT - ROLE OF CAs

    By 2005 - value adding professionals

    Change working patterns

    Broaden skills

    Take advantage of the opportunities, else

    Working in lower grade jobs

    Reduced salaries or

    Become redundant

    IT - key literacy for CAs

  • Key concepts to take away

    CAATs have the potential to enable auditors to recognize the computer as a tool to assist them in the audit process

    CAATs give auditors access to data in the medium in which it is stored, eliminating the boundaries of how it can be audited

    Once auditors accept CAATs, they will be in a better position to have a considerable impact on their audit and auditee

    Greatest barrier in promoting use of CAATs is failure to recognize opportunities to use CAATs for audit

    Greatest benefit of using CAATs is the timesaving aspect

    Using CAATs provides greater assurance of audit process

    Learning and recognizing how CAATs can be used is most critical to their effective use

  • THIS IS ONLY THE BEGINNING

    IT'S NOT THE END,

    IT'S NOT EVEN THE BEGINNING OF THE END, BUT

    IT'S THE END OF THE BEGINNING

    WINSTON CHURCHILL

    I would add

    IT IS THE BEGINNING OF THE BEGINNING

    IF YOU DON'T STAY AHEAD YOU WILL REMAIN BEHIND
