lesson 10 - using caats

8/19/2019 Lesson 10 - Using CAATs

1/45

Auditing in CIS EnvironmentBSBA Financial Management IV

Lesson 10: Using CAATs

Southville International School & Colleges

2nd Semester S.Y. 2015-2016

Kristine B. Lopez


2/45

The Audit Function

The audit is to examine and to assure.

The nature of auditing differs according to thesubject under examination.

Audits can be internal,external, and audits of informationsystems.


3/45

Internal versus ExternalAuditing

In an internal audit a company’s ownaccounting employees perform the audit.Accountants working for an

independent CPA firm normallyperform the external audit .The chief function of the external audit is theattest function .

The fairness evaluation of thefinancial statements in an external audit isconducted according to GAAP.


4/45

Information Systems Auditing

Information systems auditing or electronic data processing (EDP) auditing involves evaluatingthe computer’s role in achieving audit and

control objectives.The AIS components of a computer-based AISare people, procedures, hardware, datacommunications, software and databases.

These components are a system of interactingelements.


5/45

The Information Audit Process

If computer controls are weak ornonexistent, auditors will needto do more substantive testing.

Substantive tests are detailed tests of transactions andaccount balances.

Compliance testing is performed

to ensure that the controls are inplace and working as prescribed.

This may entail using computer-assisted audittechniques (CAATs) .


6/45

Careers in InformationSystems Auditing

Information systems auditors may obtain aCertified Information Systems Auditor (CISA)professional certification.

May be employed as either internal orexternal auditors.

Specialized skills and broad-based set oftechnical knowledge needed.


7/45

Evaluating the Effectiveness of IT ControlsRisk Assessment

External auditor’s main objective in reviewinginformation systems control procedures is toevaluate the risks to the integrity of accounting

data.Information Systems Risk Assessment is a methodfor evaluating the desirability of IT-related

controls for a particular aspect of business risk.


8/45

Guidance in Designing andEvaluating IT Controls

Systems Auditability and Control (SAC) reportidentifies important information technologiesand the specific risks related to these

technologies.Control Objectives for Information and RelatedTechnology (COBIT) provides auditors with

guidance in assessing and controlling forbusiness risk associated with IT environments.


9/45

Auditing Around the Computer

Auditing Around the Computer assumesthat the presence of accurate outputverifies proper processing operations.

This type of auditing pays little or noattention to the control procedureswithin the IT environment.

Generally not an effective approach toauditing a computerized environment.


10/45

Auditing Through the Computer

When Auditing Through the Computer , an auditorfollows the audit trail through the internalcomputer operations phase of automated dataprocessing.

Attempts to verify the processing controlsinvolved in the AIS programs.

Primary approaches are

1) testing programs,2) validating computer programs,

3) reviewing systems software, and

4) continuous auditing.


11/45

1) Testing Computer Programs -Test Data

The Test Data Approach uses a set ofhypothetical transactions to test the editchecks in programs.

Auditor should use as many differentexception situations as possible.

Auditor can also use software programscalled test data generators to develop a setof test data.


12/45

Testing Computer Programs -Integrated Test Facility

An Integrated Test Facility (ITF) is effective in evaluatingintegrated online systems and complex programming logic.

ITF examines both the manual steps and the computerizedsteps that a company uses to process business transactions

Its purpose is to audit an AIS in an operational setting.

Establish a fictitious entity

Enter transactions for that entity

Observe how these transactions are processed.

The auditor’s role is to examine results of transactionprocessing to find out how well the AIS does the tasksrequired of it.


13/45

Testing Computer Programs -Parallel Simulation

With Parallel Simulation , the auditor useslive input data, rather than test data, in aprogram written or controlled by the auditor.

The auditor’s program usually simulates onlycertain critical functions of a client program.

Auditor needs complete understanding of

client system and sufficient technicalknowledge.


14/45

2) Validating Computer Programs

An auditor must validate any program withwhich he or she is presented.

Procedures that assist in program validationare

1) tests of program change control,

2) program comparison, and

3) surprise audits and surprise use ofprograms.


15/45

Tests of Program Change Control

Program Change Control is a set of internalcontrols developed to ensure againstunauthorized program changes.

Requires documentation of every request forapplication program changes.

Test begins with inspection of documentationmaintained by information processingsubsystem.


16/45

Program Comparison

To guard against unauthorized programtampering, a test of length control total canbe performed.

A comparison program can compare codeline-by-line to ensure consistency betweenauthorized version and version being used.


17/45

Surprise Audits andSurprise Use of Programs

The Surprise Audit Approach involves examiningapplication programs unexpectedly.

With the Surprise Use Approach , an auditorvisits the computer center unannounced andrequests that previously obtainedauthorized programs be used for the required

data processing.


18/45

3) Review of SystemsSoftware

Systems software includes

1) operating system software,

2) utility programs,

3) program library software, and4) access control software.

Auditors should review systems softwaredocumentation.

Software tools can be used to review systemssoftware.

Systems software can generate incident reports.


19/45


20/45

Auditing with the Computer

Auditing with the Computer entails usingcomputer-assisted audit techniques (CAATs) tohelp in various auditing tasks.

This approach is virtually mandatory since dataare stored on computer media and manualaccess is impossible.

CAATs is effective and saves time.


21/45

General-Use Software

Auditors use General-Use Software such asspreadsheets and database management systemsas productivity tools to improve their work.

Auditors use Structured Query Language (SQL) toretrieve a client’s data and display these data ina variety of formats for audit purposes.


22/45

Generalized Audit Software

Generalized Audit Software (GAS) packagesenable auditors to review computer fileswithout continually rewriting processingprograms.

GAS programs are specifically tailored toauditor tasks.

Audit Command Language (ACL) andInteractive Data Extraction and Analysis(IDEA) are examples of GAS.


23/45

Advantages of a GAS Package

Allows the auditor to access computer-readablerecords for a wide variety of applications andorganizations.Enables the auditor to examine much more data

than could be examined through manual means.Rapidly and accurately performs a variety ofroutine audit functions.Reduces dependence on non-auditing personnel

for performing routine functions, thus enablingbetter control over the audit.Requires only minimal computer knowledge onthe part of the auditor.


24/45

Limitation of Using GAS Packages

The main limitation of using GASpackages is that they do not directlyexamine the application programs andprogrammed checks.

Thus, they cannot replace thetechniques of auditing through thecomputer.


25/45

Automated Workpaper Software

Automated Workpaper Softwarehandles accounts for manyorganizations in a flexible manner.

Features include:1) generated trial balances,

2) adjusting entries,

3) consolidations, and

4) analytical procedures.


26/45

Auditing in the Information Age

Software can control auditAudit tools stored on CD-ROMElectronic spreadsheetsClient/server systems


27/45

Today’s EnvironmentInternal Audit groups faced withgrowing workloads and heightened

accountabilityDiscovering that Computer Assisted

Auditing Tools (CAATs) offer muchneeded help

Audit technology tools facilitate moregranular analysis of data and help todetermine the accuracy of theinformation

Selection and Application of CAATs


28/45


29/45

CAATs- Review 100% of data

Filtering large volumes of data ismuch more practical and effective

Work with greater quantities of dataWork with data that is more complexAbility to identify financial leakage,policy noncompliance, and mistakes orerrors in data processing

For example: duplicate vendor payments;fraudulent transactions, circumvention ofinvoice approval limits


30/45

Tool selection

The challenge:

Make sure you are looking at the right

tools to deliver the benefits yourcompany needsIt is the user’s responsibility to becomefamiliar with the tools available inorder to pick the right oneHave a solid knowledge of yourbusiness, your data, and theaccounting practices in your industry


31/45

Tool selection

The IIA conducted an auditsoftware analysis and reportedseveral key recommendations forinternal auditors to consider in the

selection of CAATs:1. Determine the enterprise’s audit

mission, objectives and priorities

2. Determine the types and scope of

audits3. Consider the enterprise’s technology

environment

4. Be aware of the risks


32/45

1. Determine the enterprise’s auditmission, objectives and priorities

Auditors must consult with managementregarding what audit functions are of thehighest priority and where computer audittools may be applied to help meet thosepriorities.


33/45

2. Determine the types and scope ofaudits

What is the stated objective of theaudits?

What kinds of questions will auditors beasking and what will be the boundaries?Arriving at answers to these questions

will be critical in making an appropriatesoftware decision.


34/45

3. Consider the enterprise’stechnology environment

Any audit tools selected will have tomesh with the other software, hardwareand network systems already in place.In some cases, the existing ITinfrastructure may incorporate toolsthat auditors can use in concert withautomated software tools for improvedeffect.


35/45

4. Be aware of the risks

Applying software to any mission-criticalfunction carries some risks, and auditingsoftware is no different.

Automated software tools can promptauditors to jump to faulty conclusions ormake assumptions that run counter toenterprise operations.


36/45

Tool SelectionConsider:

How many data sources you have

Volume of transactions

Characteristics to look for in CAATs:Ease of use

Ease of data extraction

Ability to access a wide variety of data files from differentplatforms

Ability to integrate data with different formatAbility to define fields and select from standard formats

Menu-driven functionality for processing analysis commands

Simplified query building and adjustments

Logging features


37/45

Audit data analysis techniquesExecute tests for virtually all industries and almost all types ofdata:

Accounts Receivable

Payroll

Cash Disbursements

Purchasing

Sales

General Ledger

Work in Progress

Loss Prevention

Asset Management

Limiting factors:Access to data

Understanding of the data fields

Creativity of the auditor


38/45

ACL (Generalized Audit Software)

Data is locked down as read-onlyNo chance of inadvertently changingthe data

Much higher risk when usingspreadsheets

Commands are auditor-friendly

Fairly easy to grasp what thecommands will do once explained

Reasonably short learning curve


39/45

ACL

Automatically records all of thecommands that are run and the resultsof the procedures in its log

LOG feature enables automation ofworkpapers

Export the log to a word processor or otherfile type


40/45

ACL

Batch feature (Writing Scripts)Develop audit procedures to run in ACLAuditor puts together the variousroutines in a batch (similar to a macro)

Next time the auditor can run onecommand (push a button), and all ofthose procedures will run on autopilotwith ACL dumping the results into thelog

Become much more efficient over timeby running same tests periodically,adding new procedures to the batch


41/45

Additional Keys to Success

Identify a Champion- person withability to motivate, supervise, andgenerally make sure the technology isemployed and becomes successful

General Training- for the users of thesoftware (www.acl.com)Identify power users- given morespecific training and become leaders

of implementing the chosen software;assist other auditors; conduct in-housetraining.


42/45

Audit data analysis techniques

CAATs especially valuable inenvironments that have:

High volumes of transactions

Complex processes

Distributed operations

Unrelated applications and systems


43/45

Advantage of CAATs

Organizations gain assurance aboutthe accuracy of transactional data,and the extent to which businesstransactions adhere to controls andcomply with policiesConsistent use of automatedtransaction analysis and continuousmonitoring, CAATs enable real-timeindependent testing and validationof critical enterprise data.


44/45

Advantage to Management

Management can use suchinformation to proactively identifyexceptions to controls andcompliance policies and takeimmediate action.

Implementing these programs can

lead to increased confidence in thecorporate data underlying financialreporting.


45/45

END OF LECTURE

lesson 10 - using caats

Documents