Lesson 10 - Using CAATs
Transcript of Lesson 10 - Using CAATs
-
8/19/2019 Lesson 10 - Using CAATs
1/45
Auditing in CIS EnvironmentBSBA Financial Management IV
Lesson 10: Using CAATs
Southville International School & Colleges
2nd Semester S.Y. 2015-2016
Kristine B. Lopez
-
8/19/2019 Lesson 10 - Using CAATs
2/45
The Audit Function
The audit is to examine and to assure.
The nature of auditing differs according to thesubject under examination.
Audits can be internal,external, and audits of informationsystems.
-
8/19/2019 Lesson 10 - Using CAATs
3/45
Internal versus ExternalAuditing
In an internal audit a company’s ownaccounting employees perform the audit.Accountants working for an
independent CPA firm normallyperform the external audit .The chief function of the external audit is theattest function .
The fairness evaluation of thefinancial statements in an external audit isconducted according to GAAP.
-
8/19/2019 Lesson 10 - Using CAATs
4/45
Information Systems Auditing
Information systems auditing or electronic data processing (EDP) auditing involves evaluatingthe computer’s role in achieving audit and
control objectives.The AIS components of a computer-based AISare people, procedures, hardware, datacommunications, software and databases.
These components are a system of interactingelements.
-
8/19/2019 Lesson 10 - Using CAATs
5/45
The Information Audit Process
If computer controls are weak ornonexistent, auditors will needto do more substantive testing.
Substantive tests are detailed tests of transactions andaccount balances.
Compliance testing is performed
to ensure that the controls are inplace and working as prescribed.
This may entail using computer-assisted audittechniques (CAATs) .
-
8/19/2019 Lesson 10 - Using CAATs
6/45
Careers in InformationSystems Auditing
Information systems auditors may obtain aCertified Information Systems Auditor (CISA)professional certification.
May be employed as either internal orexternal auditors.
Specialized skills and broad-based set oftechnical knowledge needed.
-
8/19/2019 Lesson 10 - Using CAATs
7/45
Evaluating the Effectiveness of IT ControlsRisk Assessment
External auditor’s main objective in reviewinginformation systems control procedures is toevaluate the risks to the integrity of accounting
data.Information Systems Risk Assessment is a methodfor evaluating the desirability of IT-related
controls for a particular aspect of business risk.
-
8/19/2019 Lesson 10 - Using CAATs
8/45
Guidance in Designing andEvaluating IT Controls
Systems Auditability and Control (SAC) reportidentifies important information technologiesand the specific risks related to these
technologies.Control Objectives for Information and RelatedTechnology (COBIT) provides auditors with
guidance in assessing and controlling forbusiness risk associated with IT environments.
-
8/19/2019 Lesson 10 - Using CAATs
9/45
Auditing Around the Computer
Auditing Around the Computer assumesthat the presence of accurate outputverifies proper processing operations.
This type of auditing pays little or noattention to the control procedureswithin the IT environment.
Generally not an effective approach toauditing a computerized environment.
-
8/19/2019 Lesson 10 - Using CAATs
10/45
Auditing Through the Computer
When Auditing Through the Computer , an auditorfollows the audit trail through the internalcomputer operations phase of automated dataprocessing.
Attempts to verify the processing controlsinvolved in the AIS programs.
Primary approaches are
1) testing programs,2) validating computer programs,
3) reviewing systems software, and
4) continuous auditing.
-
8/19/2019 Lesson 10 - Using CAATs
11/45
1) Testing Computer Programs -Test Data
The Test Data Approach uses a set ofhypothetical transactions to test the editchecks in programs.
Auditor should use as many differentexception situations as possible.
Auditor can also use software programscalled test data generators to develop a setof test data.
-
8/19/2019 Lesson 10 - Using CAATs
12/45
Testing Computer Programs -Integrated Test Facility
An Integrated Test Facility (ITF) is effective in evaluatingintegrated online systems and complex programming logic.
ITF examines both the manual steps and the computerizedsteps that a company uses to process business transactions
Its purpose is to audit an AIS in an operational setting.
Establish a fictitious entity
Enter transactions for that entity
Observe how these transactions are processed.
The auditor’s role is to examine results of transactionprocessing to find out how well the AIS does the tasksrequired of it.
-
8/19/2019 Lesson 10 - Using CAATs
13/45
Testing Computer Programs -Parallel Simulation
With Parallel Simulation , the auditor useslive input data, rather than test data, in aprogram written or controlled by the auditor.
The auditor’s program usually simulates onlycertain critical functions of a client program.
Auditor needs complete understanding of
client system and sufficient technicalknowledge.
-
8/19/2019 Lesson 10 - Using CAATs
14/45
2) Validating Computer Programs
An auditor must validate any program withwhich he or she is presented.
Procedures that assist in program validationare
1) tests of program change control,
2) program comparison, and
3) surprise audits and surprise use ofprograms.
-
8/19/2019 Lesson 10 - Using CAATs
15/45
Tests of Program Change Control
Program Change Control is a set of internalcontrols developed to ensure againstunauthorized program changes.
Requires documentation of every request forapplication program changes.
Test begins with inspection of documentationmaintained by information processingsubsystem.
-
8/19/2019 Lesson 10 - Using CAATs
16/45
Program Comparison
To guard against unauthorized programtampering, a test of length control total canbe performed.
A comparison program can compare codeline-by-line to ensure consistency betweenauthorized version and version being used.
-
8/19/2019 Lesson 10 - Using CAATs
17/45
Surprise Audits andSurprise Use of Programs
The Surprise Audit Approach involves examiningapplication programs unexpectedly.
With the Surprise Use Approach , an auditorvisits the computer center unannounced andrequests that previously obtainedauthorized programs be used for the required
data processing.
-
8/19/2019 Lesson 10 - Using CAATs
18/45
3) Review of SystemsSoftware
Systems software includes
1) operating system software,
2) utility programs,
3) program library software, and4) access control software.
Auditors should review systems softwaredocumentation.
Software tools can be used to review systemssoftware.
Systems software can generate incident reports.
-
8/19/2019 Lesson 10 - Using CAATs
19/45
-
8/19/2019 Lesson 10 - Using CAATs
20/45
Auditing with the Computer
Auditing with the Computer entails usingcomputer-assisted audit techniques (CAATs) tohelp in various auditing tasks.
This approach is virtually mandatory since dataare stored on computer media and manualaccess is impossible.
CAATs is effective and saves time.
-
8/19/2019 Lesson 10 - Using CAATs
21/45
General-Use Software
Auditors use General-Use Software such asspreadsheets and database management systemsas productivity tools to improve their work.
Auditors use Structured Query Language (SQL) toretrieve a client’s data and display these data ina variety of formats for audit purposes.
-
8/19/2019 Lesson 10 - Using CAATs
22/45
Generalized Audit Software
Generalized Audit Software (GAS) packagesenable auditors to review computer fileswithout continually rewriting processingprograms.
GAS programs are specifically tailored toauditor tasks.
Audit Command Language (ACL) andInteractive Data Extraction and Analysis(IDEA) are examples of GAS.
-
8/19/2019 Lesson 10 - Using CAATs
23/45
Advantages of a GAS Package
Allows the auditor to access computer-readablerecords for a wide variety of applications andorganizations.Enables the auditor to examine much more data
than could be examined through manual means.Rapidly and accurately performs a variety ofroutine audit functions.Reduces dependence on non-auditing personnel
for performing routine functions, thus enablingbetter control over the audit.Requires only minimal computer knowledge onthe part of the auditor.
-
8/19/2019 Lesson 10 - Using CAATs
24/45
Limitation of Using GAS Packages
The main limitation of using GASpackages is that they do not directlyexamine the application programs andprogrammed checks.
Thus, they cannot replace thetechniques of auditing through thecomputer.
-
8/19/2019 Lesson 10 - Using CAATs
25/45
Automated Workpaper Software
Automated Workpaper Softwarehandles accounts for manyorganizations in a flexible manner.
Features include:1) generated trial balances,
2) adjusting entries,
3) consolidations, and
4) analytical procedures.
-
8/19/2019 Lesson 10 - Using CAATs
26/45
Auditing in the Information Age
Software can control auditAudit tools stored on CD-ROMElectronic spreadsheetsClient/server systems
-
8/19/2019 Lesson 10 - Using CAATs
27/45
Today’s EnvironmentInternal Audit groups faced withgrowing workloads and heightened
accountabilityDiscovering that Computer Assisted
Auditing Tools (CAATs) offer muchneeded help
Audit technology tools facilitate moregranular analysis of data and help todetermine the accuracy of theinformation
Selection and Application of CAATs
-
8/19/2019 Lesson 10 - Using CAATs
28/45
-
8/19/2019 Lesson 10 - Using CAATs
29/45
CAATs- Review 100% of data
Filtering large volumes of data ismuch more practical and effective
Work with greater quantities of dataWork with data that is more complexAbility to identify financial leakage,policy noncompliance, and mistakes orerrors in data processing
For example: duplicate vendor payments;fraudulent transactions, circumvention ofinvoice approval limits
-
8/19/2019 Lesson 10 - Using CAATs
30/45
Tool selection
The challenge:
Make sure you are looking at the right
tools to deliver the benefits yourcompany needsIt is the user’s responsibility to becomefamiliar with the tools available inorder to pick the right oneHave a solid knowledge of yourbusiness, your data, and theaccounting practices in your industry
-
8/19/2019 Lesson 10 - Using CAATs
31/45
Tool selection
The IIA conducted an auditsoftware analysis and reportedseveral key recommendations forinternal auditors to consider in the
selection of CAATs:1. Determine the enterprise’s audit
mission, objectives and priorities
2. Determine the types and scope of
audits3. Consider the enterprise’s technology
environment
4. Be aware of the risks
-
8/19/2019 Lesson 10 - Using CAATs
32/45
1. Determine the enterprise’s auditmission, objectives and priorities
Auditors must consult with managementregarding what audit functions are of thehighest priority and where computer audittools may be applied to help meet thosepriorities.
-
8/19/2019 Lesson 10 - Using CAATs
33/45
2. Determine the types and scope ofaudits
What is the stated objective of theaudits?
What kinds of questions will auditors beasking and what will be the boundaries?Arriving at answers to these questions
will be critical in making an appropriatesoftware decision.
-
8/19/2019 Lesson 10 - Using CAATs
34/45
3. Consider the enterprise’stechnology environment
Any audit tools selected will have tomesh with the other software, hardwareand network systems already in place.In some cases, the existing ITinfrastructure may incorporate toolsthat auditors can use in concert withautomated software tools for improvedeffect.
-
8/19/2019 Lesson 10 - Using CAATs
35/45
4. Be aware of the risks
Applying software to any mission-criticalfunction carries some risks, and auditingsoftware is no different.
Automated software tools can promptauditors to jump to faulty conclusions ormake assumptions that run counter toenterprise operations.
-
8/19/2019 Lesson 10 - Using CAATs
36/45
Tool SelectionConsider:
How many data sources you have
Volume of transactions
Characteristics to look for in CAATs:Ease of use
Ease of data extraction
Ability to access a wide variety of data files from differentplatforms
Ability to integrate data with different formatAbility to define fields and select from standard formats
Menu-driven functionality for processing analysis commands
Simplified query building and adjustments
Logging features
-
8/19/2019 Lesson 10 - Using CAATs
37/45
Audit data analysis techniquesExecute tests for virtually all industries and almost all types ofdata:
Accounts Receivable
Payroll
Cash Disbursements
Purchasing
Sales
General Ledger
Work in Progress
Loss Prevention
Asset Management
Limiting factors:Access to data
Understanding of the data fields
Creativity of the auditor
-
8/19/2019 Lesson 10 - Using CAATs
38/45
ACL (Generalized Audit Software)
Data is locked down as read-onlyNo chance of inadvertently changingthe data
Much higher risk when usingspreadsheets
Commands are auditor-friendly
Fairly easy to grasp what thecommands will do once explained
Reasonably short learning curve
-
8/19/2019 Lesson 10 - Using CAATs
39/45
ACL
Automatically records all of thecommands that are run and the resultsof the procedures in its log
LOG feature enables automation ofworkpapers
Export the log to a word processor or otherfile type
-
8/19/2019 Lesson 10 - Using CAATs
40/45
ACL
Batch feature (Writing Scripts)Develop audit procedures to run in ACLAuditor puts together the variousroutines in a batch (similar to a macro)
Next time the auditor can run onecommand (push a button), and all ofthose procedures will run on autopilotwith ACL dumping the results into thelog
Become much more efficient over timeby running same tests periodically,adding new procedures to the batch
-
8/19/2019 Lesson 10 - Using CAATs
41/45
Additional Keys to Success
Identify a Champion- person withability to motivate, supervise, andgenerally make sure the technology isemployed and becomes successful
General Training- for the users of thesoftware (www.acl.com)Identify power users- given morespecific training and become leaders
of implementing the chosen software;assist other auditors; conduct in-housetraining.
-
8/19/2019 Lesson 10 - Using CAATs
42/45
Audit data analysis techniques
CAATs especially valuable inenvironments that have:
High volumes of transactions
Complex processes
Distributed operations
Unrelated applications and systems
-
8/19/2019 Lesson 10 - Using CAATs
43/45
Advantage of CAATs
Organizations gain assurance aboutthe accuracy of transactional data,and the extent to which businesstransactions adhere to controls andcomply with policiesConsistent use of automatedtransaction analysis and continuousmonitoring, CAATs enable real-timeindependent testing and validationof critical enterprise data.
-
8/19/2019 Lesson 10 - Using CAATs
44/45
Advantage to Management
Management can use suchinformation to proactively identifyexceptions to controls andcompliance policies and takeimmediate action.
Implementing these programs can
lead to increased confidence in thecorporate data underlying financialreporting.
-
8/19/2019 Lesson 10 - Using CAATs
45/45
END OF LECTURE