In association with
Sponsor’s Message
AuditWare Systems was established 22 years ago when Brendan Walsh, its
managing director, first came across IDEA during a business trip to Canada,
whilst working at the ICAEW. IDEA was originally developed by the Canadian
Institute of Chartered Accountants and was acquired by CaseWare International
Inc. in early 2000.
During the entire 22-year period, AuditWare has been the official distributor
in both the UK and Ireland, and has been in the enviable position of both
experiencing and contributing to the development of this amazing piece of
software.
What is IDEA?
IDEA is a Computer Assisted Audit Tool, an Interactive Data Extraction and
Analysis tool. Through a unique and powerful combination of data access,
analysis and integrated reporting capabilities, IDEA is able to import data from
virtually any source, across any system, through a consistent user interface –
whether housed in mainframes, servers, legacy systems, or PC networks. By
independently comparing and analysing data from ERP, CRM, SCM, or other
enterprise applications, IDEA enables audit, financial, and control professionals
to gain immediate insight into the transactional data underlying their business
processes and financial reporting.
The key distinctions of IDEA include:
• Enterprise-wide data access: Leverage the critical data housed in multiple ERP
systems, legacy systems, or customised applications to conduct the in-depth
analysis necessary in today’s complex business and regulatory environments.
With seamless, independent data access you are able to save time and
reduce the need to request data extracts from busy IT departments, as well
as analyse data at the source level, assuring data quality and integrity are
maintained.
• Ability to analyse high transaction volumes quickly and efficiently: IDEA
is able to analyse over 2 billion records, ensuring the analysis of all data
(every field and/or record of interest) – and to do this independently of any
application that actually processes and records the transactions.
• Purpose-built analysis and reporting capabilities: Cut the time needed for
audit and compliance reviews with powerful, robust IDEA analytics – ranging
from simple classification commands through to sophisticated tests and
digital analysis. Compare data drawn from disparate systems to gain greater
insight, identifying suspicious transaction patterns, trends, anomalies, and
control gaps or weaknesses.
• Efficiency, effectiveness, scalability and sustainability: Automate critical
analytic tests to improve productivity and efficiency, combining this with a
comprehensive audit trail.
With market-leading IDEA technology, organisations can better assure
compliance, reduce risk and fraud, contain costs, minimise revenue leakage,
and enhance profitability. Audit and control professionals consistently rate
IDEA as the preferred audit-specific software for data analysis and extraction,
fraud detection, and continuous monitoring.
In conclusion, we would like to thank the ICAEW for providing us with the
opportunity of being involved with this publication and look forward to
receiving any feedback.
A Guide to E-Auditing
by Nigel Lewis
This report is published by the Faculty of Information Technology of
the Institute of Chartered Accountants in England and Wales. The views
expressed do not necessarily reflect those of the Council of the Institute.
Copyright © 2009 ICAEW
All rights reserved. No part of this publication may be reproduced,
stored in a retrieval system or transmitted in any form or by any means,
electronic, mechanical, photocopying, recording or otherwise without the
prior permission of the publisher.
No responsibility for any loss occasioned to any person acting or refraining
from action as a result of any material in this publication can be accepted
by the publisher.
ISBN 978-1-84152-825-0
Contents
Preface 4
1. Introduction 5
2. Uses and Benefits of CAATs 6
3. Generic Approach 8
4. Major CAATs Techniques 11
Live interrogation 11
Offline interrogation 12
Continuous auditing 12
Data mining 13
5. Detailed Review Techniques 15
6. Top Tips 17
Appendix A: Further Information Resources 18
Appendix B: Examples of E-Auditing Software 19
4 A Guide To e-Auditing
Preface
1. Introduction
E-auditing is a generic term that covers a number of similar activities. Other
popular terms include ‘Interrogations’, and CAATs (Computer Assisted Audit
Techniques) or CAATTs (Computer Assisted Audit Tools and Techniques). More
recently ‘continuous auditing’ and ‘data mining’ have also emerged.
In essence it is the use of computers and computer software to extract useful
information from an organisation’s computer systems.
For the purposes of this guide the term CAAT(s) will be used to describe all of
the above. The guide will outline their uses, provide examples, and identify the
challenges and solutions in making use of these techniques.
CAATs can be used by:
• External auditors conducting a statutory audit;
• Internal auditors as an element within the regular cycle of internal audit;
• Reporting accountants as part of an assurance assignment or due diligence
process;
• Regulators or government agencies, such as HMRC, carrying out routine
checks, enquiries or investigations;
• Management in business functions such as Finance or Sales departments.
In some cases a separate computer and associated software will be used to run
the CAAT, perhaps on a PC. In other cases just a separate piece of software
will be used, which will run on the same computer as the business application
under review.
In one large organisation, £5 million in duplicate invoice payments to suppliers
was identified, within a matter of days, by using CAATs on the purchase ledger.
It was embarrassing that the auditors found the error, but it also proved the
power and value that CAATs can bring to a business.
A key difference, and a real benefit, of using CAATs over more traditional
(audit) sampling techniques is that with CAATs it is possible to investigate
and test 100% of the population under review. For example, you can cover 100%
of all transactions in a month, rather than simply examining a very small
sample of the transactions.
Ideally, the use of CAATs should be more widespread within organisations.
There are excellent tools available at reasonable costs; there are training
courses available, and plenty of resources to hand, particularly on the internet.
One possible reason for their lack of use is that there are sometimes technical
and practical challenges to be overcome. Initial enthusiasm can be muted by
technical problems. However, these challenges can be overcome, as this guide
will illustrate.
Business information systems are getting ever more complex, and IT staff are
usually fully occupied keeping these running, and developing new systems.
However, it is possible to develop CAATs capabilities within an organisation
through the use of specialist IT staff, in the first instance, in conjunction with
knowledgeable business staff and to subsequently utilise these on a cost
effective and regular basis.
3. Generic Approach
Like any worthwhile activity, the approach you take is key to the success or
otherwise of the endeavour. Never is this more so than when computers are
involved! A planned, structured approach to using CAATs is not only useful, it
is absolutely essential if you are going to achieve something meaningful and
useful at the end.
The key considerations in a generic approach to CAATs are described below:
Objectives: It is necessary to clarify what the objectives are for using CAATs.
It is all too easy, when addressing CAATs challenges, to burn up resources and
lose sight of what is needed to be achieved.
Timescales: Start early, and put a realistic plan together. If you want answers
next week, you should have started several weeks ago (maybe months ago for
the more complex CAATs).
Resources: Identify what budget you have to expend on these activities, and
compare it to the likely benefits; what resources you have to hand, firstly within
your area of influence, and what other resources e.g. IT, you will need. Ensuring
success almost inevitably means involving the IT function. There will be cost
and timescale implications – see above. What may appear straightforward,
could be very involved in IT terms. A word of caution: for audit work involving
CAATs, an IT person could potentially compromise the results of CAATs work,
and therefore the independence of the audit work. Audit staff need to take this
into account, but it should not be a blocker to the CAATs being performed.
Integrity checks: Whatever CAATs method is used, it is necessary to ensure that
the process incorporates integrity, such as completeness checks. If, for example,
three separate months of sales ledger data are being extracted from, say, three
separate files, and then aggregated and reviewed on a PC, it is essential to
ensure that all records have arrived at the PC. In this simple example the record
count of the three separate files in the ledger system would be compared to
the aggregated total on the PC to detect if any had got ‘lost’ in the process.
CAAT packages usually have facilities to enable such integrity checking,
including hash totalling. Hash totalling can be applied to, for example, a batch
of invoice numbers, before and after a transfer from one system to another.
The hash total is a meaningless figure on its own, but by comparing the two
hash totals, assurance is given that all the invoice records have been transferred
satisfactorily.
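The completeness and hash-total checks described above, worked through in Python as an added example (the guide names no software or code for this, and the three monthly extracts, file names and invoice numbers below are constructed sample data). Record counts and a hash total of the invoice-number field are taken per source file and summed, then compared with the same figures taken on the aggregated file at the PC; the simulation shows a lost record and a mis-keyed invoice number being caught.

```python
"""Completeness and hash-total checks on a data transfer (added example).

Three monthly sales-ledger extracts (constructed sample data, not taken from
the guide) are aggregated on a PC. Record counts and a hash total of the
invoice-number field are computed at source and at destination and compared;
a record lost or altered in transit changes one or both control figures.
"""
from typing import Dict, Iterable, List, Optional

# Constructed sample extracts: one list of records per monthly file.
MONTHLY_FILES: Dict[str, List[dict]] = {
    "sales_jan.dat": [{"invoice_no": 10001, "amount": 120.00},
                      {"invoice_no": 10002, "amount": 75.50}],
    "sales_feb.dat": [{"invoice_no": 10003, "amount": 310.25},
                      {"invoice_no": 10004, "amount": 42.00},
                      {"invoice_no": 10005, "amount": 9.99}],
    "sales_mar.dat": [{"invoice_no": 10006, "amount": 250.00}],
}


def hash_total(records: Iterable[dict], field: str) -> int:
    """Sum a field whose total has no business meaning (invoice numbers).
    Only equality of the figure before and after the transfer matters."""
    return sum(int(rec[field]) for rec in records)


def control_figures(records: List[dict]) -> Dict[str, int]:
    """Record count and invoice-number hash total for one set of records."""
    return {"count": len(records),
            "hash_total": hash_total(records, "invoice_no")}


def source_controls(files: Dict[str, List[dict]]) -> Dict[str, int]:
    """Controls taken on the ledger system: per-file figures, then summed,
    so they can be compared with the single aggregated file on the PC."""
    per_file = [control_figures(recs) for recs in files.values()]
    return {"count": sum(f["count"] for f in per_file),
            "hash_total": sum(f["hash_total"] for f in per_file)}


def reconcile(source: Dict[str, int], destination: Dict[str, int]) -> List[str]:
    """Return discrepancies between source and destination controls
    (an empty list means the transfer reconciles)."""
    problems = []
    for figure in ("count", "hash_total"):
        if source[figure] != destination[figure]:
            problems.append(f"{figure}: {source[figure]} at source, "
                            f"{destination[figure]} at destination")
    return problems


def transfer_check(files: Dict[str, List[dict]], aggregated: List[dict]) -> List[str]:
    """Completeness check for an aggregated extract against its source files."""
    return reconcile(source_controls(files), control_figures(aggregated))


def simulate_transfer(files: Dict[str, List[dict]],
                      drop_invoice: Optional[int] = None,
                      retype: Optional[Dict[int, int]] = None) -> List[dict]:
    """Aggregate the files as the PC would receive them, optionally losing one
    record or mis-keying an invoice number, to exercise the checks."""
    retype = retype or {}
    out = []
    for recs in files.values():
        for rec in recs:
            if rec["invoice_no"] == drop_invoice:
                continue  # record "lost" in transit
            new_no = retype.get(rec["invoice_no"], rec["invoice_no"])
            out.append({**rec, "invoice_no": new_no})
    return out


if __name__ == "__main__":
    clean = simulate_transfer(MONTHLY_FILES)
    print("clean transfer:", transfer_check(MONTHLY_FILES, clean))
    lost = simulate_transfer(MONTHLY_FILES, drop_invoice=10004)
    print("lost record:", transfer_check(MONTHLY_FILES, lost))
    # A count alone misses a substituted invoice number; the hash total does not.
    mistyped = simulate_transfer(MONTHLY_FILES, retype={10005: 10050})
    print("mis-keyed invoice:", transfer_check(MONTHLY_FILES, mistyped))
```

The point of running both figures is visible in the last case: the record count still agrees after a substitution, and only the hash total reveals that a record arrived with a different invoice number.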
Training: Where there are skill gaps, investigate appropriate training,
particularly on using PC-based packages. A PC-literate, enthusiastic person can
achieve significant results with such packages with a little training.
Regulation/security: Depending on the industry sector of the organisation,
and information under review, the appropriate regulations and policies,
external and internal, need to be adhered to when performing CAATs. Ensuring
that, for example, the Data Protection Act 1998 (DPA) is complied with, affects
most organisations in a CAATs context, but depending on the sensitivity of the
data, for example, medical, customer, staff or share price sensitive, appropriate
controls need to be maintained to reduce risks of unauthorised disclosure of
the information. This will require strong access controls on a PC if information
has been downloaded to it as a result of CAATs work; it could mean encryption
of the contents of the PC; it will mean effective physical controls (locked
cupboard or safe) or encryption of any media (memory sticks, CDs, DVDs) used
to transfer or store the information. If either internal email, or internet-based
Live interrogation
One of the simplest interrogation techniques comes in this category, and it is
merely to use existing reporting options within the application itself. Sometimes
these reporting options are on a menu system, or they may be restricted to
users with higher privileges such as an administrator. To find out about these,
it is necessary to refer to the administrator or somebody else with detailed
knowledge about the application. In this way a full list of the options available
can be obtained, as some of these may have been hidden from normal users
when the system was first configured.
Some people would not regard this as a CAAT, since it is not using a separate
piece of software; it is merely using the existing functions of the application,
which hitherto may not have been exploited for this purpose. This is a moot
point, but it still may be a valuable method of extracting the information
required.
A more complex technique in this category involves utilising a Report
Generator, inbuilt into or bolted onto the application, where there is a simple
language which can be used to perform interrogations on the application data.
There may already be pre-configured reports available to be used, by entering
parameters such as date ranges, or invoice amounts etc. There may also be
existing reports which can be readily modified and used for a new interrogation
task. An example is SAP, the commonly-used Enterprise Resource Planning suite
of software, which has a Report Generator called ABAP.
The next level in complexity is the use of a generic interrogation language
known as SQL (Structured Query Language). SQL is a very popular standard
language for querying and updating databases. It is more technical, and much
riskier using this on a live system, and requires good training. A big advantage
of SQL is that it is a universal language, so when the techniques have been
mastered on one system, using it on another system which supports SQL is
a lot easier. It typically takes less than a week to learn enough of the basics
to do useful SQL e-auditing. Both SQL and the previously mentioned Report
Offline interrogation
The offline interrogation approach is more involved and can sound like a lot
of effort. However, it is probably the most popular method of e-auditing.
It nearly always requires the services of a specialist (IT) person, initially, but in
some ways it is less risky and more flexible than the Live approach. In essence
the technique involves four elements:
• Identifying all the data likely to be required for the interrogations. This is best
performed jointly by a person who knows the business application and a
specialist (IT) person who knows how the data is structured / organised.
• Performing the extract of the aforementioned data into a file(s) on the target
system will be done by the IT specialist, who will then prepare the extracted
file ready for transfer to a PC.
• Transferring the file(s) to a PC which is usually straightforward, but can be
tricky depending upon the facilities available in the organisation. There are a
number of possible methods including a file transfer over the network, using
email, writing the file(s) onto a CD, or DVD drive attached to the target
system, and then putting the CD or DVD disk into the PC.
• Performing interrogations on a PC is the main aim of the process, and
there is a wide variety of software packages available to be used. Microsoft
Excel is usually available on a PC at no extra cost, so should be considered
first. However, it has a capacity limitation of 64,000 rows (or records) of
information. Microsoft Access, a desktop database package, can be used, and
does not have Excel’s capacity limitations, though it requires more skill.
If you are handling hundreds of thousands or millions of records of information,
or want software designed specifically for e-auditing, then consider buying
specialist e-auditing packages. These were originally written for audit staff to
perform a range of interrogations on a PC, ranging from simple to complex.
They are usually relatively easy to learn, and once a modicum of skill has been
built up they can be successfully used in a large range of different types of
interrogations, from almost any system in the organisation, using the four steps
above.
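The four offline steps, together with the SQL interrogation discussed under live interrogation, carried through in Python as an added example (not code from the guide or from any of the packages it names). The purchase-ledger payments, supplier ids and invoice references are constructed sample data; an in-memory SQLite database stands in for the desktop database or CAAT package on the PC, and the interrogation is the duplicate-invoice-payment test mentioned earlier in the guide. Note that the SQL runs against the extracted copy, not the live system, which is the lower-risk position the guide describes.

```python
"""Offline interrogation of a purchase ledger (added example).

The four steps of the offline approach, on constructed sample data that is not
from the guide: (1) the payment records of interest are identified, (2) an IT
specialist extracts them to a flat CSV file on the target system, (3) the file
is transferred to a PC, and (4) the PC loads it into a desktop database and
runs SQL interrogations, here for duplicate invoice payments. A record count
at each end gives the completeness check the guide asks for.
"""
import csv
import io
import sqlite3
from typing import List, Tuple

# Step 1: the data identified for extraction (constructed sample).
# Columns: payment_id, supplier_id, invoice_ref, amount, paid_on
PAYMENTS: List[Tuple[int, str, str, float, str]] = [
    (1, "S100", "INV-2001", 1250.00, "2009-03-02"),
    (2, "S100", "INV-2001", 1250.00, "2009-03-16"),  # paid twice, same reference
    (3, "S200", "INV-77", 480.00, "2009-03-05"),
    (4, "S200", "INV77", 480.00, "2009-03-20"),      # paid twice, reference keyed differently
    (5, "S300", "INV-9", 99.00, "2009-03-07"),
    (6, "S100", "INV-2002", 300.00, "2009-03-09"),
]
COLUMNS = ("payment_id", "supplier_id", "invoice_ref", "amount", "paid_on")


def extract_to_csv(rows) -> str:
    """Step 2: the extract as it would be written on the target system.
    Returned as text here to stand in for the transferred file."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(COLUMNS)
    writer.writerows(rows)
    return buf.getvalue()


def load_on_pc(csv_text: str) -> sqlite3.Connection:
    """Steps 3 and 4: receive the file and load it into a desktop database
    (an in-memory SQLite database stands in for Access or a CAAT package)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE payments (
        payment_id INTEGER PRIMARY KEY, supplier_id TEXT, invoice_ref TEXT,
        amount REAL, paid_on TEXT)""")
    reader = csv.DictReader(io.StringIO(csv_text))
    conn.executemany(
        "INSERT INTO payments VALUES (?, ?, ?, ?, ?)",
        [(int(r["payment_id"]), r["supplier_id"], r["invoice_ref"],
          float(r["amount"]), r["paid_on"]) for r in reader])
    conn.commit()
    return conn


def record_count(conn: sqlite3.Connection) -> int:
    """Completeness check: compare with the count taken on the source system."""
    return conn.execute("SELECT COUNT(*) FROM payments").fetchone()[0]


def exact_duplicates(conn: sqlite3.Connection) -> list:
    """Same supplier, same invoice reference, same amount paid more than once."""
    return conn.execute("""
        SELECT supplier_id, invoice_ref, amount, COUNT(*) AS times_paid,
               SUM(amount) AS total_paid
        FROM payments
        GROUP BY supplier_id, invoice_ref, amount
        HAVING COUNT(*) > 1
        ORDER BY supplier_id""").fetchall()


def near_duplicates(conn: sqlite3.Connection) -> list:
    """The same test after normalising the reference (upper case, hyphens
    removed), which also catches a reference keyed slightly differently."""
    return conn.execute("""
        SELECT supplier_id,
               REPLACE(UPPER(invoice_ref), '-', '') AS ref_key,
               amount, COUNT(*) AS times_paid, SUM(amount) AS total_paid
        FROM payments
        GROUP BY supplier_id, REPLACE(UPPER(invoice_ref), '-', ''), amount
        HAVING COUNT(*) > 1
        ORDER BY supplier_id""").fetchall()


if __name__ == "__main__":
    conn = load_on_pc(extract_to_csv(PAYMENTS))
    assert record_count(conn) == len(PAYMENTS), "records lost in transfer"
    for row in exact_duplicates(conn):
        print("exact duplicate:", row)
    for row in near_duplicates(conn):
        print("possible duplicate:", row)
```

The second query is the more useful one in practice: duplicate payments are often raised because a reference was keyed with different punctuation or case, so an exact match alone understates the problem. Every hit is an exception for investigation, not a finding in itself.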
A list of some of the more popular CAATs software has been included in
Appendix B.
Continuous auditing
Continuous auditing is a valuable technique for improving the control
environment of a business application. It can be used for:
• Detecting fraud;
• Confirming that controls are working;
• Identifying exceptions that require further investigation;
• Detecting unusual activity.
Arguably, a good business application should have ‘continuous auditing
facilities’ available to be used, in the form of reports that can be produced
daily/weekly/monthly etc. However if this is not the case, it is possible to bolt
them on.
A continuous auditing process can produce exceptions, e.g. transactions
happening at weekends, for an organisation that normally works a Monday
to Friday week. These will be highlighted for further investigation. Another
example would be in a financial services organisation, where the number of
new loans written in a specific time period (e.g. a month) by a single member
of staff has breached a threshold. It may be genuine, but it is also worthy of
investigation, as it may point to fraudulent activity. The benefits of continuous
auditing are that the checks for exceptions are performed by the system,
efficiently, all the time, and enable a focus on a small number of potential
exceptions, which can then receive the appropriate level of attention they
merit.
At the selection or design stage of a business application, or during the design
of a major change to an application, it is well worth considering specific
requirements in the continuous auditing area. Essentially, a semi-automatic
continuous audit programme can be inbuilt into a live running system, and set
to report against a set of parameters of interest. The parameters can be input
or changed, usually in a straightforward manner, and can therefore reflect
changing business needs.
If the above programme cannot be built into the live running system, then
alternatively it is usually possible, using a separate piece of software, to
set up regular routines, e.g. daily, weekly, or monthly, depending on the
requirements. These typically run overnight, trawling through the application
data and looking for data results that are potentially risky or unusual. The
reports produced can then be forwarded to supervisory management in the
business unit, a compliance function, or quality function, for the appropriate
attention.
An example of continuous auditing in the internet world is to detect
unauthorised changes to websites, hence to identify if inappropriate material
may have been uploaded to it, perhaps after a hacking attempt. In this
example, after each proper authorised change of an organisation’s website, a
hash total of its total contents is calculated and stored. There is then a routine
which regularly performs hash totalling, at least every hour, to compare original
and current hash totals. If a difference is detected an alert would be sent to IT
to investigate. This may be a specialist example, but hopefully it illustrates the
concept of continuous auditing.
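The three exception checks described in this section, written in Python as an added example (not code from the guide). The transaction log, staff ids, threshold and website files are constructed sample data; the website check uses a SHA-256 digest over the stored files as the "hash total of its total contents", taken after an authorised release and compared on each scheduled run.

```python
"""Continuous auditing routines (added example).

Three exception checks of the kind the guide describes, run over constructed
sample data that is not from the guide: transactions posted at weekends for a
Monday-to-Friday organisation, a member of staff writing more new loans in a
month than a set threshold, and a change to the stored content of a website
against a hash taken after the last authorised release.
"""
import hashlib
from collections import Counter
from datetime import date
from typing import Dict, List, Tuple

# Constructed transaction log. 2009-03-07 falls on a Saturday.
TRANSACTIONS: List[dict] = [
    {"id": 1, "staff": "jsmith", "type": "loan", "date": "2009-03-02"},
    {"id": 2, "staff": "jsmith", "type": "loan", "date": "2009-03-03"},
    {"id": 3, "staff": "abrown", "type": "loan", "date": "2009-03-04"},
    {"id": 4, "staff": "jsmith", "type": "loan", "date": "2009-03-05"},
    {"id": 5, "staff": "jsmith", "type": "loan", "date": "2009-03-06"},
    {"id": 6, "staff": "abrown", "type": "payment", "date": "2009-03-07"},
    {"id": 7, "staff": "abrown", "type": "loan", "date": "2009-03-10"},
    {"id": 8, "staff": "jsmith", "type": "payment", "date": "2009-04-14"},
]

# Constructed website contents: the authorised release and a changed copy.
SITE_RELEASE: Dict[str, bytes] = {
    "index.html": b"<h1>Welcome</h1>",
    "about.html": b"<p>About us</p>",
}
SITE_TAMPERED: Dict[str, bytes] = {
    **SITE_RELEASE,
    "index.html": b"<h1>Welcome</h1><p>unexpected content</p>",
}


def weekend_transactions(transactions: List[dict]) -> List[dict]:
    """Exceptions: anything posted on a Saturday or Sunday."""
    return [t for t in transactions
            if date.fromisoformat(t["date"]).weekday() >= 5]


def loan_threshold_breaches(transactions: List[dict],
                            threshold: int) -> List[Tuple[str, str, int]]:
    """Exceptions: (staff, year-month, loans written) where the count of new
    loans in a calendar month exceeds the threshold."""
    counts = Counter((t["staff"], t["date"][:7])
                     for t in transactions if t["type"] == "loan")
    return sorted((staff, month, n) for (staff, month), n in counts.items()
                  if n > threshold)


def site_hash(files: Dict[str, bytes]) -> str:
    """One digest over every file path and its content, in a fixed order, so
    that an added, removed or altered file changes the result."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode("utf-8") + b"\0")
        h.update(hashlib.sha256(files[path]).digest())
    return h.hexdigest()


def site_changed(baseline: str, files: Dict[str, bytes]) -> bool:
    """Scheduled comparison against the hash stored after the last release."""
    return site_hash(files) != baseline


def run_checks(transactions: List[dict], loan_threshold: int,
               site_baseline: str, site_files: Dict[str, bytes]) -> dict:
    """The overnight (or hourly) routine: gather all exceptions in one report
    for forwarding to supervisory management, compliance or IT."""
    return {
        "weekend_transactions": [t["id"] for t in weekend_transactions(transactions)],
        "loan_threshold_breaches": loan_threshold_breaches(transactions, loan_threshold),
        "website_changed": site_changed(site_baseline, site_files),
    }


if __name__ == "__main__":
    baseline = site_hash(SITE_RELEASE)  # stored after the authorised change
    print(run_checks(TRANSACTIONS, 3, baseline, SITE_TAMPERED))
```

Only the baseline digest needs to be kept between runs; it is recomputed and stored again after each authorised change, and any other difference is an alert for IT to investigate.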
Data mining
Data mining is a technique for finding useful information from a mass of your
organisation’s data, when you were not quite sure what you were looking for at
the outset!
It is normally achieved using a data warehouse, a huge database system, where
data is stored, having been regularly extracted from the key applications and
systems of the organisation. ‘Regularly’ may mean monthly, weekly or daily,
depending on the nature of the application data that is being extracted.
For larger systems, millions of transactions a day can be stored in a data
warehouse.
Mining the information can be complex, using expensive and specialised
software incorporating intricate rules or algorithms that look for patterns and
associations. For example, some supermarkets record all the individual items
purchased per customer and use data mining techniques to look for patterns
of product purchase in order to help optimise store layouts, as well as linking
purchases to customers and customer types to aid subsequent marketing
campaigns. The explanations and examples below are deliberately simple in
order to help explain the concept.
Data mining can also effectively be performed on a small scale using a PC, and
does not necessarily need large and expensive databases and systems.
A simple example would be to:
• Extract supplier information from the purchase ledger application to a PC;
• Extract information from the staff database to the same PC;
• Run comparisons of addresses and bank accounts across the two sets of
data. If any matches occurred these could be investigated, since it would be
unusual, in most organisations, for an employee to also be a supplier to the
organisation.
A marketing example of data mining would be to put together a list of the
different products sold to each customer. The list could be refined to establish
which customers have purchased product A and product B, but NOT product
C. The latter list could then be the focus of a targeted marketing campaign.
A further example, from an organisation’s customer application system, could
be to produce a list of the customers per address. Initially the number of
customers per address could be produced, and then for any records greater
than 1, customer names would be listed to aid the scrutiny of the information.
Such information has been used to detect fraud, or to provide valuable
information in sales and marketing activities.
A word of caution regarding the use of data mining techniques. A successful
outcome is very much dependent on the quality of the base data. If you are
matching post codes from several different systems and one of the systems has
only 70% of records with accurate post codes, the results will be disappointing.
It may be necessary to perform a data cleansing exercise first, prior to the data
mining, e.g. in this case, get post code accuracy better than 98%, either by
staff manually keying in the correct post codes or by using automated post
code cleansing routines.
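The small-scale PC examples above (staff matched against suppliers, customers per address) together with the data-quality caveat, as an added Python example that is not code from the guide. Staff, supplier and customer records are constructed sample data; the post-code check is a simplified format test written for this example, not a lookup against the official address file, and is used only to measure whether the data is clean enough to match on.

```python
"""Small-scale data mining on a PC (added example).

Constructed sample data, not from the guide: supplier records matched against
staff records on normalised address and bank account, customers grouped by
address to list any address with more than one customer, and a simple
post-code quality measure to run before the matching is attempted.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

STAFF: List[dict] = [
    {"name": "A Patel", "address": "12 High St, Leeds", "bank": "20-00-00 12345678"},
    {"name": "B Jones", "address": "4 Mill Lane, York", "bank": "40-11-22 87654321"},
]
SUPPLIERS: List[dict] = [
    {"name": "AP Consulting Ltd", "address": "12, HIGH ST., LEEDS", "bank": "200000 12345678"},
    {"name": "Northern Parts plc", "address": "Unit 7, Trading Estate, Hull", "bank": "11-22-33 55555555"},
    {"name": "Quick Print", "address": "9 Station Rd, York", "bank": "40-11-22 87654321"},
]
CUSTOMERS: List[dict] = [
    {"name": "B Jones", "address": "4 Mill Lane, York", "postcode": "YO1 7HH"},
    {"name": "C Jones", "address": "4 MILL LANE YORK", "postcode": "YO1 7HH"},
    {"name": "D Khan", "address": "22 Park Road, Hull", "postcode": "HU5"},
    {"name": "E Green", "address": "1 The Green, Leeds", "postcode": "LS1 4AP"},
]

# Simplified UK post-code format check (outward code, space, inward code).
UK_POSTCODE = re.compile(r"^[A-Z]{1,2}[0-9][A-Z0-9]? [0-9][A-Z]{2}$")


def normalise_text(value: str) -> str:
    """Upper case, punctuation replaced by spaces, whitespace collapsed, so
    that the same address keyed differently in two systems compares equal."""
    return " ".join(re.sub(r"[^A-Z0-9 ]", " ", value.upper()).split())


def normalise_account(value: str) -> str:
    """Sort code and account number as digits only."""
    return re.sub(r"\D", "", value)


def staff_supplier_matches(staff: List[dict],
                           suppliers: List[dict]) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Pairs of staff and supplier records sharing an address or a bank
    account once normalised, with the fields that matched."""
    matches = []
    for s in staff:
        for sup in suppliers:
            fields = []
            if normalise_text(s["address"]) == normalise_text(sup["address"]):
                fields.append("address")
            if normalise_account(s["bank"]) == normalise_account(sup["bank"]):
                fields.append("bank")
            if fields:
                matches.append((s["name"], sup["name"], tuple(fields)))
    return matches


def customers_per_address(customers: List[dict]) -> Dict[str, List[str]]:
    """Addresses with more than one customer, with the customer names listed
    to aid scrutiny."""
    by_address = defaultdict(list)
    for c in customers:
        by_address[normalise_text(c["address"])].append(c["name"])
    return {addr: names for addr, names in by_address.items() if len(names) > 1}


def postcode_accuracy(records: List[dict]) -> float:
    """Percentage of records whose post code passes the format check."""
    valid = sum(1 for r in records if UK_POSTCODE.match(normalise_text(r["postcode"])))
    return round(100.0 * valid / len(records), 1)


def ready_for_matching(records: List[dict], minimum: float = 98.0) -> bool:
    """Gate the mining exercise on data quality, as the guide recommends."""
    return postcode_accuracy(records) >= minimum


if __name__ == "__main__":
    print("staff/supplier matches:", staff_supplier_matches(STAFF, SUPPLIERS))
    print("shared addresses:", customers_per_address(CUSTOMERS))
    print("post code accuracy:", postcode_accuracy(CUSTOMERS), "%",
          "- cleanse first" if not ready_for_matching(CUSTOMERS) else "")
```

Each match is a lead to be followed up rather than a conclusion: a shared address may be a legitimate family business, and a shared bank account may be a data entry error, which is exactly why the quality check runs before the matching.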
Where there is significant processing involved in a data mining exercise, it can
slow the system down for other users. This is less of a problem with current
high performance systems, otherwise it is sometimes possible to schedule
CAATs to be run ‘off peak’, when the system is quieter, e.g. as an overnight job,
also known as a batch job.
On very large systems it may be possible to get a prediction of how long a data
mining exercise will take before it is actually run. This can be useful to ensure
that other users are not impacted, but also to help ensure that the routine has
been written efficiently. In one organisation a memorable data mining exercise
was initially predicted to run for 1 billion years! It was back to the drawing
board for that one to reduce it to more manageable proportions. Several
fundamental errors in the way the exercise was set to run were identified, and
when corrected it actually ran in a few hours.
6. Top Tips
• Plan to make regular use of the CAATs techniques you are developing. Doing
it as a one-off exercise is rarely cost effective.
• Be patient – you may want the answers immediately but these techniques
take a little time to initially develop and use effectively, before producing
potentially significant results.
• In some cases the information uncovered may point to fraudulent activity.
You need to have the procedures in place to engage the appropriate internal
and external agencies who are able to deal with this.
• Ensure that, when undertaking CAATs, appropriate IT skills are available,
and the usual IT Governance procedures (e.g. change controls) are used.
The systems being reviewed are frequently core to the business and causing
problems to them comes with a heavy price.
• Make sure that you receive adequate training irrespective of which CAAT
package you use. This will help you enormously in making efficient and
effective use of these feature-rich packages.
• Confirm that there is adequate protection of information on any PC you
use, commensurate with the protection afforded of the host system it was
extracted from. This will mean strong PC (and associated media) access
controls and possibly encryption.
• Continuous auditing is a technique that, in particular, requires effective
planning, budgeting, system building and testing. Don’t opt to use it simply
on a whim.
• Data mining brings with it a huge spectrum of scope and complexity. Start
small and simple, and then build on this.
• Pay particular attention to the quality and structure of the underlying data
prior to undertaking data mining exercises.
• Ensure that the processes used have integrity, for example by building in
completeness checks when transferring data from one system to another.
Also, maintain a record of the steps involved and key information such as file
versions used.
• Make good use of available support. Software packages have maintenance
arrangements, where expert support can be called upon to help address the
challenges you face.
• Ensure that there is compliance to both internal and external policies and
regulations, for example the Data Protection Act, with regard to the access
and processing of data.
Appendix A: Further Information Resources
Internet Resources
Applications of IDEA
http://www.auditware.co.uk/solutions_default.asp
CaseWare’s Research Report, ‘Data Analysis – The Cornerstone of Internal
Auditing’
http://www.caseware.com/products/idea#_research_reports
Guide 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk
Assessment
http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gtag/gtag3/
The CaseWare Smart Analyzer add-ons to IDEA – providing standard tests
http://www.caseware.com/products/idea/smart-analyzer-financial
White papers on data analysis, fraud detection and controls assurance
http://www.acl.com/resource_library/default.aspx
Appendix B: Examples of E-Auditing Software
The Author
£25
www.icaew.com/itfac