
One-day seminar on IS Audit: A Practical Approach and CAAT, on 17 July 2004, New Delhi
By A. Rafeq, FCA, CISA, CQA, CFE, Bangalore



Learning Objectives
Why CAATs?
What are CAATs?
Benefits and Features of CAATs
How to use CAATs?
Using CAATs
Case studies through demo of CAAT Software
Strategies for using CAATs
Myths and Pitfalls of CAATs
Questions

What Are CAATs? (contd)


Another category of software that is relevant to 21st century auditors is Audit Automation software, which is used for making the audit more efficient and reusable, covering tasks from planning to electronic workpapers
Examples of these include PwC's TeamMate and Methodware's suite of software such as Audit Builder, COBIT Advisor, etc.

Why Automate The Audit?

Today's computer systems process far more data than ever before, and the increased processing volumes have rendered traditional audit sampling techniques far too risky and insufficient to draw reasonable conclusions from such small samples, especially from large populations
Certain computerized processes produce intermediate results which are not output as hard copies and, therefore, the only way to test the integrity of a multistep process is to review the information that is passed from step to step using automation
Many of the internal controls in today's business processes that have traditionally been handled by manual controls are now performed by computer systems

Types of CAAT Tools


Audit Software
These are software tools that have been designed with the auditor in mind and are able to produce reports and analyses that are highly audit-centric, e.g. produce summaries, stratification of data, statistical sampling and computations that are normally pursued by auditors
Can easily produce PC-readable files that can be imported/exported into popular application software such as Microsoft Excel, Lotus 1-2-3, etc.
Examples of such tools are ACL (Audit Command Language), IDEA (Interactive Data Extraction & Analysis), SoftCAAT and CAPanaudit Plus

Types of CAAT Tools (contd)


Report Generators/Report Writers
These are designed primarily to extract data for output into easily readable and understandable formats for normal consumption by end-users
Although not designed with auditors in mind, these tools can be useful in extracting relevant audit information
Most report writers are designed as part of the application, such as an accounting application or ERP, and therefore integrate seamlessly with the underlying application
Examples of such tools are Microsoft Access, CA EasyTrieve, SAS, Monarch, etc.

Types of CAAT Tools (contd)


Business Intelligence Software
These represent a new breed of report writing software designed to extract useful analyses for management consumption
They are normally sold independently of the applications from which they are designed to read data, and are supposed to be easy to use, with features such as drag-and-drop
Examples of such software are Business Objects and Seagate Crystal Reports

Types of CAAT Tools (contd)


Platform-Specific Retrieval Systems
These are usually security-oriented and written by the platform vendor or third parties to extract useful security-related or administration-related information
Examples of these are Axent ESM (Enterprise System Manager), Intrusion Security Analyst (formerly Kane Security Analyst), ISS Internet Scanner and tools from the Microsoft Windows NT/2000 Resource Kit

Using CAATs in Business Audits


In a business audit, most of the audit areas are strictly to do with financial and operational risks which are not IT-based
However, since most of an organization's data is stored in digital form and resides in computer systems, a business auditor would do well to know how to obtain the audit evidence he/she requires directly from the source, i.e. the computer systems

Using CAATs in Business Audits (contd)


Business auditors need to overcome their phobia of computers and technology and understand that IT processes merely replace manual processes and do not change them
Most accounting-based business processes are relatively simple and represent a store-and-retrieve type of function, where accounting transactions do not undergo any significant transformation such as complex computations but are merely input into the system and either reclassified, summarized or grouped in another form with minimal computations

Using CAATs in Business Audits (contd)


The process of extracting information from a computer is relatively easy because it involves understanding where the input data has been stored in the system and merely using the right tools to extract it for audit purposes
Involves understanding the logical architecture of the application's data structures and knowing where these data are stored

Using CAATs in Business Audits (contd)


Know what tools are available for data extraction and how to use them
Modern-day PC-based applications have plenty of connectivity features like ODBC (Open Data Base Connectivity) drivers that come bundled with operating systems such as Microsoft Windows that will allow you to connect quite seamlessly with most popular databases

Are Computers vulnerable?


Answer Is Both Yes And No

The Yes Part Of It


Environment Conducive For Crime
No Suspicious Movements
All Data Available At One Location
Weak Password System
Access - Easy

The Yes Part Of It


Audit Trails - Absent
User Activity - No Record
Transportation And Duplication - Easy
Deterrents - Absent
Program Controls - Inadequate

The Yes Part Of It


Process Controls - Ineffective
Input Controls - Insufficient
Audit - Inefficient
Managers Not Trained In Controls

The Yes Part Of It


Therefore It Is Easy To:
Alter The Programs
Modify Inputs
Interfere In Process
Change Printouts
Alter Stored Records

New Audit Concerns


Theft, Damage, Destruction Of Equipment, Media, Documents
Sabotage
Hacking
Espionage

How Do They Do It?


Trap Doors
Trojan Horses
Salami
Spoofing
Masquerading
Logic Bomb
Patching
Piggybacking
Data Diddling

How Do They Do It?


Hacking
Asynchronous Attacks
Virus
Piracy
Magnets
Traffic Analysis
Active Tapping
Passive Tapping
EMR Scanning

Lingering Doubts (1)


Can We Assure Ourselves That The Data Cannot Be Changed Either During Or After The Audit?

Lingering Doubts (2)


Can We Assure Ourselves That There Are No Risks Of Fraud Or Of Losing Data?

Lingering Doubts (3)


Can An Accountant Assure The Management That The Financial Data Is Secure From Leakage And The Controls Are Effective Against Frauds?

On What Tools Do We Depend At Present?


Inspection Of Books Of Account At Regular Intervals
System Of Ticks And Tallies

The Tools We Depend On


Link Between The Books Of The Current Year And The Previous Year
Marks Of Cancellation On The Vouchers Audited

Some Questions (1)


How Do We Use The Ticks & Tallies When Hard Copies Are Not Available?

Some Questions (2)


How Do We Verify The Castings And Postings Done By The Computer?

Some Questions (3)


How Do We Verify Transactions When There Are No Vouchers In Online Data Entry Systems?

Some Questions (4)


How Do We Verify Accuracy And Authorization Of Entries Automatically Generated By Computer?

Some Questions (5)


Is It, Or Is It Not, Necessary That We Assure Ourselves That The Computer Has Performed Accurately?

The Basic Problem


Are Our Tools Enough For The Audit Of Computerised Environment?

Demo of Audit Software


Case Study 1: Tax Audit


Review of deposits accepted in cash > 20000
Review of payment in cash > 10000
Review of TDS compliance
Analysis of Inventory

Case Study 2: Financial audit


Review of Authorisation of vouchers
Review of discount policy
Compliance with tax rates: sales tax, excise duty, etc.
Aging of debtors

Case Study 3: Internal Audit


Overall statistical analysis
Identification of exception items
Duplicate payment for invoices
Debtors outstanding beyond credit period
Age-wise analysis of debtors
Age-wise analysis of inventory
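Three of the internal audit tests listed above (duplicate payment for invoices, debtors outstanding beyond credit period, age-wise analysis of debtors), written out as an added example in Python. This is not code from the seminar or from any CAAT product; the records, field names and ageing bands are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the seminar): payments made and open debtor invoices.
PAYMENTS = [
    {"pay_id": "P001", "vendor": "V10", "invoice": "INV-501", "amount": 12500.00},
    {"pay_id": "P002", "vendor": "V11", "invoice": "INV-777", "amount": 830.50},
    {"pay_id": "P003", "vendor": "V10", "invoice": "inv-501 ", "amount": 12500.00},
    {"pay_id": "P004", "vendor": "V12", "invoice": "INV-501", "amount": 12500.00},
]
DEBTORS = [  # (customer, invoice date, credit period in days, outstanding amount)
    ("C1", date(2004, 6, 20), 30, 4000.00),
    ("C2", date(2004, 5, 25), 45, 9000.00),
    ("C3", date(2004, 1, 10), 30, 1500.00),
]
BUCKETS = [(30, "0-30"), (60, "31-60"), (90, "61-90")]  # assumed ageing bands

def duplicate_payments(payments):
    """Group payments sharing vendor, normalised invoice number and amount."""
    groups = defaultdict(list)
    for p in payments:
        # Normalise case and stray spaces so re-keyed invoice numbers still match.
        key = (p["vendor"], p["invoice"].strip().upper(), round(p["amount"], 2))
        groups[key].append(p["pay_id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}

def debtor_ageing(debtors, as_of):
    """Return (totals per age band, customers overdue beyond their credit period)."""
    totals, overdue = defaultdict(float), []
    for customer, inv_date, credit_days, amount in debtors:
        age = (as_of - inv_date).days
        band = next((name for limit, name in BUCKETS if age <= limit), "over 90")
        totals[band] += amount
        if age > credit_days:
            overdue.append((customer, age - credit_days))  # days past credit period
    return dict(totals), overdue

if __name__ == "__main__":
    print(duplicate_payments(PAYMENTS))
    print(debtor_ageing(DEBTORS, date(2004, 7, 17)))
```

The same invoice number paid to a different vendor (P004) is deliberately not reported; matching on invoice number alone would produce false exceptions.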

Tips for using CAATs


Awareness and understanding within audit department
Participation and involvement of IT department
Realization that data analysis technologies depend upon auditors
The role of IS Audit specialist vs the financial/operation auditor
Examine Practical Issues:
  Data access
  Technical difficulties
  Political considerations
  Project champions
  Ongoing support

Evaluate Alternatives
Define criterion
Evaluate different options
Choose based upon criterion
Ease of use
Audit support
File size limitations
Automation capabilities
Data access
Speed of operation

Use of CAATs

CAATs can greatly enhance effectiveness and efficiency in the audit process during the planning, field work, and reporting phases
An auditor can use CAATs to perform tests that would normally be impossible or time-consuming to perform manually

For example, sorting, calculations, matching, and extracting

CAATs can allow an auditor to interrogate and analyze data more interactively, by removing the boundaries that can be imposed by a fixed audit program

For example, an auditor can analyze data and react immediately to the results of the analysis by simply modifying the parameters. This type of interaction helps an auditor understand the data

CAATs can help auditors modify their initial approach to auditing an area based on preliminary findings

Audit Tasks and CAATs


Plan audits
Identify and document procedures and controls
Test controls
Substantively test evidential matter
Report findings and recommendations

CAATs can be used for each of the above

Strategies for using CAATs


Identify the goals and objectives of the investigation or audit
This may not always mean that CAATs will be used for a particular audit
The point is to keep in mind all relevant techniques and technologies and to avoid traditional attitudes and thinking

Strategies for using CAATs

Identify what information will be required, to address the goals and objectives of the investigation or audit

Note: Try to assume that the information needed already exists in electronic format
Determine what the sources of the information are (Accounts payable system, payroll master file system, contracts system)
Who is responsible for the information (supervisors, dept leaders, IT personnel)
Documentation that describes the type of data in the system
Documentation that describes how the information flows

Strategies for using CAATs


Take time to understand the data
Know what each field in the data set represents and how it might be relevant to performing the audit
Review the record layout for the file
Verify that the data is complete (Compare it to a hard copy)
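One way to carry out the completeness check named above, as an added example that is not part of the original slides: the extract is reconciled to control figures read off the hard copy, and, going one step beyond the slide, the voucher number sequence is tested for gaps and duplicates. The records, field names and control figures are constructed assumptions.

```python
from collections import Counter
from decimal import Decimal

# Constructed extract of a voucher file; amounts kept as text and parsed as
# Decimal so the control total reconciles exactly (no floating-point drift).
EXTRACT = [
    {"voucher_no": 1001, "amount": "2500.00"},
    {"voucher_no": 1002, "amount": "130.75"},
    {"voucher_no": 1004, "amount": "980.00"},
    {"voucher_no": 1004, "amount": "980.00"},
    {"voucher_no": 1006, "amount": "45.25"},
]
# Constructed control figures, as they would be read from the printed report.
CONTROL = {"record_count": 6, "total_amount": "4786.00",
           "first_no": 1001, "last_no": 1006}

def completeness_check(rows, control):
    """Reconcile an extract to control totals and test the voucher sequence."""
    numbers = [r["voucher_no"] for r in rows]
    total = sum((Decimal(r["amount"]) for r in rows), Decimal("0"))
    expected = set(range(control["first_no"], control["last_no"] + 1))
    return {
        # Non-zero differences mean the file is not the population on the hard copy.
        "count_difference": len(rows) - control["record_count"],
        "amount_difference": total - Decimal(control["total_amount"]),
        "missing_numbers": sorted(expected - set(numbers)),
        "duplicate_numbers": sorted(n for n, c in Counter(numbers).items() if c > 1),
        "out_of_range": sorted(set(numbers) - expected),
    }

if __name__ == "__main__":
    for name, value in completeness_check(EXTRACT, CONTROL).items():
        print(name, value)
```

Here the record count alone understates the problem: one record short overall, but two voucher numbers are missing and one is present twice.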

Strategies for using CAATs

Understand the system generating the data

The best defense against misunderstanding how the system processes data:

1. Review documentation on the system. For example, user manuals, flowcharts, output reports
2. Speak with programmers and personnel familiar with the system

Points 1 and 2 may not necessarily guarantee the data from the system is reliable. The auditor can still do the following:

Play with the data - use audit software to interrogate the data and produce summaries, indices, stratification, etc. to help develop an overview of the information

Strategies for using CAATs


Develop working knowledge of CAATs

Critical for performing tasks and concluding on analyses correctly
Requires time-commitment on the part of the auditor, but will more than pay off during future use of the software

Strategies for using CAATs


Develop a plan for analyzing the data (What, When, Where, Why, and How)
What - Specific objectives that should be addressed by the analysis
When - Define the period of time that will be audited, and arrange with IT personnel to secure the data for that period
Where - Define the sources of the data to be analyzed (Accounts payable, payroll)
Why - Reason for performing the tests and analysis (general review, fraud audit, VFM)
How - The types of analysis planned to be carried out by the audit
(Note - Because of the nature of CAATs, the analysis plan should be viewed as a framework and not set in stone. For example, additional ad-hoc tests might be performed, based on preliminary findings.)

Myths of CAATs
Myth 1: Too costly to purchase and maintain
Myth 2: Too technical and complex for non-IS auditors
Myth 3: Only for use by IS Auditors
Myth 4: Hands-on approach to auditing
Myth 5: Client systems and data compromised

Issues in accessing data for CAATs


Historically, problems with accessing data have been a major barrier to using CAATs
Advancements in hardware/software have minimized technical problems and issues regarding data access. Specialized hardware and involvement of IS specialists are no longer a critical issue
Audit software can read and analyze most data formats, and PCs can now handle large volumes of data and run analyses at very fast speeds
Usually, the access to data is not a technological problem, but one of reluctance to provide that access by management or the client, depending on where you stand
Authorization and support are necessary for auditors to obtain physical access to data

Common problems associated with improperly using CAATs


Not identifying correctly what data is to be audited
Requesting incorrect data files
Failure to identify all the important fields that need to be accessed from the system
Not stating in advance the format in which the data can be downloaded
Not defining the fields correctly
Assuming the data represents the universe that is to be audited
Invalid analysis of the data

Pitfalls
Incorrect identification of Audit Objectives
Improper definition of Data Requirement
Incorrect data access
Inappropriate Analysis
Incorrect conclusion drawn
Failure to recognise CAATs opportunities

ICAEW REPORT - ROLE OF CAs


By 2005 - value adding professionals
Change working patterns
Broaden skills
Take advantage of the opportunities, else
  Working in lower grade jobs
  Reduced salaries or
  Become redundant
IT - key literacy for CAs

Key concepts to take away


CAATs have the potential to enable auditors to recognize the computer as a tool to assist them in the audit process
CAATs give auditors access to data in the medium in which it's stored, eliminating the boundaries of how it can be audited
Once auditors accept CAATs, they will be in a better position to have a considerable impact on their audit and auditee
The greatest barrier in promoting use of CAATs is failure to recognize opportunities to use CAATs for audit
The greatest benefit of using CAATs is the timesaving aspect
Using CAATs provides greater assurance of the audit process
Learning and recognizing how CAATs can be used is most critical to their effective use

THIS IS ONLY THE BEGINNING


IT'S NOT THE END, IT'S NOT EVEN THE BEGINNING OF THE END, BUT IT'S THE END OF THE BEGINNING
WINSTON CHURCHILL

I Would add
IT IS THE BEGINNING OF THE BEGINNING
IF YOU DON'T STAY AHEAD YOU WILL REMAIN BEHIND
