Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Learning Objectives
Why CAATs? What are CAATs? Benefits and Features of CAATs How to use CAATs? Using CAATs Case studies through demo of CAAT Software Strategies for using CAATs Myths and Pitfalls of CAATs Questions
2
category of software that is relevant to 21st century auditors are Audit Automation software which are used for making the audit more efficient and reusable such as planning to electronic workpapers Examples of these include PWCs TeamMate and Methodwares suite of software such as Audit Builder, COBIT Advisor, etc.
3
Todays computer systems process far more data than ever before and the increased processing volumes has rendered the process of traditional audit sampling techniques far too risky and insufficient to draw reasonable conclusions from such small samples especially from large populations Certain computerized processes produce intermediate results which are not output as hard copies and, therefore, the only way to test the integrity of a multistep process is to review the information that is passed from step to step using automation Many of the internal controls in todays business processes that have been traditionally handled by manual controls are now performed by computer systems
These are usually security-oriented and written by the platform vendor or third parties to extract useful security-related or administration-related information
Examples
of these are Axent ESM (Enterprise System Manager), Intrusion Security Analyst (formerly Kane Security Analyst), ISS Internet Scanner and tools from the Microsoft Windows NT/2000 Resource Kit
a business audit, most of the audit areas are strictly to do with financial and operational risks which are not IT-based However, since most of an organizations data is stored in digital form and resides in computer systems, a business auditor would do well to know how to obtain the audit evidence he/she requires directly from the source i.e. the computer systems
9
auditors need to overcome their phobia of computers and technology and understand that IT processes merely replace manual processes and not change them Most accounting-based business processes are relatively simple and represent store-andretrieve type of function where accounting transactions do not undergo any significant transformation such as complex computations but are merely input into the system and either reclassified, summarized or grouped in another form with minimal computations
10
of extracting information from computer is relatively easy because it involves understanding where the input data has been stored in the system and merely using the right tools to extract them for audit purposes Involves understanding the logical architecture of the applications data structures and knowing where these data are stored
11
what tools are available for data extraction and how to use them Modern-day PC-based applications have plenty of connectivity features like ODBC (Open Data Base Connectivity) drivers that come bundled with operating systems such as Microsoft Windows that will allow you to connect quite seamlessly with most popular databases
12
Is
Both
Yes
And No
13
Conducive For Crime No Suspicious Movements All Data Available At One Location Weak Pass Word System Access-easy
14
Trails -Absent User Activity - No Record Transportation And Duplication - Easy Deterrents - Absent Program Controls - Inadequate
15
Controls - Ineffective Input Controls - Insufficient Audit - Inefficient Managers Not Trained In Controls
16
It Is Easy To:
The Programs Modify Inputs Interfere In Process Change Printouts Alter Stored Records
17
18
19
Attacks
Traffic
Either
21
There Of
Are No Risks
22
An Accountant Assure The Management That Financial ;Data Is Secure From Leakage And The Controls Are Effective Against Frauds?
The
23
24
Between The Books Of The Current Year And The Previous Year Of Cancellation On The Vouchers Audited
Marks
25
Do We Use
When
26
Do We Verify The
Castings Done
And Postings
By The Computer?
27
Do We Verify Transactions
When In
28
Entries
29
It, Or Is It Not, Necessary That We Assure Ourselves The Computer Has Performed Accurately?
That
30
The Audit Of
Environment?
Computerised
31
32
of deposits accepted in cash>20000 Review of payment in cash > 10000 Review of TDS compliance Analysis of Inventory
33
of Authorisation of vouchers Review of discount policy Compliance with tax rates sales tax, excise duty, etc Aging of debtors
34
statistical analysis Identification of exception items Duplicate payment for invoices Debtors outstanding beyond credit period Age-wise analysis of debtors Age-wise analysis of inventory
35
Data access Technical difficulties Political considerations Project champions Ongoing support
36
Evaluate Alternatives
Define
criterion Evaluate different options Choose based upon criterion Ease of use Audit support File size limitations Automation capabilities Data access Speed of operation
37
38
Use of CAATs
CAATS can greatly enhance effectiveness and efficiency in the audit process during the planning, field work, and reporting phases
An auditor can use CAATs to perform tests that would normally be impossible or time-consuming to perform manually
CAATs can allow an auditor to interrogate and analyze data more interactively, by removing the boundaries that can be imposed by an fixed audit program
For example, an auditor can analyze data and react immediately to the results of the analysis by simply modifying the parameters This type of interaction helps an auditor understand the data
CAATs can help auditors modify their initial approach to auditing an area based on preliminary findings
39
40
the goals and objectives of the investigation or audit This may not always mean that CAATs will be used for a particular audit The point is to keep in mind all relevant techniques and technologies and to avoid traditional attitudes and thinking
41
Identify what information will be required, to address the goals and objectives of the investigation or audit
Note: Try to assume that the information needed already exists in electronic format Determine what the sources of the information are (Accounts payable system, payroll master file system, contracts system)
Who
is responsible for the information (supervisors, dept leaders, IT personnel) Documentation that describes the type of data in the system Documentation that describes how the information flows
42
time to understand the data Know what each field in the data set represents and how it might be relevant to performing the audit Review the record layout for the file Verify that the data is complete (Compare it to a hard copy)
43
The best defense against misunderstanding how the system processes data:
Review documentation on the system For example, user manuals, flowcharts, output reports Speak with programmers and personnel familiar with the system
Points 1 and 2 may not necessarily guarantee the data from the system is reliable The auditor can still do the following:
Play with the data - use audit software to interrogate the data and produce summaries, indices, stratification, etc to help develop an overview of the information
44
Critical for performing tasks and concluding on analyses correctly Requires time-commitment on the part of the auditor, but will more than pay off during future use of the software
45
46
Myths of CAATs
Myth
1: Too costly to purchase and maintain Myth 2:Too technical and complex for non-IS auditors Myth 3:Only for use by IS Auditors Myth 4: Hands-on approach to auditing Myth 5: Client systems and data compromised
47
Historically, problems with accessing data have been major barrier to using CAATs Advancements in hardware/software have minimized technical problems and issues regarding data access. Specialized hardware & involvement of IS specialists are no longer a critical issue. Audit software can read and analyze most data formats and PCs can now handle large volumes of data and run analyses at very fast speeds Usually, the access to data is not a technological problem, but one of reluctance to provide that access by management or the client depending where you stand. Authorization and support is necessary for auditors to obtain physical access to data
48
Not identifying correctly what data is to be audited Requesting incorrect data files Failure to identify all the important fields that need to be accessed from the system Not stating in advance the format the data can be downloaded Not defining the fields correctly
49
Pitfalls
Incorrect
identification of Audit Objectives Improper definition of Data Requirement Incorrect data access Inappropriate Analysis Incorrect conclusion drawn Failure to recognise CAATs opportunities
50
2005 - value adding professionals Change working patterns Broaden skills Take advantage of the opportunities, else
Working
CAATs give auditors access to data in the medium in which its stored, eliminating the boundaries of how it can be audited
Once auditors accept CAATs, they will be in a better position to have a considerable impact on their audit and auditee Greatest barriers in promoting use of CAATs is failure to recognize opportunities to use CAATs for audit Greatest benefit of using CAATs is the timesaving aspect Using CAATs provides greater assurance of audit process Learning and recognizing how CAATs can be used is most critical to its effective use
52
53
ITS NOT THE END, ITS NOT EVEN THE BEGINNING OF THE END, BUT ITS THE END OF THE BEGINNING
WINSTON CHURCHILL
I Would add
IT IS THE BEGINNING OF THE BEGINNING
IF YOU DONT STAY AHEAD YOU WILL REMAIN BEHIND
54
55