Internal Audit: Efficiency Through Automation teaches state-of-the-art computer-aided audit techniques, with practical guidelines on how to get much needed data, overcome organizational roadblocks, build data analysis skills, as well as address Continuous Auditing issues. Chapter 1 CAATTs History, Chapter 2 Audit Technology, Chapter 3 Continuous Auditing, Chapter 4 CAATTs Benefits and Opportunities, Chapter 5 CAATTs for Broader Scoped Audits, Chapter 6 Data Access and Testing, Chapter 7 Developing CAATT Capabilities, Chapter 8 Challenges for Audit,
Table of Contents:
Case Studies xv
Preface xvii
Acknowledgments xxi
CHAPTER 1 CAATTs History 1
The New Audit Environment 2
The Age of Information Technology 3
Decentralization of Technology 3
Absence of the Paper Trail 4
Do More with Less 4
Definition of CAATTs 5
Evolution of CAATTs 6
Audit Software Developments 7
Historical CAATTs 8
Test Decks 8
Integrated Test Facility (ITF) 9
System Control Audit Review File (SCARF) 9
Sample Audit Review File (SARF) 9
Sampling 10
Parallel Simulation 10
Reasonableness Tests and Exception Reporting 11
Traditional Approaches to Computer-Based Auditing 12
Systems-Based Approach 12
Data-Based Approach 15
Audit Management and Administrative Support 19
Roadblocks to CAATT Implementation 20
Summary and Conclusions 24
CHAPTER 2 Audit Technology 27
Audit Technology Continuum 27
Introductory Use of Technology 27
Moderate Use of Technology 28
Integral Use of Technology 29
Advanced Use of Technology 30
Getting There 31
General Software Useful for Auditors 32
Word Processing 32
Text Search and Retrieval 34
Reference Libraries 35
Spreadsheets 35
Presentation Software 37
Flowcharting 38
Antivirus and Firewall Software 39
Software Licensing Checkers 39
Specialized Audit Software Applications 40
Data Access, Analysis, Testing, and Reporting 40
Standardized Extractions and Reports 44
Information Downloaded from Mainframe Applications and/or Client Systems 45
Electronic Questionnaires and Audit Programs 48
Control Self-Assessment 49
Parallel Simulation 50
Electronic Working Papers 51
Data Warehouse 52
Data Mining 54
Software for Audit Management and Administration 56
Audit Universe 56
Audit Department Management Software 57
E-mail 57
File Transfer Protocol (FTP) 57
Intranet 59
Databases 60
Groupware 61
Electronic Document Management 61
Electronic Audit Reports and Methodologies 62
Audit Scheduling, Time Reporting, and Billing 63
Project Management 64
Extensible Business Reporting Language (XBRL) 64
Expert Systems 67
Audit Early-Warning Systems 68
Continuous Auditing 69
Continuous Auditing versus ContinuousMonitoring 72
Example of Continuous Auditing: Application to an Accounts Payable Department 74
Stages of Continuous Auditing 77
Continuous Auditing Template 79
Sarbanes-Oxley 80
Important SOX Sections 81
The Role and Responsibility of Internal Audit 83
Risk Factors 84
Detecting Fraud 85
Determining the Exposure to Fraud 86
SOX Software 88
Assessment of IT Controls and Risks 90
Defining the Scope 92
GAIT Principles 93
Governance, Risk Management, and Compliance (GRC) 94
Internal Audit’s Role in the GRC Process 97
Identifying and Assessing Management’s Risk Management Process 99
Assessment of Internal Control Processes 100
GRC Software 101
Summary and Conclusions 102
CHAPTER 3 CAATTs Benefits and Opportunities 103
The Inevitability of Using CAATTs 103
The New IM Environment 105
The New Audit Paradigm 105
Expected Benefits 108
Planning Phase—Benefits 109
Conduct Phase—Benefits 112
Data Analysis 112
Increased Coverage 112
Better Use of Auditor Resources 115
Improved Results 116
Reporting Phase—Benefits 116
Administration of the Audit Function—Benefits 117
Reduced Costs 119
Increased Performance 120
Increased Time for Critical Thinking 122
Recognizing Opportunities 124
Transfer of Audit Technology 126
Summary and Conclusions 127
CHAPTER 4 CAATTs for Broader-Scoped Audits 129
Integrated Use of CAATTs 129
Value-for-Money Auditing 134
Value-Added Auditing of Inventory Systems 134
Data Analysis in Support of Value-Added Inventory Auditing 135
Inventory Management Practices and Approaches 136
Possible Areas for Audit-Suggested Improvements 138
Audit and Reengineering 144
Audit and Benchmarking 148
Summary and Conclusions 152
CHAPTER 5 Data Access and Testing 153
Data Access Conditions 153
Mainframe versus Minicomputer versus Microcomputer 154
Portability of Programs and Data 154
Limitations to Using the Microcomputer 155
Processing Speeds 155
Single Tasking 156
Inability to Deal with Complex Data and File Structures 156
Client Facilities 157
Auditor’s Microcomputer-Based Facilities 158
Data Extraction and Analysis Issues 159
Accessing the Data 160
Data Storage Requirements 161
Analysis of Data 162
Risks of Relying on Data—Reliability Risk 163
Reliance on the Data 164
Knowledge of the System 165
Assessment of the Internal Controls 166
New Topology of Data Tests 167
Reducing Auditor-Induced Data Corruption 168
Potential Problems with the Use of CAATTs 169
Incorrect Identification of Audit Population 169
Improper Description of Data Requirements 171
Invalid Analyses 172
Failure to Recognize CAATT Opportunities 173
Summary and Conclusions 174
CHAPTER 6 Developing CAATT Capabilities 177
Professional Proficiency: Knowledge, Skills, and Disciplines 177
Computer Literacy: Minimal Auditor Skills 178
Ability to Use CAATTs 180
Understanding of the Data 181
Analytical Support and Advice 182
Communication of Results 184
Steps in Developing CAATT Capabilities 184
Understand the Organizational Environment/Assess the Organizational Culture 184
Obtain Management Commitment 185
Establish Deliverables 186
Set Up a Trial 186
Plan for Success 186
Track Costs and Benefits 187
Lessons Learned 187
Organize Working Groups 188
Computer Literacy Working Group 189
CAATT Working Groups 190
Information Systems Support to Audit 191
Assure Quality 195
Quality Assurance Methodology 196
Preventive Controls for CAATTs 197
Detective Controls for CAATTs 198
Corrective Controls for CAATTs 199
Quality Assurance Reviews and Reports 200
Summary and Conclusions 200
CHAPTER 7 Challenges for Audit 203
Survival of Audit 203
Audit as a Learning Organization 204
Knowledge Acquisition 204
Information Dissemination 205
Information Interpretation 205
Organizational Memory 205
New Paradigm for Audit 206
Computer-Assisted Audit Techniques 206
Computer-Aided Audit Thought Support 207
Auditor Empowerment 208
Access to Microcomputers and Computer Networks 209
Access to Audit Software—Meta-Languages 209
Universal Access to Data 210
Access to Education, Training, and Research 210
Skills Inventory 212
Needed versus Actual Skills 212
Required versus Actual Performance 215
Auditor Skills for Using CAATTs 216
IS Auditor Skills 216
Training Programs and Requirements 217
Conceptual Training 217
Technical Training 218
Training Options 218
In-house 218
Professional Associations 218
Educational Institutions 219
Computer-Based, Video-Based, and Web-Based Training 219
Summary and Conclusions 220
Appendices 223
APPENDIX A The Internet—An Audit Tool 225
The Internet 225
Connecting to the Internet 225
General Internet Uses 226
Useful Sites for Auditors 229
Examples of Audit-Related Internet Usage 230
APPENDIX B Information Support Analysis and Monitoring (ISAM) Section 231
APPENDIX C Information Management Concepts 235
APPENDIX D Audit Software Evaluation Criteria 241
General Capabilities 241
Reporting Capabilities 241
Graphics Capabilities 242
Mathematical Functions 242
File Manipulation Capabilities 242
Record Definition Capabilities 242
File Type Capabilities 242
Programming Capabilities 242
Support 243
Other Capabilities 243
References 245
Index 249
About the Author :
David Coderre has over twenty years of experience in internal audit, management consulting, policy development, management information systems, system development, and application implementation areas. He is currently President of CAATS (Computer-Assisted Analysis Techniques and Solutions). He is the author of three highly regarded books on using data analysis for audit and fraud detection.
