Internal Audit E-Book

Table of Contents

Title Page

Copyright Page

Dedication

About The Institute of Internal Auditors

Preface

Acknowledgements

CHAPTER 1 - CAATTs History

The New Audit Environment

Definition of CAATTs

Evolution of CAATTs

Audit Software Developments

Historical CAATTs

Traditional Approaches to Computer-Based Auditing

Audit Management and Administrative Support

Roadblocks to CAATT Implementation

Summary and Conclusions

CHAPTER 2 - Audit Technology

Audit Technology Continuum

General Software Useful for Auditors

Specialized Audit Software Applications

Software for Audit Management and Administration

Continuous Auditing

Sarbanes-Oxley

Assessment of IT Controls and Risks

Governance, Risk Management, and Compliance (GRC)

Summary and Conclusions

CHAPTER 3 - CAATTs Benefits and Opportunities

The Inevitability of Using CAATTs

The New IM Environment

The New Audit Paradigm

Expected Benefits

Recognizing Opportunities

Transfer of Audit Technology

Summary and Conclusions

CHAPTER 4 - CAATTs for Broader-Scoped Audits

Integrated Use of CAATTs

Value-for-Money Auditing

Audit and Reengineering

Audit and Benchmarking

Summary and Conclusions

CHAPTER 5 - Data Access and Testing

Data Access Conditions

Data Extraction and Analysis Issues

Risks of Relying on Data—Reliability Risk

Potential Problems with the Use of CAATTs

Summary and Conclusions

CHAPTER 6 - Developing CAATT Capabilities

Professional Proficiency: Knowledge, Skills, and Disciplines

Steps in Developing CAATT Capabilities

Computer Literacy Working Group

CAATT Working Groups

Information Systems Support to Audit

Assure Quality

Summary and Conclusions

CHAPTER 7 - Challenges for Audit

Survival of Audit

Audit as a Learning Organization

Auditor Empowerment

Skills Inventory

Training Programs and Requirements

Training Options

Summary and Conclusions

Appendices

APPENDIX A - The Internet—An Audit Tool

APPENDIX B - Information Support Analysis and Monitoring (ISAM) Section

APPENDIX C - Information Management Concepts

APPENDIX D - Audit Software Evaluation Criteria

References

Index

Copyright © 2009 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

For more information about Wiley products, visit our web site at http://www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Coderre, David G. Internal audit : efficiency through automation / David Coderre. p. cm. Includes bibliographical references and index.

eISBN : 978-0-470-47865-3

1. Auditing, Internal-Data processing. 2. Risk assessment-Data processing. I. Title. HF5668.25.C628 2009 657’.450285-dc22 2008037345.

For Anne, Jennifer and LindsayThis book celebrates the spirit of all auditors who are trying to do the best job they can with the tools available to them and who are continuously searching for “better ways.”David CoderreE-mail: [email protected]

Internal auditors cannot stand by and watch as the business world embraces new technology. The tools and techniques used in the past are no longer adequate; we need to restock our toolboxes with a variety of software to meet the challenges of auditing in today’s business environment.

David Coderre

About The Institute of Internal Auditors

The Institute of Internal Auditors (IIA) is internationally recognized as a trustworthy guidance-setting body. Serving members in 165 countries, The IIA is the internal audit profession’s global voice, chief advocate, recognized authority, acknowledged leader, and principal educator on governance, risk, and internal control.

The IIA sets, stewards, and promulgates the International Standards for the Professional Practice of Internal Auditing (Standards). The Institute also provides various levels of accompanying guidance; offers leading-edge conferences, seminars and Web-based training; produces forward-thinking educational products; offers quality assurance reviews, benchmarking, and consulting services; and creates growth and networking opportunities for internal auditors throughout the world. The IIA also certifies professionals through the globally recognized Certified Internal Auditor® (CIA® ), and provides specialty certifications in government, control self-assessment, and financial services.

The IIA’s Web site, www.theiia.org, is rich with professional guidance and information on IIA programs, products, and services, as well as resources for IT audit professionals. The Institute publishes Internal Auditor, an award-winning, internationally distributed trade magazine and The IIA’s other outstanding periodicals address the profession’s most pressing issues and present viable solutions and exemplary practices.

The IIA Research Foundation (IIARF) works in partnership with experts from around the globe to sponsor and conduct research on the top issues affecting internal auditors and the business world today. Its projects advance the internal audit profession globally by enhancing the professionalism of internal audit practitioners. It also provides leading-edge educational products through the IIARF Bookstore.

Preface

Technology is pervasive—invading all areas of our personal and business lives. In our personal lives, we have some control over how much technology we will tolerate, but not so in our professional lives. Every aspect of modern organizations involves technology, to the extent that auditors can no longer audit around the computer as they did from 1960 until recently. Technology is an important element of a majority of the controls that are, or should be, in place. In addition, not only is technology a necessary tool of auditors, but it can also improve the efficiency and effectiveness of the audit process.

The ease of access and the myriad types of audit software has taken technology out of the hands of IT auditors and made it readily available to all auditors. The key to harnessing the power of technology and increasing audit efficiency is to ask the question “How can technology be used to support the audit function?” Furthermore, too many auditors are simply automating what was done manually before. Instead, auditors should be asking, “What else will technology allow me to do?” This demands that all auditors have access to, and an understanding of, the technology and underlying data, and that technology be employed in all phases of the audit from the initial development of the risk-based annual audit plan to the planning, conducting, reporting, and follow-up phases of individual audits.

Technology as an audit tool is not a new concept, but it has gained considerable ground in the last five to ten years. Part of the recent drive to incorporate technology in both business and audit has been a result of legislation such as Sarbanes-Oxley (SOX). The cost of compliance—millions of dollars on average—drove organizations to employ technology to reduce the people-intensive manual testing of financial controls that was overly time consuming. In particular, data analysis techniques offered much-needed efficiencies—reducing overall SOX compliance costs and expanding the scope and reliability of audit tests. The use of data analytics also gives auditors an independent view of the business systems, the individual financial transactions, and the key financial controls. Through continuous auditing, auditors can highlight anomalies, control deficiencies, and unusual trends. This means that errors, fraud, and other problems can be identified in a timely manner—supporting the compliance requirements of SOX Section 409.

Increased globalization of businesses, market pressure to improve operations, and rapidly changing business conditions are providing additional encouragement for technology-enabled auditing (TEA). These forces are creating the demand for more timely and ongoing assurance that controls are working effectively and risk is properly mitigated. To meet this need, many internal auditors are implementing continuous auditing. This book will help auditors learn what continuous auditing does and how it can help auditors make better use of data analytics, while maintaining their independence and objectivity in evaluating the effectiveness of risk management and control assessment processes.

Continuous auditing has two main components. The first is continuous risk assessment: audit activities that identify and evaluate companywide risk levels by examining trends in the data-driven risk indicators within a single process or system. These processes are then compared to their past performance and other business systems. For example, product line performance is compared to the performance of the previous year, but it is also assessed within the context of its performance compared the other plants.

The second component of continuous auditing is continuous control assessment: audit activities that identify whether key controls are working properly. Through continuous control assessments, individual transactions are monitored against a set of control rules to determine if the internal controls are functioning as designed and to highlight exceptions. Assessing a well-defined set of control rules allows auditors to warn the organization when process or system controls are not working as intended or when the controls are compromised. By identifying control weaknesses and violations, auditors can provide independent assurance to the audit committee and senior management.

A more recent catalyst for the use of technology in audit is governance, risk management, and compliance (GRC). High-performing companies are integrating their GRC activities to make them more efficient, effective, dependable, and legally sound. Internal audit can use technology to perform independent assessments of the management GRC processes—to determine whether there is reasonable assurance that the overall goals and objectives of the organization will be met. To do this, internal auditors must consider emerging areas of risk, the effectiveness of management’s monitoring programs, and the adequacy of management’s response to identified risks. This requires a systematic approach to the evaluation of risk management, control, compliance, and governance processes. Auditors can assist management by performing analytical reviews of the GRC processes, by testing compliance with general and application controls, and by performing trend analysis to identify emerging areas of risk.

The key to effectively using TEA is to develop a good understanding of the main business processes and the associated information systems and infrastructure (i.e., their controls and the data contained therein). However, the adoption of TEA will require all auditors to have knowledge not only of information systems, but also the tools and techniques supporting the data analysis.

The chief audit executive and all auditors must realize that TEA will change the way audits are conducted, including the procedures and level of effort required. This will place new demands on the audit department and possibly on the work performed by IT auditors. Historically, the only auditors who even dared to look at the application controls were IT auditors; however, the audit world has changed significantly in the past few years. No longer are IT and business risks considered as separate entities. All auditors are encouraged to consider IT risks as business risks and to develop a more integrated approach to auditing. The role of the IT audit specialist has expanded to include supporting general audit by arranging for access, downloading the data, dealing with disparate data structures and data normalization issues, and assisting with the more complex analyses. The IT audit specialists can also be used in the quality assurance process—reviewing analyses performed by the auditors to ensure the results can be relied upon and developing standard routines that can ensure consistency and bring additional efficiencies to the analysis activities.

Everyone has heard the phrases “if it ain’t broke, don’t fix it” and “don’t reinvent the wheel.” These adages are useful to remember, but too often we find ourselves constrained by mental barriers that we create for ourselves. Methods that worked well in the past become entrenched in our way of thinking. Sometimes this is good, because past experiences can help us avoid pitfalls and maximize the use of our time. But strict reliance on past experiences can result in trying to force familiar solutions onto different problems, or can cause us to overlook new or more efficient approaches to old problems. Even when we utilize our standard tools, such as data analysis and audit software, we must try to find new approaches to address new situations. Data analysis and audit software provide us with many opportunities to be more creative in our approaches to problem solving.

This book describes many facets of TEA. It also presents numerous case studies that illustrate the power and flexibility of standard and audit-specific software packages. Internal auditors cannot stand by and watch as the business world embraces new technology. The tools and techniques used in the past are no longer adequate; we need to check our toolboxes to ensure that we have the tools needed to meet the challenges of auditing in today’s business environment.

Acknowledgments

The author would like to acknowledge Eric Desmarais for his research assistance, which was a great help in revising Appendix A.

CHAPTER 1

CAATTs History

Computers are not new to us. From microwave ovens to DVDs, everywhere around us we see and feel the effect of the microchip. But, too often, we have either not applied these new technologies to our everyday work activities, or we have only succeeded in automating the functions we used to do manually. “Things are working fine the way they are” or “I’m not an IS auditor” are just two of the many excuses we hear for not capitalizing on the power of the computer. However, we cannot afford to ignore the productivity gains that can be achieved through the proper use of information technology. The use of automation in the audit function—whether it is for the administration of the audit organization or tools employed during the conduct of comprehensive audits—has become a requirement, not a luxury. In today’s technologically complex world, where change is commonplace, auditors can no longer rely on manual techniques, even if they are tried and true. Auditors must move forward with the technology, as intelligent users of the new tools. The vision of the auditor, sleeves rolled up, calculator in hand, poring over mountains of paper, is no longer a realistic picture. Automation has found its way into our homes, schools, and the workplace—now is the time to welcome it into the audit organization.

This book discusses microcomputer-based audit software, but the techniques and concepts are equally applicable to mainframe and minicomputer environments. Examples of software packages are provided, but the focus is on the discussion of an approach to using automation to assist in performing various audit tasks rather than the identification of specific audit software packages.

Throughout this book, Computer-Assisted Audit Tools and Techniques (CAATTs) and audit automation are meant to include the use of any computerized tool or technique that increases the efficiency and effectiveness of the audit function. These include tools ranging from basic word processing to expert systems, and techniques as simple as listing the data to matching files on multiple key fields.