Computer-aided audit tools: Difference between revisions

Content deleted Content added
No edit summary
Line 1:
'''Computer Aided Audit Tools''' (CAATS), also known as '''Computer Assisted Audit Tools and Techniques''' (CAATTS), is a growing field within the audit profession. CAATTS is the practice of using computers to automate or simplify the audit process. In the broadest sense of the term, CAATTS can refer to any use of a computer during the audit. This would include utilizing basic software packages such as Excel, Microsoft Access, and even word processors. It practice, however, CAATTS has become synonymous with incorporating Data Analytics into the audit process. This is one of the emerging fields within the audit profession.
{{dated prod|concern = {{{concern|Created a new page which (I hope) better discusses subject of [[Computer Aided Audit Tools]]. }}}|month = October|day = 22|year = 2006|time = 08:32|timestamp = 20061022083257}}
<!-- Do not use the "dated prod" template directly; the above line is generated by "subst:prod|reason" -->
 
==Traditional Auditing vs CAATTS==
{{cleanup-date|July 2006}}
'''Data analysis''' is the means by which the information systems auditor determines the completeness and accuracy of an organization’s data. [[Auditor]]s perform data analysis to determine where it is best to focus audit tests.
 
===Traditional Audit Example===
Along with manual audit procedures, the auditor can employ [http://www.isaca.org/Content/ContentGroups/Standards2/Standards,_Guidelines,_Procedures_for_IS_Auditing/IS_Auditing_Guideline_G3_Use_of_Computer-Assisted_Audit_Techniques1.htm computer assisted auditing tools and techniques (CAATT’s)] to perform data analysis throughout the audit engagement. Generalized Audit Software (GAS), also known as Data Analysis Software, is the most popular form of CAATT used in the data analysis process.
 
Traditionally auditors have been criticized because they reach conclusions based upon limited samples. It is not uncommon for an auditor to sample 30-50 transactions and declare a problem or conclude that "controls appear to be effective." Management upon hearing the verdict of the auditors will question the validity of the audit. Management realizes that they conduct thousands or perhaps millions of transactions a year and the auditor only sampled a handful. The auditor will then state that the conducted the sample based upon Generally Accepted Audit Standards (GAAS) and that their sample was statistically valid. The auditor is then forced to defend their methodology.
==Data analysis process==
 
Another common criticism of the audit profession occurs after a problem emerges. Whenever a problem emerges within a department, management asks, "Where was audit." If audit had reviewed the area recently it becomes a sticky situation as the Audit Manager attempts to explain that the reason the problem wasn't identified was because the problem was outside of the scope of the audit. The Audit manager might also try to explain that the sample was "a statistically valid sample with a 95% confidence level." The Audit Committee doesn't care that the audit was conducted according to GAAS, they only care that a problem went unnoted by the audit department.
Key steps within the data analysis process include:
#'''Scoping'''
#*The auditor determines audit objectives and identifies organizational systems containing potentially relevant data.
#'''Requesting Data from the Organization'''
#*In order to obtain sufficient, reliable, and relevant evidence to achieve their audit objectives, the auditor attempts to determine relevant data used to perform audit tests. The data is then requested from the organization’s IT department.
#'''Extracting Data'''
#*When data is extracted from an organization, the auditor must verify the integrity of the organization’s information system and IT environment from which the data is extracted.
#'''Data Importation'''
#*The auditor must determine the completeness and relevancy of data obtained by the organization.
#'''Data Profiling'''
#*The auditor performs relevancy checks on data. For example, checking an organization’s data to determine if there are any negative invoice amounts, debits don’t equal credits, or if there is omitted data.
#'''Data Analysis'''
#*The auditor analyzes the data to determine if sufficient evidence has been obtained to support their overall conclusions and findings of the audit.
#'''Reporting'''
#*The auditor must summarize the findings and then determine which type of audit report is most suitable to describe the outcome of the audit results. For example, an unqualified audit report vs. a qualified audit report.
#'''Documentation of Research Findings'''
#*The auditor must document their research findings in the forms of work papers, spreadsheets, flowcharts, and results of observations, to name a few. Audit documentation is essential to support the auditor’s findings and recommendations as stated in the audit report.
 
===CAATTS Alternative===
[[Image:Data_analysis.JPG]]
CAATTS addresses these problems. CAATTS, as it is commonly used, is the practice of analyzing large volumes of data looking for anomalies. A well designed CAATTS audit will not be a sample, but rather a complete review of all transactions. Using CAATTS the auditor will extract every transaction the business unit performed during the period reviewed. The auditor will then test that data to determine if there are any problems in the data. For example, using CAATTS the auditor can find invalid Social Security Numbers (SSN) by comparing the SSN to the issuing criteria of the Social Security Administration. The CAATTS auditor could also easily look for duplicate vendors or transactions. When such a duplicate is identified, they can approach management with the knowledge that they tested 100% of the transactions and that they identified 100% of the exceptions.
 
===Traditional Audit vs CAATTS on Specific Risks===
==Computer-assisted auditing tools & techniques (CAATTs)==
 
Another advantage of CAATTS is that it allows auditors to test for specific risks. For example, an insurance company may want to ensure that it doesn't pay any claims after a policy is terminated. Using traditional audit techniques this risk would be very difficult to test. The auditor would "randomly select" a "statistically valid" sample of claims (usually 30-50.) They would then check to see if any of those claims were processed after a policy was terminated. Since the insurance company might process millions of claims the odds that any of those 30-50 "randomly selected" claims occurred after the policy was terminated is extremely unlikely. Even if one or two of those claims was for a date of service after the policy termination date, what does that tell the auditor?
CAATT's allow auditors to utilize computers to complete detailed and analytical tests with little effort.
 
Using CAATTS the auditor can select every claim that had a date of service after after the policy termination date. The auditor then can determine if any claims were inappropriately paid. If they were, the auditor can then figure out why the controls to prevent this failed. In a real life audit, the CAATTS auditor noted that a number of claims had been paid after policies were terminated. Using CAATTS the auditor was able to identify every claim that was paid and the exact dollar amount incorrectly paid by the insurance company. Furthermore, the auditor was able to identify the reason why these claims were paid. The reason why they were paid was because the participant paid their premium. The insurance company, having received a payment, paid the claims. Then after paying the claim the participant's check bounced. When the check bounced, the participant's policy was retroactively terminated, but the claim was still paid costing the company hundreds of thousands of dollars per year.
 
Which looks better in an audit report:
 
"Audit reviewed 50 transactions and noted one transaction that was processed incorrectly"
 
or
 
"Audit utilized CAATTS and tested every transaction over the past year. We noted XXX exceptions wherein the company paid YYY dollars on terminated policies."
 
==Specialized Software==
 
In the most general terms, CAATTS can refer to any computer program utilized to improve the audit process. Generally, however, it is used to refer to any data extraction and analysis software. This would include programs such as SAS, Excel, Access, Crystal Reports, Business Objects, etc. There are, however, two main companies that have developed specialized data analytic software specifically for auditors. They are [Audit Command Language] (ACL) and IDEA. More audit firms and departments use ACL than IDEA, but IDEA has been eroding ACL's user base.
 
Benefits of audit software include:
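
Review bot: In the "CAATTS Alternative" paragraph, "they tested 100% of the transactions and that they identified 100% of the exceptions" overstates what a full-population test provides. It finds every record that fails the tests actually run, and only when the extract itself is complete and intact. The "Extracting Data" and "Data Importation" steps in this same hunk state that precondition, so keep them or restate the caveat next to the claim. Smaller points in this hunk: "[Audit Command Language] (ACL)" uses single brackets and will not render as a link (use [[Audit Command Language]]); "More audit firms and departments use ACL than IDEA, but IDEA has been eroding ACL's user base" and the "real life audit" anecdote carry no source; typos at "It practice", "the conducted the sample" and "after after".
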
Line 38 ⟶ 35:
*Provides documentation of each test performed in the software that can be used as documentation in the auditor’s work papers.
 
Audit specialized software can easily perform the following functions:
===Data analysis software===
 
The most popular form of CAATTs, [http://www.isaca.org/Content/ContentGroups/Member_Content/Journal1/20033/Using_CAATs_to_Support_IS_Audit.htm data analysis software] is used to extract data from commonly used file formats and the tables of most database systems. This audit software can perform a variety of queries and other analyses on an organization’s data.
 
Functions an auditor can perform using the software include:
 
*Data queries.
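
Review bot: "Audit specialized software can easily perform the following functions:" and "Functions an auditor can perform using the software include:" both introduce the same bullet list, so only one should survive, and "easily" reads as promotion rather than description. The "Data analysis software" paragraph holds the only external reference in this hunk (the ISACA link); if that paragraph goes, move the reference to whichever lead-in stays so the list is still sourced.
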
Line 50 ⟶ 43:
*Statistical analysis.
*Calculations.
*Duplicate inquires.
 
==Other uses of CAATTS==
The following are types of query and analysis tools used by auditors while performing data analysis.
 
In addition to using data analysis software, the auditor utilizes CAATS throughout the audit for the following activities while performing data analysis:
*'''Access''' &ndash; A database program that provides data selection, analysis, and reporting.
*'''[[Audit Command Language|ACL]] & IDEA''' &ndash; General audit software that reads files from most formats and provides data selection, analysis, and reporting.
*'''Excel''' &ndash; Spreadsheet software that provides analysis, calculation, graphing, and reporting.
*'''CA-Examine''' &ndash; A programming language that provides data selection, analysis, and reporting. Additional programming languages include: CA-Easytrieve, Vbasic, C, C++, JAVA, SQL, Perl, SAS, and SPSS.
*'''SAS Base''' &ndash; A business intelligence platform that is sometimes used for its strong ETL capabilities and ability to interface with major ERP.
*[http://www.categoric.com Categoric] Continuous Auditing technology. Connects to anything and provides real time monitoring of controls and KPIs
 
*'''Creation of Electronic Work Papers'''
Data analysis programs use such techniques as:
*'''Histograms''' &ndash; provides the auditor with a “snapshot” of the substance, makeup, and distribution of data within an organization’s accounting system.
*'''Modeling''' &ndash; allows the auditor to determine the reasonableness of an organization’s data by comparing current data with a trend or pattern as established by evaluating data from previous years.
*'''Comparative Analysis''' &ndash; Allows the auditor to compare sets of data to determine areas of audit interest.
 
===Other uses of CAATT's for data analysis===
 
In addition to using data analysis software, the auditor utilizes CAATT's throughout the audit for the following activities while performing data analysis:
 
*'''<u>Creation of Electronic Work Papers</u>'''
Keeping electronic work papers on a centralized audit file or database will allow the auditor to navigate through current and archived working papers with ease. The database will make it easier for auditors to coordinate current audits and ensure they consider findings from prior or related projects. Additionally, the auditor will be able to electronically standardize audit forms and formats, which can improve both the quality and consistency of the audit working papers.
 
*'''<u>Fraud Detection</u>'''
CAATTsCAATTS provides auditors with tools that can identify unexpected or unexplained patterns in data that may indicate fraud. Whether the CAATTCAATS is simple or complex, data analysis provides many benefits in the prevention and detection of fraud.
 
CAATTsCAATTS can assist the auditor in detecting fraud by performing and creating the following, respectively:
 
*'''Analytical Tests'''
#<u>''Analytical Tests''</u> &ndash; evaluations of financial information made by studying plausible relationships among both financial and non-financial data to assess whether account balances appear reasonable (AU 329). Examples include ratio, trend, and [http://www.nist.gov/dads/HTML/benfordslaw.html Benford's Law]tests.
Evaluations of financial information made by studying plausible relationships among both financial and non-financial data to assess whether account balances appear reasonable (AU 329). Examples include ratio, trend, and [Benford's Law] tests.
#<u>''Data Analysis Reports''</u> &ndash; reports produced using specific audit commands such as filtering records and joining data files.
 
*'''<u>ContinuousData Monitoring</u>Analysis Reports'''
Reports produced using specific audit commands such as filtering records and joining data files.
*[http://www.theiia.org/itaudit/index.cfm?fuseaction=print&fid=5404 Continuous Monitoring]is an ongoing process for acquiring, analyzing, and reporting on business data to identify and respond to operational business risks. For auditors to ensure a comprehensive approach to acquire, analyze, and report on business data, they must make certain the organization continuously monitors user activity on all computer systems, business transactions and processes, and application controls.
 
*'''Continuous Monitoring'''
Additionally, the auditor can install audit procedures into their audit software called embedded audit routines, which can continuously capture and analyze an application’s processing results. The audit routines can capture transaction data, statistics, and continuously evaluate the organization’s computer system for processing errors. For example, evaluating whether fields that should only have alpha characters have no null data values and amount fields have no alpha characters.
[http://www.theiia.org/itaudit/index.cfm?fuseaction=print&fid=5404 Continuous Monitoring] is an ongoing process for acquiring, analyzing, and reporting on business data to identify and respond to operational business risks. For auditors to ensure a comprehensive approach to acquire, analyze, and report on business data, they must make certain the organization continuously monitors user activity on all computer systems, business transactions and processes, and application controls. The Institute of Internal Auditors recently published a GTAG on Continuous Monitoring.
 
== Note on the Acronyms CAATTS vs CAATS==
*'''<u>Audit Reporting</u>'''
Benefits to electronic audit reporting include:
 
CAATTS and CAATS are used interchangeably. While CAATS has emerged as the more common spelling, CAATTS is the more precise acronymn. The acronymn CAATTS solves one of the two problems with defining the acronym. CAATS means:
#Automatically providing information about sections of audits, as they are completed, to the audit supervisor to update them with the ongoing status of all audit projects. Frequent status updates will allow the supervisor to focus on certain processes of the audit, which indicates problems and/or provide additional resources in areas falling behind schedule.
#Providing links to working papers, worksheets, graphs, or other information that will be automatically updated as data changes.
#Report files can be shared by audit team members and management, and can easily be distributed via e-mail, file transfer, or audit website. The auditor must ensure appropriate security, confidentiality, and access controls for such reports.
 
''C''omputer ''A''ided (or ''A''ssisted) ''A''udit ''T''ools (or ''T''echniques)
== Note on the Acronyms CAATTS vs CAATS==
 
The first "A" and the "T" can have two different meanings depending on who uses the term. By using the term CAATTS, one is clearly incoprorating both "Tools" AND "Techniques."
When spoken, CAATTS and CAATS are used interchangeably. Most people do not realize that there is a subtle difference between the two.
 
==='''CAATTS and Other BEASTS for Auditors''' by [[David Coderre]]===
CAATTS stands for "Computer Aided Audit Tools and Techniques" or "Computer Assisted Audit Tools and Techniques."
 
'''CAATTS and Other BEASTS for Auditors''' by [[David Coderre]] is the seminal work on CAATTS. David Coderre argues that the term CAATTS is much more appropriate because there is no purpose in having techniques if you don't have the tools, or the tools without the techniques. Coderre attempts to differentiate the use of CAATTS for any computer program used to improve the audit with the acronym "BEASTS." BEASTS stands for, "Beneficial Electronic Audit Support Tools." While CAATTS has become a household term in audit units, BEASTS remains realatively unused. BEASTS includes electronic work papers, Microsoft suite of products, and non-analytical programs/applications.
CAATS can stand for either "Computer Aided Audit Tools" or "Computer Aided Audit Techniques." Again, some will use the word "Assisted" rather than "Aided."
 
==Web sites of selected audit software vendors==
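
Review bot: In the "Analytical Tests" text, "[Benford's Law] tests" uses single brackets with no URL, so it renders as literal bracketed text, while the numbered-list version of the same sentence carries a working NIST link; use [[Benford's Law]] or keep the external link. The heading "==='''CAATTS and Other BEASTS for Auditors''' by [[David Coderre]]===" puts bold markup and a link inside a heading, and "is the seminal work on CAATTS" needs a source or neutral wording. "The Institute of Internal Auditors recently published a GTAG" will date quickly; name the document instead of saying "recently". Typos: "acronymn" (twice), "incoprorating", "realatively".
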
Line 113 ⟶ 91:
*'''Audit Tools''' [http://www.theiia.org/itaudit/index.cfm?fuseaction=print&fid=320 Use of Computer-Assisted Audit Tools and Techniques (CAATTs), Part 1]
*'''Audit Tools''' [http://www.theiia.org/itaudit/index.cfm?fuseaction=print&fid=320 Use of Computer-Assisted Audit Tools and Techniques (CAATTs), Part 2]
*[http://www.theiia.org/index.cfm?doc_id=5365 The IIA's GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment]
 
==See also==
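
Review bot: The "Part 1" and "Part 2" entries for "Use of Computer-Assisted Audit Tools and Techniques (CAATTs)" both point at the same URL (fid=320), so at least one of them is wrong. Confirm the correct fid for Part 2 before keeping both lines. The GTAG 3 entry also lacks the bold '''Audit Tools''' label the two entries above it use; make the list style consistent one way or the other.
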
Line 118 ⟶ 97:
 
[[Category:Information technology audit]]
'''Bold text'''
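
Review bot: The trailing "'''Bold text'''" after "[[Category:Information technology audit]]" is the edit toolbar's placeholder string, not article content. Remove it so the page ends at the category line.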