Internal Audit

David Coderre has over twenty years of experience in internal audit, management consulting, policy development, management information systems, system development, and application implementation areas. He is currently President of CAATS (Computer-Assisted Analysis Techniques and Solutions). He is the author of three highly regarded books on using data analysis for audit and fraud detection.

• Case Studies xvPreface xviiAcknowledgments xxiCHAPTER 1 CAATTs History 1The New Audit Environment 2The Age of Information Technology 3Decentralization of Technology 3Absence of the Paper Trail 4Do More with Less 4Definition of CAATTs 5Evolution of CAATTs 6Audit Software Developments 7Historical CAATTs 8Test Decks 8Integrated Test Facility (ITF) 9System Control Audit Review File (SCARF) 9Sample Audit Review File (SARF) 9Sampling 10Parallel Simulation 10Reasonableness Tests and Exception Reporting 11Traditional Approaches to Computer-Based Auditing 12Systems-Based Approach 12Data-Based Approach 15Audit Management and Administrative Support 19Roadblocks to CAATT Implementation 20Summary and Conclusions 24CHAPTER 2 Audit Technology 27Audit Technology Continuum 27Introductory Use of Technology 27Moderate Use of Technology 28Integral Use of Technology 29Advanced Use of Technology 30Getting There 31General Software Useful for Auditors 32Word Processing 32Text Search and Retrieval 34Reference Libraries 35Spreadsheets 35Presentation Software 37Flowcharting 38Antivirus and Firewall Software 39Software Licensing Checkers 39Specialized Audit Software Applications 40Data Access, Analysis, Testing, and Reporting 40Standardized Extractions and Reports 44Information Downloaded from Mainframe Applications and/or Client Systems 45Electronic Questionnaires and Audit Programs 48Control Self-Assessment 49Parallel Simulation 50Electronic Working Papers 51Data Warehouse 52Data Mining 54Software for Audit Management and Administration 56Audit Universe 56Audit Department Management Software 57E-mail 57File Transfer Protocol (FTP) 57Intranet 59Databases 60Groupware 61Electronic Document Management 61Electronic Audit Reports and Methodologies 62Audit Scheduling, Time Reporting, and Billing 63Project Management 64Extensible Business Reporting Language (XBRL) 64Expert Systems 67Audit Early-Warning Systems 68Continuous Auditing 69Continuous Auditing versus ContinuousMonitoring 72Example of Continuous Auditing: Application to an Accounts Payable Department 74Stages of Continuous Auditing 77Continuous Auditing Template 79Sarbanes-Oxley 80Important SOX Sections 81The Role and Responsibility of Internal Audit 83Risk Factors 84Detecting Fraud 85Determining the Exposure to Fraud 86SOX Software 88Assessment of IT Controls and Risks 90Defining the Scope 92GAIT Principles 93Governance, Risk Management, and Compliance (GRC) 94Internal Audit’s Role in the GRC Process 97Identifying and Assessing Management’s Risk Management Process 99Assessment of Internal Control Processes 100GRC Software 101Summary and Conclusions 102CHAPTER 3 CAATTs Benefits and Opportunities 103The Inevitability of Using CAATTs 103The New IM Environment 105The New Audit Paradigm 105Expected Benefits 108Planning Phase—Benefits 109Conduct Phase—Benefits 112Data Analysis 112Increased Coverage 112Better Use of Auditor Resources 115Improved Results 116Reporting Phase—Benefits 116Administration of the Audit Function—Benefits 117Reduced Costs 119Increased Performance 120Increased Time for Critical Thinking 122Recognizing Opportunities 124Transfer of Audit Technology 126Summary and Conclusions 127CHAPTER 4 CAATTs for Broader-Scoped Audits 129Integrated Use of CAATTs 129Value-for-Money Auditing 134Value-Added Auditing of Inventory Systems 134Data Analysis in Support of Value-Added Inventory Auditing 135Inventory Management Practices and Approaches 136Possible Areas for Audit-Suggested Improvements 138Audit and Reengineering 144Audit and Benchmarking 148Summary and Conclusions 152CHAPTER 5 Data Access and Testing 153Data Access Conditions 153Mainframe versus Minicomputer versus Microcomputer 154Portability of Programs and Data 154Limitations to Using the Microcomputer 155Processing Speeds 155Single Tasking 156Inability to Deal with Complex Data and File Structures 156Client Facilities 157Auditor’s Microcomputer-Based Facilities 158Data Extraction and Analysis Issues 159Accessing the Data 160Data Storage Requirements 161Analysis of Data 162Risks of Relying on Data—Reliability Risk 163Reliance on the Data 164Knowledge of the System 165Assessment of the Internal Controls 166New Topology of Data Tests 167Reducing Auditor-Induced Data Corruption 168Potential Problems with the Use of CAATTs 169Incorrect Identification of Audit Population 169Improper Description of Data Requirements 171Invalid Analyses 172Failure to Recognize CAATT Opportunities 173Summary and Conclusions 174CHAPTER 6 Developing CAATT Capabilities 177Professional Proficiency: Knowledge, Skills, and Disciplines 177Computer Literacy: Minimal Auditor Skills 178Ability to Use CAATTs 180Understanding of the Data 181Analytical Support and Advice 182Communication of Results 184Steps in Developing CAATT Capabilities 184Understand the Organizational Environment/Assess the Organizational Culture 184Obtain Management Commitment 185Establish Deliverables 186Set Up a Trial 186Plan for Success 186Track Costs and Benefits 187Lessons Learned 187Organize Working Groups 188Computer Literacy Working Group 189CAATT Working Groups 190Information Systems Support to Audit 191Assure Quality 195Quality Assurance Methodology 196Preventive Controls for CAATTs 197Detective Controls for CAATTs 198Corrective Controls for CAATTs 199Quality Assurance Reviews and Reports 200Summary and Conclusions 200CHAPTER 7 Challenges for Audit 203Survival of Audit 203Audit as a Learning Organization 204Knowledge Acquisition 204Information Dissemination 205Information Interpretation 205Organizational Memory 205New Paradigm for Audit 206Computer-Assisted Audit Techniques 206Computer-Aided Audit Thought Support 207Auditor Empowerment 208Access to Microcomputers and Computer Networks 209Access to Audit Software—Meta-Languages 209Universal Access to Data 210Access to Education, Training, and Research 210Skills Inventory 212Needed versus Actual Skills 212Required versus Actual Performance 215Auditor Skills for Using CAATTs 216IS Auditor Skills 216Training Programs and Requirements 217Conceptual Training 217Technical Training 218Training Options 218In-house 218Professional Associations 218Educational Institutions 219Computer-Based, Video-Based, and Web-Based Training 219Summary and Conclusions 220Appendices 223APPENDIX A The Internet—An Audit Tool 225The Internet 225Connecting to the Internet 225General Internet Uses 226Useful Sites for Auditors 229Examples of Audit-Related Internet Usage 230APPENDIX B Information Support Analysis and Monitoring (ISAM) Section 231APPENDIX C Information Management Concepts 235APPENDIX D Audit Software Evaluation Criteria 241General Capabilities 241Reporting Capabilities 241Graphics Capabilities 242Mathematical Functions 242File Manipulation Capabilities 242Record Definition Capabilities 242File Type Capabilities 242Programming Capabilities 242Support 243Other Capabilities 243References 245Index 249