Computer Assisted Audit Techniques - Essay Example

Executive Summary; Computer Assisted Audit Techniques help in the automation of auditing techniques, due to this automation, audit procedures that are followed during the course of audit become easy. More and greater reliance is placed up on the conclusion. This paper discusses the procedures that are followed in carrying out such techniques. The paper gives a wide concept of the application of Computer Assisted Audit techniques, the businesses in which such technique is preferred over traditional audit techniques. CAAT is by far an innovation in the field of auditing; it has led to cover up the gaps of traditional auditing techniques. The aim of this project is to give a better understanding of Computer Assisted Audit Techniques; this is further supported by practical illustrations and examples of CAATs. To start any audit, an understanding and knowledge of the business should be gained during the planning stage. This knowledge of the business helps in analyzing the internal control systems, and then it is decided whether to rely on the internal control system or not. It is later decided upon the nature of the client and its system to use Computer Assisted Audit Techniques. CAATs can be used for both testing of internal control as well as substantive procedures. The advantages of CAATs clearly outweigh its disadvantages and this technique clearly has an upper hand when it comes to process large amount of data Contents Contents 2 Introduction 3 Gathering sufficient Appropriate Evidence 4 Importance of Knowledge of the Business 5 Application of CAATs in the Audit Process 6 Risks of CAATs 8 Benefits of CAATs 9 Planning for the use of CAATs 10 Becoming an IT audit specialist 12 Recommendations and Conclusion 13 References 16 Introduction Auditing is the process by which something is examined with a view to form an opinion. This allows users of that opinion to gain assurance that the opinion, process or the information can be trusted. The purpose of assurance services is to increase the confidence and reduce the risk of the user of those services. The main purpose of auditing is to ensure that financial statements are free from material misstatement or error. An auditor carries out two types of assurance engagement with one being the reasonable assurance engagement and the other being the limited assurance engagement. When giving out a reasonable assurance engagement, the auditor gathers sufficient appropriate evidence to support his conclusion and to make a stronger conclusion. On the contrary, a limited assurance engagement gives out a negative assurance report and the evidence gathered in such assurance engagement is only related to the specific subject matter that is being audited rather than the entire financial statement. Such assurances help the users of the financial statements to decide upon their investment in any particular company or venture. The use of computers in business information systems has fundamental effects on the nature of business transacted, procedures followed, risks occurring and measures to reduce the impact of risks. Manual processing and computer based processing of transactions are well differentiated from each other and they have their own benefits. With the use of computer processing, many clerical errors are eliminated but there are other issues when it comes to auditing such as an audit trail might only exist for a short time period or it may be available in computer readable form. The nature of the trail is dependent on the transaction processing mode. “The auditor should obtain sufficient appropriate audit evidence to draw reasonable conclusions on which to base the audit opinion” (ISA 500).To support an audit opinion, an auditor would need to have valid evidence. For each item in the financial statements, management makes different assertions e.g. that the plant and machinery belongs to the company, creditors are to be paid an amount of money and these creditors are not fictitious, etc. All these assertions made by the management of a client company are to be validated by the auditor and to for this, the auditor requires evidence. Different information system would require different ways to gather evidence. Different procedures are followed to acquire audit evidence such as inquiry, observation, inspection, confirmation, re-calculation/re-performance, monitoring, etc. These can be applied manually or with the use of computer assisted audit techniques. Computer assisted audit techniques are a way of automating the procedure involved in auditing. CAATs aim to assist auditors in reducing their manual work; huge data can be analyzed quickly and efficiently with the use of Computer Assisted Audit Techniques. CAATs have on the other hand have become a necessity for auditors to adopt, as the data involved on larger companies is very huge and it may be analyzed quickly and efficiently to give out a timely conclusion. This paper gives out a better understanding of Computer Assisted Audit Techniques and the circumstances in which an auditor is most likely to adopt or to avoid such technique. This paper gives out the benefits and the flaws of CAATs with respect to the auditors and the users of the financial statements. Gathering sufficient Appropriate Evidence Auditor need some evidence to base their decision upon, hence they should gather sufficient appropriate evidence to support their decision. An auditor can gather evidence during the course of the audit by looking at the transactions of its clients. The thing that is of essence is the time period, the IT auditor should consider the time during which the information is available to determine the nature, time and extent of substantive procedures e.g. if the transactions are processed using automated methods such EPDs, there are chances that the transaction may not be retrievable after a specific period of time, hence in these situations, it becomes difficult to gather appropriate evidence. The auditor should obtain such evidence which should be consistent with the objective of the audit. Where the auditor has gathered oral representation as evidence, it would be better to get them in documentary or material form such as third party confirmations. Importance of Knowledge of the Business An auditor should follow the Generally Accepted Auditing Standards before taking up any audit, issues such as auditor independence, Objectivity, Competence are considered before any audit assignment is initiated. At the planning stage of any audit, an auditor should analyze the business which is to be audited. Knowledge of the business comprises the nature of the client’s activities, the environment in which the client operates/ the industry, its management, control systems and the people whom it interacts with during the course of business. The auditor needs to understand the operating environment in which the client operates; the operating environment consists of the industry, competition, technology, laws and regulation, stakeholders and other related parties of the client. Many clients operate in different industry, though many operating in the same industry may have same characteristics e.g. manufacturing sector audit would require the auditor to focus on issues such as absorption rates, standard or product costing, variance analysis, etc. Knowledge of a client’s business can be obtained from numerous sources such as past experience with the same client, discussion with the client ad external sources such as trade press or industry surveys. Internal controls of the client is the other issue that the client should work upon; the more reliable the internal controls, the more accurate the output, leading to better conclusion. Audit risk is reduced if the clients internal control system is more reliable. An internal control system is made up of essential parts; Control Environment; is the philosophy of the management and its operating style, the ethical values of the staff and the management and its commitment towards it. A poor control environment can lead control procedures to be ineffective. Control procedures; are a set of procedures that can be seen everywhere e.g. Passport application needed to be counter signed, locking the door of the house when leaving, etc. While conducting an audit, the auditor should identify the control procedures to avoid any material misstatement. Control procedures relating to information processing are general and application controls. General controls are related to computer activities while application controls relate to precise tasks performed by applications. Testing of controls may be manual as well as automated, technique used to test automated controls differ from that of testing manual controls. To test automated control, three types of CAATs are used, Auditing with the computer Auditing around the computer Auditing through the computer Application of CAATs in the Audit Process With the vast use of IT techniques in a company, it is sometime useful to use such CAATs to test controls. CAATs can be used during each and every stage of the auditing process i.e. from planning to reporting stage. CAATs are systems based, transaction based or they provide automated methods for analyzing data and information. CAATs are carried out with the use of specific software; they are specially designed for audit purposes and are used to process the client’s data to ensure the accuracy of the figures. These techniques are used to detect any fraud or misappropriations within the client’s financial statements. Commonly used CAATs are: Generalized audit software; performs automated tasks, useful for both testing the controls as well as substantive procedures. Application software tracing and mapping; traces and follows the audit trail of information given by the computer system as it processes transactions. Expert System software; automates the knowledge of any particular profession into a software so that it can help an auditor in making rational decisions e.g. software giving legal advices. Audit software can pinpoint any particular activity that may lead to some fraudulent act. With audit software, huge amount of data can be analyzed to identify and discrepancy or any particular trend or pattern if compared with prior year data. Interactive Data Extraction and Analysis (IDEA) is a registered software that assists in many audit activities. It can perform many different functions such as: Duplicate identification; any duplication is identified within the data and hence it is eliminated. Aging; the aging of accounts receivable is tested to identify any particular bad debts. Sampling; samples of data are prepared and analyzed. Calculation; the total for any particular field is quickly accurately calculated. These procedures will be followed if the wages are to be audited with the use of CAATs; A random sample of employee is selected from the payroll and is traces back to their respective employment contracts to ensure existence. Reporting all employees earning more than $2500 per week Starters and leavers forms are seen and compared to the wages master file to ensure that valid employees are added or deleted from the payroll. The total of gross wages less deductions would hence equal net wages. An example can be used for compliance testing; XYZ auditors were detecting fraud in the contracting section of their client. Benford’s law technique was used to look at the two starting digits of any contracts, the auditors found that many of the digits were in 99, later the evidence proved that £100,000 was the limit of one manager who could solely sign and contract anybody, this way managers manipulated the limit by creating fictitious contracts below the limit. At £100,000 or above the contract to get approved, would have to be signed by another manager hence this created segregation of duty but the limit used was quite high besides the duty to create contracts should not have been handed over to one manager only. Risks of CAATs Certain precautions are looked upon before using any software for CAAT. Before carrying out CAAT, the auditor would make sure that the client’s files must not be corrupted or damaged, if this is the scenario, it may lead to a wrong conclusions even though the procedures adopted in CAATs would be perfect. The files to be used for testing in CAATs should be complete and accurate and the computer audit programs must be modified to align with any developments in the client’s application. The capability and the computer literacy of the audit team is analyzed before any Computer Assisted Audit Technique is implemented. CAATs usually take a long time to set up, hence time is always given the priority by including CAAT in planning of current year audit for its use in the next year assurance assignment. The auditor shall gain an understanding of the internal control relevant to the audit. Procedures involved in both the manual and the IT systems are understood by the auditor. An auditor often uses Internal Control Evaluation Questionnaires (ICEQ) to evaluate any weaknesses in the internal control system. The question remains the same but the auditor considers both manual and automated controls e.g. ICEQ – Can liabilities be incurred and not recorded? Manual Control – the auditor matches Goods Received Notes with appropriate purchase invoices Application Control/ CAAT – programmed sequence check on purchase invoices. Benefits of CAATs Generally Accepted Auditing Standards (GAAS) require that an auditor should work with integrity, be objective and in a clear state of mind during the course of audit. Besides the GAAS, many other bodies such as the IFAC have given some of their fundamental principles. These fundamental principles include Integrity, Objectivity, Professional Competence and due care, confidentiality and professional behavior. An auditor should follow these fundamental principles of ethical behavior during the course of the audit to increase investor’s confidence. CAAT enables an auditor to test a large amount of data more efficiently and effectively. This reduces the sampling risk that usually arises in manual audit techniques. Sampling risk is the risk that the auditor’s conclusion, based on a sample, may be wrong if the entire population of transaction were subjected to the same audit procedure. With the use of CAATs, almost every transaction is tested and it reduces the sampling risk. Besides the sampling risk, detection risk may also be lowered as the auditor may test a larger amount of transaction when using CAAT over manual audit techniques. “Detection risk is the risk that the auditor will not detect a misstatement that exists in an assertion that could be material. Detection risk is a function of the effectiveness of an audit procedure and of its application by the auditor. Detection risk cannot be reduced to zero because the auditor usually does not examine all of a class of transactions, account balances, or disclosure and because of other factors” (ISA 200). Firms considering to employ IT specialist would have to perform cost/benefit analysis before they hire any particular IT specialist for performing CAAT. Although it is very much a part of the Generally Accepted Audit Standards (GAAS) to have staff with appropriate technical knowledge and expertise before they are to take up any CAATS assignment. It would be at the disposal of the audit firm to decide upon hiring new IT specialist with appropriate expertise or training existing staff, all this would be decided after an appropriate cost/benefit analysis. Planning for the use of CAATs Computer Assisted Audit Techniques are divided into three main categories: Audit Software – computer programs used to interview the client’s computer files, this is used mainly for substantive procedures. Audit software can help an auditor to check larger volume of data. It includes logic programs that perform tasks as needed by the auditor; these tasks include sampling, reporting exceptional items and summarizing data. It is up to the auditor to decide upon the activities which he may want the audit software to perform. A practical example would be of the audit of wages: A random sample of employee is selected from the payroll and is traces back to their respective employment contracts to ensure existence. Reporting all employees earning more than $2500 per week Starters and leavers forms are seen and compared to the wages master file to ensure that valid employees are added or deleted from the payroll. The total of gross wages less deductions would hence equal net wages. Test Data – this is usually used while testing the controls in the client’s system. Test data is data generated by the auditor to be processed using the client’s computer system. Test data uses transaction of valid as well as invalid nature. If the invalid data is accepted, it goes out to show that the client’s internal control system is not working properly. Test data may be processed during routine production run i.e. ‘live test data” or it may processed in time outside the normal production cycle (Dead test data). Example of test data with respect to sales would be: Place in an order on the client’s system that should cause a customer to exceed his credit limit, if the controls would be working properly the order would not be accepted. Placing in a negative number of items on an order. This should be rejected if the controls would be working properly. Incomplete customer details may lead the system to reject the transaction until and unless all details are submitted. Other Techniques – there are two main technique besides the one mentioned above Integrated Test Facility; is used when test data is run live, dummy figures are added in the client’s control system to evaluate its effectiveness. Embedded audit facilities; are used by the auditor to gather and store information at the time of processing for future review and examination. Further on, any unusual transactions are spotted and recorded for subsequent attention. Any team of auditor applying CAATs on any client’s system should have the necessary experience and skills to carry out such techniques, without this knowledge, the auditor would have no idea about the application of CAATs and their exact usage while testing the controls of the clients. Techniques such as CAATs help the auditor in storing and analyzing data. This helps in reviewing the efficiency and effectiveness of the internal control system, besides testing the controls, some of these techniques also help in substantive procedures. For subsequent analysis or recurring audits in the future, the client and the auditor may keep the data intact by storing them in appropriate condition as it may suit them. ISA 230 states that audit documentation should be retained for five years from completion of the audit. This, consequently forces the audit firm to make arrangements for securing storage of recent files, recording older files and keeping back-up of IT based files. Becoming an IT audit specialist IT audit has recently been given a thrust and is considered as an integral part in maintaining discipline across the organization. The main function of the IT auditor is to examine the adequacy of the controls within the information system to ensure system effectiveness. Many companies have made it a compulsion to have an IT specialist in their audit team so that he may report on the integrity and the reliability of computerized data used with the IT systems of the company. IT audit is the process of gathering and evaluating evidence to proof that the computer system is designed to maintain data integrity, safeguarding of assets, effective use of the resources, etc. The perceived importance of an IT specialist in an audit firm will vary with the size of the firm, the larger the audit firm, the higher would be the importance of the IT audit specialist and vice versa. This is because smaller firms would not be using extensive computer related audit techniques as compared to the larger audit firms. IT Audit plays an essential part in maintaining discipline and severity throughout the organization’s functions and divisions. There are many different designations for an IT or an IS auditor but CISA (Certified Information Systems Auditor) and CIA (Chartered Internal Auditor) are the most commonly known certifications and designations of an IT audit specialist. Recommendations and Conclusion To give out a proper conclusion, an auditor should have an understanding of the business, its control environment, control activities, the clients systems in order to assess their reliability for the preparation of financial statements and designing appropriate audit procedures. Once the scope of audit is determined, the auditor looks upon the technology environment of itself and the client, clients that lack IT innovations and are way behind in technology would require extra effort and hence extra cost from the auditor, besides this, sometimes the auditor may be lacking appropriate technological developments when auditing more sophisticated companies which have more complex IT systems, if the audit firm faces such issue, it must either hire necessary skills and technological advancements before commencing on with any such audit or they must not take up such auditing assignments. The key objective of an audit does not change in a computer environment, the auditor still has to obtain and understanding of business to ascertain the control risk and plan the audit work accordingly to reduce detection risk. The level of audit testing would depend upon the reliability and the effectiveness of internal control system of the client. If the controls are programmed controls, the auditor would have to audit through the computer and use CAATs to ensure the effectiveness of the internal controls. References Information Technology Audit “General Principles” IT Audit Monograph Series # 1 http://www.intosaiitaudit.org/India_GeneralPrinciples.pdf International Federation of Accountants. Handbook of International Standards on Auditing and Quality Control. New York, N.Y.: International Federation of Accountants, 2009. Read More