
Financial Institution Auditing Techniques and Compliance Laws - Coursework Example


Financial Auditing Techniques and Compliance Laws

Introduction

Financial institutions are required by law to comply with several regulations which ensure the protection of their clients’ private information and the ability to detect any risk of identity theft or fraud. As such, auditing detects errors of both accidental and intentional nature, such as fraud, incorrect input, missing figures, duplication or inconsistency. Auditing companies are complying with the laws and with changing technology in financial institutions, such as online banking, by applying Computer Assisted Audit Techniques (CAATs) like Audit Command Language (ACL), Interactive Data Extraction and Analysis (IDEA) and Excel spreadsheets. Financial institutions are required to comply with the following laws.

2. Compliance Laws

2.1 Gramm-Leach-Bliley Act (GLBA) (Weiss & Solomon, 2011)

The Gramm-Leach-Bliley Act was introduced in 1999 to protect the financial privacy of consumers of financial institutions while at the same time introducing reforms in the financial services industry. The Act covers financial institutions, which are required to protect the privacy of their clients’ financial affairs. All businesses were expected to be compliant no later than July 1, 2001. The Act gave the Federal Trade Commission (FTC) and other selected government agencies responsibility for implementing the regulations of the Act's financial privacy provisions (GLB Act). Compliance with the privacy requirements of the Gramm-Leach-Bliley Act is imposed on financial institutions involved in activities of a financial nature such as lending, investing, brokering or servicing loans, career counseling, and stock exchange dealing, among others in the same line of service.

Financial institutions are required to uphold consumer financial privacy, and persons who come across "nonpublic personal information" from a financial institution to which they are not entitled are restricted from using it without prior authorization from the consumer. The Gramm-Leach-Bliley Act protects the consumer from publication of their “nonpublic personal information”. This is the information which the financial institution requires from an individual when issuing them with a financial product or service. The privacy provisions do not cover information which is publicly accessible. At the time of establishing the consumer-financial institution relationship, the latter should provide the consumer with a written privacy notice which is "clear and conspicuous". The notice lays down the limits within which the information will be used. The Act also forbids financial institutions from giving out their customers’ account numbers, which also applies to marketing transactions. Auditors of financial institutions are bound by the Gramm-Leach-Bliley Act to respect the privacy of consumers’ accounts and private information.

2.2 Red Flags Rules

Red Flags Rules are regulatory requirements imposed on financial institutions and creditors with the aim of preventing and detecting identity theft. The rules, which belong to the Fair and Accurate Credit Transactions (FACT) Act of 2003, are enforced by the Federal Trade Commission (FTC), the National Credit Union Administration (NCUA) and the federal bank regulatory agencies. Compliance with the Red Flags Rules applies to financial institutions and to those creditors with "covered accounts" who collect information from their clients at the time of establishing the relationship with the client.

The covered persons are required to assign the task of Red Flags compliance to a competent, skilled person who is responsible for maintaining a program for identifying identity theft and for monitoring the associated controls, which will enable them to detect early warning signs of the risk of identity theft. The identity theft program should contain a response plan, address employee awareness training, oversee service providers, and be approved by the Board of Directors, a senior employee or the owner of the company.

For years, many financial institutions and creditors did not prioritize the protection of their clients’ information, despite increasing numbers of creditors dealing with problems of identity theft. They felt no regulatory obligation to protect clients’ personal information, as the cost of identity theft fraud was left for the creditors and financial institutions. The Red Flags Rules were made to prevent financial institutions and creditors from absorbing all the consequences of identity theft and the other costs that resulted from lawsuits. Covered financial institutions and creditors will face scrutiny for not complying with the Red Flags Rules on protecting the personal and private information of their customers.

2.3 Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act was passed in 2002 with the main agenda of restoring investors’ confidence following a period of extreme bankruptcies and collapses of internal controls at major financial institutions, which led to heavy scrutiny of independent auditors, chief executives and audit committees. Major corporate scandals which fueled the enactment of this law include those involving Enron, Peregrine Systems, WorldCom, Adelphia, and Tyco International. These scandals resulted in losses of billions of dollars for investors, caused by the collapse of the companies when their share prices fell very low. This was a huge blow to public confidence in the securities markets.

This Act covers all public companies which are registered under the jurisdiction of the Securities and Exchange Commission. The Act required that the Public Company Accounting Oversight Board (PCAOB) be formed and detailed some requirements, including certification of management's quarterly results and assertion of the effectiveness of the internal controls used for financial reporting. Compliance with the Sarbanes-Oxley Act determines both the duration for which and the method by which financial companies are mandated to store their financial records. This law guards the company against the risk of accounting errors and financial fraud. To protect their financial safety, financial and accounting companies are required to preserve their records, including business emails, instant messages, transactions, and any other relevant data files, for a period of not less than seven years. This makes it easier for an audit to detect any threat of theft or fraud.

2.4 Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is administered by the Payment Card Industry Security Standards Council. The standard covers merchants who deal with credit cards and transmit data from clients’ credit cards. The standard's primary agenda is to reduce payment card fraud, especially for online transactions. This will in turn improve credit card data security. Enforcement of the standard is the mandate of the acquiring bank, which requires every organization to possess a merchant account. Compliance with the standard enhances the protection of both merchants and their clients, thereby maintaining a safe transaction environment.

The Payment Card Industry Data Security Standard (PCI DSS) is widely recognized as a set of policies and procedures meant to improve the security of credit, debit and cash card transactions while safeguarding cardholders from encroachment on personal information which can lead to fraud. The standard was created by a combined effort of Visa, MasterCard, Discover and American Express. At its inception, PCI DSS was guided by six primary objectives. The first was maintaining a secure network for conducting financial and accounting transactions by using protective measures such as firewalls. The second objective was to protect cardholders’ information, with crucial details like dates of birth, Social Security numbers, phone numbers, residential addresses and mailing addresses being kept safe and away from any threat of hacking by using digital encryption. The system was meant to safeguard the information against hacking activities through regular updates of anti-virus software or anti-spyware programs. The system would also restrict and control access to, and operations on, the system's information. Also, constant monitoring and testing of the system should be done to ensure that the security measures are sound and strong. Lastly, a security policy must be drafted, maintained and followed, with penalties imposed on those who are non-compliant.

3. Tools and Techniques

The tools and techniques used in auditing financial institutions include the following.

3.1 Computer Assisted Audit Techniques (CAATs) and Generalized Audit Software (GAS) (Braun, R. & Davis, H., 2003)

CAATs are applied in auditing procedures and use the computer as an audit tool (Braun and Davis 2003). CAATs tools vary from simple word processing to specialized expert systems. Generalized Audit Software (GAS) is a class of CAATs which is used extensively in auditing firms.

GAS packages contain computer programs with general modules capable of reading available computer files and manipulating the sophisticated data stored in those files for the purpose of auditing the records. GAS has an efficient and manageable interface which captures the auditor's audit requirements and converts them into program code by closely examining the client's database. These packages do not require highly sophisticated programming techniques; as such, they are very simple and cost effective, require less specialized information systems knowledge, and can easily be adapted to different users and accounting environments. GAS is used effectively to audit financial institutions like banks, which perform large-scale financial transactions on a daily basis, and especially online banking transactions, which require the customer to complete the whole process without the mediation of the bank's employees.

Many financial institutions make extensive use of information technology in their services, which results in increased volumes of transactions within a short time. This creates urgency in the processing of information, which requires almost complete dependence on the records and reports maintained by the IT systems. These present the most accessible and up-to-date information on the financial position of the company with regard to assets and liabilities (IAASB 2003a). Due to the electronic nature of the audit trail, auditors need to understand information technology and its application in order to identify, and protect against, potential threats to a bank. Application of GAS enables auditors to focus on the internal control systems of the bank and examine them for the accuracy and completeness of the banking operations (Coderre 1996, 1998). The latest versions of GAS are Audit Command Language (ACL) and Interactive Data Extraction and Analysis (IDEA).

3.2 Audit Command Language (ACL) (ACL, 2011)

Audit Command Language (ACL) is a version of GAS which supports insightful auditing through the application of information technology. It provides a comprehensive and practical view for the purpose of accomplishing effective risk management and assurance of the business's financial records. ACL presents a continuum model with five levels of analysis that internal audit can use to expand its application of data analytics. The five levels are Basic, Applied, Managed, Automated and Monitoring, and each successive level increases the benefits derived from using ACL in auditing. Organizations use the five levels of data analysis depending on their level of complexity. The more sophisticated the analysis capabilities, the more strategic value the company will derive from the audit. The analytic process extends as internal audit advances, establishing process control that follows an automated and continuous model. Every step in the auditing continuum requires the input of auditors in data analysis in order to oversee the process and recognize the points of past control failures. This essentially provides reflections on the risk management, compliance and governance of companies. ACL enables an auditing process and data analysis which are timely in the assessment of risks and controls in a company, and which would otherwise be very time-consuming and ineffective when done manually. It tests not only for past errors but also for the occurrence of risks, fraud, error and abuse of data. The five levels range from the simple ‘basic’ level to ‘monitoring’, which is the most complex level. Although many organizations wish to advance to the monitoring level because of its associated benefits, this requires building through all of the levels, which provide the background building blocks.

3.3 Interactive Data Extraction and Analysis (IDEA) (Janvrin, D., et al., 2008)

This is another version of GAS which is used extensively by financial institutions and other companies for the analysis, manipulation and interrogation of large-scale data in any type of business. The application of IDEA in the auditing of any business is influenced by certain factors which gauge its appropriateness against other technologies. These are the objectives of the auditing procedure, the volume of data, and the depth of information, which influences the ease of downloading it. IDEA is a very effective technique for achieving auditing objectives which require completeness and valuation of information. It enables the auditor to conduct a comprehensive audit within the shortest time. It is also used to detect errors and to determine the degree to which certain items in the records meet the set criteria of the company, thereby improving efficiency in the company's reporting. IDEA is also effective when checking the company's controls for compliance testing.

The main purpose of using IDEA in auditing is to improve the proficiency of the auditor in both efficiency and effectiveness. Effectiveness in auditing is demonstrated by auditing the right things, while efficiency is shown by auditors who audit the company records the right way. IDEA therefore enables the auditor to audit the right records the right way. To achieve effectiveness, the auditor has to conduct a brainstorming meeting which determines the material records, accounts and transaction cycles that need to be audited, while leaving the insignificant and immaterial records unaudited. This will improve efficiency and time management. With the right records, IDEA is very fast and can expand its operations without any effort, which improves its efficiency.

3.4 Excel (Lanza, R., 2006)

Excel is a tool used by auditors for numeric procedures.

The most common process in Excel is the stratification of numeric amounts such as transactions and account balances. Excel enables auditors to determine a sampling plan which helps them identify unusual imbalances in the records, such as amounts that do not tally in the books of record. It also provides insight into how the audit records are structured. An audit test can be performed by stratifying numerical data in the Excel spreadsheet. Excel spreadsheets require data to be imported from other sources such as books of accounts, journals and transactions. After that, the auditor uses the specialized features available in Excel to check for errors, fraud or imbalances in the accounts. This can be done by sorting data to identify any missing records or duplicated data, extracting important and crucial information such as notable overspending, and calculating the numeric values in their fields and using the data to sample the results.

Use of Excel for auditing involves exception testing, statistical sampling and testing for duplicates. Exception testing is used to recognize strange occurrences, such as a lack of correlation between pieces of information like expenses and grade of output. Excel thus enables the auditor to identify such discrepancies. Statistical sampling is used to test the validity of information by using complex methods like monetary unit sampling, which are not easy with other techniques. Lastly, Excel is very effective for testing duplication of information, especially where payments are involved.

4. Conclusion

The auditing tools presented in this research check for errors in company records with the aim of providing financial institutions with helpful insights into the validity of their records and their adherence to the true and fair position of the company.

By complying with the laws regulating the usage and exposure of their clients’ personal information, and by using technology to audit their records, financial institutions will not only reduce instances of fraud but also reduce the costs associated with the losses, lawsuits and bad image linked to financial scandals.

5. References

ACL. (2011). The ACL audit analytic capability model. Retrieved from www.adfor.eu/beta2/download/get/lang/it/id/27

Braun, R. & Davis, H. (2003). Computer-assisted audit tools and techniques: Analysis and perspectives. Managerial Auditing Journal 18(9).

Janvrin, D., Lowe, D., & Bierstaker, J. (2008). Auditor acceptance of computer-assisted audit techniques. Retrieved from http://www.mtc.gov/uploadedFiles/Multistate_Tax_Commission/Audit_Program/Resource/AuditorAcceptance.pdf

Lanza, R. (2006). Using excel as an audit software. Retrieved from http://www.auditsoftware.net/documents/excel-audit-software.pdf

MAP. (2008). Use of data extraction & analysis software in a financial statement audit. Retrieved from https://www.audimation.com/pdfs/bill-allen-data-extraction-article.pdf

Shein, M. & Lanza, R. (2004). Top audit tests using active data for excel. Retrieved from http://www.auditsoftware.net/documents/auditebooksample.pdf

Weiss, M. & Solomon, M. (2011). Auditing IT infrastructures for compliance (1st ed). Sudbury, MA: Jones & Bartlett Learning.