Details

<p>Case Studies xv</p> <p>Preface xvii</p> <p>Acknowledgments xxi</p> <p><b>CHAPTER 1 CAATTs History 1</b></p> <p>The New Audit Environment 2</p> <p>The Age of Information Technology 3</p> <p>Decentralization of Technology 3</p> <p>Absence of the Paper Trail 4</p> <p>Do More with Less 4</p> <p>Definition of CAATTs 5</p> <p>Evolution of CAATTs 6</p> <p>Audit Software Developments 7</p> <p>Historical CAATTs 8</p> <p>Test Decks 8</p> <p>Integrated Test Facility (ITF) 9</p> <p>System Control Audit Review File (SCARF) 9</p> <p>Sample Audit Review File (SARF) 9</p> <p>Sampling 10</p> <p>Parallel Simulation 10</p> <p>Reasonableness Tests and Exception Reporting 11</p> <p>Traditional Approaches to Computer-Based Auditing 12</p> <p>Systems-Based Approach 12</p> <p>Data-Based Approach 15</p> <p>Audit Management and Administrative Support 19</p> <p>Roadblocks to CAATT Implementation 20</p> <p>Summary and Conclusions 24</p> <p><b>CHAPTER 2 Audit Technology 27</b></p> <p>Audit Technology Continuum 27</p> <p>Introductory Use of Technology 27</p> <p>Moderate Use of Technology 28</p> <p>Integral Use of Technology 29</p> <p>Advanced Use of Technology 30</p> <p>Getting There 31</p> <p>General Software Useful for Auditors 32</p> <p>Word Processing 32</p> <p>Text Search and Retrieval 34</p> <p>Reference Libraries 35</p> <p>Spreadsheets 35</p> <p>Presentation Software 37</p> <p>Flowcharting 38</p> <p>Antivirus and Firewall Software 39</p> <p>Software Licensing Checkers 39</p> <p>Specialized Audit Software Applications 40</p> <p>Data Access, Analysis, Testing, and Reporting 40</p> <p>Standardized Extractions and Reports 44</p> <p>Information Downloaded from Mainframe Applications and/or Client Systems 45</p> <p>Electronic Questionnaires and Audit Programs 48</p> <p>Control Self-Assessment 49</p> <p>Parallel Simulation 50</p> <p>Electronic Working Papers 51</p> <p>Data Warehouse 52</p> <p>Data Mining 54</p> <p>Software for Audit Management and Administration 56</p> <p>Audit Universe 56</p> <p>Audit Department Management Software 57</p> <p>E-mail 57</p> <p>File Transfer Protocol (FTP) 57</p> <p>Intranet 59</p> <p>Databases 60</p> <p>Groupware 61</p> <p>Electronic Document Management 61</p> <p>Electronic Audit Reports and Methodologies 62</p> <p>Audit Scheduling, Time Reporting, and Billing 63</p> <p>Project Management 64</p> <p>Extensible Business Reporting Language (XBRL) 64</p> <p>Expert Systems 67</p> <p>Audit Early-Warning Systems 68</p> <p>Continuous Auditing 69</p> <p>Continuous Auditing versus ContinuousMonitoring 72</p> <p>Example of Continuous Auditing: Application to an Accounts Payable Department 74</p> <p>Stages of Continuous Auditing 77</p> <p>Continuous Auditing Template 79</p> <p>Sarbanes-Oxley 80</p> <p>Important SOX Sections 81</p> <p>The Role and Responsibility of Internal Audit 83</p> <p>Risk Factors 84</p> <p>Detecting Fraud 85</p> <p>Determining the Exposure to Fraud 86</p> <p>SOX Software 88</p> <p>Assessment of IT Controls and Risks 90</p> <p>Defining the Scope 92</p> <p>GAIT Principles 93</p> <p>Governance, Risk Management, and Compliance (GRC) 94</p> <p>Internal Audit’s Role in the GRC Process 97</p> <p>Identifying and Assessing Management’s Risk Management Process 99</p> <p>Assessment of Internal Control Processes 100</p> <p>GRC Software 101</p> <p>Summary and Conclusions 102</p> <p><b>CHAPTER 3 CAATTs Benefits and Opportunities 103</b></p> <p>The Inevitability of Using CAATTs 103</p> <p>The New IM Environment 105</p> <p>The New Audit Paradigm 105</p> <p>Expected Benefits 108</p> <p>Planning Phase—Benefits 109</p> <p>Conduct Phase—Benefits 112</p> <p>Data Analysis 112</p> <p>Increased Coverage 112</p> <p>Better Use of Auditor Resources 115</p> <p>Improved Results 116</p> <p>Reporting Phase—Benefits 116</p> <p>Administration of the Audit Function—Benefits 117</p> <p>Reduced Costs 119</p> <p>Increased Performance 120</p> <p>Increased Time for Critical Thinking 122</p> <p>Recognizing Opportunities 124</p> <p>Transfer of Audit Technology 126</p> <p>Summary and Conclusions 127</p> <p><b>CHAPTER 4 CAATTs for Broader-Scoped Audits 129</b></p> <p>Integrated Use of CAATTs 129</p> <p>Value-for-Money Auditing 134</p> <p>Value-Added Auditing of Inventory Systems 134</p> <p>Data Analysis in Support of Value-Added Inventory Auditing 135</p> <p>Inventory Management Practices and Approaches 136</p> <p>Possible Areas for Audit-Suggested Improvements 138</p> <p>Audit and Reengineering 144</p> <p>Audit and Benchmarking 148</p> <p>Summary and Conclusions 152</p> <p><b>CHAPTER 5 Data Access and Testing 153</b></p> <p>Data Access Conditions 153</p> <p>Mainframe versus Minicomputer versus Microcomputer 154</p> <p>Portability of Programs and Data 154</p> <p>Limitations to Using the Microcomputer 155</p> <p>Processing Speeds 155</p> <p>Single Tasking 156</p> <p>Inability to Deal with Complex Data and File Structures 156</p> <p>Client Facilities 157</p> <p>Auditor’s Microcomputer-Based Facilities 158</p> <p>Data Extraction and Analysis Issues 159</p> <p>Accessing the Data 160</p> <p>Data Storage Requirements 161</p> <p>Analysis of Data 162</p> <p>Risks of Relying on Data—Reliability Risk 163</p> <p>Reliance on the Data 164</p> <p>Knowledge of the System 165</p> <p>Assessment of the Internal Controls 166</p> <p>New Topology of Data Tests 167</p> <p>Reducing Auditor-Induced Data Corruption 168</p> <p>Potential Problems with the Use of CAATTs 169</p> <p>Incorrect Identification of Audit Population 169</p> <p>Improper Description of Data Requirements 171</p> <p>Invalid Analyses 172</p> <p>Failure to Recognize CAATT Opportunities 173</p> <p>Summary and Conclusions 174</p> <p><b>CHAPTER 6 Developing CAATT Capabilities 177</b></p> <p>Professional Proficiency: Knowledge, Skills, and Disciplines 177</p> <p>Computer Literacy: Minimal Auditor Skills 178</p> <p>Ability to Use CAATTs 180</p> <p>Understanding of the Data 181</p> <p>Analytical Support and Advice 182</p> <p>Communication of Results 184</p> <p>Steps in Developing CAATT Capabilities 184</p> <p>Understand the Organizational Environment/Assess the Organizational Culture 184</p> <p>Obtain Management Commitment 185</p> <p>Establish Deliverables 186</p> <p>Set Up a Trial 186</p> <p>Plan for Success 186</p> <p>Track Costs and Benefits 187</p> <p>Lessons Learned 187</p> <p>Organize Working Groups 188</p> <p>Computer Literacy Working Group 189</p> <p>CAATT Working Groups 190</p> <p>Information Systems Support to Audit 191</p> <p>Assure Quality 195</p> <p>Quality Assurance Methodology 196</p> <p>Preventive Controls for CAATTs 197</p> <p>Detective Controls for CAATTs 198</p> <p>Corrective Controls for CAATTs 199</p> <p>Quality Assurance Reviews and Reports 200</p> <p>Summary and Conclusions 200</p> <p><b>CHAPTER 7 Challenges for Audit 203</b></p> <p>Survival of Audit 203</p> <p>Audit as a Learning Organization 204</p> <p>Knowledge Acquisition 204</p> <p>Information Dissemination 205</p> <p>Information Interpretation 205</p> <p>Organizational Memory 205</p> <p>New Paradigm for Audit 206</p> <p>Computer-Assisted Audit Techniques 206</p> <p>Computer-Aided Audit Thought Support 207</p> <p>Auditor Empowerment 208</p> <p>Access to Microcomputers and Computer Networks 209</p> <p>Access to Audit Software—Meta-Languages 209</p> <p>Universal Access to Data 210</p> <p>Access to Education, Training, and Research 210</p> <p>Skills Inventory 212</p> <p>Needed versus Actual Skills 212</p> <p>Required versus Actual Performance 215</p> <p>Auditor Skills for Using CAATTs 216</p> <p>IS Auditor Skills 216</p> <p>Training Programs and Requirements 217</p> <p>Conceptual Training 217</p> <p>Technical Training 218</p> <p>Training Options 218</p> <p>In-house 218</p> <p>Professional Associations 218</p> <p>Educational Institutions 219</p> <p>Computer-Based, Video-Based, and Web-Based Training 219</p> <p>Summary and Conclusions 220</p> <p><b>Appendices 223</b></p> <p><b>APPENDIX A The Internet—An Audit Tool 225</b></p> <p>The Internet 225</p> <p>Connecting to the Internet 225</p> <p>General Internet Uses 226</p> <p>Useful Sites for Auditors 229</p> <p>Examples of Audit-Related Internet Usage 230</p> <p><b>APPENDIX B Information Support Analysis and Monitoring (ISAM) Section 231</b></p> <p><b>APPENDIX C Information Management Concepts 235</b></p> <p><b>APPENDIX D Audit Software Evaluation Criteria 241</b></p> <p> General Capabilities 241</p> <p> Reporting Capabilities 241</p> <p> Graphics Capabilities 242</p> <p> Mathematical Functions 242</p> <p> File Manipulation Capabilities 242</p> <p> Record Definition Capabilities 242</p> <p> File Type Capabilities 242</p> <p> Programming Capabilities 242</p> <p> Support 243</p> <p> Other Capabilities 243</p> <p>References 245</p> <p>Index 249 </p>

<b>David Coderre</b> has over twenty years of experience in internal audit, management consulting, policy development, management information systems, system development, and application implementation areas. He is currently President of CAATS (Computer-Assisted Analysis Techniques and Solutions). He is the author of three highly regarded books on using data analysis for audit and fraud detection.<br /> <br />

<b>Praise for Internal Audit: Efficiency through Automation</b> <p>"Internal audit's role within the organization is more visible than ever before, largely due to the intense regulatory and compliance pressures of the last few years. This book provides an excellent overview of technology's historical role in supporting audits, and practical examples of the value audit technology provides today. It should be mandatory reading for every audit leader tasked with maximizing the effectiveness of his or her audit team to support high- performing organizations."<br /> —Harald Will, President and CEO, ACL Services Ltd.</p> <p>"A wonderful desktop reference for anyone trying to move from traditional auditing to integrated auditing. The numerous case studies make it easy to understand?and provide?a how-to?for those?seeking to?implement automated tools including continuous assurance. Whether you are just starting down the path or well on your way, it is a valuable resource."<br /> —Kate M. Head, CPA, CFE, CISA, Associate Director, Audit and Compliance, University of South Florida</p> <p>"In the many years that it has been my pleasure to know and work with David Coderre, I have always been extremely impressed with his grasp of auditing, risk assessment, and data analytics, but more importantly how to do it all better and faster. If you want a high-quality audit outcome and effective resource utilization, learn from the best —it doesn't get any better!"<br /> —Greg Duckert, CIA, CISA, CPA, CMA,?CEO and founder, Virtual Governance Institute</p> <p>"'Do more with less.' A familiar phrase, but David Coderre actually shows you how to use technology to enhance your audit product. A must-read for any size audit shop."<br /> —Ian Craigen, Supervising Senior: IS Audit</p> <p>"David Coderre is the ultimate expert on the use of computer-assisted audit tools and techniques. His twenty-first-century methods are revolutionizing the way audits are conducted. We have used his recommended methods in our audit practice with great success for many years. Every audit organization—internal, external, governmental, SEC, or non-issuer—of every size should have David's books in use. These ideas work."<br /> —David L. Cotton, CPA, CFE, CGFM, Chairman, Cotton & Company LLP</p>

US