2.1 Computer Auditing
2.1.1 The introduction of automated Accounting Information Systems
In earlier times, when all accounting information was processed and recorded in financial statements manually, it was relatively easy for the auditor to observe the audit trail as all evidence was produced in a manual/physical format. At that time, Information Systems (IS) were only a small integrated part of the accounting system which only automated minor parts of the accounting process, such as payroll processing. Figure 2.1, as suggested by Arnold and Sutton (2001), illustrates the evolution of the relationship between accounting and information systems throughout the last four decades.
Figure 2.1 – Evolution of AIS (Accounting and Information Systems plotted along a time line)
Over time, accounting and information systems started to integrate as more accounting tasks were becoming automated. In fact, Arnold and Sutton (2001) state that “the fundamental underlying driver of evolution is simply that accounting no longer drives the information system; rather the information system drives accounting”.
As depicted in Figure 2.1, Information Systems have nowadays become an integral part of many companies. The Accounting Information System (AIS) is a small part of the whole Information System of an organisation, and as organisations continue to increase their reliance on computer technology to process, record and report financial information, auditors will undoubtedly have to rely on new information technology techniques in the conduct of their audits (Hunton, Bryant and Bagranoff, 2004).
Through the evolution of AISs, the traditional audit evidence was being replaced by electronic evidence (Rezaee and Reinstein, 1998). The American Institute of Certified Public Accountants (AICPA) in Auditing Procedures Study – ‘The Information Technology Age: Evidential Matter’ (1997) defines electronic evidence as “information transmitted, processed, maintained, or accessed by electronic means and used by an auditor to evaluate financial statement assertions”. The concept of electronic evidence created new challenges to the modern auditor as the traditional audit trail could no longer be observed (Bierstaker, et al., 2001). This required auditors to consider the use of computer audit techniques in order to be able to carry out audit tests on electronic evidence (Mancuso, 1997). The use of such new techniques will eventually improve the effectiveness and efficiency of the audit as auditors will be free from carrying out many traditional routine audit tasks and instead the auditor can focus more on higher level tasks, such as understanding the client’s business risk (Rezaee, Elam and Sharbatoghlie, 2001).
2.1.2 Auditing Around to Auditing With the Computer
With the introduction of computer technology, auditors did not have the extensive knowledge to use computers to enhance the efficiency and effectiveness of the audit. Initially, auditors regarded the computer as a ‘black box’ and audited ‘around’ the computer (Watne and Turney, 2002). This consists of the auditor observing inputs into the system and the corresponding outputs and checking for mutual consistency (Hall, 2004). When using this method no attempt is made to establish and evaluate the existence of controls. Auditing around the computer is only relevant when automated systems applications are relatively simple and straightforward (supported with up-to-date documentation on how the system works); and when the audit trail is easy to observe (Cerullo and Cerullo, 2003).
The increased reliance on computers for accounting by organisations created the need for auditors to understand and assess the controls that were in place in computer systems (Watne and Turney, 2002). Ignoring such computer controls would hinder the ability of the auditor to assess the effectiveness and robustness of the client’s internal controls. Auditors could no longer audit around the computer, but instead a new approach, auditing ‘through’ the computer, was being used. Hall (2004) defines auditing through the computer as:
“…the ability to trace transaction paths from input to output through all parts of the system-manual and automated. The flow of data must be verified as it moves through the system, and the contents of machine readable files must be examined. Internal controls are tested as they operate on the data. The black box is gone.”
The ‘auditing through the computer’ approach is suitable for testing controls in complex Information Technology (IT) systems (as suggested in SAS No. 94 – The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit). The motive behind auditing through the computer is to be able to understand and assess the robustness and operating effectiveness of the computer controls within a system. According to Cerullo and Cerullo (2003), this approach is based on the assumption that if controls are adequately developed into the system, then errors are unlikely to slip by undetected, and thus outputs from the system can reasonably be accepted as reliable.
Moreover, Hall (2004) suggests that the current trend is towards auditing ‘with’ the computer, that is, instead of being treated as a ‘black box’, the computer is actually used as a tool to access, review and extract files and data from the client’s AIS. This approach helps auditors to improve the efficiency and effectiveness of the audit as the computer’s speed and reliability can be used to review large volumes of data. However, the last two approaches highlight the need for auditors to have an extensive knowledge of computers in order to be able to assess the integrity of the client’s computer system or to use the computer as a tool to carry out the audit.
2.1.3 Objective of an Audit in an IT Environment
Nonetheless, whether an audit is carried out in an IT environment or not, the objective of the audit remains the same, that is, as expressed by International Federation of Accountants (IFAC) in ‘ISA 200 – Overall Objectives of the Independent Auditor and the conduct of an audit in accordance with International Standards on Auditing’:
“To obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework”
The auditor must be able to obtain sufficient and appropriate evidence in order to reduce audit risk to an acceptably low level. In doing so, the auditor would be in a position to express an opinion on whether the financial statements prepared by the client give a ‘true and fair’ view.
It is thus fundamental for the auditor to assess the client’s IT environment and plan adequately (with the support of standards and guidelines) on whether the use of Computer-Assisted Audit Techniques (CAATs) will be required to gather sufficient appropriate evidence during the audit.
2.1.4 Audit of Public Interest Entities
CAATs are commonly used when auditing clients which carry out all their operations online, such as ‘Online Gaming’ companies, and when auditing large clients which rely on large and complex IT systems. Examples of the latter could be listed companies, financial institutions and insurance companies, all of which fall under the definition of Public Interest Entities (PIEs).
The definition of PIEs varies across countries, but the core element is always the same. In fact, the revised 8th Directive provides a core definition of PIEs, but it also permits the designation of other entities as PIEs by member states as they deem adequate (based on meeting a number of criteria). The definition is as follows:
“Entities governed by the law of a Member State whose transferable securities are admitted to trading on a regulated market of any Member State…, credit institutions … and insurance undertakings…. Member States may also designate other entities as public interest entities, for instance entities that are of significant public relevance because of the nature of their business, their size or the number of their employees.”
In light of the definition set out by the revised 8th Directive, examples of Maltese PIEs are listed companies, financial institutions, insurance companies, large not for profit entities, and some publicly owned entities; all having a wide range of stakeholders.
Due to the public stake in the performance of PIEs, the auditors’ role and responsibilities in giving an opinion on the financial statements of such entities become more important. In fact, the majority of PIEs in Malta are audited by the Big Four audit firms as these firms have the extensive knowledge and resources to carry out audits of PIEs efficiently and effectively.
Big Four audit firms use CAATs to improve audit efficiency as they allow auditors to perform previously manual routine tasks quickly and efficiently (Zhao et al., 2004). Furthermore, Big Four audit firms can use CAATs to improve audit effectiveness as more information can be obtained on controls within AISs of the client, and in certain cases 100 percent of the population can be tested (Braun and Davis, 2003).
2.2 Computer Assisted Auditing Techniques (CAATs)
2.2.1 Standards and Guidelines
Due to the aforementioned increased reliance on IT systems by clients, new auditing standards and guidelines were needed to provide support and guidance to auditors. With relevance to this study, there are three important standards/guidelines that provide guidance to auditors when carrying out an audit within an IT environment.
‘SAS No. 94 – The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit’ provides appropriate guidance to auditors on how to adequately understand and assess the computer controls within an organisation. SAS No. 94 goes on to clarify what the auditor should know in order to be able to understand the automated and manual procedures an entity uses to prepare its financial statements and related disclosures (Yang and Guan, 2004). Furthermore, this auditing standard emphasises the need to use Computer-Assisted Auditing Techniques (CAATs) to test automated controls, especially in complex IT environments (Cerullo and Cerullo, 2003).
‘ISACA Guideline No. 3 – Use Of Computer-Assisted Audit Techniques (CAATs)’ provides guidelines to auditors on how CAATs can be effectively applied, specifically by providing detailed steps in planning the use of CAATs; performing the work; documenting and reporting.
Another standard, ‘SAS No. 99 – Consideration of Fraud in a Financial Statement Audit’ provides guidance to auditors on how to identify risks of material misstatements whether due to error or fraud. SAS No. 99 also recognises the importance of CAATs in the consideration of fraud, as this standard suggests that in cases where the client relies heavily on computer systems, the auditor should make use of CAATs to detect patterns of fraud. Furthermore, this audit standard highlights the importance of identifying the possibility of management override of controls.
2.2.2 Application of CAATs in Financial Auditing
During a study carried out in Sweden by Temesgen (2005) on the “Determinants for effective application of software in CAATs” it was found that the type of CAATs most used by the Big Four audit firms in Sweden is CAATs used for simplification of monotonous tasks, such as Microsoft Office and other ‘off-the-shelf’ audit software packages. On the other hand, this study identified that the most effective CAATs such as ‘Test Data’, ‘Integrated Test Facility’, ‘Parallel Simulation’ and other expert systems, which would have been more effective in observing electronic audit trails, are less utilised.
CAATs can aid the auditor in performing various audit procedures especially when adopting the ‘audit through the computer’ and ‘audit with the computer’ approaches. Depending on the requirements of the audit, the auditor can choose to use CAATs to perform specific audit tasks such as drawing a sample, comparing balances between accounting periods, reviewing transactions for fraudulent patterns, testing applications controls, and performing tests of detail.
2.2.2.1 Sampling and Tests of Detail
When using CAATs the auditor has the ability to test large volumes of transactions, more than would have been possible had the same process been carried out manually. This is one of the advantages of using CAATs. Using the computer’s speed, reliability, accuracy and robustness the auditor can perform repetitive tasks efficiently and effectively. Additionally, CAATs can also be used to draw samples representing the population and to carry out tests of detail, such as recalculation of discounts on invoices or recalculation of overtime allowances.
2.2.2.2 Analytical Procedures
‘ISA 520 – Analytical Procedures’ defines analytical procedures as “evaluations of financial information through analysis of plausible relationships among both financial and non-financial data”. Furthermore, according to Wilson and Colbert (1991), “analytical procedures involve drawing conclusions based on expected amounts calculated by the auditor”. In performing such procedures, CAATs can be useful especially when reviewing complex data. These automated techniques are set to compare figures between accounting periods and possibly identify inconsistencies.
2.2.2.3 Test of General and Application Controls
CAATs can also aid in testing general and application controls. As required in the ‘audit through the computer’ approach, such computer aided techniques are used to assess the reliability of internal controls within computerised systems (Watne and Turney, 2002). For this to be successful the auditor must first understand how the client’s system works, and then various CAATs can be applied to test the operating effectiveness of the client’s system controls.
2.2.2.4 Fraud Detection
Recent fraud scandals, such as the cases of Enron and Worldcom, increased the importance given to performing audit procedures with the objective of identifying fraudulent activities. As organisations use computer technology to process information, weak computerised internal controls or the lack thereof would increase the risk of fraud occurring through computer assisted means (Coderre, 2000).
In fact, ‘SAS No. 99 – Consideration of Fraud in a Financial Statement Audit’ proposes the use of CAATs for identifying fraudulent transactions and management override of controls. ‘Digital Analysis’ is one type of CAAT with the specific purpose of identifying fraudulent transactions (Hall, 2004). This approach is used to identify inconsistencies in digits based on statistical properties through the use of Benford’s Law.
Additionally, according to Coderre (2000), as auditors develop a more systematic knowledge of fraudulent patterns within organisations, they can create a “fraud profile” which identifies the main fraud areas and patterns. This could then function as a template and be used when auditing different organisations.
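The digital analysis described above can be sketched as a first-digit Benford test. This is an added example, not taken from the original study or the cited authors; the ledger amounts are constructed, and the 5,000 approval threshold behind the second data set is an assumption made for illustration.

```python
import math
from collections import Counter

# Benford's Law: the expected share of leading digit d is log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
# Chi-square critical value for 8 degrees of freedom at the 5% level.
CHI2_CRITICAL = 15.507


def leading_digit(amount):
    """Return the first significant digit of a non-zero amount."""
    return int(f"{abs(amount):.6e}"[0])


def benford_test(amounts):
    """Compare observed first-digit counts with Benford's expected counts."""
    values = [a for a in amounts if a]  # zero has no leading digit
    n = len(values)
    observed = Counter(leading_digit(a) for a in values)
    # Positive excess = digit appears more often than Benford predicts.
    excess = {d: observed[d] - n * p for d, p in BENFORD.items()}
    chi2 = sum(excess[d] ** 2 / (n * BENFORD[d]) for d in BENFORD)
    return {
        "n": n,
        "chi2": chi2,
        "flagged": chi2 > CHI2_CRITICAL,
        "most_over_represented": max(excess, key=excess.get),
    }


def constructed_ledger():
    """Constructed amounts: a geometric series, which follows Benford closely."""
    return [round(10 * 1.05 ** k, 2) for k in range(472)]


def constructed_ledger_with_threshold_amounts():
    """Same ledger plus 60 constructed amounts just under an assumed
    5,000 approval threshold (4,900 to 4,999)."""
    return constructed_ledger() + [4900 + (i * 37) % 100 for i in range(60)]


if __name__ == "__main__":
    for name, data in [
        ("baseline", constructed_ledger()),
        ("threshold", constructed_ledger_with_threshold_amounts()),
    ]:
        result = benford_test(data)
        print(name, round(result["chi2"], 2), result["flagged"],
              result["most_over_represented"])
```

A flagged population is a prompt for further substantive testing, not evidence of fraud in itself; amounts constrained by price lists or assigned number ranges deviate from Benford's Law for legitimate reasons.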
2.3 Types of Computer Assisted Auditing Techniques
CAATs are often divided into two categories, that is, CAATs used by the auditor to review and extract data (auditing with the computer); and CAATs used for testing the controls within computerised AISs of clients (auditing through the computer).
2.3.1 Reviewing and Extracting Data Files
Compared with the techniques used for testing controls within AISs, CAATs used for reviewing and extracting data may require relatively less computer knowledge to use. Auditors may use these techniques to review and extract transaction and standing data in order to use it to perform substantive tests or tests of controls. Two types of CAATs generally falling in this category are the ‘Data File Interrogation’ and ‘Embedded Audit Module’ techniques.
2.3.1.1 Data File Interrogation
Data File Interrogation is about using the computer as a tool to review large volumes of data (Auditnet, 2003). With the use of computer software, the auditor can use the computer’s speed and reliability to perform tasks such as searching for missing or duplicate transactions; and comparing the contents of two files and printing a report containing the results with exceptions and/or record matches. Data File Interrogation can also be used to extract representative samples of data from the population to be used at a later stage in the audit.
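The interrogation tasks named above (missing or duplicate transactions, and a two-file comparison reporting exceptions and matches) can be illustrated as follows. This is an added example, not part of the original text; the file layouts, column names and records are constructed for illustration.

```python
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed extracts standing in for two client data files.
SALES_CSV = """invoice_no,customer,amount
1001,ACME,250.00
1002,BETA,120.50
1002,BETA,120.50
1004,CORE,990.00
1005,DELTA,75.25
1007,ACME,410.00
"""
SHIPPING_CSV = """invoice_no,shipped_amount
1001,250.00
1002,120.50
1004,900.00
1006,60.00
1007,410.00
"""


def load(text):
    """Parse a CSV extract into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def find_duplicates(rows, key="invoice_no"):
    """Document numbers that appear more than once in the file."""
    counts = Counter(r[key] for r in rows)
    return sorted(k for k, c in counts.items() if c > 1)


def find_sequence_gaps(rows, key="invoice_no"):
    """Numbers missing from a sequence that should be unbroken."""
    numbers = {int(r[key]) for r in rows}
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in numbers]


def compare_files(sales, shipping):
    """Match the two files on invoice number and report exceptions and matches."""
    billed = {}
    for r in sales:
        billed.setdefault(r["invoice_no"], Decimal(r["amount"]))  # first occurrence
    shipped = {r["invoice_no"]: Decimal(r["shipped_amount"]) for r in shipping}
    report = {"matched": [], "amount_mismatch": [],
              "billed_not_shipped": [], "shipped_not_billed": []}
    for inv in sorted(billed.keys() | shipped.keys(), key=int):
        if inv not in shipped:
            report["billed_not_shipped"].append(inv)
        elif inv not in billed:
            report["shipped_not_billed"].append(inv)
        elif billed[inv] != shipped[inv]:
            report["amount_mismatch"].append((inv, billed[inv], shipped[inv]))
        else:
            report["matched"].append(inv)
    return report


if __name__ == "__main__":
    sales, shipping = load(SALES_CSV), load(SHIPPING_CSV)
    print("duplicates:", find_duplicates(sales))
    print("gaps:", find_sequence_gaps(sales))
    for section, items in compare_files(sales, shipping).items():
        print(section, items)
```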
2.3.1.2 Embedded Audit Module (EAM)
As the name suggests, an ‘Embedded Audit Module’ is a programmed module embedded in the client’s computer system to review and capture data based on predetermined criteria set out by the auditor (Auditnet, 2003). Transactions are examined as they are input into the system. The objective of the EAM is to capture those transactions which fall under the parameters set out by the auditor. These transactions are then copied and stored in an audit log file for subsequent review by the auditor. The transactions which are captured by the EAM can then be used by the auditor to perform substantive tests.
One of the advantages of using Embedded Audit Modules is that it provides the auditor with data which is captured throughout the audit period and thus reduces the time and amount of work the auditor must do to identify transactions to be used for substantive testing at a later stage. On the other hand, one major limitation of EAM is that it cannot be easily added to the client’s system once it is operational and thus this technique is more useful when the client’s system is still in the design stage (Auditnet, 2003).
2.3.2 Testing Controls within Accounting Information Systems
In contrast to the first category of techniques discussed above, there are CAATs which the auditor uses to audit through the computer. According to Braun and Davis (2003) these CAATs are used by auditors to “examine the internal logic of the application”. This means that the objective of such techniques is to assess the integrity and operational effectiveness of the controls within the client’s computerised system.
Three techniques are commonly used in the ‘audit through the computer’ approach and these are ‘Test Data’, ‘Integrated Test Facility’ (ITF), and Parallel Simulation.
2.3.2.1 Test Data
When using the ‘Test Data’ method, the auditor conducts testing of the client’s system by inputting simulated test transactions into the system. The facility to design the test data gives the auditor the ability to decide what to test and what not to test. These test transactions are processed by the system and then the auditor compares the processed results with expected output. Any differences between the processed results and the expected results by the auditor could indicate a logic or control problem within the client’s system (Braun and Davis, 2003). On the other hand, if no exceptions occur between the processed results and the expected results, then the auditor can reasonably assume that the system’s controls operate effectively under normal circumstances.
As suggested by Watne and Turney (2002), “the objective of performing substantive testing with test data is to determine the accuracy of that computer processing for which a test record is submitted”. Furthermore, test data can also be used to test the error detection capabilities of the system and to test the accuracy of reports produced by such system.
The test data approach is commonly used by auditors as it requires limited computer knowledge and it is relatively easy to use when compared to other CAATs. Additionally it provides the auditor with an understanding of how the system operates (Auditnet, 2003).
On the other hand, when creating the test data transactions the auditor may not be allowing for specific circumstances that may occur when the system is live, and this may lead the auditor to make wrong assumptions about the integrity of the client’s system controls.
2.3.2.2 Integrated Test Facility (ITF)
Watne and Turney (2002) define ‘Integrated Test Facility’ as a “technique whereby the auditor creates simulated transactions, intermixes the transactions with a client’s actual transactions, waits for the processing of the intermixed transactions, and then analyses the processing of the simulated transactions”.
Figure 2.2, as depicted by Auditnet in its Monograph Series – Principles of Computer Assisted Audit Techniques (2003), illustrates the in-built testing facility/module which can be used for audit testing.
The process is the same as that for the test data approach. The difference between the two methods is that in the test data approach the auditor uses a copy of the client’s system to input the test transactions. On the other hand, when using the ITF method, the auditor actually inputs the test transactions in the client’s system when running live under normal circumstances. As depicted in Figure 2.2, the system then processes the client’s actual data intermixed with the auditor’s test data. Output is then separated again into client output and test output. The test output is compared with the auditor’s expected results and any deviations from the expected results are highlighted. Thus, this provides the auditor with a more accurate observation of controls within the system.
Figure 2.2 – Integrated Test Facility
The advantages that ITF has over test data are that it allows the auditor to carry out unscheduled regular testing on the system when it’s ‘live’, and it provides live evidence on the operating effectiveness and integrity of the client’s system. However, when using this method, auditors should give particular attention to identifying and removing the test transactions from the client’s records once the audit testing is complete, as test transactions left in the records may hinder the integrity of the client’s system.
2.3.2.3 Parallel Simulation
Similar to the Test Data approach and ITF, parallel simulation is used to test the integrity and operating effectiveness of the client’s application (Hunton, Bryant and Bagranoff, 2004). Figure 2.3 illustrates the process in using parallel simulation as depicted by Auditnet (2003).
Watne and Turney (2002) define parallel simulation as “the construction of a processing system for an accounting application and the processing of actual data through both the client’s program and the auditor’s program”. In simpler terms, the auditor designs an application which simulates the client’s application. The simulated application should contain the appropriate controls that the auditor expects to find in the client’s application. Actual data (transactions occurring from the normal day-to-day running of the client’s business) is then input into both the client’s and simulation applications. The auditor then compares the output produced by the simulated application with that produced by the client’s application.
Figure 2.3 – Parallel Simulation
Assuming that the simulation application contains all the appropriate controls, then output from the simulation application should match with output from the client’s application. If there are differences between the outputs produced by the two systems, then the auditor may infer that the input, processing and output controls within the client’s application are not operating effectively.
Like the ITF technique, parallel simulation enables the auditor to test the client’s system under normal operations. Furthermore, it enables the auditor to use live data in testing controls, unlike the Test Data approach and ITF, where test transactions are used. On the other hand, this technique requires extensive computer knowledge to be able to design a simulation application. Additionally, the cost of developing the simulation application can be relatively high (Watne and Turney, 2002).
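A minimal parallel simulation, as an added example that is not part of the original text: the auditor re-implements one documented processing rule and runs the client's actual transactions through it, then compares the results with the client's output. The discount rule (5% from 1,000.00 gross, 10% from 5,000.00 gross), the transaction identifiers and both data sets are assumptions constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def simulate_net_amount(gross):
    """Auditor's independent implementation of the documented rule (assumed):
    5% discount from 1,000.00 gross, 10% discount from 5,000.00 gross."""
    gross = Decimal(gross)
    if gross >= Decimal("5000"):
        rate = Decimal("0.10")
    elif gross >= Decimal("1000"):
        rate = Decimal("0.05")
    else:
        rate = Decimal("0")
    return (gross * (1 - rate)).quantize(CENT, rounding=ROUND_HALF_UP)


# Constructed live input: (transaction id, gross amount).
TRANSACTIONS = [
    ("T1", "400.00"),
    ("T2", "1000.00"),
    ("T3", "1250.40"),
    ("T4", "5000.00"),
    ("T5", "7300.10"),
    ("T6", "820.00"),
]

# Constructed output of the client's program for the same period.
# T2 and T4 sit exactly on a discount boundary; T6 has no output record.
CLIENT_OUTPUT = {
    "T1": Decimal("400.00"),
    "T2": Decimal("1000.00"),
    "T3": Decimal("1187.88"),
    "T4": Decimal("4750.00"),
    "T5": Decimal("6570.09"),
}


def parallel_simulation(transactions, client_output):
    """Return (id, simulated, client) for every transaction whose client
    result differs from the simulation or is missing from the output."""
    deviations = []
    for txn_id, gross in transactions:
        simulated = simulate_net_amount(gross)
        client = client_output.get(txn_id)  # None = record dropped in processing
        if client != simulated:
            deviations.append((txn_id, simulated, client))
    return deviations


if __name__ == "__main__":
    for txn_id, simulated, client in parallel_simulation(TRANSACTIONS, CLIENT_OUTPUT):
        print(f"{txn_id}: simulated={simulated} client={client}")
```

In this constructed data both mismatches fall exactly on a discount boundary, the kind of processing-logic deviation that comparing the two outputs is meant to surface, while the missing record points to a completeness problem in the client's output.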
As discussed in this chapter, CAATs provide means of improving the efficiency and effectiveness of the audit. However, as correctly stated by Brazina and Leauby (2004) “CAATs are not a substitute for auditor judgement”. It is crucial for auditors to use guidelines (such as ISACA Guideline No. 3) in order to plan the use of such techniques during the audit as lack of planning will eventually hinder the benefits derived from the use of CAATs. Particular considerations should also be given to the IT knowledge and experience of the audit team; the access available to the client’s computer systems; and the impracticability of performing manual tests when auditing complex automated systems.