J. Suen - University of Waterloo

advertisement

UNIVERSITY OF WATERLOO

School of Accountancy

ACC 626

Computer Assisted Audit Techniques: A Study of the Tools, their Usage and Future Initiatives

Waterloo, Canada prepared by

Jonathan Suen

July 5, 2009

1. INTRODUCTION

PC-based computer-assisted audit tools (CAATs) have been available since late

1980s (Brodie, 1990; ACL, 2009). Before that, there were CAATs that run on client’s mainframe. One advantage of PC-based CAATs is that clients do not have to worry about the auditors changing their data. PC-based CAATs are also less costly (Brodie, 1990). With lower cost and lower risk, advocates expected auditors to maximize the use of CAATs. This research paper will look at:

how prevalent the use of CAATs is among internal and external auditors,

major CAAT offerings, and

future initiatives.

This paper shall focus on the application of CAATs in financial statement audits. Note that CAATs can be broadly classified as data analysis software, network security evaluation software, operating systems and database management system security evaluation software, and software and code testing tools (Sayana, 2003). For the rest of this paper, the term CAATs will refer only to data analysis software, as procedures involving the other tools are beyond the scope of financial statement audits.

2. Trend in Use of IT in Clients and Auditors’ Use of CAATs

Accounting information systems (AIS), used loosely here to include accounting software such as QuickBooks, are now widely used in organizations of all sizes. As most AIS come with the function to export data, it has become easier for client staff to provide auditors with data in electronic form. Transferring data to auditors’ computers are also easy, with the ever-increasing storage capacity of removable media such as DVDs and USB drives. Despite having the means to download and analyze data, many firms did not use CAATs as much as they should (Gascoyne, 1992).

Reasons for underutilizing CAATs may include:

cost constraints (Gascoyne, 1992). CAATs often take longer to use during the first year of implementation, since auditors need to take time to explain data needs to clients and understand the data. Many practitioners claim not to

1

consider an extended budget period when evaluating the value of CAATs because prior experience has showed that savings are not realized in year two (KPMG, 2005);

the misconception that CAATs are cost effective only for larger jobs, thus limiting their use to jobs “whose profiles demand it” (Gascoyne, 1992); and

insufficient planning. Decisions regarding where to use CAATs are made too early in the audit process, and without adequately considering risk

(Paukowits, 2000). Firms are simply looking to automate old tests (Gascoyne,

1992), and the use of CAATs is often limited to the more popular functions

(Paukowits, 2000).

User resistance is no longer an issue, as today’s auditors are very technology savvy and readily accept most audit tools (KPMG, 2005). If it were, training is effective at reducing staff’s unwillingness to be innovative with technology.

Nevertheless, auditors are known to use CAATs for fraud detection (such as journal entry testing) and ad hoc testing, rather than substantive testing, and even more rarely for control testing. CAATs are often used in selecting samples for confirmations, preparing aged receivables reports, and to quantify findings. In addition, they are required when large volume of data rendered manual vouching and recalculation inadequate, if not impossible, to gather sufficient audit evidence.

2.1 Benefits of CAATs

The costs of common CAATs (to be introduced later) can be justified by the following benefits:

Cost savings. This can be achieved by replacing manual audit activities such as selecting statistical samples (Lanza, 1998), or by analyzing large volume of data.

Achieving 100% coverage of transactions, potentially allowing auditors to detect more misstatements than sampling (Lanza, 1998). This offers value to clients, and lowers risk of restatements. Auditors can also quantify misstatements precisely, rather than extrapolating misstatements from errors

2

(Lanza, 1998). This gives auditors more ground in requesting clients to adjust its accounts.

Macros and preprogrammed routines can further enhance audit efficiency

(Sayana, 2003).

Having the right technology, including CAATs, and using them the right way can facilitate staff in understanding client business and performing a more efficient audit. It also represents learning opportunities for staff. These lead to happier staff, which in turn leads to lower staff turnover (Heveron, 2007).

2.2 Ways to increase the use of CAATs among auditors

CAATs should be used whenever they lead to improved audit efficiency and audit quality. The following ways can increase the use to CAATs among auditors:

To achieve cost savings, adequate training that includes real-life exercise with audit software is essential (Sayana, 2003).

As auditors with shorter-term budget and evaluation periods are less likely to implement technology such as CAATs, evaluate the effectiveness of the use of CAATs using longer-term budget that is more than 2 years (KPMG, 2005).

Budget for year one should be extended to accept a reasonable increase in time.

External auditors need senior management support for CAAT use (KPMG,

2005), and internal auditors need support from audit committee, management, and the IT department.

To decrease the time spent on data acquisition, audit managers should obtain the support of client superiors (KPMG, 2005). The audit team should define the output requirements, and document how reports or data extractions were obtained as well as the queries used (ISACA, 2008).

Audit team should link CAATs with high risk areas during planning to take advantage of the ability of CAATs to test specific risks and audit 100% of large volume of data easily.

3

Audit team should consider using CAATs for more than ad hoc tests and fraud procedures.

Ultimately, whether CAATs can improve audit efficiency and strength of audit evidence depends on the audit team’s understanding of the client’s business processes and experience with the audit tools.

2.4 Situations in which CAATs can be used to test controls

The U.S. Statement on Audit Standard 94 states that “it is not practical or possible to restrict detection risk to an acceptable level by performing substantive tests,” given the increased prevalence of paperless processes (Gallegos et al,

2004). Certain situations require auditors to test IT controls. Examples of these situations include:

Applications or systems involving electronic data interchange (EDI) (Gallegos et al, 2004);

Electronic payment systems (Gallegos et al, 2004);

Decision support systems that involves automatic reasoning where they support decision-making within the client organization (Gallegos et al, 2004);

In systems that provide electronic services to customers (Gallegos et al,

2004); and

Applications that perform complex calculations that leads to financial decisions (Gallegos et al, 2004).

Since the data is in electronic form, CAATs can be used to help.

3. GAS offerings

GAS has come to refer to data analytic software specifically designed for auditors. They can be classified into two groups: standalone software and addons to Microsoft Excel. Auditors also use other software. While there is little public data on the software used by external auditors, many audit firms have not implemented GAS, citing ease of use and learning requirements as reasons

(Lanza, 2009).

4

Meanwhile, there were surveys on the software used by internal auditors.

Figure 1 shows the trends in software use among internal auditors. Note that while 2001 and 2005 figures are mostly comparative, 2009 figures may not be comparative because they were released in a different survey.

Figure 1

Trends in software use among IA

SAS

Other

Internally developed software

IDEA

Excel

Database software

ACL

2001

2005

2009

0% 10% 20% 30% 40% 50% 60%

Percentage

Notes to chart:

2001 and 2005 numbers are based on surveys conducted by the Institute of Internal Auditors on

US and European countries, while 2009 numbers are based on a survey by KPMG, which samples only companies from Europe, the Middle East, and Africa.

The category “Other” includes Business Intelligence software (Business Objects, Cognos, Crystal

Reports, etc.) and data retrieval tools (Easytrieve).

The category “Database software” includes Access, SQL, and AS/400 query.

Excel remains the most popular data analysis tools. Possible reasons include user familiarity with the interface and functions, and low costs since spreadsheet software has long been used by organizations. It is also interesting to note that 1) business intelligence tools are not gaining popularity despite their increased sophistication and deployment, 2) the decline in relative use of ACL, and 3) internally developed software are becoming less popular, possibly due to the availability and ease of maintenance with commercial solutions. Furthermore, the

KPMG report found that

audit tools “were not commonly used in areas such as planning and risk and controls analysis”

5

33% of organizations do not use any data analysis or sampling tools.

3.1 Standalone GAS: ACL vs. IDEA

Standalone GAS are more commonly used by organizations and audit firms than Excel add-ons. Two main solutions are Audit Command Language

(ACL) and Interactive Data Extraction and Analysis (IDEA). Both companies are headquartered in Canada.

3.1.1 History of ACL and IDEA

ACL “was first developed as a teaching tool at the University of British Columbia in the early 1970s and was released commercially in 1987” (CGA-Canada,

2004). It was supported by the Institute of Internal Auditors (Mattila, 2009), and is the most commonly used data extraction and analysis tool, used by “85 percent of the Fortune 500 companies and over twothirds of the Global 500, … and hundreds of national, state, and local governments” (ACL, 2009). There is evidence that Deloitte and Ernst & Young use ACL, as both firms offer ACL training courses (Deloitte, 2009; Ernst & Young, 2009).

On the other hand, IDEA was first developed by the Office of the Auditor

General of Canada in 1986, acquired by the CICA in 1987, and finally acquired by Caseware in 2000 (Mattila, 2009; CGA-Canada, 2004). Initially, it was mostly a sampling tool, reportedly slower than ACL (Mattila, 2009) and lack data manipulation features such as joining files and data stratification (Jacobson,

1990). It has since increased its market shares, and is known to be used by accounting firms such as BDO, Grant Thornton, KPMG,

PricewaterhouseCoopers, RSM McGladrey & Pullen, and others (Caseware,

2008).

Lastly, the GAS that schools expose students to may impact firms and organizations when choosing which product to implement. A survey conducted in

2004 found that ACL is more often used in universities than IDEA (Weidenmier,

2004). Since industry leadership is the most cited reason for choosing ACL, whether ACL or IDEA is used may be location-specific (e.g. IDEA may be more widely used in Canada than the U.S.)

6

3.1.2 Comparison based on user feedbacks found on the Internet

Overall, users found little difference in functionality between ACL and

IDEA. The main difference is that ACL uses SQL conventions when building queries, while IDEA incorporates many Visual Basic Applications components used in Excel (IIA user forum, 2009). As a result, many Excel macros are portable to IDEA (Mattila, 2009). The following are highlights of other user comments:

Pros of ACL:

Bigger online support community (IIA user forum, 2009)

More companies use ACL. Therefore, candidates with ACL experience are easier to find. This has hiring implications for organizations and firms (IIA user forum, 2009).

ACL create virtual tables while IDEA creates a new file with every command

(Texas ACL User Group, 2009). The main advantage with virtual tables is that auditors just have to move one file to the working paper.

ACL “allows users to SET LOG or SET SESSION to log specific periods of execution.” This leads to more concise working papers for review (Texas ACL

User Group, 2009). Users can also delete logs, although this might not be a desirable feature for auditors to ensure documentation completeness.

Pros of IDEA:

IDEA’s Import function has some key advantages. IDEA allows you to save how you interpret files as templates so that you can use it to import other files.

IDEA also imports PDF files better (Texas ACL User Group, 2009).

If you delete a file in IDEA, you can get it back from the recycle basket, while deleting files in ACL is final unless you have them backed up.

IDEA allows for multiple data extractions at one time, while ACL doesn’t.

A user found IDEA easier to user (IIA user forum, 2009). Examples given:

When joining files, key fields do not need to be of the same length in

IDEA, while this is required in ACL.

IDEA does not require users to index files, while this is required in ACL.

7

In IDEA, users do not need to give names to a filter and an index, while in

ACL they must.

As a result, the user found it easier to learn IDEA.

Nevertheless, overall user satisfaction with both solutions is highest among software used by internal auditors (IIA, 2006).

3.2 CATTS: Excel add-ons

Cost and user acceptance are often why auditors either don’t use GAS or don’t use them to its potential (Auditsoftware.net, 2009). Excel based GAS are both cheaper and easier for users to accept. Two major offerings of Excel based

GAS are ActiveData and TopCAATs. The former is based in Canada, and the latter is based in the UK. Both solutions offer most of the main capabilities of standalone GAS. They have an advantage from an audit efficiency standpoint - auditors do not have to export results to Excel for further documentation. They also an advantage from a usability standpoint – since they are based on Excel, all Excel functions can be used simultaneously.

3.3 Excel macros and SQL

Excel macros and SQL combined make a cost-effective substitute for

GAS. Excel macros can be programmed to perform many data analysis functions of the aforementioned GAS, such as random sampling and testing compliance with a set of user-determined attributes (Burnett, 2005). Downsides include requirement of Excel know-how and testing before implementation. Nevertheless,

Excel macros can be used across audits if data structure is the same.

SQL substitutes GAS in many data extraction and manipulation functions.

For example Auditors can use SQL to perform data classification (frequency distribution, outlier and trend identification, etc), data extraction, sampling, and audit tests (recalculatio n, Benford’s Law analysis, etc) (Blakley, 2008).

There are three major advantages with using SQL (Blakley, 2008):

1. Auditors can interrogate the system directly, crafting queries to suit a number of audit tests.

8

2. Many audit procedures such as subtotals and use of selection criteria are already built into SQL.

3. Since SQL is a universal language, SQL commands can be used across audits.

Drawbacks include learning curve of SQL and risk of unintentionally changing client data. These drawbacks can be mitigated, however. Firstly, the cost and time required to teach auditors SQL is reduced by the fact that “20% of the SQL statements and syntax can provide 80% of all commonly needed audit functionality” (Blakley, 2008). Secondly, there are techniques to restrict modification of data, such as working with virtual tables called views, rather than actual tables.

3.4 Overall comparison

Appendix I contains a comparison of ACL, IDEA, ActiveData, TopCAATs, and

Excel and SQL. The comparison is based on similar comparisons done by

Auditsoftware.net and the research paper “Selecting an Audit Software Package for Classroom Use” (Weidenmier, 2004), as well as Internet search.

To summarize, Excel add-ons such as TopCAATs and ActiveData are capable substitutes of the more expensive standalone GAS. However, robustness and user support base are not as proven as standalone GAS. ACL and IDEA also have better import capabilities. For these reasons, the best recommendation seems to be a two product approach (Lanza, 2009):

1) Use one of the Excel addons, which will probably cover most of auditors’ needs with minimal training, and

2) Purchase one or two ACL / IDEA licenses (per office) and invest in training a couple of experts “for those occasions where a little more is needed”, such as importing a difficult file.

4. How ACL and IDEA have changed in recent versions

One way to get a sense of where GAS are heading is by looking at past improvements. Back in 1988, ACL was already able to import various file

9

formats, perform data extraction and sampling (including MUS), summarize, compile summary statistics, insert virtual fields, and log activities (Stanley, 1988).

Appendix 2 contains a list of enhancements and new features to IDEA since version 6. Improvements are continually made to documentation, GUI, and import capability. New functionality includes data analysis capabilities, standardized tests, and Equation Editor functions. Overall, continual additions of functions, improvements to GUI, and user customization are ways IDEA are using to increase value to organizations and firms.

4.1 Future Initiatives with GAS

Practitioners can expect software makers to continue to introduce new data interrogation functions in their software, as well as offer user customization. As most accounting information systems have the ability to export files as CSV or

Excel files, Excel-based GAS has the potential to compete with standalone GAS and drive price down. Nevertheless, adoption of Excel-based GAS might be opposed by users, who may have developed expertise with ACL and IDEA.

As CAATs become more widely use, there is potential for users sharing customized scripts. Such collaboration might improve audit efficiency and further boost the use of CAATs. As continuous auditing becomes more widely practiced, CAATs may also become more widely used.

5. Conclusion

While ACL and IDEA are becoming more widely used by organizations and firms,

Excel-based GAS is a viable substitute. In additional, Excel macros and SQL are serviceable substitutes to GAS for auditors with limited budgets and who are open to learning new techniques. Auditors should consider whether the cost savings and added competency warrant the training and commitment necessary to realize the potential of the two techniques. Regardless of what GAS is implemented, auditors should adopt best practices in using CAATs, such as documenting data acquisition process, and using CAATs in high risk areas.

10

Works Cited

Audimation. "IDEA v7 Enhancements." Caseware IDEA June 2006. 5 July 2009

<http://www.audimation.com/pdfs/IDEA%20D.A.S-Enhancements-2006-

AUDIMATION.pdf>.

Brodie, Grant. "CAATs scan." CA Magazine Apr. 1990: 32-24. 5 July 2009 <ABI/INFORM>.

Caseware IDEA. "IDEA v8 Enhancements." Caseware IDEA Mar. 2009. 5 July 2009

<http://www.caseware.com/products/idea/IDEAEnhancements.pdf>.

Caseware. "CaseWare IDEA Inc. Releases IDEA 2004." n/a Jan. 2004. 5 July 2009

<http://www.casewareidea.com/caseware/about-us/news-reviews/caseware-idea-inc.releases-idea-2004>.

Caseware. "CaseWare IDEA announces 1st North America IDEA User Conference ." n/a May

2008. 5 July 2009 <http://www.caseware.com/about-us/news-reviews/1st-northamerican-idea-user-conference>.

Deloitte. "Audit Command Language Program." n/a Mar. 2009. 5 July 2009

<http://www.deloitte.com/dtt/article/0,1002,cid%253D256833,00.html>.

Ernst & Young. "Workshop Managing Risk and Business Improvement with Analytics." n/a Feb.

2009. 5 July 2009

<http://www.ey.com/Publication/vwLUAssets/Workshop_Managing_risk_and_business_i mprovement_with_analytics_20090812/

$FILE/Workshop_Managing_risk_and_business_improvement_with_analytics_2009081

2.pdf>.

Gallegos, Frederick, Sandra Senft, Daniel P Manson, and Carol Gonzales. Information technology control and audit. n/a: ISACA, 2004.

Gascoyne, Rodney J. N.. "CAATs it if you can." CA Magazine June 1992: 38-40. 5 July 2009

<ABI/INFORM>.

Heveron Jr., John F. "Technology As a Tool for Recruiting and Retaining Staff." CPA Practice

Management Forum 3.12 (2007): 12,22. ABI/INFORM. 5 July 2009.

IIA. "Opening the door: new possibilities await auditors who can tie software tools into their organization's existing systems.." IIA Aug. 2005. 5 July 2009

<http://findarticles.com/p/articles/mi_m4153/is_4_62/ai_n15890727/pg_6/?tag=content;c ol1>.

IIA. "Tools of the Trade - internal audit software survey." IIA Aug. 2001. 5 July 2009

<http://findarticles.com/p/articles/mi_m4153/is_4_58/ai_78403693/?tag=content;col1>.

ISACA. "Use of CAATs." ISACA Dec. 2008. 5 July 2009

<http://www.itgi.org/AMTemplate.cfm?Section=Standards,_Guidelines,_Procedures_for_

IS_Auditing&Template=/ContentManagement/ContentDisplay.cfm&ContentID=39261>.

Jacobson, Scott D, and Wolfe Christopher. "Auditing with Your Microcomputer." Journal of

Accountancy 169.2 (1990): 70-80. ABI/INFORM Global. 5 July 2009.

King, Susan. "Tools to Manipulate Data." CGA Magazine Jan. 2004. 5 July 2009

<http://www.cga-canada.org/en-ca/AboutCGACanada/CGAMagazine/2004/Jan-

Feb/Pages/ca_2004_01-02_dp_doubleclick.aspx>.

11

Lanza, Rich. "Comparison of Generalized Audit Software." Auditsoftware.net n/a.n/a (2009): n/a.

5 July 2009 <http://www.auditsoftware.net/documents/GeneralizedAuditSoftware.pdf>.

Lanza, Richard B. "Take my manual audit, please." Journal of Accountancy 185.6 (1998): 33-36.

ABI/INFORM Global. 5 July 2009.

Martin, Gary. "How Audit Software Can Help Improve Data Analysis & Data Mining." Mid-Atlantic

Intergovermental Audit Forum n/a.n/a (2007): n/a. 5 July 2009

<http://www.auditforum.org/speaker%20presentations/mid%20atlantic/maiaf%2006%20

2007/martin.pdf>.

Mattila, Matti. "IDEA a Generalized Audit Software in CAATs." IDEA. 5 July 2009

<http://www.saunalahti.fi/mmla/ide01.html>.

Paukowits, Frank, and Ken Paukowits. "Bridging CAATs and Risk." The Internal Auditor 57.2

(2000): 27. ABI/INFORM Global. 5 July 2009.

Rich, Lanza. "TopCAATs - Audit software for the masses." Auditsoftware.net n/a (2009). 5 July

2009 <http://www.auditsoftware.net/documents/TopCAATs.pdf>.

Rowe, Rob. "An Examination of Contextual Factors and Individual Characteristics Affecting

Technology Implementation Decisions in Auditing." UWCISA Comments n/a.n/a (2005): n/a. 5 July 2009 <http://artsms.uwaterloo.ca/accounting/UWCISAnew/symposiums/symposium_2007/Curtis%20and%20Payne%20-

%20Oct%202007.ppt>.

Sayana, S. Anantha. "Using CAATs to Support IS Audit." ISACA 1 (2003). 5 July 2009

<https://www.isaca.org/Template.cfm?Section=IT_Audit_Basics&Template=/ContentMa nagement/ContentDisplay.cfm&ContentID=15894>.

Stanley, Philip. "ACL (Audit Command Language)." Modern Office Feb. 1998. 5 July 2009

<ABI/INFORM>.

Weidenmeir, Marcia L, and Terri L Herron. "Selecting an Audit Software Package for Classroom

Use." Journal of Information Systems 18.1 (2004): 95-110. ABI/INFORM. 5 July 2009.

And all the works cited in the annotated bibliography.

12

Appendix 1

– Comparison of Features among major CAATs

Note: The best product for each feature is highlighted.

Feature

Cost

Ease of Use

5

(1 = easiest, 5 = hardest to learn)

Frequency of updates ~ every 3 years

Import capability

10

:

6

~ every 2 years

7

~ every 4 years

8

N/A since new

- Excel, Access, Y Y Y

13

(except Y

Dbase, Delimited,

Fixed-Width

Dbase)

- Mainframe format

(EBCDIC and ASCII)

- PDF

- ODBC

- accounting software

11

ACL

$2,895 per user

1

4

Y

Y

Y

IDEA

$2,750 per user

1

3

Y (as AS400 file)

Y

Y

Y

12

Excel and SQL TopCAATs

$0

5

Y

Y

2

14

15

~$380

3

1

Y

Y

14

ActiveData

~$290

4

2

~ every 2 years

Y

Y

Y

14

9

1 As of February 2004, per CGA Magazine Article “Tools to Manipulate Data”

2

Cost does not consider cost of Microsoft Excel and database implementation and maintenance based on the assumptions that Excel cost is sunk cost for firms, and database costs are sunk cost for clients.

3

4

199 British pounds, translated to CAD on July 5, 2009

5

249 USD, translated to CAD on July 5, 2009

6

Subjective rating, based on comparison done by Auditsoftware.net and assumption that the audit team does not know any SQL

7

ACL 9 was released in 2006, 3 years after the release of ACL 8. ACL 9.1 is the most current version as of July 5, 2009.

8

IDEA has been releasing a new version every 2 years since IDEA 2002. IDEA v8 is the most current version as of July 5, 2009.

9

Based on the period between Office 2003 and Office 2007

ActiveData was first released in 2005 <http://www.informationactive.com/?x=show&f=news>. A new version was released in 2007 that is compatible with Office 2007 and Windows Vista. I assume that ActiveData will release a new version more frequently than updates to Excel.

10

Based on comparison done by Auditsoftware.net

13

Feature

Processing

16

:

- Aging

- Append files

- Calculate Field

-

Benford’s Law

- Duplicates

- Extract / Filter

- Gaps Analysis

- Index / Sort

- Join / Relate

- Regression

- Sample

- Statistics

- Stratify

- Summarize

- Highlight differences

- Outlier extraction

Output:

- Export results

- Log

ACL

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

IDEA

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Excel and SQL

Y

Y

Y

Y (using SQL)

Y

Y

Y (using SQL)

Y

Y

Y (using SQL)

Y

Y (using SQL)

Y

Y

TopCAATs

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

?

ActiveData

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

Y

11

This includes QuickBooks, Simply Accounting MYOB, AccPac, etc. Ability to import these files has implications for auditors of smaller organizations.

12

13

14

Compatibility utility available for download from Caseware IDEA, per CGA Magazine Article “Tools to Manipulate Data”

Users can export Access data to Excel, per http://office.microsoft.com/en-us/access/HP010950951033.aspx.

There are 3 rd

party products that allow users to import PDF to Excel, per comparison by Auditsoftware.net.

15

Users can access data within an Excel file by specifying an ODBC Data Query connection to an Excel file using the Excel ODBC driver, per http://www.adeptscience.co.uk/products/dataanal/genstat/htmlhelp/spread/HowtoAccessExcelData.htm.

16

Technically, Excel and SQL have all these features if macros are considered. Given the technical nature of macros and time to develop them, macros are excluded for this comparison.

14

Appendix 2

– Changes to IDEA from the last two version updates

The following version updates are compiled from Caseware IDEA media releases and product brochures.

Rows with changes in 2 or more versions are highlighted.

Enhancements:

Customization

Data Analysis

Documentation

Export

GUI

Import

Capability

IDEA v6 (released in 2004)

No data

IDEA v7 (2006)

Completely redesigned

IDEAScript

Enhancements to Pivot Table

- more functions to view results

History is better organized

Separate tabs for each file

More space to view data, as

File Explorer and Database

Properties windows now can be hidden and triggered by pointer

Improved drill-down

Bad data handling

Complex file assistance

IDEA v8 (2008)

Report name now based on

Result name

Include field names as first row when exporting to Text

Delimited or Fixed Length

Ability to save selected records only

Allow users to Sort data

Improved readability – can now assign an alternating row color

Field selection toolbar

– useful for databases containing more fields than can be displayed

Display Criteria history

Drag and Drop

Rerun now supported

IDEA Server imports now

15

Licensing

Sampling

Software updates

New

Functionality:

Customization

Data analysis

IDEA v6 (released in 2004)

full text searching across multiple fields

IDEA v7 (2006) IDEA v8 (2008) include ODBC and Excel

Report Reader: 4GB limit removed

Create or modify a record definition without having to open a data file

Network and standalone licensing

MUS now allow use of % for

Tolerable Error and Expected

Error

IDEA will now automatically look for new updates; quarterly updates to improve reaction to user needs

top record extraction

insert and delete fields without doing an extraction or import

Summarization now includes stats such as average, max,

Visual Script – allow users to build own automation without any coding

Custom Functions – allow users to create and share custom functions

16

Documentation

IDEA v6 (released in 2004)

field statistics and charting

IDEA v7 (2006) min

From Field Manipulation you can add field tags to facilitate standardized tests in IDEA

Smart Analyzer

IDEA v8 (2008)

Project Overview – a graphical representation of work done on all files in a

Working Folder new “@” functions Equation editor support and functions for time data types

enhanced functionality for the

Equation Editor

Export

GUI

Import

Capability

Sampling new “@” functions

(LastDayofMonth,

StripAccent, etc.)

Action Fields to allow drill down across multiple files

XML import

importing a print file

Classical Variables Sampling

Support for export of Results to custom document formats

(Excel, Caseware Working

Papers)

Group records by key

Text wrapping for character fields

New conclusion window

all invalid field data will be marked “Error”

17

Annotated Bibliography

Author Title of Article Periodical /

Website

Vol. / No. /

Edition

Year published Pages Date accessed Location, database,

Burnett, Royce

D. and Mark

Friedman

Excel Macros to

Quicken SOX

Auditing

The Journal of

Corporate

Accounting &

Finance

Vol. 16, Iss. 5 Jul/Aug 2005 p. 47 – 58 May 30, 2009 website, link

ABI Inform

Annotation

The authors suggested the introduction of Excel-based macros to:

- randomly select a sample from the population;

- employ a set of attributes to identify if a transaction is in compliance;

- automatically place compliant transactions in a compliant file (spreadsheet) and generate relevant mathematical relationships about the compliant subsample;

- automatically place non-complaint transactions in a non-compliant file and generate mathematical relationships about the subsample;

- automatically separate the non-compliant transactions based on attribute parameters

Specific examples given include:

- control test of depreciation;

- selection and testing of Accounts Payable;

The majority of the article provides step-by-step instructions for setting up macros for the purposes mentioned above.

18

Author Title of Article Periodical /

Website

Vol. / No. /

Edition

Year published Pages Date accessed Location, database,

Debreceny,

Roger et al.

Employing generalized audit software in the financial services sector – Challenges and opportunities

Managerial

Auditing Journal

Vol. 20, Iss. 6 2005 p. 605 – 618 May 30, 2009 website, link

ABI Inform

Annotation

The study establishes the nature and extent of use of GAS by bank internal and external auditors. Limitations of GAS includes: a) potentially costly, with licensing fees and maintenance contracts, b) too technical and complex for non-IT auditors, evening if training is provided (note that this study was conducted prior to 2005), c) auditors feel more comfortable manually reviewing records, and d) clients are worried that their systems and data might be compromised.

The study is conducted with 2 large local and 1 international commercial banks in Singapore (Bank A, B, and C respectively).

Internal auditors:

- Bank A and C do use GAS for substantive tests. They use ACL, for 1) sampling, and 2) identify reactivation of dormant accounts;

- Banks often have in-house customized banking systems whose capabilities are similar to those of GAS. GAS, with more advance analytical capabilities, are used primarily for special investigations rather than a foundation for their regular annual work;

External auditors:

- as external auditors are more concerned with testing internal controls, they generally do not use GAS, except when there are there are significant changes (e.g. rollout of a new system by the bank, or an accrual or interest rate computation error is detected);

- GAS is mostly used for ad hoc testing and fraud detection, rather than substantive testing.

- Creating GAS queries require auditors to select correct samples and create their own queries, which are time-consuming. It is easier for the IT department to extract the data into Excel for auditors.

The study also highlights suggested improvements of GAS. Lastly, examples of GAS in the study include ACL, IDEA, and Panaudit Plus.

19

Author Title of Article Periodical /

Website

Vol. / No. /

Edition

Year published Pages Date accessed Location, database,

Lungu, Ion and

Teodora

Vătuiu

Computer Assisted

Audit Techniques

Annals of the

University of

Petroşani,

Economics

Vol. 7 2007 Pg. 217 – 224 May 30, 2009 website, link

Google

Annotation

CAATs can be defined as “tools that have…as a purpose the improvement of the efficiency and efficacy of the audit process.” With the increasing use of ERP systems and the large volume of transactions processed by them, CAATs are replacing manual, classic audit techniques. The usage of CAATs must be planned and used only if it adds value to the audit or if manual procedures prove to be useless or less efficient. Five CAAT used in international audit offices include:

1.

ACL, which is unanimously accepted as leader due to flexibility, simple usage and trust that it offers. It allows auditors to connect their laptops to the client’s system and download necessary data.

2.

IDEA

3.

Pentana is a “management integrated system of risks and audit, which allows the user to develop a variety of activities, assisting him in the important steps of its mission.” The unique aspect about Pentana is that rather than detailed analysis of data, it emphasizes documentation of every step of the audit. At the

Planning

step, Pentana offers a global evaluation of the entity’s risks and the planning of the audit work. At this step, users are allowed to evaluate specific risks and the corresponding controls. Every risk is associated with a score consisting of a) the probability of risk accomplishment and b) associated impact. Results from the

Execution

step will lead to an audit report in which the necessary recommendations are stressed.

4.

AutoAudit is similar to Pentana. It documents the entire audit process as well as facilitates an analysis of the client’s data.

5.

ProAudit Advisor is another similar software to Pentana. It facilitates the determination of the audit approach and risk and control evaluation.

Therefore, there are two types of CAATs: one type that focuses on data analysis (i.e. ACL and IDEA), and another type that maintains a historic for each audit stage, and facilitates the identification and evaluation of risks at an organization’s level.

20

Author Title of Article Periodical /

Website

Vol. / No. /

Edition

Year published Pages Date accessed Location, database, website, link

Pennington,

Robin R. et al

The Effects of

Qualitative

Overload on

Technology

Acceptance

Journal of

Information

Systems

Vol. 20, No. 2 Fall 2006 Pg. 25 – 36 May 30, 2009 ABI Inform

Annotation

Qualitative overload refers to pressure felt by workers when there is a perception that the task at hand is too complex and that adequate training has not been provided. The study was conducted with graduate accounting students, who were required to complete a class assignment using ACL. The study showed that the lower the perceived ease of use, the more qualitative overload the students felt. It also found that the more qualitative overload students feel, the lower their intention to use an information system will be.

Negative effects of qualitative overload range from job dissatisfaction and unwillingness to be innovative with technology to turnover intentions. Qualitative overload can be reduced with training or changes in assignments or hiring practices.

Author Title of Article Periodical / Vol. / No. / Year published Pages Date accessed Location,

Website Edition database,

Winters, Bruce

I.

Choose the Right

Tools for Internal

Control Reporting

Journal of

Accountancy

Vol. 199, No. 3 Mar 2005 Pg. 10 May 30, 2009 website, link

ABI Inform

Annotation

One type of tool that can help companies monitor internal control compliance is “data mining, file retrieval, pattern recognition, and business intelligence tools.”

Some of the considerations of CPAs when deciding which software offering to buy include:

- the vendor’s viability as a going concern;

- the vendor’s support plans and their cost;

- the product’s ongoing compatibility with the company’s O/S and its scalability;

- whether customization of the product is available or required;

- the level of training the vendor provides; and

- the extent of integration with other tools;

21

Author Title of Article Periodical /

Website

Vol. / No. /

Edition

Year published Pages Date accessed Location, database,

Zhao, Ning et al.

Auditing in the ecommerce era

Information

Management &

Computer

Security

Vol. 12, No. 5 2004 Pg. 389 – 400 May 30, 2009 website, link

ABI Inform

Annotation

CAATs are required in order to implement continuous auditing. Tools described are: embedded audit modules

– perform audit procedures while an application is running. They are ideal for “high-volume, online, real-time systems where the timeliness, completeness, accuracy, and validity of transactions are essential.” exception reporting

– extraction of data from the audit file to another file using criteria specified by the auditor; transaction tagging

– allows auditors to follow a transaction through the system step by step until the problem is identified. Certain transactions are tagged with a special identifier so that they can be recorded as they pass through the information system.

Two popular software provide some of the above CAATs are:

ACL

: It offers a tool, namely ACL for MVS, which allows auditors to extract information from mainframe data files. ACL for Windows can then be used for processing and analyzing the extract.

IDEA

: A tool developed by the CICA to help users sample and analyze data. There is no mention of embedded audit modules capability.

22

Author Title of Article Periodical /

Website

Vol. / No. /

Edition

Year published Pages Date accessed Location, database,

Blakley, Mike SQL as an Audit

Tool

The EDP Audit,

Controls, and

Security

Newsletter

Vol. XXXVII,

No. 6

June 2008 1-16 May 30, 2009 website, link

ABI Inform

Annotation:

Knowledge of SQL will allow auditors to obtain data directly from the client system and perform their audit tests independently. The cost and time required to teach auditors SQL is reduced by the fact that “20% of the SQL statements and syntax can provide 80% of all commonly needed audit functionality.” There are at least four major advantages of SQL:

1. The auditor specifies what

info is needed, rather than how

the info is to be obtained.

2. Many of the audit needs for info such as subtotals and use of selection criteria are already built into SQL.

3. Since SQL is a universal language, SQL commands can be used across different audits.

4. Auditor can interrogate the system directly, crafting simple queries to suit a number of audit tests.

Auditors need to assess whether risks outweigh the potential benefit.

There are four major audit areas where SQL can provide significant support:

1. Data classification: population statistics, frequency distributions, outliers, trend identification

2. Data extraction: based on selection criteria, “drill-down” capabilities

3. Sampling: random sampling, interval sampling, stratified sampling

4. Audit tests: fuzzy matching, recalculations, Benford’s Law, Day of week testing, Top/bottom 10, Round number testing

23

Author Title of Article Periodical /

Website

Vol. / No. /

Edition

Year published Pages Date accessed Location, database,

Chennai IT edge to auditing Businessline N/A 4 Sep. 2006 Pg. 1 May 30, 2009 website, link

ABI Inform

Annotation:

The article describes a CAAT developed by Astral Consulting to aid in performing Internal Audit services to clients. The CAAT allows the auditors to access client’s data independent of the system, tests the reliability of the software and perform audit checks more efficiently. It also helps the auditors analyze and interpret the data.

More specifically, CAAT is used in tests of details of transactions and balances, “for identifying inconsistencies or significant fluctuation tests of general controls,” and recalculation.

Auditors should set the objective of CAAT procedures, determine the integrity and accessibility of the entity’s files, identify specific files or databases to be examined, define output requirements, ensure that the use of the tool is properly controlled and refine estimates of costs and benefits.

The article also describes the software. It uses VC++ with Microsoft SQL Desktop Engine as the backend database. Data to be analyzed is imported into this database. Source data is accessed in read-only mode to preserve its integrity. The firm also implements hardware lock to keep away unauthorized persons from using this tool.

Author Title of Article Periodical / Vol. / No. / Year published Pages Date accessed Location,

Website Edition database,

Stimpson, Jeff Audit Tools Adapt to Changes

The Practical

Accountant

Vol. 40, No. 8 Aug. 2007 40 – 42 May 30, 2009 website, link

ABI Inform

Annotation

Accounting firms are implementing CAATs to increase efficiency and extent of coverage in data analysis. Roger Hodskins, VP of alliances and marketing at

Lumigent (a software vendor), expects the following changes with audit tools in general:

- Instead of focusing on only one component of the audit process (e.g. data analysis), new service offerings will take care of multiple components.

- With internal controls testing being more important post-SOX, more time will be spent on verifying the controls rather than on solving technical issues related to data gathering.

The article also talks about different audit tools and how they have tried to address new needs. However, IDEA is the only CAAT software discussed:

-

Smart Analyzer

: a collection of data analysis tests on major financial statement items, providing firms with a standardized approach to all audits;

- 3 tests to help auditors in their compliance with SAS 99 –

Consideration of Fraud in a Financial Statement Audit

. The 3 methods are:

-

Correlation

: measure the degree of association between revenue and related accounts such as raw materials usage, sales commissions, and other.

-

Trend Analysis

: create forecasts based on past data, for comparison with current period actual.

-

Time Series

: also designed for preparing forecasts, taking into account trends and seasonal fluctuations in past data.

24

Author Title of Article Periodical /

Website

Vol. / No. /

Edition

Year published Pages Date accessed Location, database,

Qiu, Robin et al.

Study on database technologies used in computer-aided audit

Application

Research of

Computers

Vol. 25, No. 6 June 2008 Not provided May 30, 2009

Annotation

(Note that the article is in Simplified Chinese. I found the article to be interesting, but had to guess a large number of words.)

3 ways that practitioners extract data are:

1) Some database has native exporting capabilities.

2) MS Access and MS SQL Server have more advance exporting capabilities.

3) Through ODBC connection

Author Title of Article Periodical / Vol. / No. / Year published Pages website, link

Google

Date accessed Location,

Website Edition database,

Bulter, Ray Introducing

Computer-

Assisted Audit

Techniques www.isaca.ee

N/A N/A http://www.isaca.ee/706 May 30, 2009 website, link

Google

Annotation

Generalized Audit Software (GAS) mostly works on copy data and is used for data analysis as well as testing. With GAS, auditors can test completeness, accuracy, authorization, and can perform compliance as well as substantive tests. GAS also allows auditors to sample transaction data for testing or analysis.

Latest developments that have an impact on GAS are:

- Continuous audit tools can help log unusual activities or exceptions. Examples are ACL, Ernst & Young CARS, and Audicon Tool.

- XML / XBRL can be a data source.

- Web logs can be a data source.

Auditors can consider using CAATs to test controls, or analyze a possible weakness. To be successful with CAATs, questions auditors should ask are:

- What are you trying to achieve?

- What tool is best?

- Regarding the data:

- Do you understand the data? Have you got everything? What’s between you and the real data? Reconcile. Summarize on important fields. Do you need supporting tables?

Examples of GAS include ACL, IDEA, Filetab, and Panaudit. Other CAAT tools include ODBC links & MS Query and report files (Monarh / DataImport).

25

Author Title of

Article

Periodical /

Website

Vol. /

No. /

Year published

Pages Date accessed

Location, database,

Edition website,

Head,

Kate

Adapting your audit philosophy to COSO utilizing

CAATS tampabayiia.org

N/A 2002 http://tampabayiia.org/Worddocs/COSO_and_ACL_302.doc

May 30,

2009 link

Google

Annotation

CAATs help facilitate a shift to COSO. Using CAATs has forced auditors to spend more time understanding the information system to be reviewed. CAATs can also help in the following ways:

- Monitoring reports generated by monitoring systems can be analyzed in more detail using CAATs.

- Data mining activities used in CAATS allow for a more comprehensive assessment of risk.

Tools like ACL are powerful because they can test 100% of transactions in high risk areas. In an example provided, the auditors used ACL to extract unusual activity as well as calls made by terminated employees, and in turn were able to recalculate the phone bills and ensure management that the system was rating and billing calls properly.

Author Title of Periodical / Website Vol. / No. Year Pages Date Location,

Article / Edition published accessed database, website,

KPMG

Advisory

KPMG’s

2009 IT

Internal

Audit

Survey –

The status of IT Audit in Europe, the Middle

East and

Africa http://www.kpmg.eu/SucceedingInTurbulentTimes/6915.htm

N/A 2009 N/A May 30,

2009 link

ABI Inform

Annotation

Tools used for audit tests include data analysis and sampling, information security, dashboard monitoring, and specific tools for ERPs. While data analysis tools are the most commonly used tool, 33% of the organizations surveyed do not actually use data analysis or sampling tools. Data analysis tools used, from most commonly used to least, are: 1) Excel, 2) ACL, 3) Access, 4) SQL, 5) Other, 6) IDEA, 7) SAS, and 8) Easytrieve.

26

Author Title of Article Periodical /

Website

Vol. / No. /

Edition

Year published Pages Date accessed Location, database,

Mayberry,

Mark D.

CAATTS Ideal for

Efficient Audits infotech.aicpa.org N/A 2008 N/A May 30, 2009 website, link

Google

Annotation

CAAT can help with the Planning and Execution phase of audits:

Planning:

- Auditors can consider using CAATs for procedures that include certain terms, such as analyze, re-compute, calculate, sample, age, scan and compare. Then auditors can determine which of these procedures are time-consuming and focus on those they can perform in a different way.

- After auditors identify which procedures you can use CAATs for, auditors must identify which data files they need and how to obtain them from the accounting or IT group. Common export file types are comma or tab delimited ASCII, dBase, Excel, Access, PDF and XML.

Execution:

- Auditors can perform generic CAAT procedures such as scanning for duplicate entries, extracting entries posted on unusual dates, etc.

- Two common usage of CAAT routines are journal entries review and accounts receivable.

27

Author Title of

Article

Periodical / Website Vol. /

No. /

Editio n

Year publishe d

Page s

Mayberr y, Mark

D.

Computer

Assisted

Auditing

Tools and

Techniqu es http://infotech.aicpa.org/Events/February+2008+Top+Technology+Initiatives+Info cast.htm

N/A 2008 N/A May

30,

2009

Annotation

According to Mark Mayberry, National Director of Assurance Automation for BDO, internal and external audit teams can leverage CAATTs to:

- increase audit coverage;

- enhance management and planning of the audit function;

- focus on risk areas;

- increase cost-effectiveness;

- improve audit credibility;

- improve integration of IT and Financial audit skills;

- encourage auditor independence from IT & Finance

Date accesse d

Locatio n, databas e, website, link

Google

28

Author Title of

Article

Periodical / Website Vol. / No. /

Edition

Year published

Pages Date accessed

Location, database,

Texas ACL

User Group

ACL vs.

IDEA http://texasacl.financial.officelive.com/IDEA.aspx N/A N/A N/A May 30,

2009 website, link

Google

Annotation

Advantages of ACL over IDEA:

- If auditors want to copy the scripts of a test for reuse on a different audit, ACL’s code would be easier to read, as IDEA is based off Visual Basic.

- ACL “allows the user to SET LOG or SET SESSION to create specific working papers that capture only specific periods of execution.” This leads to more concise work papers.

- IDEA creates a new file with every command while ACL create virtual tables. The negative part of creating a new file is storage space and processing speed.

- ACL has a bigger online support community.

- ACL is used by more companies.

- ACL has numerous user groups meeting on a monthly basis while IDEA is working on establishing user groups that meet yearly.

Advantages of IDEA over ACL:

- When loading a file, IDEA automatically performs a statistics command on key fields.

- IDEA’s Import to Print functionality has some key advantages. IDEA allows you to save how you interpret files so that you can reuse it in reading another file.

IDEA also imports PDF files better.

- IDEA’s ability to APPEND databases is better.

- IDEA’s navigator display parent-child relationship of databases better.

- IDEA's JOIN function has a visual representation explaining what the results are when dealing with PRIMARY/SECONDARY tables matching or not matching.

- IDEA's GUI also allows for multiple data extracts at one time.

- It is easier to do testing directly in IDEA, as users can create editable fields to add comments to the IDEA file directly. IDEA also has a "tickmark" editable field.

29

Download