Online Audit (India)


Online Auditing

IT Audit Seminar organized by National Audit Office, China

1 to 4 September 2004

Paper on “On line Auditing”

By Ms. Puja S. Mandol and Ms. Monica Verma

Supreme Audit Institution of India

Introduction

The proliferation of corporate-wide networks is enabling progressive integration of worldwide manufacturing, inventory keeping, and financial management. In turn, these developments have substantially reduced the incremental costs and complexity of consolidated reporting and its disclosure to related parties.

Widespread availability of computer networking makes it possible to dramatically increase the frequency of periodic audits by redesigning the auditing architecture around online auditing.

Online Audit

Online audit is a technique used to collect audit evidence at the same time as an application system processes data, or immediately after the processing is completed, in a paperless environment. It is a type of continuous auditing, which produces audit results at the same time as, or within a short period after, the event has taken place. It is more cost effective and less time consuming.

Online audit has different imperatives for internal and external auditors. For internal auditors it means an audit that is undertaken as an integral part of the information system: at every stage the controls and checks are exercised, and the outcomes are arrived at after the processing is authenticated and checked by the internal auditors.

On the other hand, external auditors take up the audit exercise immediately after the processing is complete. External audit is slightly behind online audit, but nonetheless instantaneous, as it is taken up immediately after the processing is over. A continuous audit by an external auditor is feasible if it is implemented as a fully automated process with instant access to relevant events and their outcomes. The only known way to satisfy these requirements is to implement continuous auditing on a network-based online computer system. An online system refers to a system that provides a permanent connection to the network to both the organization and the auditors.

Factors encouraging the growth of online audit

Various factors have motivated the use of online audit. First, with paper-based transactions and audit trails fast disappearing, online auditing provides an alternative and fairly reliable method to capture evidence. Second, errors or irregularities in advanced computer systems spread quickly and jeopardize various system resources; real-time online audit can minimize the losses arising from such events. Third, these techniques provide a means of tracing transactions as they follow execution paths in an application system, since performing transaction walkthroughs in advanced computer systems is often very difficult. Finally, it is difficult for auditors to gather evidence from remote locations in the case of outsourced or widely distributed information systems, and these techniques provide an easy means to collect audit evidence under such circumstances.

The feasibility and success of online auditing depend on the available technology options and their cost effectiveness. The Internet and Internet-based secure networking techniques have facilitated the growth of online audit.

Legal and Regulatory requirements of Online Audit

Various national and international bodies have enacted legislation with respect to transactions undertaken in an online environment. These legal frameworks therefore guide online auditing as well. The principal issue is that secure gateways and systems should be deployed that allow only the auditor to authenticate and log on to the auditee’s system. At the same time, the auditor has to abide by a standard code of conduct to maintain the confidentiality and integrity of the information system, because electronic data is vulnerable to easy and fast replication. Some of the legal and regulatory aspects of online systems and transactions are described below:

In 1996, the United Nations Commission on International Trade Law (UNCITRAL) adopted the Model Law on Electronic Commerce. The Model Law governs the use of modern means of communication and storage of information, such as electronic data interchange (EDI), electronic mail and telecopy, with or without the use of paper-based concepts such as “writing”, “signature” or “original”. By providing standards by which the legal value of electronic messages can be assessed, the Model Law plays a significant role in enhancing the use of paperless communication.

The General Assembly of the United Nations adopted the Model Law on Electronic Commerce, earlier adopted by UNCITRAL, by a resolution during 1997.

This resolution recommended inter alia that all States should give favorable consideration to the said Model Law when they enact or revise their laws. Such a recommendation was necessary to have uniformity of the law applicable to paperless methods of communication and storage of information.

In India paperless (online) transactions are governed by the IT Act 2000. It provides legal recognition to transactions carried out by means of electronic data interchange and other means of electronic communication, and facilitates electronic filing of documents with Government agencies. This legislation governs the following:

Legal recognition of electronic records

Authentication of an electronic record by affixing digital signature and legal recognition of digital signature

Security of electronic record and digital signature

Uniqueness of the private key and the public key to the subscriber

Responsibilities of a Certifying Authority and the subscriber and each party in a transaction.

Penalty for damage to computer, computer system, etc., tampering with computer source documents, hacking with computer system and for breach of confidentiality and privacy.

As an allied exercise, acts related to “Evidence” and “Banking” were suitably amended to record legal recognition of online transactions.

Amendments to the Indian Evidence Act, 1872, wherein in the definition of "Evidence", for the words "all documents produced for the inspection of the Court", the words "all documents including electronic records produced for the inspection of the Court" shall be substituted.

Amendment to the Reserve Bank of India Act, 1934 with reference to electronic fund transfer.

Where transactions are trans-national in nature, international bodies have codified standard practices and carried out periodic surveys. For example, since 1996 the Bureau of International Settlements (BIS), in cooperation with the Committee on Payment and Settlement Systems (CPSS), has been regularly surveying electronic money transfers around the globe with the help of central banks worldwide and publishing survey reports to tackle newly emerging issues.

The framework laid down by national governments for regulating online transactions also governs online audit. Thus, the methods and procedures of online auditing may be subject to monitoring by regulatory agencies.

Data Collection Techniques in Online Audit

Advanced and complex Information Systems (IS) are fast replacing traditional paper-based information systems. Large volumes of data are spread over various files, and the data views specific to individual users depend on multiple source files. With computer systems and their scope multiplying every day, large amounts of data have to be collected by auditors for analysis and review in order to make meaningful recommendations. What makes the job of an auditor complex and challenging is that it has to be performed without disturbing the structure of the information system or the database.

A number of tools and techniques are available for extraction of data from computerized information systems, such as generalized software, application-related software, customized audit software such as IDEA and ACL, information retrieval software, utilities, on-line queries and conventional programming languages.

Online auditing systems need elaborate data capture mechanisms, and these mechanisms have to be customized for individual IT systems. System-specific software has to be designed that allows generation of the records/reports needed to support analysis in online audit. The following five techniques can be used for data collection/extraction in online audit:

1. Integrated Test Facility (ITF)

2. Snapshot/Extended Record

3. System Control Audit Review File (SCARF)

4. Continuous and Intermittent Simulation (CIS)

5. On-Line Inquiry

1. Integrated Test Facility (ITF) – This technique involves establishing a dummy entity on an application system’s files and processing audit test data against this dummy entity as a means of verifying processing authenticity, accuracy and completeness. For example, in a payroll system a fictitious person might be added to the database; if the application is an Electronic Data Interchange (EDI) system, the auditor may set up dummy entities in cooperation with the auditors of the other organizations. Auditors would then use test data to update the fictitious entity. This test data would be included in the normal production data used as input to the application system.

There are two ways in which test data can be posted against an ITF dummy entity. The first involves tagging transactions submitted as production input to the application system to be tested. The application system must be programmed to treat the tagged transactions in a special way and invoke two updates, one for the designated application system master file record and one for the ITF dummy entity.

The second method involves designing new test transactions and entering them with the production input to the application system. The auditors can then create the test data and insert the dummy entity’s unique identifier in the key field of the data to denote that it is an ITF transaction. The test data in this case is likely to achieve more complete coverage of the execution paths in the application system to be tested than selected production data would.

The presence of ITF transactions affects the results of an application system. Thus it is necessary to remove the effects of ITF transactions. This can be done in three ways:

The application system is modified to recognize the transactions and ignore them for the purpose of processing,

Additional inputs are given in order to reverse the effect of the ITF transactions, and

Trivial entries are submitted so that the effects of ITF transactions are minimal.
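As an added illustration that is not part of the paper, the following Python sketch shows both ways of posting test data against an ITF dummy entity in a toy payroll master file (a tagged production transaction, and a transaction whose key field carries the dummy entity's id), together with the first of the three removal methods: the application recognises the dummy key and excludes it from production totals. The pay rule, the employee ids and the dummy key ITF-0001 are constructed for the example; the auditor's expected result is supplied independently rather than computed by the application.

```python
"""Integrated Test Facility (ITF) on a toy payroll master file.

Added example, not from the paper. The pay rule, the employee ids and the
dummy entity key are constructed for the illustration.
"""
from dataclasses import dataclass, field

ITF_EMPLOYEE_ID = "ITF-0001"   # hypothetical dummy entity key chosen by the auditor


def compute_gross(hours, rate):
    """Constructed pay rule: time-and-a-half beyond 40 hours."""
    overtime = max(0, hours - 40)
    return min(hours, 40) * rate + overtime * rate * 1.5


@dataclass
class PayrollMaster:
    """Minimal payroll master file: employee id -> year-to-date gross pay."""
    ytd_gross: dict = field(default_factory=dict)

    def post(self, txn):
        """Production update.

        Method 1: a production transaction tagged by the auditor updates its
        own master record AND the ITF dummy entity.
        Method 2: an ordinary transaction whose key field already holds the
        dummy entity's id updates the dummy entity like any other record.
        """
        gross = compute_gross(txn["hours"], txn["rate"])
        self._add(txn["employee_id"], gross)
        if txn.get("itf_tag"):
            self._add(ITF_EMPLOYEE_ID, gross)
        return gross

    def _add(self, emp, amount):
        self.ytd_gross[emp] = self.ytd_gross.get(emp, 0.0) + amount


def production_totals(master):
    """Reporting total with ITF effects removed: the application recognises
    the dummy key and ignores it (first removal method in the paper)."""
    return sum(v for k, v in master.ytd_gross.items() if k != ITF_EMPLOYEE_ID)


def run_itf_test(master, txns, expected_itf_pay):
    """Post the mixed production/ITF input, then compare the dummy entity's
    balance with the auditor's pre-computed expectation. Returns findings."""
    for t in txns:
        master.post(t)
    actual = master.ytd_gross.get(ITF_EMPLOYEE_ID, 0.0)
    findings = []
    if abs(actual - expected_itf_pay) > 0.005:
        findings.append(
            f"ITF mismatch: expected {expected_itf_pay:.2f}, got {actual:.2f}")
    return findings


# Constructed input: two production transactions (one tagged) and one
# transaction keyed directly on the dummy entity.
SAMPLE_TXNS = [
    {"employee_id": "E1", "hours": 40, "rate": 20.0},
    {"employee_id": "E2", "hours": 38, "rate": 15.0, "itf_tag": True},
    {"employee_id": ITF_EMPLOYEE_ID, "hours": 45, "rate": 10.0},
]
# Auditor's manual expectation: 570.00 (tagged E2) + 475.00 (45 h at 10.0) = 1045.00
EXPECTED_ITF_PAY = 1045.0

if __name__ == "__main__":
    m = PayrollMaster()
    print(run_itf_test(m, SAMPLE_TXNS, EXPECTED_ITF_PAY))
    print("production total without ITF:", production_totals(m))
```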

2. Snapshot/Extended Record – This technique involves having software take pictures of transactions as they flow through an application system. Auditors embed the software at those points where they deem material processing occurs.

To validate processing at the various snapshot points, both before-images and after-images of the transactions are captured. Auditors can assess the authenticity, accuracy and completeness of the processing carried out on a transaction by scrutinizing the before-image, the after-image and the transformation that occurred to the transaction. However, the auditor has to decide on the location of the snapshot points, the time of capturing snapshots and the reporting of the snapshot data captured.

An extended record collects all the snapshot data related to a transaction in one place, thereby facilitating audit evaluation work.

3. System Control Audit Review File (SCARF) – This is one of the most complex online auditing techniques. It involves embedding audit software modules within the host application system to provide continuous monitoring of the system’s transactions. These audit modules are placed at predetermined points to gather information about transactions the auditors deem to be material. The information collected is written onto a special audit file, the SCARF master file, which the auditors examine for audit purposes. The two important decisions the auditor needs to take while using this technique are what information is to be collected and the reporting system to be used.

4. Continuous and Intermittent Simulation (CIS) – This is a variation of the SCARF method, which can be used when the application system uses a database management system. This method uses the database management system to trap exceptions that are of interest to the auditors. First, a transaction is selected on the basis of sampling or its unusual characteristics. The database management system provides CIS with all the data required by the application system to process the selected transaction. CIS then processes the transaction by replicating the application system’s processing by way of parallel simulation. Every update to the database that arises from processing the selected transaction is checked by CIS to determine whether discrepancies exist between the results produced by the two methods. Exceptions identified are then written to a log file, as in SCARF. Here also a reporting system to report exceptions in a meaningful way is necessary.

5. On-Line Inquiry – On-line inquiry consists of interactive procedures that allow viewing selected data from an application system or a database management system. In addition, programming languages such as COBOL, Oracle and SQL can be used for information retrieval and analysis, particularly for more complex queries.
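As an added example that is not part of the paper, the following Python sketch combines the snapshot, SCARF and CIS techniques described above on a toy funds-transfer application: an audit module embedded at the update point captures before- and after-images of selected transactions (snapshot/extended record), re-performs the update independently (CIS parallel simulation), and writes any discrepancy to a SCARF-style exception file with a simple reporting routine. The ledger, the fee rule, the selection rule and the defect the application contains are all constructed for the illustration.

```python
"""Snapshot, SCARF and CIS over a toy funds-transfer application.

Added example, not from the paper. The ledger, the 0.5 % fee rule, the
materiality threshold and the application defect are all constructed.
"""
import copy
import json

FEE_RATE = 0.005                  # constructed transfer fee rule
MATERIALITY_THRESHOLD = 5000.0    # auditor's selection rule for "unusual" amounts


def apply_transfer(accounts, txn):
    """Production logic. Constructed defect: the fee is skipped for amounts above 10000."""
    amt = txn["amount"]
    fee = 0.0 if amt > 10000 else round(amt * FEE_RATE, 2)
    accounts[txn["from"]] -= amt + fee
    accounts[txn["to"]] += amt
    accounts["FEE_INCOME"] += fee


def simulate_transfer(accounts_before, txn):
    """CIS parallel simulation: the auditor's independent restatement of the rule."""
    expected = copy.deepcopy(accounts_before)
    amt = txn["amount"]
    fee = round(amt * FEE_RATE, 2)
    expected[txn["from"]] -= amt + fee
    expected[txn["to"]] += amt
    expected["FEE_INCOME"] += fee
    return expected


class AuditModule:
    """Embedded audit module: snapshot capture plus a SCARF-style exception file."""

    def __init__(self, sample_every=3):
        self.sample_every = sample_every
        self.snapshots = []     # extended records: all images for one txn kept together
        self.scarf_file = []    # exception records, one per discrepant transaction
        self._seen = 0

    def selected(self, txn):
        """Select by systematic sampling or by unusual (material) amount."""
        self._seen += 1
        return (self._seen % self.sample_every == 0
                or txn["amount"] >= MATERIALITY_THRESHOLD)

    def process(self, accounts, txn):
        if not self.selected(txn):
            apply_transfer(accounts, txn)
            return
        before = copy.deepcopy(accounts)          # before-image
        apply_transfer(accounts, txn)             # the real production update
        after = copy.deepcopy(accounts)           # after-image
        expected = simulate_transfer(before, txn)
        self.snapshots.append({"txn": txn, "before": before, "after": after})
        diffs = {k: (after[k], expected[k]) for k in expected
                 if round(after[k] - expected[k], 2) != 0}
        if diffs:
            self.scarf_file.append({"txn_id": txn["id"], "discrepancies": diffs})


def scarf_report(module):
    """Reporting system: one JSON line per exception for auditor review."""
    return "\n".join(json.dumps(rec, sort_keys=True) for rec in module.scarf_file)


def run_demo():
    """Constructed ledger and transactions; T4 triggers the application defect."""
    accounts = {"A": 50000.0, "B": 1000.0, "FEE_INCOME": 0.0}
    txns = [
        {"id": "T1", "from": "A", "to": "B", "amount": 100.0},
        {"id": "T2", "from": "A", "to": "B", "amount": 250.0},
        {"id": "T3", "from": "A", "to": "B", "amount": 400.0},
        {"id": "T4", "from": "A", "to": "B", "amount": 12000.0},
    ]
    module = AuditModule()
    for t in txns:
        module.process(accounts, t)
    return module


if __name__ == "__main__":
    print(scarf_report(run_demo()))
```

Only T3 (third in sequence) and T4 (material amount) are snapshotted; the simulation agrees on T3 and flags T4 because the production code dropped the 60.00 fee.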

Integrity and Security of data transmission in Online Audit

During online audit, the exposure of the information system to a third party poses additional risks to the security of the system. For auditors the subject assumes importance because they work on classified information and confidential data of client organizations. The work becomes more complex when the auditor deploys his own audit module, which runs on the system whose data and transactions are being audited.

These security issues can be addressed in part by emerging technologies like virtual private networks. The security arrangements for audit performed by internal auditors would mainly include well-defined access controls, besides firewalls, packet filters, etc., when they are in a remote location. When an independent external auditor carries out the review, security arrangements are implemented over dedicated private leased lines, an extranet or a virtual private network. Sophisticated protocols utilizing both modern public key cryptography and traditional private key cryptography are used for this purpose.

The network systems include the various communication network elements and protocols deployed to carry data and information between the various users and sites of the information system. While conducting an online audit, an auditor has to ensure that controls are in place to keep the Confidentiality, Integrity and Availability (CIA) of the data and information being processed and produced by the application software intact. In order to ensure that the CIA triad is preserved, the auditor shall ensure that:

Confidentiality

i. He is aware of a clear description of the security attributes of the network services and protocols used by the organization.

ii. Routing controls exist to ensure that the information flows across the various nodes of the network are not disturbed.

iii. The network layout and architecture and its interfaces with other external networks are approved and documented by the competent authority.

iv. Whenever an auditor deploys generalized audit software, which is external to the system, he would need to ensure that a policy on Network Trust Relationships exists and that only approved and authorized networks exchange information.

v. In case the audit module is interfaced through a VPN, the auditor must ensure that the VPN clients use encrypted VPN tunnels to ensure the privacy and integrity of the data passing over the public network.

vi. Cryptographic controls are exercised in compliance with the IT Act enacted in the country, and approved and standard encryption is applied to protect the confidentiality of sensitive or critical information.

vii. In the case of remote locations, access is subject to user and node authentication, access to diagnostic ports is securely controlled, and controls exist to segregate groups of information services and users.

viii. Reports from the intrusion detection systems are analyzed and remedial actions are taken.

Integrity

ix. Firewalls are procured from standard vendors and configured as per the organizational policy.

x. The server is protected from unauthorized intrusion and malicious programs using firewall and anti-virus programs.

xi. Audit should see that a well-defined policy on the use of network services exists and that users have access to the services for which they have been authorized.

Availability

xii. Non-repudiation services are used for important communications.

xiii. Fault tolerance for data availability is identified keeping in view the criticality of the information.

xiv. Regular exercises are undertaken to make relevant personnel familiar with computer incidents and breaches in security.

xv. A sound backup policy is in place to ensure availability of data for audit review.

When an external auditor carries out his independent review he may use either the audit module of the system or dedicated audit software. In each of these situations access controls play a very important role in ensuring the security of information systems during the course of online audit. The most important issues include segregation of duties, defining the access privileges of each member of the audit team, and network logs.

Data reuse - the use of data collected in one online audit project for other audit projects

Data reuse helps in reducing the time frame and cost of future audits and also in deciding on the focus areas of audit. Data collected in the online audit of an organization can be used in audit projects of various other departments. In an Electronic Data Interchange environment the data collected from one organization can be used while auditing another. While reusing the data it should be ensured that its confidentiality and integrity are maintained and that the data reuse is done keeping in view the regulatory and legal framework of the country. Examples are the Voucher Level Computerization (VLC) Project, and the linking of information of various projects in a particular sector for audit reviews and overall analysis.

Case Study

In India, the information systems of Government departments/organizations have generally been designed as stand-alone systems. However, these systems are slowly being replaced by new ones, and the momentum towards integration of subsystems and standardization has picked up. In the Department of Customs, the Indian Customs EDI System (ICES) has computerized Custom Houses all over India. This system envisages acceptance of customs documents and exchange of information electronically in structured formats, integrating customs with other agencies such as the Reserve Bank of India, the Director General of Foreign Trade, custodians of import and export goods, and regulatory agencies involved in international trade. Within the customs house, documents move from the desk of one customs officer to another in electronic form.

Data for the clearance of customs documents is captured under ICES by the following two methods:

Establishment of service centers in each customs location, which accept documents from importers/exporters for data entry, and

Transfer of data by importers/exporters from their premises in the prescribed format using a communication link.

The project has been successfully commissioned at 23 locations in the country covering all major ports, airports, Inland Container Depots and land customs stations.

The traditional method of clearance of customs documents is gradually being replaced by electronic clearance. ICES promotes transparency by reducing arbitrariness and uncertainty in the processing of documents. The only interface between customs and trade is at the time of collection of goods.

Audit Methodology of EDI System

In the EDI system designed by the Customs department, an audit module was developed, which is used by their internal auditors. SAI India introduced the concept of concurrent audit for auditing the cases finalized by the customs authorities on a day-to-day basis. The audit module provides for viewing the requisite bills (i.e. shipping bill and bill of entry) from the database after completion of processing by customs. The system provides the facility to generate various periodic reports for use by audit for critical analysis. This enables audit to view the documents cleared by the customs authorities immediately after they are finalized in the EDI system.

Thereafter, audit can give its observations on these cases, indicating the gaps, so that the customs authorities can re-examine the case within the period of six months after which the case is barred from revaluation. This is an important step in ensuring timely scrutiny of cases by audit.

In order to encourage online audit where organizations have automated their critical functions, SAI India has issued similar instructions to various other Central and State departments to replicate this system on their online systems.

Issues for further deliberation

1. Online auditing is technologically feasible only in certain sectors and for certain limited purposes. The acceptance of online auditing would largely depend on whether the cost of auditing can be minimized to make its application cost effective.

2. The level of assurance that online auditing can provide regarding the reliability of software infrastructure, processes and data is another important factor to consider. Online audit needs to provide continuous assurance regarding the authenticity, integrity and non-reproduction of transactions and control over electronic systems, i.e.:

Security of reports over intranet/internet containing vital decision-making information.

Effectiveness of controls over databases which are accessed by multiple users.

Timely delivery and quality of services being provided, etc.

3. Automatic procedures are not as error-proof as the normal ones. Special safeguards need to be incorporated into these procedures. If an error is committed while implementing an online audit procedure, its effects are likely to be magnified by recurrence.

4. The auditee may be reluctant to accept online auditing because it can impose excessively tight supervision, which may demoralize management, who are required to exercise some discretion and initiative under certain circumstances. More frequent investigations induced by online audit may prove to be costly and time consuming.

5. Online audit is more likely to be used when it is implemented as part of the development of a new application system, and where there is a high incidence of automatically generated transactions in the application system.


Conclusion

In practice, the development of online audit has to surmount numerous technological and organizational challenges. The variety of stand-alone software systems in organizations makes it difficult for auditors to develop integrated online auditing systems. However, current developments in information systems clearly show a trend towards more standardization and better integration of related subsystems.

Online audit has a wider scope than traditional audit: it improves the quality of an audit by collecting larger samples electronically and continuously, which makes it possible for online audit to use very sophisticated alarms, triggers and analytical procedures for data analysis.

Online audit provides a viable alternative to ex post auditing and auditing around the computer. As the cost associated with developing, implementing, operating and using online auditing techniques can be high, they are more likely to be used by internal auditors than by external auditors. The development and deployment of an online auditing system is likely to require close collaboration between auditors and auditees. The external auditor has to play a significant role in the development of the auditee’s system.

Auditors are required to equip themselves with the knowledge and professional skills to undertake audit of such organizations in an online environment. They need to re-orient themselves to the changing technology and its associated new challenges.
