Pics from : http://www.pragroup.ca/Services/InformationTechnology/tabid/70/Default.aspx Computer Assisted and Audit Tools and Techniques Drs. Haryono, Ak. M.Com & Dimas M. Widiantoro, SE., S.Kom., M.Sc. Agenda • This chapter discusses data extraction tools that are used to analyze the data processed by an application rather than the application itself. • By analyzing data retrieved from computer files, the auditor can make inferences about the presence and functionality of controls in the application that processed the data. List of Agenda • • • • • Definition Data structures EAM GAS ACL Software Definition • What is CAAT? • Computer Assisted Auditing Techniques Techniques and computer programs that are developed to audit electronic data. • Computer Assisted Audit Techniques, with respect to the Information technology audit process. Example of CAAT • http://www.youtube.com/watch?v=ysLyBBN9 Rj4 • http://www.youtube.com/watch?v=_8J6LLbivs The Usage CAATTs • Auditors make extensive use of CAATTs in gathering accounting data for testing application controls and in performing substantive tests. Data Extraction Software • An important use of such software is in performing substantive tests. • Most audit testing occurs in the substantivetesting phase of the audit. • These procedures are called substantive tests because they are used to substantiate dollar amounts in account balances. Substantive test? • Substantive procedures (or substantive tests) are those activities performed by the auditor to detect material misstatement or fraud at the assertion level. Substantive tests • Include, but are not limited to, the following: – Determining the correct value of inventory – Determining the accuracy of prepayments and accruals – Confirming accounts receivable with customers – Searching for unrecorded liabilities Substantive tests (Cont) • In an IT environment, the records needed to perform such tests are stored in computer files and databases. • Before substantive tests can be performed, the data need to be extracted from the host system and presented to the auditor in a usable format. Data Structures • Consist of two fundamental component – Organization • The way records are physically arranged on the secondary storage device. – Sequential – Random – Access Method • Technique used to locate records and to navigate through the database of file. File Processing Operations • Retrieve a record from the file based on its primary key • Insert a record into a file • Update a record in the file • Read a complete list of records • Find the next record in the file • Scan a file for records with common secondary keys • Delete a record from a file Sequential Structure • Sequential storage and access method Indexed Structure • Indexed Structure Weakness of Index Hashing Techniques • Hashing Techniques • A hashing structure employs an algorithm that converts the primary key of a record directly into a storage address. Hashing eliminates the need for a separate index. By calculating the address, rather than reading it from an index, records can be retrieved more quickly. Relational Database Structure, Concepts, and Terminology • Relational databases are based on the indexed sequential file structure. • Accordingly, a system is relational if it: • 1. Represents data in the form of twodimensional tables. • 2. Supports the relational algebra functions of restrict, project, and join. Data Extraction Software • Two types: – embedded audit modules (EAM) – general audit software (GAS) Relational Database Linkages Relational Dtabase Anomalies Database • This section deals with why database tables need to be normalized. In other words, why is it necessary for the organization’s database to form an elaborate network of normalized tables linked together like those illustrated in Figure below • ? Why, instead, can we not simply consolidate the views of one user (or several) into a single common table from which all data needs may be met? • 1. All non-key (data) attributes in the table are dependent on (defined by) the primary key. • 2. All non-key attributes are independent of the other non-key attributes. Embedded Audit Module • The objective of EAM is to identify important transactions while they are being processed and extract copies of them in real-time. • An EAM is a specially programmed module embedded in a host application to capture predetermined transaction types for subsequent analysis. Embedded Audit Module (Cont) • As the selected transaction is being processed by the host application, a copy of the transaction is stored in an audit file for subsequent review. • The EAM approach allows selected transactions to be captured throughout the audit period, or at any time during the period, thus significantly reducing the amount of work the auditor must do to identify significant transactions for substantive testing. Embedded Audit Module (Cont) • To begin data capturing, the auditor specifies to the EAM the parameters and materiality threshold of the transactions set to be captured. • For example, let’s assume that the auditor establishes a $50,000 materiality threshold for transactions processed by a sales order processing system. • Transactions equal to or greater than $50,000 will be copied to the audit file. • From this set of transactions, the auditor may select a subset to be used for substantive tests. Risks in using EAM • Operational efficiency: EAM may decrease operational performance because executing EAM incurs extra system overhead. • Verifying EAM integrity: When application logic is modified, corresponding EAM logic may also need to be changed. Generalized Audit Software (GAS) • Most widely used CAATT for IS auditing. • GAS allows auditors to access electronic coded data files and perform various operations on their contents. • Some of the more common uses for GAS are shown in page 274…. GAS is popular • GAS languages are easy to use and require little computer background on the part of the auditor. • Many GAS products can be used on both mainframe and PC. • Auditors can perform their tests independent of the computer service’s staff. • GAS can be used to audit the data stored in most file structures and formats. ACL software • Designed as a meta-language for auditors to access most data stored by electronic means and test them comprehensively • Many of the problems associated with accessing complex data structures have been solved by ACL’s Open Data Base Connectivity (ODBC) interface. • Definition of ODBC ODBC Illustration ODBC-compliant DBMS MS SQL Application Program Driver SQL commands Driver Oracle Driver DB 2