GENERALIZED AUDIT SOFTWARE

Transcription

1 EVIDENCE COLLECTION The auditors problem is not a shortage of evidence collection techniques to use, but it is knowing what technique or set of techniques is best to use for a given system or program. Our focus is on the nature of the tools and techniques, methodologies for using the tools and techniques, and the relative advantage and disadvantages of the tools and techniques. GENERALIZED AUDIT SOFTWARE A major tool available to the auditor for collecting evidence on the quality of an application system is generalized audit software. GAS provides a means to gain access and manipulate data maintained on computer media. MOTIVATION FOR GENERALIZED AUDIT SOFTWARE DEVELOPMENT It is a program providing powerful data retrieval, data manipulation, and reporting capabilities specifically oriented to the needs of auditors. The primary motivation for developing this software is the set of problems caused by the diversity of computerized information processing environments that confront the auditor. With resource constraints, it is often impossible to develop specific programs for every system that will extract, manipulate and report data required for audit purposes. The trade off made is on processing efficiency The other motivation is the need to provide audit capabilities to auditors relatively unskilled in the use of computers. FUNCTIONAL CAPABILITIES File Access It enables files having different record formats and file structures to be read Some packages now provide access to more complex structures such as trees and networks File reorganization it allows data to be sorted into different orders and data from different files to be merged onto one file. Sorting capabilities are necessary for e.g reporting data in a specified order or comparing data on two files. Merging capabilities are needed if data from separate files is to be combined on a separate work file. Selection it provides powerful selection capabilities for extracting data that satisfies certain tests. A query can be (PAY GT AND(OVERTIME GE 2000 OR ALLOWANCES EQ 6)) Statistical The statistical capabilities of GAS vary from primitive to sophisticated. At a basic level every nth record can be selected. Functions may exist supporting financial analysis; e.g regression and financial ratio analysis. Arithmetic It provides the full set of arithmetic operators enabling work fields to be computed, the arithmetic accuracy of the data to be checked, control totals to be produced etc. for e.g net pay calculations for a payroll file can be recomputed or files can be crossfooted.

2 Stratification and Frequency Analysis if stratification and frequency analysis capabilities are provided, frequency tables and bar charts can be produced. File Creation and Updating GAS allows work files to be created and updated thus the auditor causes minimum interference to normal application system processing. Reporting GAS can produce reports containing information useful to the auditor. These reports can be formatted in different ways AUDIT TASKS THAT CAN BE ACCOMPLISHED The functional capabilities of GAS can be combined in different ways to accomplish several audit tasks. Examine the Quality of Data GAS can be used to examine the existence, accuracy, completeness, and consistency of data maintained on files. The auditor examines the quality of data because it reflects the quality of the application system that processes the data. e.g if the address field on debtors records contains blanks, the auditor must question the adequacy of the validation processes contained in the system. The quality of the data reflects the quality of the personnel who developed and maintain the application system, and the quality of the personnel who use the system. If the data is low in quality, the application system processing the data may poorly designed, poorly implemented, or poorly maintained. Examine the Quality of System Processes Even though the quality of the system data is high, the quality of system processes may be low from the view point of achieving the objectives of the organisation. e.g upon using GAS to age an accounts receivable file, the auditor may find substantial numbers of overdue accounts. Such an attribute of data reflects adversely on both the computer system and the manual system. GAS provides powerful capabilities for producing mgt reports useful for various kinds of analysis that reflect on the quality of system processes. Through a parallel simulation technique, GAS can be used to compare the master file produced by the parallel simulation program with the master file produced by the application system and generate a report of discrepancies. Examines the Existence of the Entities the data Purports to Represent Data may exist, be accurate, complete and consistent; however, it may have no real world correspondence. It may represent a bogus insurance policy or an inventory item that no longer exists. Thus an auditor may select inventory for observation. Undertake Analytical Review it is the process of obtaining key ratios and totals from an organization's data for comparison with previous years' ratios and totals or industrywide ratios and totals. GAS can be used to extract data required for analytical review and prepare various ratios and totals

3 FUNCTIONAL LIMITATIONS Ex Post Auditing Only The software examines the quality of the data after it has been processed, thus some time lag exists between an application system error occurring and its identification. In some cases this elapsed time might be substantial if the application system is not audited on a regular basis. Limited Ability to Verify Processing Logic Tests performed by GAS involve live data; I.e; data captured and processed by the application system. The data may not test exceptional conditions that occur while it is important to know whether the application system will handle this condition. To solve this, parallel simulation can be used with test data as input to both the application system and the parallel simulation program. Limited Ability to Determine Propensity for Error Systems can be designed and implemented in a manner that allows the, at least to some extent, to cope with change and some can be designed and implemented so they are inflexible and degenerate quickly when change occurs. The ability of a system to cope with change is a concern for the auditor but no such evidence is gathered by GAS. INSTALLATION/AUDIT GROUP MATURITY Audit needs may not remain constant because the computer installations' life cycle imposses changes on the means of achieving audit objectives for the installetion. Also the internal EDP audit group itself experiences a life cycle throughout which the needs and capabilities of the group change. Impact of the Installation Life Cycle. As systems grow, they stabilize and this motivates the auditor to develop specialized audit software so the overheads incurred by the installation because of the audit function are reduced. Another motivation of using specialized software is that the usefulness of ex post auditing declines in more complex information processing environments. There is greater need for concurrent auditing to identify errors on timely basis. The auditor has increased involvement in the system development life cycle to provide guidance on the design of controls and performing tests on these controls. Impact of the Audit Group Life Cycle The audit group also experiences a life cycle of initiation, expansion and maturity. GAS is most suitable during the early stages of the groups life cycle. GAS provides the means for the audit group to respond quickly to the demands for application system audits. However, when audit groups matures, its tasks, objectives, standards, and expertise have stabilized. The group then seeks to reduce the overhead costs caused by auditing so it develops specialized audit software to take over the functions previously performed by generalized audit software. MANAGING A GENERALIZED AUDIT SOFTWARE APPLICATION Managing a generalized audit software application closely follows the steps needed for properly managing the development of any software project. They are five steps involved in managing an audit software application.

4 Feasibility Analysis and Planning When there is a potential opportunity for using an audit software, a feasibility analysis should be undertaken. The likely benefit depend on the audit objectives that the audit application software will help achieve. If the internal control system is weak, the value of the substantive test is higher than if the internal control system is strong. Costs may include adequacy of installation documentation, complexity of application system and files, labor costs for auditor, technical and administration advice, computing costs and supplies. A budget and time table can then be drawn. Application Design This stage involves a detailed design of the audit software application. The major steps are: Design Step Obtain detailed understanding of installation application system Design output reports required Prepare file definitions Define the logic of the audit software program Define supplementary data needed Prepare a test plan Explanation This understanding can be obtained through reviewing the application system documentation, flowcharting the application system, preparing decision tables. The output reports constitute some of the working papers for the audit. It is critical to see all the information required for the audit is output in a convenient form The files to be accessed and any work files to be created must be defined The logic should be flowcharted or described in decision tables Reference(look-up) tables for the audit software may have to be designed. Testing may be undertaken using a test deck or live data Once the design has been prepared, it should be reviewed and evaluated against the budget and timetable prepared during the feasibility analysis stage Coding and Testing the auditor undertakes test runs to check the accuracy of the processing logic specified. Operation once the coding and testing stage is complete, the auditor should make a final check to see no changes have been made to the application system that would impact the audit software program; e.g a change of a record format. The processing time schedule then must be confirmed with the operations manager of the installation and the audit software application run. Evaluation and Documentation of Results The output should be reviewed to check for any errors and determine whether audit objectives

5 have been attained. Respecification and rerunning of the program may be necessary. The documentation and results must be incorporated into the audit work papers along with any suggestions for improvements in future runs. The costs and benefits of the application should be compared with the budget. Finally any files created that may be needed for future use should be secured.