Data Mining As A Financial Auditing Tool

Transcription

1 Data Mining As A Financial Auditing Tool M.Sc. Thesis in Accounting Swedish School of Economics and Business Administration 2002

2 The Swedish School of Economics and Business Administration Department: Accounting Type of Document: Thesis Title: Data Mining As A Financial Auditing Tool Author: Supatcharee Sirikulvadhana Abstract In recent years, the volume and complexity of accounting transactions in major organizations have increased dramatically. To audit such organizations, auditors frequently must deal with voluminous data with rather complicated data structure. Consequently, auditors no longer can rely only on reporting or summarizing tools in the audit process. Rather, additional tools such as data mining techniques that can automatically extract information from a large amount of data might be very useful. Although adopting data mining techniques in the audit processes is a relatively new field, data mining has been shown to be cost effective in many business applications related to auditing such as fraud detection, forensics accounting and security evaluation. The objective of this thesis is to determine if data mining tools can directly improve audit performance. The selected test area was the sample selection step of the test of control process. The research data was based on accounting transactions provided by AVH PricewaterhouseCoopers Oy. Various samples were extracted from the test data set using data mining software and generalized audit software and the results evaluated. IBM s DB2 Intelligent Miner for Data Version 6 was selected to represent the data mining software and ACL for Windows Workbook Version 5 was chosen for generalized audit software. Based on the results of the test and the opinions solicited from experienced auditors, the conclusion is that, within the scope of this research, the results of data mining software are more interesting than the results of generalized audit software. However, there is no evidence that the data mining technique brings out material matters or present significant enhancement over the generalized audit software. Further study in a different audit area or with a more complete data set might yield a different conclusion. Search Words: Data Mining, Artificial Intelligent, Auditing, Computerized Audit Assisted Tools, Generalized Audit Software

3 Table of Contents 1. Introduction Background Research Objective Thesis Structure 2 2. Auditing Objective and Structure What Is Auditing? Audit Engagement Processes Client Acceptance or Client Continuance Planning Team Mobilization Client s Information Gathering Risk Assessment Audit Program Preparation Execution and Documentation Completion Audit Approaches Tests of Controls Substantive Tests Analytical Procedures Detailed Tests of Transactions Detailed Tests of Balances Summary Computer Assisted Auditing Tools Objective and Structure Why Computer Assisted Auditing Tools? Generalized Audit Software Other Computerized Tools and Techniques Summary 23

4 4. Data mining Objective and Structure What Is Data Mining? Data Mining process Business Understanding Data Understanding Data Preparation Modeling Evaluation Deployment Data Mining Tools and Techniques Database Algorithms Statistical Algorithms Artificial Intelligence Visualization Methods of Data Mining Algorithms Data Description Dependency Analysis Classification and Prediction Cluster Analysis Outlier Analysis Evolution Analysis Examples of Data Mining Algorithms Apriori Algorithms Decision Trees Neural Networks Summary Integration of Data Mining and Auditing Objective and Structure Why Integrate Data Mining with Auditing? 43

5 5.3. Comparison between Currently Used Generalized Auditing Software and Data Mining Packages Characteristics of Generalized Audit Software Characteristics of Data Mining Packages Possible Areas of Integration Examples of Tests Summary Research Methodology Objective and Structure Research Period Data Available Research Methods Software Selection Data Mining Software Generalized Audit Software Analysis Methods Summary The Research Objective and Structure Hypothesis Research Processes Business Understanding Data Understanding Data Preparation Data Transformation Attribute Selection Choice of Tests Software Deployment IBM s DB2 Intelligent Miner for Data ACL Result Interpretations IBM s DB2 Intelligent Miner for Data ACL Summary 99

6 8. Conclusion Objective and Structure Research Perspective Implications of the Results Restrictions and Constraints Data Limitation Incomplete Data Missing Information Limited Understanding Limited Knowledge of Software Packages Time Constraint Suggestions for Further Researches Summary 105 List of Figures 105 List of Tables 105 References 105 a) Books and Journals 105 b) Web Pages 105 Appendix A: List of Columns of Data Available 109 Appendix B Results of IBM s Intelligent Miner for Data 105 a) Preliminary Neural Clustering (with Six Attributes) 105 b) Demographic Clustering: First Run 105 c) Demographic Clustering: Second Run 105 d) Neural Clustering: First Run 105 e) Neural Clustering: Second Run 105 f) Neural Clustering: Third Run 105 g) Tree Classification: First Run 105 h) Tree Classification: Second Run 105 i) Tree Classification: Third Run 105 Appendix C: Sample Selection Result of ACL 105

7 Introduction 1.1. Background Auditing is a relatively archaic field and the auditors are frequently viewed as stuffily fussy people. That is no longer true. In recent years, auditors have recognized the dramatic increase in the transaction volume and complexity of their clients accounting and non-accounting records. Consequently, computerized tools such as general-purpose and generalized audit software (GAS) have increasingly been used to supplement the traditional manual audit process. The emergence of enterprise resource planning (ERP) system, with the concept of integrating all operating functions together in order to increase the profitability of an organization as a whole, makes accounting system no longer a simple debit-and-credit system. Instead, it is the central registrar of all operating activities. Though it can be argued which is, or which is not, accounting transaction, still, it contains valuable information. It is auditors responsibility to audit sufficient amount of transactions recorded in the client s databases in order to gain enough evidence on which an audit opinion may be based and to ensure that there is no risk left unaddressed. The amount and complexity of the accounting transactions have increased tremendously due to the innovation of electronic commerce, online payment and other high-technology devices. Electronic records have become more common; therefore, online auditing is increasingly challenging let alone manual access. Despite those complicated accounting transactions can now be presented in the more comprehensive format using today s improved generalized audit software (GAS), they still require auditors to make assumptions, perform analysis and interpret the results. The GAS or other computerized tools currently used only allows auditors to examine a company s data in certain predefined formats by running varied query commands but not to extract any information from that data especially when such information is unknown and hidden. Auditors need something more than presentation tools to enhance their investigation of fact, or simply, material matters. On the other side, data mining techniques have improved with the advancement of database technology. In the past two decades, database has become commonplace in

8 - 2 - business. However, the database itself does not directly benefit the company; in order to reap the benefit of database, the abundance of data has to be turned into useful information. Thus, Data mining tools that facilitate data extraction and data analysis have received greater attention. There seems to be opportunities for auditing and data mining to converge. Auditing needs a mean to uncover unusual transaction patterns and data mining can fulfill that need. This thesis attempts to explore the opportunities of using data mining as a tool to improve audit performance. The effectiveness of various data mining tools in reaching that goal will also be evaluated Research Objective The research objective of this thesis is to preliminarily evaluate the usefulness of data mining techniques in supporting auditing by applying selected techniques with available data sets. However, it is worth nothing that the data sets available are still in question whether it could be induced as generalization. According to the data available, the focus of this research is sample selection step of the test of control process. The relationship patterns discovered by data mining techniques will be used as a basis of sample selection and the sample selected will be compared with the sample drawn by generalized audit software Thesis Structure The remainder of this thesis is structured as follows: Chapter 2 is a brief introduction to auditing. It introduces some essential auditing terms as a basic background. The audit objectives, audit engagement processes and audit approaches are also described here. Chapter 3 discusses some computer assisted auditing tools and techniques currently used in assisting auditors in their audit work. The main focus will be on the generalized audit software (GAS), particularly in Audit Command Language (ACL) -- the most popular software in recent years. Chapter 4 provides an introduction to data mining. Data mining process, tools and techniques are reviewed. Also, the discussions will attempt to explore the concept,

9 - 3 - methods and appropriate techniques of each type of data mining patterns in greater detail. Additionally, some examples of the most frequently used data mining algorithms will be demonstrated as well. Chapter 5 explores many areas where data mining techniques may be utilized to support the auditors performance. It also compares GAS packages and data mining packages from the auditing profession s perspective. The characteristics of these techniques and their roles as a substitution of manual processes are also briefly discussed. For each of those areas, audit steps, potential mining methods, and required data sets are identified. Chapter 6 describes the selected research methodology, the reasons for selection, and relevant material to be used. The research method and the analysis technique of the results are identified as well. Chapter 7 illustrates the actual study. The hypothesis, relevant facts of the research processes and the study results are presented. Finally, the interpretation of study results will be attempted. Finally, chapter 8 provides a summary of the entire study. The assumptions, restrictions and constraints of the research will be reviewed, followed by suggestions for further research.

10 Auditing 2.1. Objective and Structure The objective of this chapter is to introduce the background information on auditing. In section 2.2, definitions of essential terms as well as main objectives and tasks of auditing profession are covered. Four principal audit procedures are discussed in section 2.3. Audit approaches including test of controls and substantive tests are discussed in greater details in section 2.4. Finally, section 2.5 provides a brief summary of auditing perspective. Notice that dominant content covered in this chapter are based on the notable textbook Auditing: An Integrated Approach (Arens & Loebbecke, 2000) and my own experiences What Is Auditing? Auditing is the accumulation and evaluation of evidence about information to determine and report on the degree of correspondence between the information and established criteria (Arens & Loebbecke, 2000, 16). Normally, independent auditors, also known as certified public accountants (CPAs), conduct audit work to ascertain whether the overall financial statements of a company are, in all material respects, in conformity with the generally accepted accounting principles (GAAP). Financial statements include Balance Sheets, Profit and Loss Statements, Statements of Cash Flow and Statements of Retained Earning. Generally speaking, what auditors do is to apply relevant audit procedures, in accordance with GAAP, in the examination of the underlying records of a business, in order to provide a basis for issuing a report as an attestation of that company s financial statements. Such written report is called auditor s opinion or auditor s report. Auditor s report expresses the opinion of an independent expert regarding the degree of reliability upon of the information presented in the financial statements. In other words, auditor s report assures the financial statements users, which normally are external parities such as shareholders, investors, creditors and financial institutions, of the reliability of financial statements, which are prepared by the management of the company.

11 - 5 - Due to the time and cost constraints, auditors cannot examine every detail records behind the financial statements. The concept of materiality and fairly stated financial statements were introduced to solve this problem. Materiality is the magnitude of an omission or misstatement of information that misleads the financial statement users. The materiality standard applied to each account balance is varied and is depended on auditors judgement. It is the responsibility of the auditors to ensure that all material misstatements are indicated in the auditors opinion. In business practice, it is more common to find an auditor as a staff of an auditing firm. Generally, several CPAs join together to practice as partners of the auditing firm, offering auditing and other related services including auditing and other reviews to interested parties. The partners normally hire professional staffs and form an audit team to assist them in the audit engagement. In this thesis, auditors, auditing firm and audit team are synonyms Audit Engagement Processes The audit engagement processes of each auditing firm may be different. However, they generally involve the four major steps: client acceptance or client continuance, planning, execution and documentation, and completion Client Acceptance or Client Continuance Client acceptance, or client continuance in case of a continued engagement, is a process through which the auditing firm decides whether or not the firm should be engaged by this client. Major considerations are: - Assessment of engagement risks: Each client presents different level of risk to the firm. The important risk that an auditing firm must evaluate carefully in accepting an audit client are: accepting a company with a bad reputation or questionable ethics that involves in illegal business activities or material misrepresentation of business and accounting records. Some auditing firms have basic requirements of favorable clients. On the other hand, some have a list of criteria to identify the unfavorable ones. Unfavorable clients, for example, are in dubious businesses or have too complex a financial structure.

12 Relationship conflicts: Independence is a key requirement of the audit profession, of equal importance is the auditor s objectivity and integrity. These factors help to ensure a quality audit and to earn people s trust in the audit report. - Requirements of the clients: The requirements include, for example, the qualification of the auditor, time constraint, extra reports and estimated budget. - Sufficient competent personnel available - Cost-Benefit Analysis: It is to compare the potential costs of the engagement with the audit fee offered from the client. The major portion of the cost of audit engagement is professional staff charge. If the client is accepted, a written confirmation, generally on an annual basis, of the terms of engagement is established between the client and the firm Planning The objective of the planning step is to develop an audit plan. It includes team mobilization, client s information gathering, risk assessment and audit program preparation Team Mobilization This step is to form the engagement team and to communicate among team members. First, key team members have to be identified. Team members include engagement partner or partners who will sign the audit report, staff auditors who will conduct most of the necessary audit work and any specialists that are deemed necessary for the engagement. The mobilization meeting, or pre-planning meeting, should be conducted to communicate all engagement matters including client requirements and deliverables, level of involvement, tentative roles and responsibilities of each team member and other relevant substances. The meeting should also cover the determination of the most efficient and effective process of information gathering. In case of client continuance, a review of the prior year audit to assess scope for improving efficiency or effectiveness should be identified.

13 Client s Information Gathering In order to perform this step, the most important thing is the cooperation between the client and the audit team. A meeting is arranged to update the client s needs and expectations as well as management s perception of their business and the control environment. Next, the audit team members need to perform the preliminary analytical procedures which could involve the following tasks: - Obtaining background information: It includes the understanding of client s business and industry, the business objectives, legal obligations and related risks. - Understanding system structures: System structures include the system and computer environments, operating procedures and the controls embedded in those procedures. - Control assessment: Based upon information about controls identified from the meeting with the client and the understanding of system structures and processes, all internal controls are updated, assessed and documented. The subjects include control environment, general computerized (or system) controls, monitoring controls and application controls. More details about internal control, such as definitions, nature, purpose and means of achieving effective internal control, can be found in Internal Control Integrated Framework (COSO, 1992). Audit team members knowledge, expertise and experiences are considered as the most valuable tools in performing this step Risk Assessment Risk, in this case, is some level of uncertainty in performing audit work. Risks identified in the first two steps are gathered and assessed. The level of risks assessed in this step is directly lead to the audit strategy to be used. In short, the level of task is based on the level of risks. Therefore, the auditor must be careful not to understate or overstate the level of these risks.

14 - 8 - Level of risks is different from one auditing area to another. In planning the extent of audit evidences of each auditing area, auditors primarily use an audit risk model such as the one shown below: Planned Detection Risk = Acceptable Audit Risk Inherent Risk * Control Risk - Planned detection risk: Planned detection risk is the highest level of misstatement risk that the audit evidence cannot detect in each audit area. The auditors need to accumulate audit evidences until the level of misstatement risk is reduced to planned detection risk level. For example, if the planned detection risk is 0.05, then audit testing needs to be expanded until audit evidence obtained supports the assessment that there is only five percent misstatement risk left. - Acceptable audit risk: Audit risk is the probability that auditor will unintentionally render inappropriate opinion on client s financial statements. Acceptable audit risk, therefore, is a measure of how willing the auditor is to accept that the financial statements may be materially misstated after the audit is completed (Arens & Loebbecke, 2000, 261). - Inherent risk: Inherent risk is the probability that there are material misstatements in financial statements. There are many risk factors that affect inherent risk including errors, fraud, business risk, industry risk, and change risk. The first two are preventable and detectable but others are not. Auditors have to ensure that all risks are taken into account when considering the probability of inherent risk. - Control risk: Control risk is the probability that a client s control system cannot prevent or detect errors. Normally, after defining inherent risks, controls that are able to detect or prevent such risks are identified. Then, auditors will assess whether the client s system has such controls and, if it has, how much they can rely on those controls. The more reliable controls, the lower the control risk. In other words, control risk represents auditor s reliance on client s control structure. It is the responsibility of the auditors to ensure that no risk factors of each audit area are left unaddressed and the evidence obtained is sufficient to reduce all risks to an acceptable audit risk level. More information about audit risk can be

15 - 9 - found in Statement of Auditing Standard (SAS) No. 47: Audit Risk and Materiality in Conducting an Audit (AICPA, 1983) Audit Program Preparation The purpose of this step is to determine the most appropriate audit strategy and tasks for each audit objective within each audit area based on client s background information about related audit risks and controls identified from the previous steps. Firstly, the audit objectives, both transaction-related and balancerelated, of each audit area have to be identified. These two types of objectives share one thing in common -- that they must be met before auditors can conclude that the information presented in the financial statements are fairly stated. The difference is that while transaction-related audit objectives are to ensure the correctness of the total transactions for any given class, balance-related audit objectives are to ensure the correctness of any given account balance. A primary purpose of audit strategy and task is to ensure that those objectives are materially met. Such objectives include the following. Transaction-Related and Balance-Related Audit Objectives - Existence or occurrence: To ensure that all balances in the balance sheet have really existed and the transactions in the income statement have really occurred. - Completeness: To ensure that all balances and transactions are included in the financial statements. - Accuracy: To ensure that the balances and transactions are recorded accurately. - Classification: To ensure that all transactions are classified in the suitable categories. - Cut-off (timing): To ensure that the transactions are recorded in the proper period.

16 Others Balance-Related Audit Objectives - Valuation: To ensure that the balances and transactions are stated at the appropriate value. - Right and obligation: To ensure that the assets are belonged to and the liabilities are the obligation of the company. - Presentation and disclosure: To ensure that the presentation of the financial statements does not mislead the users and the disclosures are enough for users to understand the financial statements clearly. After addressing audit objectives, it is time to develop an overall audit plan. The audit plan should cover audit strategy of each area and all details related to the engagement including the client s needs and expectations, reporting requirements, timetable. Then, the planning at the detail level has to be performed. This detailed plan is known as a tailored audit program. It should cover tasks identification and schedule, types of tests to be used, materiality thresholds, acceptable audit risk and person responsible. Notice that related risks and controls of each area are taken into account for prescribing audit strategy and tasks. The finalized general plan should be communicated to the client in order to agree upon significant matters such as deliverables and timetable. Both overall audit plan and detailed audit programs need to be clarified to the team as well Execution and Documentation In short, this step is to perform the audit examinations by following the audit program. It includes audit tests execution, which will be described in more detail in the next subsection, and documentation. Documentation includes summarizing the results of audit tests, level of satisfaction, matters found during the tests and recommendations. If there is an involvement of specialists, the process performed and the outcome have to be documented as well. Communication practices are considered as the most important skill to perform this step. Not only with the client or the staff working for the client, it is also

17 crucial to communicate among the team. Normally, it is a responsibility of the more senior auditor to coach the less senior ones. Techniques used are briefing, coaching, discussing, and reviewing. A meeting with client in order to discuss the issues found during the execution process and the recommendations of those findings can be arranged either formally or informally. It is a good idea to inform and resolve those issues with the responsible client personnel such as the accounting manager before the completion step and leave only the critical matters to the top management Completion This step is similar to the final step of every other kind of projects. The results of aforementioned steps are summarized, recorded, assessed and reported. Normally, the assistant auditors report their work results to the senior, or in-charge, auditors. The auditor-in-charge should perform the final review to ensure that all necessary tasks are performed and that the audit evidence gathered for each audit area is sufficient. Also, the critical matters left from the execution process have to be resolved. The resolution of those matters might be either solved by client s management (adjusting their financial statements or adequately disclosing them in their financial statement) or by auditors (disclosing them in the auditor s opinion). The last field work for auditors is review of subsequent events. Subsequent events are events occurred subsequent to the balance sheet date but before the auditor s report date that require recognition in the financial statements. Based on accumulated audit evidences and audit findings, the auditor s opinion can be issued. Types of auditor s opinion are unqualified, unqualified with explanatory paragraph or modified wording, qualified, adverse and disclaimer. After everything is done, it is time to arrange the clearance meeting with the client. Generally, auditors are required to report results and all conditions to the audit committee or senior management. Although not required, auditors often make suggestions to management to improve their business performance through the Management Letter. On the other hand, auditors can get feedback from the client according to their needs and expectations as well.

18 Also, auditors should consider evaluating their own performances in order to improve their efficiency and effectiveness. The evaluation includes summarizing client s comments, bottom-up evaluation (more senior auditors evaluate the work of assistant auditors) and top-down evaluation (get feedback from field work auditors) Audit Approaches In order to determine whether financial statements are fairly stated, auditors have to perform audit tests to obtain competent evidence. The audit approaches used in each audit area as well as the level of test depended on auditors professional judgement. Generally, audit approaches fall into one of these two categories: Tests of Controls There are as many control objectives as many textbooks about system security nowadays. However, generally, control objectives can be categorized into four broad categories -- validity, completeness, accuracy and restricted access. With these objectives in mind, auditors can distinguish control activities from the normal operating ones. When assessing controls during planning phase, auditors are able to identify the level of control reliance -- the level of controls that help reducing risks. The effectiveness of such controls during the period can be assessed by performing testing of controls. However, only key controls will be tested and the level of tests depends solely on the control reliance level. The higher control reliance is, the more tests are performed. The scope of tests should be sufficiently thorough to allow the auditor to draw a conclusion as to whether controls have operated effectively in a consistent manner and by the proper authorized person. In other words, the level of test should be adequate enough to bring assurance of the relevant control objectives. The assurance evidence can be obtained from observation, inquiry, inspection of supporting documents, re-performance or the combination of these.

19 Substantive Tests Substantive test is an approach designed to test for monetary misstatements or irregularities directly affecting the correctness of the financial statement balances. Normally, the level of tests depends on the level of assurance from the tests of controls. When the tests of controls could not be performed either because there is no or low control reliance or because the amount and extensiveness of the evidence obtained is not sufficient, substantive tests are performed. Substantive tests include analytical procedures, detailed tests of transactions as well as detailed tests of balances. Details of each test are as follows: Analytical Procedures The objective of this approach is to ensure that overall audit results, account balances or other data presented in the financial statements are stated reasonably. Statement of Auditing Standard (SAS) No. 56 also requires auditors to use analytical procedures during planning and final reporting phases of audit engagement (AICPA, 1988). Analytical procedures can be performed in many different ways. Generally, the most accepted one is to develop the expectation of each account balance and the acceptable variation or threshold. Then, this threshold is compared with the actual figure. Further investigation is required only when the difference between actual and expectation balances falls out of the acceptable variation range prescribed. Further investigation includes extending analytical procedures, detail examination of supporting documents, conducting additional inquiries and performing other substantive tests. Notice that the reliabilities of data, the predictive method and the size of the balance or transactions can strongly affect the reliability of assurance. Moreover, this type of test requires significant professional judgement and experience Detailed Tests of Transactions The purpose of detailed tests of transactions (also known as substantive testing of transactions) is to ensure that the transaction-related audit objectives are met in each accounting transaction. The confidence on transactions will

20 lead to the confidence on the account total in the general ledger. Testing techniques include examination of relevant documents and re-performance. The extent of tests remains a matter of professional judgement. It can be varied from a sufficient amount of samples to all transactions depending on the level of assurance that auditors want to obtain. Generally, samples are drawn either from the items with particular characteristics or randomly sampled or a combination of both. Examples of the particular characteristics are size (materiality consideration) and unusualness (risk consideration). This approach is time-consuming. Therefore, it is a good idea to reduce the sampling size by considering whether analytical procedures or tests of controls can be performed to obtain assurance in relation to the items not tested Detailed Tests of Balances Detailed tests of balances (also called substantive tests of balances) focuses on the ending balances of each general ledger account. They are performed after the balance sheet date to gather sufficient competent evidence as a reasonable basis for expressing an opinion on fair presentation of financial statements (Rezaee, Elam & Sharbatoghlie, 2001, 155). The extent of tests depends on the results of tests of control, analytical procedures and detailed tests of transactions relating to each account. Like detailed tests of transactions, the sample size can be varied and remains a matter of professional judgement. Techniques to be applied for this kind of tests include account reconciliation, third party confirmation, observation of the items comprising an account balance and agreement of account details to supporting documents Summary Auditing is the accumulation and evaluation of evidence about information to determine and report on the degree of correspondence between the information and established criteria. As seen in figure 2.1, the main audit engagement processes are client acceptance, planning, execution and completion.

21 Client Acceptance Gather Information Evaluate client Planning Execution & Documentation Completion Perform preliminary analytical procedures Assess risk and control Set materiality Develop audit plan and detailed audit program High Mobilize Gather information in details Perform Tests of Controls Control Reliance Perform Substantive Tests - Detailed Tests of Transactions - Analytical Procedures - Detailed Tests of Balances Document testing results Gather audit evidence and audit findings Review subsequent events Evaluate overall results Issue auditor s report Arrange clearance meeting with client Evaluate team performance Low Tests of Controls - Identify controls - Assess control reliance - Select samples - Test controls - Further investigate for unusual items - Evaluate Results Analytical Review - Develop expectations - Compare expectations with actual figures - Further investigate for major differences - Evaluate Results Detailed Tests - Select samples - Test samples - Further investigate for unusual items - Evaluate results Figure 2.1: Summary of audit engagement processes Planning includes mobilization, information gathering, risk assessment and audit program preparation. Two basic types of audit approaches the auditors can use during execution phase are tests of controls and substantive tests. Substantive tests include analytical procedures, detailed tests of transactions and detailed tests of

22 balances. The extent of test is based on the professional judgement of auditors. However, materiality, control reliance and risks are also major concerns. The final output of audit work is auditor s report. The type of audit report -- unqualified, unqualified with explanatory paragraph or modified wording, qualified, adverse or disclaimer -- depends on the combination of evidences obtained from the field works and the audit findings. At the end of each working period, the accumulated evidence and performance evaluation should be reviewed to assess scope for improving efficiency or effectiveness for the next auditing period. It is accepted that auditing business is not a profitable area of auditing firms. Instead, the value-added services, also known as assurance services, such as consulting and legal service are more profitable. The reason is that while cost of all services are relatively the same, clients are willing to pay a limited amount for auditing service comparing to other services. However, auditing has to be trustworthy and standardized and all above-mentioned auditing tasks are, more or less, time-consuming and require professional staff involvement. Thus, the main cost of auditing engagement is the salary of professional staffs and it is considerably high. This cost pressure is a major problem the auditing profession is facing nowadays. To improve profitability of auditing business, the efficient utilization of professional staff seems to be the only practical method. The question is how. Some computerized tools and techniques are introduced into auditing profession in order to assist and enhance auditing tasks. However, the level of automation is still questionable. As long as they still require professional staff involvement, auditing cost is unavoidable high.

23 Current Auditing Computerized Tools 3.1. Objective and Structure The objective of this chapter is to provide information about technological tools and techniques currently used by auditors. Section 3.2 discusses why computer assisted auditing tools (CAATs) are more than requisite in auditing profession at present. In section 3.3, general audit software (GAS) is reviewed in detail. The topic focuses on the most popular software, Audit Command Language (ACL). Other computerized tools and techniques are briefly identified in section 3.4. Finally, a brief summary of some currently used CAATs is provided in section 3.5. Before proceeding, it is worth noting that this chapter was mainly based on two textbooks and one journal, which are Accounting Information Systems (Bonar & Hopwood, 2001), Core Concept of Accounting Information System (Moscove, Simkin & Bagranoff, 2000) and Audit Tools (Needleman, 2001) Why Computer Assisted Auditing Tools? It is accepted that advances in technology have affected the audit process. With the ever increasing system complexity, especially the computer-based accounting information systems, including enterprise resource planning (ERP), and the vast amount of transactions, it is impractical for auditors to conduct the overall audit manually. It is even more impossible in an e-commerce intensive environment because all accounting data auditors need to access are computerized. In the past ten years, auditors frequently outsource technical assistance in some auditing areas from information system (IS) auditor, also called electronic data processing (EDP) auditor. However, when the computer-based accounting information systems become commonplace, such technical skill is even more important. The rate of growth of the information system practices within the big audit firms (known as the Big Five ) was estimated at between 40 to 100 percent during 1990 and 2005 (Bagranoff & Vendrzyk, 2000, 35). Nowadays, the term auditing with the computer is extensively used. It describes the employment of the technologies by auditors to perform some audit work

24 that otherwise would be done manually or outsource. Such technologies are extensively referred to as computer assisted auditing tools (CAATs) and they are now play an important role in audit work. In auditing with the computer, auditors employ CAATs with other auditing techniques to perform their work. As its name suggests, CAAT is a tool to assist auditors in performing their work faster, better, and at lower cost. As CAATs become more common, this technical skill is as important to auditing profession as auditing knowledge, experience and professional judgement. There are a variety of software available to assist the auditors. Some are general-purpose software and some are specially designed that are customized to be used to support the entire audit engagement processes. Many auditors consider simple general ledger, automated working paper software or even spreadsheet as audit software. In this thesis, however, the term audit software refers to software that allows the auditors to perform overall auditing process that generally known as the generalized audit software Generalized Audit Software Generalized audit software (GAS) is an automated package originally developed in-house by professional auditing firms. It facilitates auditor in performing necessary tasks during most audit procedures but mostly in the execution and documentation phase. Basic features of a GAS are data manipulation (including importing, querying and sorting), mathematical computation, cross-footing, stratifying, summarizing and file merging. It also involves extracting data according to specification, statistical sampling for detailed tests, generating confirmations, identifying exceptions and unusual transactions and generating reports. In short, they provide auditors the ability to access, manipulate, manage, analyze and report data in a variety of formats. Some packages also provide the more special features such as risk assessment, high-risk transaction and unusual items continuous monitoring, fraud detection, key performance indicators tracking and standardized audit program generation. With the standardized audit program, these packages help the users to adopt some of the profession's best practices.

25 Most auditing firms, nowadays, have either developed their own GASs or purchased some commercially available ones. Among a number of the commercial packages, the most popular one is the Audit Command Language (ACL). ACL is widely accepted as the leading software for data-access, analysis and reporting. Some in-house GAS systems of those large auditing firms even allow their systems to interface with ACL for data extraction and analysis. Figure 3.1: ACL software screenshot (version 5.0 Workbook) ACL software (figure 3.1) is developed by ACL Services Ltd. ( It allows auditors to connect personal laptops to the client s system and then download client s data into their laptops for further processing. It is capable of working on large data set that makes testing at hundred-percent coverage possible. Moreover, it provides a comprehensive audit trail by allowing auditors to view their files, steps and results at any time. The popularity of the ACL is resulted from its convenience, its flexibility and its reliability. Table 3.1 illustrates the features of ACL and how are they used in each step of audit process.

26 Audit Processes ACL Features Planning - Risk assessment - Statistics menu - Evaluation menu Execution and Documentation Tests of Controls - Sample selection - Controls Testing - Results evaluation - Sampling menu with the ability to specify sampling size and selection criteria - Filter menu - Analyze menu including Count, Total, Statistics, Age, Duplicate, Verify and Search - Expression builder - Evaluation menu Analytical Review - Expectations development - Expected versus actual figures comparison - Results evaluation - Statistics menu - Merge command - Analyze menu including Statistics, Age, Verify and Search - Expression builder - Evaluation menu Table 3.1: ACL features used in assisting each step of audit processes

27 Audit Processes ACL Features Detailed Tests - Sample selection - Sample testing - Results evaluation Documentation - Sampling menu with the ability to specify sampling size and selection criteria - Filter menu - Analyze menu including Count, Total, Statistics, Age, Duplicate, Verify and Search - Expression builder - Evaluation menu - Document note - Automatic command log - File history Completion - Lesson learned record - Document Notes menu - Reports menu Other Possibilities - Fraud detection - Analyze menu including Count, Total, Statistics, Age, Duplicate, Verify and Search - Expression builder - Filter menu Table 3.1: ACL features used in assisting each step of audit processes (Continued) With ACL s capacity and speed, auditors can shorten the audit cycle with more thorough investigation. There are three beneficial features that make ACL a promising tool for auditors. First, the interactive capability allows auditors to test, investigate, analyze and get the results at the appropriate time. Second, the audit trail capability

28 records history of the files, commands used by auditors and the results of such commands. This includes command log files that are, in a way, considered as record of work done. Finally, the reporting capability produces various kinds of report including both predefined and customized ones. However, there are some shortcomings. The most critical one is that, like other GAS, it is not able to deal with files that have complex data structure. Although ACL s Open Data Base Connectivity (ODBC) interface is introduced to reduce this problem, some intricate files still require flattening. Thus, it presents control and security problems Other Computerized Tools and Techniques As mentioned above, there are many other computerized tools other than audit software that are capable of assisting some part of the audit processes. Those tools include the following: - Planning tools: project management software, personal information manager, and audit best practice database, etc. - Analysis tools: database management software, and artificial intelligence. - Calculation tools: spreadsheet software, database management software, and automated working paper software, etc. - Sample selection tools: spreadsheet software. - Data manipulation tools: database management software. - Documents preparation tools: word processing software and automated working paper software. In stead of using these tools as a substitution of GAS, auditors can incorporate some of these tools with GAS to improve the efficiency of the audit process. Planning tools is a good example. Together with the computerized tools, computerized auditing technique that used to be performed by the EDP auditors has now become part of an auditor s repertoire. At least, financial auditors are required to understand what technique to use,

29 how to apply those techniques, and how to interpret the result to support their audit findings. Such techniques should be employed appropriately to accomplish the audit objectives. Some examples are as follows: - Test data: test how the system detect invalid data, - Integrated test facility: observe how fictitious transactions are processed, - Parallel simulation: simulate the original transactions and compare the results, - System testing: test controls of the client s accounting system, and - Continuous auditing: embed audit program into client s system Summary In these days, technology impacts the ways auditors perform their work. To conduct the audit, auditors can no longer rely solely on their traditional auditing techniques. Instead, they have to combine such knowledge and experience with technical skills. In short, the boundary between the financial auditor and the information system auditor has becomes blurred. Therefore, it is important for the auditors to keep pace with the technological development so that they can decide what tools and techniques to be used and how to use them effectively. Computer assisted auditing tools (CAATs) are used to compliment the manual audit procedures. There are many CAATs available in the market. The challenge to the auditors is to choose the most appropriate ones for their work. Both the generalized audit software (GAS), that integrates overall audit functions, and other similar software are available to support their work. However, GAS packages tend to be more widely used due to its low cost, high capabilities and high reliability.

30 Data mining 4.1. Objective and Structure The objective of this chapter is to describe the basic concept of data mining. Section 4.2 provides some background on data mining and explains its basic element. Section 4.3 describes data mining processes in greater detail. Data mining tools and techniques are discussed in section 4.4 and methods of data mining algorithms are discussed in section 4.5. Examples of most frequently used data mining algorithms are provided in section 4.6. Finally, the brief summary of data mining is reviewed in section 4.7. Notice that the major contents in this chapter are based on CRISP-DM 1.0 Step-by-Step Data Mining Guide (CRISP-DM, 2000), Data Mining: Concepts and Techniques (Han & Kamber, 2000) and Principles of Data Mining (Hand, Heikki & Smyth 2001) What Is Data Mining? Data mining is a set of computer-assisted techniques designed to automatically mine large volumes of integrated data for new, hidden or unexpected information, or patterns. Data mining is sometimes known as knowledge discovery in databases (KDD). In recent years, database technology has advanced in stride. Vast amounts of data have been stored in the databases and business people have realized the wealth of information hidden in those data sets. Data mining then become the focus of attention as it promises to turn those raw data into valuable information that businesses can use to increase their profitability. Data mining can be used in different kinds of databases (e.g. relational database, transactional database, object-oriented database and data warehouse) or other kinds of information repositories (e.g. spatial database, time-series database, text or multimedia database, legacy database and the World Wide Web) (Han, 2000, 33). Therefore, data to be mined can be numerical data, textual data or even graphics and audio.

31 The capability to deal with voluminous data sets does not mean data mining requires huge amount of data as input. In fact, the quality of data to be mined is more important. Aside from being a good representative of the whole population, the data sets should contain the least amount of noise -- errors that might affect mining results. There are many data mining goals have been recognized; these goals may be grouped into two categories -- verification and discovery. Both of the goals share one thing in common -- the final products of mining process are discovered patterns that may be used to predict the future trends. In the verification category, data mining is being used to confirm or disapprove identified hypotheses or to explain events or conditions observed. However, the limitation is that such hypotheses, events or conditions are restricted by the knowledge and understanding of the analyst. This category is also called top-down approach. Another category, the discovery, is also known as bottom-up approach. This approach is simply the automated exploration of hitherto unknown patterns. Since data mining is not limited by the inadequacy of the human brain and it does not require a stated objective, inordinate patterns might be recognized. However, analysts are still required to interpret the mining results to determine if they are interesting. In recent years, data mining has been studied extensively especially on supporting customer relationship management (CRM) and fraud detection. Moreover, many areas have begun to realize the usefulness of data mining. Those areas include biomedicine, DNA analysis, financial industry and e-commerce. However, there are also some criticisms on data mining shortcomings such as its complexity, the required technical expertise, the lower degree of automation, its lack of user friendliness, the lack of flexibility and presentation limitations. Data mining software developers are now trying to mitigate those criticisms by deploying an interactive developing approach. It is expected that with the advancement in this new approach, data mining will continue to improve and attract more attention from other application areas as well Data Mining Process According to CRISP-DM, a consortium that attempted to standardize data mining process, data mining methodology is described in terms of a hierarchical process that includes four levels as shown in Figure 4.1. The first level is data mining phases,