Chapter 18

1
Chapter 18        

• Concurrent Auditing Techniques

2
Introduction        

• In this chapter, we examine
• the basic nature of Concurrent Auditing
  Techniques,
• the reasons why they were developed,
• their relative advantages and disadvantages, and
• some methods of implementing CAT.
• A large number of different CAT have now been
  developed.

3
Introduction 

• A close examination, however, reveals that they
  are all variations on a theme.
• For this reason, here we cover just a few of the
  major techniques that have been used.
• If we understand the nature of these few
  techniques, we should then be able to adapt them
  in various ways to suit the particular needs of
  any audit we might wish to undertake.

4
Need for CAT

• Disappearing Paper-Based Audit Trail
• Continuous Monitoring
• Required by Advanced Systems
• Increasing Difficulty of Performing Transaction
  Walkthroughs
• Presence of Entropy in Systems
• Problems Posed by Outsourced and Distributed
  Information Systems
• Problems Posed by Interorganizational Information
  Systems

5
Types of CAT

• Integrated Test Facility
• Snapshot/Extended Record
• System Control/Audit Review File
• Continuous and Intermittent Simulation

6
Implementing CAT

• Perform a Feasibility Study
• Seek the Support of Groups Affected by Concurrent
  Auditing
• Ensure that the Relevant Expertise Is Available
• Ensure the Commitment of Stakeholders
• Make the Necessary Technical Decisions
• Plan the Design and Implementation
• Implement and Test
• Postaudit the Results

7
Strengths/Limitations of CAT

• The major strengths of CAT are that they provide
  an alternative method of auditing, surprise
  testing for auditors, a test facility for IT, and
  training for users
• The major limitations of CAT are cost and
  training requirements.

8
Basic Nature of CAT

• CAT use two bases for collecting audit evidence.
• First, special audit modules are embedded in
  application systems or system software to
  collect, process, and print audit evidence.
• Second, in some cases, special audit records are
  used to store the audit evidence collected so
  auditors can examine this evidence at a later
  stage.
• These records can be stored on application system
  files or on a separate audit file.

9
Timing of Evidence Reporting

• The timing of evidence reporting is a decision
  that auditors can make.
• a critical error or irregularity - auditors might
  program the embedded audit routines to report the
  error or irregularity immediately. In this light,
  the evidence could be transmitted directly to a
  printer or terminal in the auditor's office.
• immediate reporting of the error or irregularity
  might not be essential. Auditors can then store
  the evidence for reporting at some later time.

10
Factors Motivating the use of CAT

• The paper-based audit trail in application
  systems is progressively disappearing. CAT
  provide a way for auditors to capture the
  evidence that previously existed.
• Errors or irregularities in advanced computer
  systems can propagate quickly to other systems
  and cause material losses. CAT allow auditors to
  monitor these systems on a timely basis.

11
Factors Motivating the use of CAT

• Performing transaction walkthroughs in advanced
  computer systems is often difficult. CAT provide
  a means of tracing transactions as they follow
  different execution paths in an application
  system.
• All systems have entropy, which is their tendency
  to move toward internal disorder and eventual
  collapse. CAT provide early warning of the
  presence of and effects of entropy in application
  systems.

12
Factors Motivating the use of CAT

• Outsourced and distributed information systems
  pose problems for auditors because it is
  difficult for them to be physically present at
  information systems facilities to gather
  evidence. The embedded audit routines used with
  CAT provide a way of collecting audit evidence
  when application system processing is carried out
  at remote locations.

13
Integrated test facility (ITF)

• Integrated test facility (ITF) is a CAT that
  involves establishing a dummy entity on an
  application system's files and processing audit
  test data against this dummy entity.
• In this way, auditors can verify the application
  system's processing authenticity, accuracy, and
  completeness.

14
Test Data used with ITF

• The test data used with ITF might be live
  production transactions that are tagged so the
  application system knows they must also be
  processed against the dummy entity.
• Alternatively, the test data used could be
  designed specifically by auditors according to a
  test plan and submitted as part of the normal
  production data for the application system.

15
ITF - Affects on the Results

• The presence of ITF transactions in an
  application system affects the results
  obtained-for example, the control totals
  produced by the application system,
• Auditors can inform users that output has been
  affected by ITF transactions.
• Alternatively, they can try to remove their
  effects in some way.
• For example, auditors can modify the application
  system so it does not include the effects of ITF
  transactions in anv output it produces.

16
Snapshot CAT

• The snapshot CAT involves having embedded audit
  modules take pictures of a transaction as it
  flows through various points in an application
  system.
• The snapshots are either printed immediately or
  written to a file for later printing.
• Auditors must determine
• where they want to place the snapshot points in
  an application system,
• which transactions will be subject to snapshot,
  and
• how and when the snapshot data will be presented
  for audit evaluation purposes.

17
Extended Record Technique

• A modification to the snapshot technique is the
  extended record technique.
• Whereas snapshot writes a record for each
  snapshot point, the extended record technique
  appends data for each snapshot point to a single
  record.
• All the data relating to a transaction is kept,
  therefore, in the one place.

18
System Control Audit Review File (SCARF)

• This technique involves embedding audit modules
  in an application system to provide continuous
  monitoring of a system's transactions.
• The data collected via these routines includes
• errors and irregularities,
• policy and procedural variances,
• system exceptions,
• statistical samples, and
• snapshots and extended records.
• It is written to a special SCARF file for
  immediate or subsequent audit evaluation.

19
Use SCARF to collect the following types of
information
20
Use SCARF to collect the following types of
information
21
Use SCARF to collect the following types of
information
22
Use SCARF to collect the following types of
information
23
Use SCARF to collect the following types of
information
24
Continuous and Intermittent Simulation (CIS)

• The continuous and intermittent simulation (CIS)
  CAT can be used whenever application systems use
  a database management system.
• Transactions that are of interest to auditors
  are trapped by the database management system
  and passed to CIS.
• CIS then replicates the application system's
  processing, and the two sets of results are
  compared.
• If CIS's results differ from the application
  system's results, data about the discrepancy is
  written to a special audit file.
• If the discrepancies are material, CIS can
  instruct the database management system not to
  perform the updates to the database on behalf of
  the application system.

25
Implementation Steps for CAT

• Auditors must perform a feasibility study
• seek the support of persons who will be affected
  by use of CAT
• ensure that they have sufficient expertise to
  develop, implement, operate, and maintain CAT
  effectively and efficiently
• ensure that they have the commitment of key
  stakeholders including management,information
  systems staff, and application system users
  make the necessary technical decisions
• plan the design and implementation implement
  and test the techniques and
• carry out a post audit of costs and benefits
  after CAT have been used for some time.

26
Strengths of CAT

• The major strengths of CAT are that they provide
• A viable alternative to ex post auditing and
  auditing around the computer,
• A surprise test capability for auditors,
• A test vehicle for information systems staff, and
  
• A training vehicle for new users.

27
Strengths of CAT
28
Strengths of CAT
29
Surveys of Audit Use of CAT

• Surveys of audit use of CAT indicate limited but
  stable use over many years.
• CAT are more likely to be used if
• the audit is conducted by internal auditors
  instead of external auditors,
• auditors are involved in the development work
  associated with a new application system,
• auditors are employing other types of computer
  assisted audit techniques, and
• the incidence of automatically generated
  transactions in application systems goes up.

30
Surveys of Audit Use of CAT
31
Major Limitations of CAT

• The major limitations of CAT are
• the costs of developing, implementing, operating,
  and maintaining them can be high
• they are unlikely to be used effectively and
  efficiently unless auditors have substantial
  knowledge of and experience with information
  systems auditing and they are unlikely to be
  effective unless they are implemented in
  application systems that are relatively stable.