
Developing a Framework for the Effective Application of Generalised Auditing Software in Assurance Activities

MSc Audit Management & Consultancy Dissertation September 2008

David Tomlinson


Table of Contents

1 Introduction
1.1 Background of Researcher
1.2 Overview
1.3 Rationale
1.4 Aim
1.5 Supporting Research Objectives
1.6 Research Questions
1.7 Synopsis of Prior Research
1.8 Conclusion
2 Research Methodology
2.1 Introduction
2.2 Research Philosophy
2.2.1 Positivism
2.2.2 Interpretivism
2.2.3 Pragmatism
2.2.4 Summary
2.3 Research Approach
2.3.1 Deductive
2.3.2 Inductive
2.3.3 Summary
2.4 Research Strategies
2.4.1 Experiment
2.4.2 Survey
2.4.3 Case Study
2.4.4 Grounded Theory
2.4.5 Ethnography
2.4.6 Summary
2.5 Research Methods
2.5.1 Population
2.5.2 Sample
2.6 Data Collection and Analysis Methods
2.6.1 Questionnaire
2.6.2 Interviews
2.6.3 Summary
2.7 Ethics of research
2.8 Conclusion
3 Literature Review
3.1 Introduction
3.2 Assurance
3.2.1 Definition
3.2.2 Internal Audit
3.2.3 Audit Process
3.2.4 Engagement Planning (2200)
3.2.5 Performing the Engagement (2300)
3.2.6 Communicating the Results (2400)
3.2.7 Summary
3.3 Computer Assisted Audit Techniques (CAAT)
3.3.1 Definition
3.3.2 CAAT Type 1: Computer System Audit Tools and Techniques
3.3.3 CAAT Type 2: Computer-based Audit Support Tools and Audit Automation
3.3.4 Summary
3.4 Generalised Audit Software
3.4.1 Definition
3.4.2 GAS Products
3.4.3 GAS Constituents and their Use
3.4.4 Determining factors of when to use GAS
3.4.5 Summary
3.5 Conclusion
4 Empirical Research
4.1 Introduction
4.2 The Research Process
4.3 Research Findings
4.3.1 To what extent is GAS used?
4.3.2 What GAS do internal audit providers use?
4.3.3 When do internal auditors use GAS within the internal audit process for assurance activities?
5 Conclusion
5.1 Introduction
5.2 Conclusion from Literature Review
5.3 Conclusions from Empirical Research Conducted
6 Recommendations
6.1 Introduction
6.2 Based on conclusion findings
6.3 Naming
Further Research
Achievement of Research Objectives
Appendix A
Appendix ?
Reasons GAS not used:
References
Bibliography

1 Introduction

1.1 Background of Researcher

The researcher completed an undergraduate degree in Business Information Technology in July 2004. His first job was as a Trainee IT Auditor with a top 20 UK accountancy firm undertaking IT audits across public sector as an outsourced provider. After eight months undertaking IT assurance work it became apparent that IT is only one element where assurance is required. The desire to appreciate wider business risks led to a move from the accountancy firm in summer 2005, moving to a consortium providing internal audit services for Universities in the North of England.

Since then the researcher has broadened his knowledge and experience undertaking all types of audit and consulting work, giving him an appreciation of both IT and business risk. This has led to a real interest in how IT can support the audit process, particularly as IT is so pervasive within internal control. During his time he has helped strengthen the audit methodology by promoting and encouraging the use of computer assisted audit techniques (CAATs). With 3 years' experience within internal audit and an academic and professional background in IT the researcher wants to contribute to the internal audit body of knowledge drawing on his knowledge and experience.

1.2 Overview

Computers have been an integral part of the workplace for the past 20 years. Technology has not stopped moving and the advent of the internet in the 1990’s has had profound effect on organisations. Organisations are keen to use technology to streamline processes, provide additional value to operations and to enable advantage over competitors. Internal Audit has had to, and continues to, adapt to the changing control environment where more controls become electronic and managed by IT systems.

Within organisations more pressure is on departments to be more profitable and in some cases justify their existence. Internal Audit faces this challenge and Chief Audit Executives (CAE) need to find ways of providing a value added assurance and consultancy service in more cost effective ways. The use of technology can help the CAE in many aspects of the internal audit function by using Computer Assisted Audit Techniques and Tools (CAATTs). Coderre (2005) describes CAATTs as computer-based tools and techniques which permit auditors to increase their personal productivity as well as that of the audit function. There are many varieties of CAATTs:

• Electronic Working Papers
• Text Search and Retrieval
• Software Licensing Checkers
• Electronic Questionnaires
• Expert Systems
• Data Mining
• Data Extraction and Analysis (also known as Generalised Auditing software (GAS))

The list is by no means exhaustive and as indicated by Coderre’s definition a CAATT is anything an auditor uses that is computer-based.

Data extraction and analysis tools (type of CAATT) are an essential tool for internal auditors if they are to become more efficient and add further value to the organisation. These are also known as generalised audit software (GAS). Off-the-shelf GAS software is available and they are now a feature in most internal audit departments. The Institute of Internal Auditors (IIA) conducts an annual Software survey to understand the types of GAS auditors use. The Software Survey 2006 indicated that a wide range of GAS are used with the most popular being Microsoft Excel, Microsoft Access and ACL. The Microsoft products (Excel and Access) can be seen wider than just GAS software because these can be used for non-audit work. ACL (ACL Services Ltd.), however, has been specifically designed for auditors and the functionality has been designed to support audit activities.

The two distinctive features of any GAS are data extraction and data analysis. In order to carry out analysis data has to be first extracted from corporate information systems. A good GAS is able to import data from any system, particularly popular formats such as Excel files, Access files, comma separated files and other delimited files. Once data has been imported in to the GAS the auditor has a wealth of data analysis tools and techniques at their disposal to apply to the data to support the audit process. A typical GAS is able to perform trend analysis, data summarisations, pivot tables, statistical analysis (mean, standard deviation, minimum values, maximum values etc) and many other analyses that can help detect fraud, identify key risk areas, test controls and any other activity that will help to deliver an audit engagement. As well as these analysis tools a good GAS will also have functionality to detect duplicate values, detect gaps in sequences and provide sampling techniques. With the plethora of analysis techniques available within a GAS it means that these tools are not just restricted to financial audits.

Armed with this functionality internal audit have a powerful tool to provide many benefits. Coderre (2005) suggests GAS can be used during all audit phases particularly planning and fieldwork.

Planning

Having data at the planning stage of the audit gives the auditor the ability to get an overview of the audit area using the analysis tools. GAS could be used for planning to define the audit population, review previous and current year’s expenditure and budgets, identify resource consumption and outputs, or perform trend analysis. In doing so, the analysis may identify areas that have higher inherent risks than other areas and therefore allows the auditor to focus the audit appropriately. For example, on a Creditors Payment audit an aged creditors analysis could be undertaken detailing the performance of departments for paying invoices. Instantly, the auditor would be able to view which department processes the most invoices, which department spends the most and which department is the slowest in getting invoices paid. The auditor can use this information to make an informed decision on which departments to cover as part of the audit based on the differing levels of risk. This provides the auditor with a greater understanding of the area being audited and helps quantify and convey the degree of risks meaning the audit can be much more focused.

Testing

What testing occurs depends on the internal audit department's audit methodology. Testing tends to take place to confirm the effectiveness of control and/or to understand the extent of a failing control. Either way one of the greatest benefits of using a GAS is that tests can be undertaken on whole populations of data rather than samples. As a result internal audit can provide greater levels of assurance and therefore add more value to the organisation. The time it takes to undertake testing using GAS can also improve the internal auditor's productivity. As a result the auditor can cover audits in greater depth and scope or the internal audit department can reduce resource or increase the number of audits.

With more controls becoming computer-based it is difficult to test these controls manually. With GAS internal auditors are able to test data quality, completeness, consistency and correctness. They can also test for duplicate payments in an instant and test system calculations such as VAT, national insurance and PAYE tax. GAS can also easily compare datasets. For example, payroll details can be compared with accounts payable details to ensure that no employees have been paid on an invoice. Another example would be comparing a current inventory with a previous inventory to identify obsolete or slow-moving stock.

Reporting

GAS software is able to produce meaningful reports out of the data. When writing a report more weight can be given to an observation if it is supported by the facts and figures. The more recent GAS software can also generate graphs from data analysis. Auditors can bring reports to life by introducing graphs, tables and other analysis in to reporting to provide hard evidence of the risk exposure.

1.3 Rationale

Off-the-shelf GAS is generally expensive and therefore internal audit departments are keen to use it frequently to ensure they get best value from it. However, GAS is only one of many tools auditors should call upon to deliver an effective and efficient audit. Using GAS may be of detriment to the audit if it is not used in the right way. There are several implications internal auditors need to be aware of in order to be sure that using GAS will add value to the audit engagement.

Firstly, is the use of GAS appropriate for the audit area? Audit Managers are keen for GAS to be used as much as possible to demonstrate to the audit committee that internal audit provide a modern service using the latest tools and techniques to add value. Audit Managers also want to justify the costs of using GAS and so more pressure may be applied to use them when it may not be necessary.

Secondly, what is the cost of obtaining the data? This is where value can be easily lost if the auditor gets the data request wrong. The auditor needs to know exactly what they want and they need to be able to communicate this to system owners that can provide the data. Any misinterpretation in this communication means data requests have to be re-requested, costing time, or the auditor uses the data and realises it is not what they wanted, wasting time undertaking incorrect analyses and/or testing.

Thirdly, has the data been imported in to the GAS correctly? It is essential that when importing data the GAS stores each data field with the appropriate data type. For example, if a date field is imported then the GAS needs to know it is a date field and not a character field. As a consequence of getting this wrong certain calculations and analyses will not work and in most cases data would need to be re-imported with the correct data types. The most essential aspect of importing data is to reconcile totals back to the source system to guarantee the data is accurate so that any analyses and/or tests cannot be contested due to data quality issues.

Fourthly, do we have the skills to operate GAS? Internal Auditors require knowledge of operating GAS from requesting data, importing data and undertaking analyses and testing. From experience the researcher has found that the knowledge tends to be with IT Auditors when it should be a tool that all auditors should use.
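The import checks and whole-population tests described in the Overview, Testing and Rationale passages above (typed fields, reconciling totals to the source system, duplicate payments, sequence gaps, payroll compared with accounts payable), shown as an added example that is not part of the dissertation and not taken from any GAS product. The sample extracts, column names, control figures and the use of bank account as the match key are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed sample extracts (not real data); column names are assumptions.
PAYMENTS_CSV = """payment_no,vendor_id,invoice_no,invoice_date,amount
1001,V001,INV-17,2008-01-14,1200.00
1002,V002,INV-88,2008-01-15,350.50
1003,V001,INV-17,2008-01-14,1200.00
1005,V003,INV-09,2008-02-01,99.99
1006,V004,INV-31,2008-02-03,500.00
"""
VENDORS_CSV = """vendor_id,name,bank_account
V001,Acme Ltd,11112222
V002,Northern Paper,33334444
V003,Campus Catering,99990000
V004,J Smith Consulting,55556666
"""
PAYROLL_CSV = """employee_id,name,bank_account
E10,Jane Smith,55556666
E11,Raj Patel,77778888
"""
# Control figures the system owner would supply with the extract (constructed).
CONTROL_COUNT = 5
CONTROL_TOTAL = "3350.49"


def import_payments(text):
    """Import the extract, storing every field with an explicit data type."""
    rows = []
    # Header is line 1 of the file, so the first data row is line 2.
    for line_no, raw in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            rows.append({
                "payment_no": int(raw["payment_no"]),
                "vendor_id": raw["vendor_id"].strip(),
                "invoice_no": raw["invoice_no"].strip(),
                "invoice_date": date.fromisoformat(raw["invoice_date"]),
                "amount": Decimal(raw["amount"]),  # exact money arithmetic
            })
        except (ValueError, InvalidOperation, KeyError,
                TypeError, AttributeError) as exc:
            # Reject the import rather than keep a date or amount as text.
            raise ValueError(f"line {line_no}: field has wrong type ({exc})") from exc
    return rows


def reconcile(rows, control_count, control_total):
    """Compare record count and amount total with the source system figures."""
    total = sum((r["amount"] for r in rows), Decimal("0"))
    return {
        "count": len(rows),
        "total": total,
        "count_ok": len(rows) == control_count,
        "total_ok": total == Decimal(control_total),
    }


def duplicate_payments(rows):
    """Payments sharing vendor, invoice number and amount (whole population)."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["vendor_id"], r["invoice_no"], r["amount"])].append(r["payment_no"])
    return {key: nums for key, nums in groups.items() if len(nums) > 1}


def sequence_gaps(rows):
    """Payment numbers missing between the lowest and highest number seen."""
    seen = {r["payment_no"] for r in rows}
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def employees_paid_as_vendors(rows, vendors_text, payroll_text):
    """Payments whose vendor bank account also appears on the payroll file."""
    staff = {p["bank_account"]: p["employee_id"]
             for p in csv.DictReader(io.StringIO(payroll_text))}
    vendor_acct = {v["vendor_id"]: v["bank_account"]
                   for v in csv.DictReader(io.StringIO(vendors_text))}
    hits = []
    for r in rows:
        acct = vendor_acct.get(r["vendor_id"])
        if acct in staff:
            hits.append((r["payment_no"], r["vendor_id"], staff[acct]))
    return hits


if __name__ == "__main__":
    payments = import_payments(PAYMENTS_CSV)
    print("reconciliation:", reconcile(payments, CONTROL_COUNT, CONTROL_TOTAL))
    print("duplicates:", duplicate_payments(payments))
    print("sequence gaps:", sequence_gaps(payments))
    print("employee/vendor matches:",
          employees_paid_as_vendors(payments, VENDORS_CSV, PAYROLL_CSV))
```

Reconciliation runs before any test so that a short or mistyped extract is caught before findings are drawn from it.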

There is no framework published that gives internal auditors guidance on the application of generalised audit software (GAS). From experience the researcher has found that there has been inconsistent application of GAS and there may be an opportunity to understand the rationale behind the inconsistent approaches. Using the research methodology, outlined in Chapter 2, research will be undertaken to identify the extent to which GAS is used, how it is used and the skills required to operate GAS. It is hoped that the research data will provide enough information to develop a framework for internal audit providers to follow to ensure they get optimum value from this type of CAATT.

1.4 Aim

The research aim is to undertake a research study to establish a framework for the effective application of generalised audit software.

1.5 Supporting Research Objectives

• To investigate how generalised audit software is applied by internal audit providers within the UK.
• To evaluate the application of generalised audit software by internal audit providers.
• To develop a framework for the effective application of generalised audit software.

1.6 Research Questions

• To what extent is GAS used by internal audit providers?
• What GAS do internal audit providers use?
• When do internal auditors use GAS within the internal audit process (assurance activities)?
• How do internal auditors know when to use GAS?
• How do internal audit providers ensure they get optimal value from GAS?

1.7 Synopsis of Prior Research

There are limited articles in professional and academic journals written on generalised audit software and where there are they tend to have a bias towards certain proprietary GAS (e.g. ACL or IDEA). Similarly there have not been many books published in this area. The name generalised audit software or GAS is seldom used; differing terminology is sometimes used and often GAS is referred to as CAATTs. Although they are a CAATT, GAS is just one aspect of these so it is likely that the research will have to consider CAATTs research to try to filter literature that is actually referring to GAS.

A study on the use of GAS in the financial sector by Debreceny et al. (2005, p605) also noted “the limited research on GAS…” and Boritz (2002, p239) also notes there is “virtually no research interest” in data analysis, a key constituent of GAS. From preliminary research, there is no evidence of a framework in place for the effective application of GAS. Therefore it is considered that there is an opportunity to establish such a framework.

1.8 Conclusion

The pervasive nature of technology across organisations has had an impact on the control environment and the way in which internal audit provide assurance that risks are being adequately managed. In order to truly provide robust assurance internal audit need to utilise technology to facilitate their opinion on the management of risk. Generalised audit software can help in providing a more informed risk-based approach to audit engagements and it is also a powerful means to test the effectiveness of controls (particularly IT controls), which would be impractical or impossible to do manually. GAS must be applied effectively to ensure that it is being used to add value in terms of improving the efficiency of the audit and to improve the effectiveness of the audit opinion. The aim of this research is to provide a framework so that the idea of effective application is carried out in practice.

2 Research Methodology

2.1 Introduction

The research methodology chapter will look to design and develop a framework for how the research will be undertaken. It is important that the research project has a framework to follow to help the researcher achieve the research objectives and answer the research questions. The research philosophy sets the scene of the project by illustrating the researcher’s values and assumptions in the context of the research area. Complementing the philosophy, appropriate research approaches and strategies are discussed and recommended. As is common with all research, the methods to collect data and also the ethical issues relating to the research are discussed.

2.2 Research Philosophy

Research philosophies relate to the development of knowledge and the nature of that knowledge (Saunders et al. 2007). A philosophy indicates how the researcher views the world and the type of assumptions that will be made. The philosophy is the platform the research approach and strategies are built upon. Below are some of the common research philosophies described.

2.2.1 Positivism

The Researcher adopting a Positivism approach, according to Remenyi et al (1998), prefers “working with an observable social reality and that the end product of such research can be law-like generalisations…”. Gill and Johnson (2002 cited in Saunders et al. 2007) add “the positivist researcher is likely to use a highly structured methodology in order to facilitate replication”.

2.2.2 Interpretivism

Saunders et al. (2007) suggest that there is an argument that the social world of business and management is far too complicated to have “…lawlike generalisations…” akin to the Positivism approach. Interpretivism places more emphasis on the role of people and their interpretations of the world. Saunders et al. (2007) state that the researcher has to adopt an empathetic stance. The researcher must enter the social world of the research subject and understand the world from their point of view.

2.2.3 Pragmatism

Saunders et al. (2007) state that researchers adopting the position of a pragmatist believe that choosing a single research philosophy position, such as positivism or interpretivism, is unrealistic in practice and that the most important determinant of the research philosophy is the question. Tashakkori and Teddlie (1998 cited in Saunders et al. 2007) advocate “study what interests you and is of value to you, study in the different ways in which you deem appropriate, and use the results in ways that can bring about positive consequences within your value system”.

2.2.4 Summary

The ultimate aim of the research is to develop a framework drawing on best practice and synergies of application based on the research data collected. The interpretivism philosophy is the most aligned to this research because the research will need to understand how internal auditors have interpreted how to apply generalised audit software to the activities they undertake during an audit. The pragmatism philosophy is also interesting in that the researcher is looking to bring out benefits and that it does not want to be restricted to a philosophy in order to deliver the research objectives.

2.3 Research Approach

There are two distinct types of research approach, deductive and inductive.

2.3.1 Deductive

Saunders et al. (2007) state the researcher undertaking a deductive approach will “develop a theory and hypothesis and design a research strategy to test the hypothesis”. This approach is seen to be more akin to a research area that has a wealth of literature where the researcher could base a theory upon. This approach also lends itself to research projects that have a challenging time frame because it is seen that data collection and analysis can be done in one snapshot making it easier to predict time schedules accurately (Saunders et al. 2007).

2.3.2 Inductive

Saunders et al. (2007) state the researcher undertaking an inductive approach will “collect data and develop theory as a result of your data analysis”. The inductive approach is driven by the research data collected so that a theory is developed based on these results. It may be more appropriate for the researcher to study a small sample of subjects and it is more likely the data collected will be of a qualitative nature (Saunders et al. 2007).

2.3.3 Summary

The inductive approach lends itself to a more qualitative data collection approach, which would benefit the research by getting close to the research topic and obtaining a thorough understanding of how internal audit providers use generalised audit software. The flexibility of the inductive approach is another key benefit to why it will be adopted for this research. The deductive approach may provide too much of a rigid framework to follow in a subject area where not much has been written. This is important because preliminary research indicates there is not a wealth of literature in this area and a framework does not currently exist to test.

2.4 Research Strategies

As part of designing research a research strategy, or mix of strategies, needs to be adopted to provide a method in which the research objectives and questions can be answered. Some strategies have clear links that belong to the research approach (deductive or inductive). Below are some of the common research strategies.

2.4.1 Experiment

Saunders et al. (2007) summarise that experiment research typically involves:

• Definition of a theoretical hypothesis.
• Selection of samples of individuals from known populations.
• Random allocation of samples to different experimental conditions, the experimental group and the control group.
• Introduction of planned intervention or manipulation to one or more of the variables.
• Control of all other variables.

This type of strategy lends itself to the more traditional research involved in natural sciences and it would be difficult to apply such a strategy to this particular research title and to the business world in general.

2.4.2 Survey

Surveys allow the researcher to collect potentially large sums of quantitative data in an economical way in terms of time and cost. Questionnaires tend to be the most popular form of surveys, although they are not the only method. Questionnaires are relatively simple to complete and understand and for the researcher it provides data in a standard form so data can be easily compiled and compared.

2.4.3 Case Study

Robson (2002 cited in Saunders et al. 2007) defines a case study as “a strategy for doing research which involves empirical investigation of a particular contemporary phenomenon within its real life context using multiple sources of evidence”. Saunders et al. (2007) believe using case studies is a beneficial way of exploring and challenging existing theory. Researchers adopting a case study strategy have to validate their findings through triangulation. “Triangulation refers to the use of different data collection techniques within one study in order to ensure that the data are telling you what you think they are telling you” (Saunders et al. 2007). These data collection techniques can include interviews, questionnaires, documented evidence and observation.

2.4.4 Grounded Theory

Grounded theory is a research strategy that presents the researcher an opportunity to develop a theoretical framework from research observations. Collis and Hussey (2003 cited by Saunders et al. 2007) call grounded theory an inductive/deductive approach, theory being grounded in such continual reference to the data.

2.4.5 Ethnography

The purpose of Ethnography is to describe and explain the social world the research subjects inhabit in the way in which they would describe and explain it (Saunders et al. 2007). This strategy is beneficial if the researcher wants to get close to a particular context by understanding the perceptions of the people involved. It is a time consuming approach, which would take place over an extended period of time. This would be a good strategy for this research; however, time constraints would not allow this as well as the ability to have access to potential research participants.

2.4.6 Summary

The research philosophy (interpretivism) and research approach (inductive) point the research to a research strategy that is able to get close to and understand the research context in depth and to understand how people have interpreted the application of GAS. Therefore a research strategy is needed that provides the researcher with the ability to ask “what? why? when? And how?”, without being restricted by a rigid methodology. A multiple case study approach will be taken so that the findings of one case can be compared with others so that a generalisation can be made to develop a framework.

2.5 Research Methods

The terms quantitative and qualitative relate to the type of data that can be collected and the processes used to analyse these types of data. To undertake the research for this project a choice has to be taken for the best method of collecting information to support the research objectives. Saunders et al. (2007) define quantitative as data collection techniques or data analysis procedures that generate or use numerical data. In contrast qualitative data is data collection techniques or data analysis procedures that generate or use non-numerical data. Based on the research strategy (case study) it is conducive for qualitative data to be collected and analysed to understand how internal audit providers apply generalised audit software. It is not expected that quantitative analysis will be undertaken using the case study approach.

2.5.1 Population

The population of the research topic could potentially be every internal audit provider in existence. To undertake research with this population would not be practical in reality and it would not be possible to interview representatives of each one in the time constraints of the project. Taking this into account the population for this research topic is restricted to internal audit providers within the UK.

2.5.2 Sample

Although the population has been reduced to internal audit providers within the UK, this is still too large to cover as part of the research project. Therefore a sample of 3 to 5 internal audit providers will be chosen so that multiple case studies can be undertaken, which is reasonable within the time constraints. The sample will include the researcher's employer and then the rest of the sample being chosen at random relying on the researcher's networks and his employer's networks.

2.6 Data Collection and Analysis Methods

“A questionnaire is a general term to include all techniques of data collection in which each person is asked to respond to the same set of questions in a pre-determined order (deVaus 2002 cited by Saunders et al.MSc Audit Management & Consultancy Developing a Framework for the Effective Application of Generalised Auditing Software in Assurance Activities As noted in 2. It may be more problematic for comparative analysis if questionnaires have open questions where opinions and descriptive answers are given.2 Interviews Interviews are categorised in to 3 categories. although it is more popular with the survey strategy. Structured Interview Structured interviews are typically used to collect quantitative data because the format of the interview is standardised and questions are Page 22 . to supplement the main collection of data with questionnaires for more specific questions.6. For this type of research there is only chance to get the questions on the questionnaire right. 2007). if time allows.4. It would be difficult to resend questionnaires for additional information. Even more so if limited choice answers or likert scales are used for the question. Due to the nature of the research and in-depth analysis required it is unlikely questionnaires will be used to collect data. 2.7 data collection will be based on a case study strategy and therefore the methods data collection methods for just qualitative data is explored. if the questionnaire has been well designed and the questions are aligned with the research objectives it can be a very useful way to collect large quantities of data. particularly if respondents chose to remain anonymous. There may be opportunity. 2. as described below. However.1 Questionnaire Questionnaires can be used to collect data as part of the case study strategy.6.

MSc Audit Management & Consultancy
Developing a Framework for the Effective Application of Generalised Auditing Software in Assurance Activities

predetermined. The interviewer asks each question and has to record the response by the interviewee. The interviewer is not allowed to deviate from the predetermined questions or change the tone of voice to ensure it is as objective as possible. Semi-structured Interview In contrast, semi-structured interviews are typically used to collect qualitative data and these do not have to follow a strict set of predetermined questions. Instead, the interviewer will have a list of key points and/or questions that they will want to cover with the interviewee. Depending on the responses of the interviewee or the context of the research the interviewer can deviate from the key points/questions, which may be triggered by the interviewee’s responses. Saunders et al. (2007) suggests that these semi-structured interviews should be recorded by audio-tape or by note taking methods. Un-structured Interview An unstructured interview are is far more informal and are used to investigate broader topics of interest. Unlike the previous two interviews there are no lists of key points and questions to prompt the interviewer. The interviewee is given the opportunity to talk freely about events, behaviour and beliefs in relation to the topic area (Saunders et al. 2007).

2.6.3 Summary
The semi-structured interview is the data collection method of choice for the research. In order for a framework to be developed, the data collected will need to be compared so it can be evaluated consistently, so an element of structure is required; therefore the un-structured interview is not appropriate. The way in which internal audit providers have applied generalised audit software may differ for different reasons. It is these reasons that could not be picked up in a structured interview, leaving the semi-structured interview as the most appropriate. This will allow the researcher to have a framework in place to get enough data on the different applications of generalised audit software and help to collect and probe for further pertinent information.


2.7 Ethics of research
Ethical considerations have to be taken into account in any line of research. For this particular project there will be no collection of personal data and the participants involved in the case study have the right to remain anonymous. The data collected during the case study may contain information that participants view as competitively sensitive. The researcher will assure sponsors/participants that company confidentiality will be upheld, and transcripts from the case study will be verified by the sponsor/participant prior to being submitted for research purposes. Consent forms for using the data will be provided so that a record can be maintained. The researcher will observe all codes of ethics, including the University's and the Institute of Internal Auditors'.

2.8 Conclusion
The chapter has recommended the various research methods that will facilitate the achievement of the research objectives. It is expected that the case study approach using semi-structured interviews is the most appropriate method. The researcher will be able to concentrate on a small number of internal audit providers to understand how they have applied GAS. Although the sample is small, the researcher can obtain a wealth of information from the multiple case studies and robust comparisons can be made so that the benefits of applying GAS can be understood, good and bad practices of application can be identified and a generalised framework can be developed.


3 Literature Review

3.1 Introduction
This chapter will introduce computer assisted audit techniques and assurance activities as a foundation for the research. The literature review makes use of relevant contributions from previous and current knowledge of the subject areas through the analysis and evaluation of published research papers, books, journals and other articles. From computer assisted audit techniques the review will focus specifically on generalised audit software, taking into account common misnomers, identifying common generalised audit software products and reviewing current frameworks for the application of generalised audit software. The literature review also seeks to analyse specific areas of assurance activities so that context can be provided for the potential areas where generalised audit software can be used. This chapter provides the researcher with an understanding of the current opinions and evidence related to generalised audit software and assurance activities in order to fulfil the research objectives:
• To investigate how generalised audit software is applied by internal audit providers within the UK.
• To evaluate the application of generalised audit software by internal audit providers.
• To develop a framework for the effective application of generalised audit software.


3.2 Assurance
3.2.1 Definition

The word ‘assurance’ is a fundamental part of the Institute of Internal Auditors (IIA) definition. The Collins paperback English dictionary (1992, p42) defines assurance as “a statement or assertion intended to inspire confidence”. Within a business environment, management seek this type of confidence to give themselves comfort that systems of internal control are operating effectively to help achieve the organisation’s objectives. The Institute of Internal Auditors – UK and Ireland (2006) published advice to Audit Committees stating that organisations need to seek assurance from different sources whilst acknowledging the need for credible objective assurance: Assurance comes from many different sources. Assurance from management is fundamental, but to be effective it needs to be complemented by objective assurance from internal audit. The literature review seeks to understand the assurance activities that are undertaken by internal audit during an audit engagement. The aim is to assess whether there is opportunity to use generalised audit software within these activities.

3.2.2 Internal Audit
The Institute of Internal Auditors - UK & Ireland (1999) define internal audit as: an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation achieve its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.


Part of the definition outlines that internal audit evaluates the effectiveness of risk management, control and governance through a systematic and disciplined approach. The literature review will examine the framework internal auditors use to undertake a systematic and disciplined approach to audits, using the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing 2007 (referred to hereafter as the Standards).

3.2.3 Audit Process
The introduction to the Standards (IIA, 2007a) states: Internal audit activities are performed in diverse legal and cultural environments; within organizations that vary in purpose, size, complexity, and structure; and by persons within or outside the organization. While differences may affect the practice of internal auditing in each environment, compliance with the International Standards for the Professional Practice of Internal Auditing (Standards) is essential if the responsibilities of internal auditors are to be met.
The IIA provides a framework through its standards to allow internal auditors to fulfil their responsibilities whilst allowing for organisational differences. The standards recognise that audit practices may differ from organisation to organisation, particularly the audit approach to audit engagements. The following performance standards are specific to undertaking audit engagements:
• 2200 – Engagement Planning
• 2300 – Performing the Engagement
• 2400 – Communicating Results

3.2.4 Engagement Planning (2200)
According to Drummond-Hill et al. (2004, p147) the purpose of an engagement plan is “to determine the significant parts of the potential audit – those parts that are risk critical – and to undertake the audit in a careful premeditated and co-ordinated way.” The engagement plan can also be referred to as the audit brief (Drummond-Hill et al., 2004) or the terms of reference (Spencer Pickett, 2005).
The IIA’s performance standard 2200 (IIA, 2007a) notes that internal auditors should develop and document a plan for all engagements. The engagement plan must include the scope, objectives, timing and resource allocations for the activity being audited. Performance standard 2200 is broken down into further constituent parts to provide detailed guidance. These are described below.

Performance standard 2201 – Planning considerations
As part of developing the engagement plan, standard 2201 sets out areas for internal audit to consider:
• The objectives of the activity being reviewed and the means by which the activity controls its performance.
• The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
• The adequacy and effectiveness of the activity's risk management and control systems compared to a relevant control framework or model.
• The opportunities for making significant improvements to the activity's risk management and control systems.
This standard introduces a “risk-based” focus to audit planning. It requires the auditor to obtain knowledge of the audit activity’s objectives, risks and related controls. Standard 2300 and its sub-standards offer guidance on the way in which this could be undertaken.

Performance standard 2210 – Engagement objectives
The engagement objectives are the goals, the justification and the purpose (Drummond-Hill et al., 2004) of the proposed engagement. Standard 2210 insists that engagement objectives should be established for every engagement undertaken. The practice advisories (Institute of Internal Auditors, 2001) for the standard suggest that, to help develop objectives, the internal auditor should:
2210.A1 Conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives should reflect the results of this assessment.
2210.A2 Consider the probability of significant errors, irregularities, noncompliance, and other exposures when developing the engagement objectives.
Practice advisory 2210.A1 (Institute of Internal Auditors, 2001) suggests a risk assessment is undertaken so that engagement objectives address the risks, controls and governance processes. This is echoed by Lemon & Tatum (2003, p281): “Engagement objectives should address the risks, controls and governance processes associated with the activity under review”. The risk assessment allows the auditor to understand the background to the activity under review by understanding its purpose within the organisation, its objectives and goals. With this context the auditor can collect further information through surveys, interviews with individuals, on-site observations, reviewing management reports, studies and use of any other available means to help evaluate risks (Lemon & Tatum, 2003). The internal auditor should establish objectives that reflect the results of this assessment. Clear, definable and measurable objectives will provide stakeholders and the internal audit team with clarity on what is required for the achievement of a successful audit.

Performance standard 2220 – Engagement scope
The engagement scope sets the boundaries of the audit. It defines how deep and how wide the internal auditor will go to achieve the audit objectives.
“It is simply impossible to undertake a 100% audit of the whole of the target area. Decisions have to be made to limit the amount of work to the areas that provide the biggest gain.” (Drummond-Hill et al., 2004)
Drummond-Hill et al. recognise the time constraints and resource limitations for internal audit functions. They infer that having a well defined scope will ensure that relevant and effective assurance can be provided by optimising resources to review the areas of high risk. Drummond-Hill et al. (2004) believe there are 5 main elements to consider when defining the scope:
1. The system and their boundaries
2. The controls
3. The risks
4. Personnel involved
5. Physical assets
For each of the five elements the auditor needs to use the information analysed as part of the preliminary work undertaken to inform the engagement scope. Whilst the internal auditor has to consider these 5 elements, the internal auditor is required by performance standard 2220 to ensure the established scope sufficiently satisfies the objectives of the engagement.

Performance standard 2230 – Engagement resource allocation
Performance standard 2230 notes that internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. Resource demands will differ from organisation to organisation depending on the organisation’s audit methodology (Lemon & Tatum, 2003). For example, the use of generalised audit software will require specific data extraction and analysis skills, as would the skills required to facilitate risk workshops.

Performance standard 2240 – Engagement Work Program
Standard 2240 states that a work program should be developed by internal auditors to facilitate the achievement of the engagement objectives. Practice Advisory 2240.A1 (The Institute of Internal Auditors, 2001) indicates work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to its implementation, and any adjustments approved promptly.

3.2.5 Performing the Engagement (2300)
There is no clear distinction as to when an audit engagement starts. It can be argued that even when planning an audit the internal auditor is performing the engagement. They are collecting, analysing and synthesising information to establish the audit objectives and scope. Standard 2300 can therefore be used as guidance to help fulfil the requirements of the performance standard 2200 range. The focus of this standard is to ensure information is used to achieve the audit engagement's objectives. The IIA Standard 2300 states that when performing an engagement the internal auditor must identify, analyse, evaluate, and record sufficient information to achieve the engagement’s objectives.

Performance standard 2310 – Identifying Information
The internal auditor has to identify information that is sufficient, reliable, relevant, and useful to achieve the engagement's objectives (Performance standard 2310). The standard ensures that the information identified and used should contribute to the achievement of the engagement objectives. Lemon & Tatum (2003) point out that the standard does not indicate the types of information the internal auditor should use. Instead the internal auditor has to apply professional judgement to how much and what type of information is required. There are endless sources of information the auditor may wish to call upon. It may be company strategies, policies, standard operating procedures, management reports, accounts, raw data etc.

Performance standard 2320 – Analysis and Evaluation
Standard 2320 states the internal auditor should base conclusions and engagement results on appropriate analyses and evaluations. Such analyses will be used as evidence to support engagement findings. Throughout the engagement the auditor has to make a number of evaluations. Initially, the audit activity under review has to be evaluated so that the auditor understands the governance, control and risk mitigation activities to establish the audit objectives (see standard 2200). Once the engagement planning is agreed, the next step for the internal auditor is to understand and evaluate the systems of internal control to see how they are managing the identified risks in line with the organisation’s risk appetite. There are many evaluation techniques the auditor can draw on for understanding the audit activity. The techniques used are limited by the auditor’s skills, knowledge and creative thinking. Other typical techniques include benchmarking, trend analysis, walkthrough tests and review of corporate documents (policies, strategies, operation procedures etc).
Once the auditor has evaluated the system the auditor seeks to provide further assurance by testing the risk management strategies or making an assessment of potential risk exposure. Testing is the act of securing suitable evidence to support an audit (Spencer Pickett, 2005) and it provides the evidence for a more accurate assurance for management (Drummond-Hill et al., 2004). The programme of testing, how much to test and what to test, is based on 4 areas according to Drummond-Hill et al. (2004, p201-202):
• The auditor’s evaluation of the risk mitigation strategies in place.
• The evidence required.
• The time, techniques and expertise available.
• The cost.
The two main types of testing are compliance tests and substantive tests. Compliance tests establish whether risk management strategies and/or controls are working as intended. Substantive testing is a more detailed approach and is used if the auditor needs evidence of the outcome of transactions. This type of testing does not evaluate the control but will inform the auditor whether activities have been carried out correctly and whether objectives have been achieved. Substantive testing is generally used to quantify errors and exceptions where compliance tests have found weak controls (Drummond-Hill et al., 2004).

Testing by analytical review is another approach to both evaluating the systems of internal control and evaluating risk management strategies/quantifying risk exposure. Analytical review can be drawn upon if the right skills and time are available and it involves the study and comparison of relationships between the information being tested and other relevant data (Drummond-Hill et al., 2004). The benefits of using the analytical review approach are listed by Drummond-Hill et al. (2004):
• Flexibility. There are many ways of testing many different pieces of information, with the use of the right tools and techniques.
• Quick. It is comparatively quick and easy to do in a computerised environment.
• Cost-effective. It is a cost effective method of substantive testing because it is quick and flexible.
Analysis and evaluation is essential for backing up findings and recommendations identified whilst performing the audit. The auditor needs to ensure this information is correctly recorded; this is outlined in standard 2330.

Performance standard 2330 – Recording Information
Standard 2330 states that internal auditors should record relevant information to support the conclusions and engagement results. Lemon & Tatum (2003) discuss that the standards do not indicate what types of information should be recorded. They point to practice advisory 2330-1 (The Institute of Internal Auditors, 2001), which indicates that the chief audit executive is responsible for establishing documentation policies, thus recognising that the organisation, design and content of engagement working papers and supporting documentation depend on the type of engagement being performed.

To support conclusions and engagement results, evidence is required. Spencer Pickett (2005, p240-241) states that evidence should have the following attributes:
• Sufficient. Evidence should be enough to satisfy the auditor’s judgement or persuade management to make any changes suggested by the audit.
• Relevant. Evidence should be collected related to the risk management strategies and control objectives.
• Reliable. Evidence should be accurate, without bias and where possible obtained directly by the auditor.
• Practical. The cost of obtaining the evidence needs to be judged, including the time taken and the sensitivity.
Recording working papers and evidence provides the auditor with greater leverage for persuasion and proving factual accuracy to management. Having these documents also helps senior audit peers undertake quality review; this will be explained as part of the 2340 standard.

Performance standard 2340 – Engagement Supervision
Engagements should be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed (standard 2340). Audit engagements must be supervised throughout the whole process. Practice Advisory 2340 (The Institute of Internal Auditors, 2001) notes that although the chief audit executive has overall responsibility for review, experienced internal auditors may review the work of other less experienced internal auditors. Practice Advisory 2340-1 (The Institute of Internal Auditors, 2001) recommends that supervision should include:
• Ensuring that the auditors assigned possess the requisite knowledge, skills, and other competencies to perform the engagement.
• Providing appropriate instructions during the planning of the engagement and approving the engagement program.
• Seeing that the approved engagement program is carried out unless changes are both justified and authorized.
• Determining that engagement working papers adequately support the engagement observations, conclusions, and recommendations.
• Ensuring that engagement communications are accurate, objective, clear, concise, constructive, and timely.
• Ensuring that engagement objectives are met.
• Providing opportunities for developing internal auditors' knowledge, skills, and other competencies.

3.2.6 Communicating the Results (2400)
Performance Standard 2400 is related to how the internal auditor communicates the engagement results to the relevant stakeholders. The internal auditor has to consider the audiences they are communicating their results to. Different audiences have different communication needs and this may affect the methods used by the auditor to communicate results. Drummond-Hill et al. (2004) identify four main audiences: operational managers, senior managers, the audit committee and the board. To illustrate differing needs, operational managers are likely to need detailed findings and recommendations to take forward and resolve the operational issues identified. The auditor may have communicated these verbally throughout the audit but is still likely to issue a written report at the end. On the other hand, senior management will be interested in the areas of highest risk exposure, which may affect the achievement of objectives. Drummond-Hill et al. (2004) suggest the best way to communicate to senior management would be through presentation. The audit committee require a written summary of the high risk exposures but they would also like additional information on how management are dealing with issues raised, particularly those where management have not implemented agreed actions.
Written reports are the mechanism to communicate findings to the relevant audiences. Drummond-Hill et al. (2004) point out that the role of audit reports is to communicate the results of the engagement, provide the internal auditor’s opinion on the audit activity and secure acceptance of recommendations, and the commitment to act upon these.

Performance standard 2410 – Criteria for communicating
This performance standard sets out the need for communications to include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans. The practice advisory (The Institute of Internal Auditors, 2001) suggests there are four key elements for articulating observations. These are criteria (the expectation), condition (the fact), cause (reason for the difference) and effect (risk or exposure). Although the standard provides minimum expectations in terms of what to include in a report, it still allows the organisation to use the format and style of their choice. Reports are not just limited to narrative and, to help illustrate observations or to quantify risk exposure, the internal auditor may want to use data analyses, charts, graphs, tables and photographs. Sawyer, Dittenhofer, & Scheiner (2003, p703) point out the benefits of this:
“Well-designed schedules, tabulations, charts, and graphs can bring clarity. One picture can make clear what a thousand words can only obscure.”

Performance standard 2420 – Quality of communication
Communications should be accurate, objective, clear, concise, constructive, complete, and timely (Standard 2420). Reporting is crucial to the success of the audit engagement and tends to be internal audit’s end product. The reporting has to meet the needs of the various stakeholders including the audit committee and management (Spencer Pickett, 2005). The quality of communication should be regularly assessed to ensure that quality, in line with the standards, is continuous. According to Lemon & Tatum (2003, citing Cutler 2001) “if you’re still using the same report that you were using five years ago, chances are you’re providing more information than your readers want.”

Performance standard 2421 – Errors and Omissions
If a final communication contains a significant error or omission, the chief audit executive should communicate corrected information to all parties who received the original communication.

Performance standard 2430 – Engagement Disclosure of Noncompliance with the Standards
When non-compliance with the Standards impacts a specific engagement, communication of the results should disclose the:
• Standard(s) with which full compliance was not achieved,
• Reason(s) for noncompliance, and
• Impact of noncompliance on the engagement.

Performance standard 2440 – Disseminating the results

The chief audit executive should communicate results to the appropriate parties.

3.2.7 Summary

International Standards for the Professional Practice of Internal Auditing provide internal auditors a framework to undertake an audit engagement in a systematic and disciplined approach. It is recognised by the standards that the approach and process undertaken to deliver audit engagements are likely to differ from organisation to organisation and therefore allows internal audit functions to interpret the standards and build them in to their systematic approach. Interpreting the standards, one can summarise particular areas which are essential for delivering an audit engagement:
• Planning – a premeditated and co-ordinated approach to establish audit objectives whilst aligning and getting best use out of available resources.
• Identification – identifying risk management processes, internal control and governance arrangements of the area under review.
• Evaluation – testing the risk management strategies or quantifying the extent of risk exposures, so necessary assurance can be provided to management.
• Communication – communicating the results in an appropriate method depending on the audience to persuade and engender buy-in from management to agree and accept audit observations and recommendations.

The means to fulfil these areas are open to further interpretation. This gives organisations the flexibility to set procedures based on their own cultures, personnel influence and resource limitations.

Now four main areas of assurance activity have been identified the literature review will now seek to understand existing research in the area of generalised audit software (GAS). The next chapter will assist to understand what GAS is, how it has been developed, what are the advantages and disadvantages of GAS and to establish whether there is any published guidance when to use GAS. Once this is established it should be apparent to which assurance activities GAS could potentially be used.

3.3 Computer Assisted Audit Techniques (CAAT)

3.3.1 Definition

Computer Assisted Audit Techniques (CAATs) are computer-based tools and techniques which permit auditors to increase their personal productivity as well as that of the audit function (Coderre, 2005). Coderre offers two types of CAATs within his definition. The first are those computer-based tools that support the audit function to introduce autonomy and improve operational efficiency and effectiveness. Examples of these include spreadsheets, electronic timesheets, and automatic working papers. The second type of CAATs are those that are used as part of the audit engagement to analyse and evaluate computerised systems, their controls and data.

3.3.2 CAAT Type 1: Computer System Audit Tools and Techniques

The pervasive nature of computers and technology throughout organisations means that today’s auditor has to audit through the computer in order to provide effective assurance. Auditing through the computer means that the applications within a computer are tested to ensure their controls are operating as intended so that data input is processed accurately. Computer system audit tools and techniques help to audit through the computer and there are common tools and techniques the auditors can utilise. Braun and Davis (2003) categorises computer system audit tools and techniques in to five categories (see table 2).

Tool/Technique: Description

Test Data: Test data examines an application’s logic directly. Auditor pre-plans input and expected outcome. A copy of the application is run in a test environment and is subject to the pre-planned input. If the output is not what the auditor expects it provides an indicator to a potential control failure or application failure.

Integrated Test Facility (ITF): ITF examines an application’s logic directly. The auditor has to be involved in the system design so that a “test” module can be created for use by audit. The “test” module is embedded in to the system so that test data can be put through the module and the data will be processed using the actual system and processes without affecting “live” data. This allows the system and its controls to be tested during operation.

Parallel Simulation: Parallel Simulation examines an application’s logic directly by comparing the actual application with an application designed by the auditor to replicate the process. Client data is put through both applications and the results are compared to check data integrity and the quality of the process performed.

Embedded audit module: Embedded audit module indirectly examines an application’s logic. A module is inserted in to the client’s application by the auditor designed to select transactions that meet pre-set criteria. The auditor can use these transactions to demonstrate compliance/noncompliance with policies/procedures or also to select a certain sample for substantive testing.

Generalised audit software (GAS): GAS examines an application’s logic indirectly. Auditor uses GAS to extract data from a system for analysis. GAS software allows the auditor to analyse trends, summarise data, view exceptions etc. The key strength of GAS is that it allows the auditor to perform certain tests on the whole population of the data rather than a sample.

Table 1: Descriptions of Braun and Davis (2003) CAAT Categorisations

Based on the Braun and Davis (2003) categorisation it is evident there are two types of computer system audit tools and techniques:
1. Those that examine application logic directly (examination of controls and process).
2. Those that examine the application logic indirectly (examination of data).

Tools and techniques used to examine logic directly are used to test the expected or actual application controls. The auditor will control the input of test data and will have an expectation of the output. Arens et al. (2000) suggests there are three strategies for auditing through the computer. These have also been included in Braun & Davis (2003) categories and include test data, parallel simulation and embedded audit module.

The tools that examine application logic indirectly, embedded audit module and GAS, focus on the analysis of data. If there is irregular data then the auditor will use this to identify where application logic may have failed (Hall 2000).

Sayana (2003) offers a different perspective on categorising computer based audit techniques and tools:
1. Data analysis software (GAS).
2. Network security evaluation software/utilities.
3. Operating system (OS) and database management system (DBMS) security evaluation software.
4. Software and code testing tools.

Data analysis software has also been identified by Braun & Davis (2003) but the other three categories of network security evaluation software, OS & DBMS security evaluation software and software and code testing tools are very specific. These tend to be specialised tools for auditors to use for evaluation of security controls and testing compliance against organisation’s security policies (Sayana 2003).

Sayana (2003) acknowledges the traditional tools and techniques highlighted by Arens et al. (2000) and Davis and Braun (2003) are becoming rare due to the high standards and maturity of software development.

The huge improvements in the quality and reliability processes reinforced by certifications in the software industry, the rigorous user acceptance testing and signoffs by aware users have made testing by auditors redundant throughout the years. Sayana (2003)

Sayana (2003) does not rule out the need to perform traditional methods like test decks but only if it is relevant to the environment the auditor operates within.

It is widely recognised within the internal audit profession that these tools and techniques are essential, if not imperative, to use for providing assurance in an IT pervasive world. Without the use of the tools it is practically impossible to audit through the computer and its applications (Sayana 2002). This is underlined by performance standard 1210.A3:

Internal auditors should have knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing. (IIA, 2007a)

The Information Systems Audit and Control Association (ISACA) also underline this through their standard 060.020 (ISACA, 2006).

During the course of the audit, the Information Systems Auditor is to obtain sufficient, reliable, relevant and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.

Computer system tools and techniques must be employed in order to provide management with sufficient evidence to support audit findings and conclusions.

3.3.3 CAAT Type 2: Computer-based Audit Support Tools and Audit Automation

There is an increased pressure to do more with less and due to the unfortunate perception that internal audit is an overhead, the internal audit function must become more efficient in delivering products and services as well as becoming more effective (Coderre, 2005). Ramamoorti et al. (2003) note that it is critical for the internal audit function to be seen as a value-adding service and one with a respected status within the organisation. This status brings expectations from the wider organisation to be efficient using technology, so costs are reduced whilst maximising benefits. Ramamoorti et al. (2003, P326) states “given such strategic positioning within an organisation, the function should clearly be technology-savvy and fully integrate IT into its methodology and activities.”

Internal audit functions are looking to computer-based audit support tools and audit automation to gain efficiencies. There are many software packages and tools available to assist the audit function supporting audit management and administration, these are discussed below.

3.3.3.1 General Software

General software is software that is not specifically designed for use by auditors but has functionality that the internal audit function can utilise. Examples of this type of software include word processors, spreadsheets, presentation, and flow charting.

Word Processor

Word processors support the production of working papers and audit reports by allowing the auditor to record and manipulate textual information (Coderre, 2005). Modern word processors are armed with useful features such as spell-checking and thesaurus. According to Coderre (2005) one of the benefits of these features is that it has improved the quality review, management are now less focused on incorrectly spelled words and much more concerned about the content and issues of the report.

Another useful time-saving feature in word processors is the use of templates. Templates allow audit documentation (working papers, risk matrices, reports etc) to be standardised to a format and style of the internal audit function's choice so that the auditor. Not only does it eliminate the need for auditors to reproduce documentation (Coderre 2005) it can also be used to portray a professional image.

As illustrated software as simple as a word processor can bring benefits and efficiency gains to the internal audit function, it is a matter of understanding the features and assessing how these can be used to support audit processes.

Spreadsheet

The spreadsheet consists of rows and columns. The intersection between each row and column forms a cell and it is these cells that form the spreadsheet. Cells can contain numbers, dates, text and formulae and users are able to manipulate this information through calculations, sorting, filtering and performing in-built data analysis techniques (Coderre, 2005).

The diversity of the spreadsheet provides many opportunities to benefit the internal audit function and individual auditor. Audit management can benefit from spreadsheets by using them for tracking audit budgets, recording time and billing information and evaluating risk scores. Spreadsheets can also be used for the audit process such as producing analysis and graphs for audit reports. It can also be used for data and extraction analysis when planning or testing audit engagements. Coderre (2005, P60) states that “any audit process which involves the analysis of quantities of data or repetitive calculation can be made more efficient by using a spreadsheet.”

Presentation

Ramamoorti et al. (2003, P330) articulates how presentation software can help the internal auditor: “Presentation software, which creates/embeds charts, graphs, pictures, sound and video clips, can help internal auditors present clear, concise and complete information.”

The use of presentations is a useful tool for auditors when they want to communicate in a condensed and interesting manner (Coderre 2005). It is particularly useful for reporting observations and recommendations to senior management, as suggested by Drummond-Hill et al. (2004).

Flowcharting

Flow charts are useful for documenting business procedures and identified controls in a visual format. By modelling a particular system, flow charts are beneficial to assess the efficiency of a process or system, particularly for identifying duplication and bottle-necks, and also assessing the effectiveness of system design by identifying key controls.

Traditionally flow charts were drawn by hand so any required updates were a time-consuming process (Coderre 2005). Flow chart software enables the user to easily amend and update existing flow charts, thus increasing the quality and accessibility of documentation (Coderre 2005). Some flowchart software facilitates the user to follow particular flowcharting standards such as Rutterman.

3.3.3.2 Electronic Working Papers

Electronic working papers provide auditors with an electronic means to plan, record, evaluate and report to support the audit process. Coderre (2005) lists the basic capabilities of most electronic working papers:
• Quick and reliable replication of databases and documents across one or many servers
• Automatic routing of information [workflow]
• The ability to create forms or standard templates for working papers (memos, reports, worksheets)
• Enforcing a standard methodology/approach to conduct the audit
• Automatic naming and management of files, solving document management and version control issues
• Providing easy access to, and sharing of, all relevant data for auditors working off-site.

These capabilities described by Coderre (2005) are not exhaustive. Using electronic method of working papers provides a robust framework for auditors to follow, shared access to audit information, workflow processing to allow automation and overall better control of audit documentation. This contributes to a more efficient and effective audit function.

3.3.3.3 Other common software

Notwithstanding the software tools discussed there are many more the auditor can draw upon. The table below summarises other common software that could potentially be used by internal audit functions for increasing efficiency and effectiveness.

Tool / Technique: Description

Communication
Email: Allows writing, sending, and receiving of electronic messages.
Instant Messenger: Allows real-time text communication.
Video/Tele-conferencing: Allows real-time video and audio communication.

Training and Knowledge Sharing / Transfer
Computer Based Training: Training programs delivered from a computer. Tends to allow self-paced learning, consistency and low cost.
Reference Library: A centralised library containing electronic documents to make it easier to control and retrieve.

Table 2 Potential other software used by internal audit

3.3.4 Summary

This part of the literature review has seen the common tools and techniques that can be applied by internal audit functions whether it be those tools that audit computer systems or those tools that are used to increase operational productivity of the audit department. The purpose of this was to highlight how internal audit departments are able to improve efficiency and effectiveness using technology.

CAATTs can significantly improve audit effectiveness during the planning, conduct, reporting and follow-up phases of the audit, as well as improving the overall management of the audit function. Coderre (2005, P21)

Generalised audit software (GAS), mentioned as part of the CAAT type 1, is the most frequently used of all of the CAATTs according to Braun and Davis (2003). The research will concentrate on this type of CAAT exploring the definition of GAS, available GAS tools, where GAS can be used and comment on any current guidance and/or framework for the use of GAS.

3.4 Generalised Audit Software

3.4.1 Definition

Debreceny et al. (2005, p605) defines generalised audit software as “…a class of packaged software that allows auditors to interrogate variety of databases, application software and other sources and then conduct analyzes and audit routines on the extracted or live data.”

Braun and Davis (2003, p727) suggest that generalised audit software is the most frequently used of all CAATs and they present a simpler definition, “Gas allow for data extraction and analysis.”

Both definitions clearly link the use of data and analysis. Debreceny et al. (2005) recognises that GAS can perform analyses on live data as well as extracted data. In addition to this the literature review found many common variations and misnomers for describing GAS:

Source: GAS referred to as

IIA Professional Guidance paper (2007b): Information Retrieval and Analysis Tool (IRAT)
Coderre (2005): Data Extraction and Analysis tools
Boheim and Rieman (1999)
Bierstaker, Burnaby and Hass (2003): Data Mining and Analysis
Sayana (2003): Data Analysis software
Kalaba (2002): Computer Assisted Audit Technique (CAAT)
Lanza (1998): Auditing Software

Table 3: Other references for GAS

Whichever term is used the context always makes it clear data analysis is involved, whether it be extracted or analysed in real-time.

3.4.2 GAS Products

In 2006 the Institute of Internal Auditors (IIA) undertook their 12th Internal Auditor software survey. They received 516 responses out of 6,500 IIA members that were invited to complete the survey.

The survey asked members to indicate which product they use frequently for data extraction and data analysis. The following data extraction and analysis products were used by internal auditors:
• Microsoft Access
• Audit Command Language (ACL)
• AS/400 query
• Excel
• Interactive Data Extraction and Analysis (IDEA)
• Monarch
• Oracle
• PeopleSoft
• SAP

The results showed auditors interchanged between spreadsheets and speciality products depending on the audit requirement.

As part of Braun and Davis (2003) study they found from preliminary interviews that ACL and IDEA were used by their potential study participants. ACL and IDEA are both products that have been specifically designed by software vendors for extraction and analysis for audit purposes, as explained by Debreceny et al. (2005):

These packages contain general modules to read existing computer files and perform sophisticated manipulations of data contained in the files to accomplish audit tasks.

The other tools listed above can perform data extraction and analysis but this is not their primary function and they have not been developed with audit tasks in mind.

3.4.3 GAS Constituents and their Use

As the definition has outlined there are two key constituents of GAS, data extraction and data analysis. The functionality on GAS such as IDEA and ACL provide auditors with a plethora of tools and techniques for extracting and analysing data. The simplicity to use GAS has improved and now auditors do not have to be programmers to perform data extractions and analyses:

They [GAS] have a user-friendly interface that captures users’ audit requirements and translates those user instructions or queries into program code. Debreceny et al. (2005, p607)

3.4.3.1 Data Extraction

Data required for an audit may reside in diverse and distributed systems types with varying degrees of control (Silltow 2002). These heterogeneous environments provide auditors with a challenge to extract the data they require. Modern GAS has been developed so that it has the flexibility to extract data from nearly any application or file format, as stated by Debreceny et al. (2005, P607), “GAS vendors provide data extraction routines for many different computing environments”.

The auditor must work with data owners to obtain the relevant data needed to meet the audit objectives. Silltow (2002) suggests that auditors should make data request arrangements well in advance of the time it is needed in order to minimise any effect on the organisation’s production environment. Coderre (2007) suggests writing a formal request to include:
• the data source(s) and key fields
• the timing of the data
• data transfer format (floppy, LAN, Internet, CD-ROM etc)
• the data format (ASCII print file, delimited, comma separated etc)
• control totals (number of records, key numeric field totals)
• record layout (field name, start position, length, type, description)
• a print of the first 100 records

Data requests may include, what is deemed, confidential and sensitive data. Sufficient controls must be in place to ensure this data is secure during extraction and in some cases when transported.

“It is necessary to safeguard this program/system information and production data with an appropriate level of confidentiality and security. In doing so, consider the level of confidentiality and security required by the organisation owning the data and any relevant legislation”. Silltow (2002, P360)

If data requests contain personal information the auditor has to be aware of the 8 principles of the Data Protection Act (1998):
1. Personal data shall be processed fairly and lawfully
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
3. Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed
4. Personal data shall be accurate and, where necessary, kept up to date
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
6. Personal data shall be processed in accordance with the rights of data subjects under this Act
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

To highlight the importance and potential risk of data extraction, the National Audit Office (NAO) in October 2007 requested child benefits data from Her Majesty’s Revenue and Customs (HMRC). The data was extracted over two Compact Discs (CDs) and had over 25 million individual records, which included personal details. The CDs were sent by courier to the NAO but they never arrived. Although HMRC protected the data with a password, with the right tools these passwords can potentially be compromised. Information security experts suggested that the data should have been encrypted given the sensitivity of the data. In the wrong hands this information could be sold on or used for identity theft. The discs have never turned up and the Chairman of HMRC has since resigned because of the operational failings and the flagrant breach of the Data Protection Act 1998.

With the simplicity of extracting data and importing data using GAS, it is imperative to ensure data is appropriately safeguarded, as Silltow (2002) states.

Data obtained should be stored in an appropriate location so that the auditor can perform analysis and manipulate the data further. The auditor must consider where to store the data and ensure the access arrangements are not in breach of company policy or legislation such as DPA 1998 (seventh principle).

Once data is imported in to GAS such as ACL and IDEA data is locked down as read only (Singleton, 2006). This ensures that data cannot be inadvertently or maliciously changed during analysis so any results are accurate and reliable. Additional functionality exists to add more fields to the data for further manipulation and analysis but the original data fields remain unchanged.

Coderre (2007) advises the auditor to check data integrity once it has been imported. This can be done by comparing the control totals (number of records, sum of a key numerical field etc) from the formal data request (see above) against the data totals in the GAS. Modern GAS has the functionality to allow the auditor to automatically calculate control totals, so all the auditor has to do is do the comparison.

Once data integrity is checked then the auditor is ready to analyse the data. The auditor should perform analyses as per the audit objectives, which will be explored in the next section. Once this is done the auditor has one last consideration in terms of the actual data. If personal data has been analysed and processed the auditor must consider how long the data should be retained for, in line with the fifth principle of DPA 1998.

3.4.3.2 Data Analysis

Juergens & Maberry (2006, P17–P18) describes the analysis functionality of GAS:

These tools allow an IT auditor to perform robust statistical analysis of large data sets. They can also be used to support process or operational audits (e.g., accounts payable fraud reviews), and they can support many types of testing.

Juergens & Maberry (2006) suggest that the use is limited to IT auditors but simplicity of modern GAS allows any auditor to use as Coderre (2005, P197) describes:

Audit software permits auditors to interact with the data with minimum knowledge of specialized programming techniques. Most audit software packages have a user-friendly interface and are menu-driven. Certain functions are automated to the extent that one command can be used to carry out a fairly complex task.
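The control-total comparison that Coderre (2007) recommends after import can be sketched as follows. This is an added example, not taken from the dissertation or from any GAS product; the field names, sample extracts and control totals are constructed for illustration.

```python
import csv
import io
from decimal import Decimal, InvalidOperation

# Constructed control totals, as the data owner would state them in reply to
# the formal data request (number of records, key numeric field totals).
CONTROL_TOTALS = {
    "record_count": 5,
    "field_totals": {"amount": Decimal("1909.90")},
}

# Constructed comma-separated extract that arrived intact.
EXTRACT_OK = """invoice_no,supplier,amount
1001,ACME LTD,250.00
1002,BRIGHT PLC,1200.50
1003,ACME LTD,84.15
1004,CORVUS LLP,300.00
1005,DELTA CO,75.25
"""

# Same extract with the final record lost in transfer (constructed).
EXTRACT_TRUNCATED = EXTRACT_OK.rsplit("1005", 1)[0]

# Same extract with one amount corrupted, letter O in place of zero (constructed).
EXTRACT_CORRUPT = EXTRACT_OK.replace("1200.50", "12OO.50")


def compute_totals(extract_text, numeric_fields):
    """Return (record_count, {field: Decimal sum}, unparseable_cells)."""
    reader = csv.DictReader(io.StringIO(extract_text))
    count = 0
    sums = {name: Decimal("0") for name in numeric_fields}
    bad_cells = []
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        count += 1
        for name in numeric_fields:
            raw = (row.get(name) or "").strip()
            try:
                value = Decimal(raw)  # Decimal avoids float rounding drift
                if not value.is_finite():  # reject "NaN" / "Infinity"
                    raise InvalidOperation
            except InvalidOperation:
                bad_cells.append((line_no, name, raw))
                continue
            sums[name] += value
    return count, sums, bad_cells


def reconcile(extract_text, control):
    """Compare totals of the imported data with the supplied control totals.

    Returns a list of (item, expected, actual) findings; an empty list means
    the import agrees with what the data owner says was extracted.
    """
    fields = list(control["field_totals"])
    count, sums, bad_cells = compute_totals(extract_text, fields)
    findings = []
    if count != control["record_count"]:
        findings.append(("record_count", control["record_count"], count))
    for name in fields:
        expected = control["field_totals"][name]
        if sums[name] != expected:
            findings.append((name, expected, sums[name]))
    for line_no, name, raw in bad_cells:
        findings.append(("unparseable", f"line {line_no} {name}", raw))
    return findings


if __name__ == "__main__":
    for label, text in [("intact", EXTRACT_OK),
                        ("truncated", EXTRACT_TRUNCATED),
                        ("corrupt", EXTRACT_CORRUPT)]:
        print(label, reconcile(text, CONTROL_TOTALS))
```

A record-count mismatch points to a truncated or partial transfer, while a field-total mismatch with the right record count points to altered or corrupted values, so the two totals are worth reporting separately.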

The IIA emphasise the importance of having clear objectives so analysis is focused. With the amount of functionality available there is a danger auditors may perform analysis that appear interesting but do not actually meet the objectives of the audit, and consequently waste time:

It is easy to download data and then experiment with all the different tests available in a specific IRAT [GAS] package. However, that is also an easy way to waste time and should be done only where that is useful. To maximise productivity, it is important to stick to the audit objectives and to define and document the tests, which are appropriate. The Institute of Internal Auditors – UK and Ireland (2007b, p6).

Planning the use of GAS, and the functionality to use, is imperative to get the most from it, particularly as this software can be used for all audit phases (Coderre 2005).

Planning

Paukowits & Paukowits (2000, P28) highlight the benefits of using data analysis during the planning phase of an audit:

Applying analytic functions to data such as counting, totaling, stratifying, classifying and sorting can yield valuable insights and leads regarding risk and magnitude of the potential exposure to loss.

This statement is also supported by Coderre (2007) and Singleton (2006), who both indicate that reviewing data in this way is also likely to identify suspicious data and/or transactions, which can provide further direction to the audit. This provides the auditor with a better understanding of the audit activity, which helps to influence the audit scope and assess the areas of high risk.

Typical GAS functionality to support planning includes pivot tables, summarisations, age analyses, statistical methods (mean, median, mode, standard deviation and sum), and data profile statistics. Data profile statistics provide the auditor with an overview of the data displaying statistical analysis, extremes and reoccurring data.

Coderre (2005) provides some practical suggestions how data analysis can be used to inform planning. Analysis can be applied to define audit populations, identify resource consumption and outputs, review previous and current years’ expenditures and budgets, or, perform trend analyses.

Data analysis can assist auditors pinpointing likely risk areas for planning but Paukowits & Paukowits (2000) provide a caveat by stating that using data analysis for planning is still limited to the creative input and critical thinking abilities of the auditor.

Testing

As IT becomes increasingly more pervasive within the control environment, the auditor is faced with less paper and more electronic files (Coderre, 2005). The sheer volume of electronic information makes it difficult for auditors to use manual techniques (Coderre, 2005) to test effectiveness of controls. Using GAS auditors can audit “through the computer” and ensure input, processing and output controls work as intended.

Coderre (2005, P65) points out testing as one of the fundamental benefits of GAS, “…modern audit software facilitates electronic analysis, screening and testing of 100 percent of the audit populations.” Increasing test coverage (by testing a whole population) means that auditors are providing greater assurance. In addition, audit tests (e.g. duplicate test) can be performed much faster than if it were done manually, improving audit efficiency.

The Institute of Internal Auditors – UK and Ireland (2007b) list some key objectives in testing using IRATs [GAS]:

Key Objective | Description
Validity | The most common use of IRATs is to validate data by cross-matching between files from different sources or checking for duplicates. This can involve testing every item in a file or data-base or can just be based on records meeting certain criteria, eg exception testing for unusual items. Payment and Payroll data contain patterns which can be checked.
Sample selection | IRATs can also be used to select a sample for further testing, eg to [obtain] external evidence, including source documents.
Completeness | It can be difficult to prove the completeness of records but cross matching to another source or checking for gaps in a numeric reference can give significant assurance in this area.
Mechanical accuracy | It is easy to assume that computer systems can add up and compute price and cost information correctly. However this is not always the case and it is worthwhile checking from time to time, particularly with new software or new versions or releases of existing software.
Analytical review | IRATs can produce significant analysis, including trend data, totals by relevant categories, stratifications (ie number and value of items in bands) and percentages to indicate the plausibility of the data or certain unusual characteristics. Analytical review can also help the internal auditor during engagement planning to understand better the activity under review.
Cut-off | Tests on dates of transactions and the dates of associated activities can detect items recorded in the wrong period.

Table 4: Key objectives in testing using IRATS [GAS]. Based on the professional guidance for internal auditors - Information retrieval and analysis tools.

The key objective used by the auditor depends on what is being audited and the defined audit objectives. Auditors could draw on one or more of these testing techniques to provide the relevant evidence to provide reliable assurance for the auditable area. Warner (1998) provides examples of typical audits and the testing techniques available when using ACL, a modern GAS package. These examples can be found in appendix A.

Silltow (2002) provides more audit examples where GAS can be useful for testing. Some of these are included in the table below:

Auditable Area | Aim | Potential GAS Functionality
Accounts receivable | Test for validity in particular old invoices, unmatched cash and large balances | Summarisation; Sorting; Conditions
Creditors and debtors | Review potential cases of suppliers overpricing, invalid invoices, frauds, accidental duplication and expenses out of control | Benford's Law; Conditions; Duplicate detection; Data Comparison
Payroll | Tests for existence of employee and correctness of pay. Comparison of staff on payroll against supplier list | Duplicate detection; Database comparison; Re-performing calculations on key fields
Sales | Completeness of transactions, correct pricing and calculation of commissions | Gap detection; Re-performing calculations on key fields

As highlighted by both Silltow (2002) and Warner (1998) typical testing functionality in modern GAS includes duplicate analysis, gap detection, Benford's law, re-calculations (parallel testing), calculations and computations, matching and comparing data from other databases. The latest GAS also offers highly customisable scripting. This allows technically savvy auditors to programme automatic routines for repetitive tasks, or to use again in future audits.

With so much functionality Paukowits & Paukowits (2000, p27) offers a warning: “Auditors frequently limit their use of CAATs to the more popular capabilities of the software. If a program has the ability to identify

duplicates or gaps, then the auditor may be inclined to design a test to isolate only these types of problems – not necessarily because this represents a particular risk to the organisation…”

This underlines the importance of ensuring tests are defined up front in line with the audit objectives.

Reporting

Coderre (2005) believes that the use of CAATs, such as GAS, can produce effective reports that can contribute to the overall acceptance of audit findings. Modern GAS are able to present analysis graphically (bar charts, pie charts etc) as well as in data tables. Auditors can use these within their reports to clearly illustrate the significance of an audit finding, particularly if 100 percent testing has been performed because this shows a true reflection of the exceptions.

ISACA Auditing Guidelines (2008) for the use of computer assisted audit techniques suggests three principles to follow when reporting on an audit that has used CAATs:

1. The objectives, scope and methodology section of the report should contain a clear description of the CAATs used. This description should not be overly detailed, but it should provide a good overview for the reader.
2. The description of CAATs used should also be included in the body of the report, where the specific finding relating to the use of CAATs is discussed.
3. If the description of the CAATs used is applicable to several findings, or is too detailed, it should be discussed briefly in the objectives, scope and methodology section of the report, and the reader should be referred to an appendix with a more detailed description.

Following these guidelines will demonstrate to all report stakeholders that internal audit are using the latest tools and techniques to add value whilst improving audit efficiency.

3.4.4 Determining factors of when to use GAS

GAS is just one tool of many CAATs and other manual techniques an auditor can draw on to contribute to the achievement of audit objectives. The Institute of Internal Auditors – UK and Ireland (2007b) suggest certain questions can be used to determine whether IRAT [GAS] should be used:

• Is the information stored electronically?
• Can the characteristics of accurate data be defined clearly so that a test can be formulated?
• Is it important to assess the full extent of an error?
• Is the particular data required available? It may have been deleted or a key element may not be in the file.
• Do the likely benefits from the testing justify the cost?

When the auditor determines there is a benefit to using GAS Silltow (2002) states that the use of GAS is more effective if it is thoroughly planned. Silltow (2002) outlines a six step guide for using GAS to support an audit:

Step 1: Set your objectives, this is the key to using file interrogation software [GAS] successfully. It will enable you to understand what you wish to achieve, and plan exactly what it is you need to do to reach the objectives.

Step 2: Determine the files to which you need to gain access, to get the data you require. The database schema/file layout should assist you in determining whether you are selecting the correct files. Also, you may need to gain access to the files.

Step 3: Select the fields you require, within the database.

Step 4: Decide how much data you require and where you are going to store it when you get it.

Step 5: Obtain the data. It may be worthwhile getting a small amount of data first, to test out your theories. This will enable you to fine-tune your requirements and ensure that your objectives are met without wasting too much time. This is especially relevant if it takes a great deal of time to obtain the data from its source.

Step 6: Once you have completed your test – and satisfied yourself that objectives can be met – obtain all the data you need and produce the required reports.

Coderre (2007) outlines a more detailed approach to the application of GAS, specifically for ACL but the principles also apply to any GAS. The first step is to ensure the auditor understands the goals and objectives of the audit. Once this is confirmed the following steps should be taken:

1. Identify all available databases both: internal to the client organization – main application systems, and external to the client organization – including benchmarking and standards
2. List fields in all available databases and the standard reports that are available.
3. Based upon the audit objectives, identify the data sources, the key fields or data elements required by the audit team.
4. Request the required data – trying to ensure that unnecessary fields are excluded for the request. Meet with the client and the programmer for the client applications. Prepare a formal request for the required data, specifying:
a. the data source(s) and key fields,

b. the timing of the data (for example: as of Sept 31 2002),
c. the data transfer format (floppy, LAN, CD ROM, tape, Internet, etc.),
d. the data format (DBF, Delimited, flat file, ASCII print file, ODBC, etc.),
e. control totals (number of records, key numeric field totals),
f. record layout (field name, start position, length, type, description),
g. a print of the first 100 records
h. authorization – obtain client agreement on data (source, timing, integrity, etc.).
5. Create or Build the ACL [GAS] Input File Definition - automatically created by ACL for DBF, ODBC, and Delimited files.
6. Verify the data integrity:
a. Use Verify Command - to check data integrity,
b. Check ACL [GAS] totals against control totals,
c. check the timing of the data to ensure proper file has been sent,
d. compare ACL [GAS] view with Print Out of first 100 records
7. Understand the Data - use ACL commands COUNT, STATISTICS, STRATIFY, CLASSIFY, etc to develop an overview of the data [or data profile statistics in other GAS]
8. For each objective
a. formulate hypotheses about field and record relationships

b. Use ACL [GAS] to perform analytical tests for each hypothesis
c. Run tests - the output is your “hit list” - possible problem records
d. Evaluate initial results and refine the tests
e. Re-run and refine test to produce shorter, more meaningful results (repeat steps 5-7 as needed)
f. Evaluate the results - using record analysis, interview, or other techniques - to examine every item on the refined results.
g. Form an audit opinion on every item in your results. For each you should be able to say that the record is OK - there is a valid explanation, or that it is a probable improper transaction and more review is needed
9. Quality Assurance and Documentation - exceptions to source, confirm analysis and nature of exceptions, and identify reasons for the exceptions.

This is a comprehensive guide offered by Coderre (2007), which has synergies with Silltow’s (2002) six step suggestion. Silltow (2002) provides more of an overview where Coderre (2007) elaborates on some of the steps. Both indicate the need to:

• define audit objectives,
• determine data required
• request the data
• verify data reliability

Successful application requires a well-designed and disciplined approach (Paukowits & Paukowits, 2000) so that maximum benefits are received when using GAS. These guidelines provide that approach.
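The data verification and testing steps described in this section (reconciling to control totals, then duplicate, gap and cut-off tests), as an added Python example that is not part of the dissertation and is not ACL or IDEA code. The invoice extract, control totals, period end and all function names are constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import date
from decimal import Decimal

# Constructed sample extract (not real data): an invoice register as a client
# might supply it in response to the formal data request.
EXTRACT = """invoice_no,supplier,amount,invoice_date
1001,Acme Ltd,250.00,2008-03-28
1002,Bolt plc,1200.50,2008-03-29
1003,Acme Ltd,250.00,2008-03-28
1005,Crane & Co,75.25,2008-03-31
1006,Bolt plc,310.00,2008-04-02
"""

# Control totals agreed with the client (constructed values).
CONTROL = {"records": 5, "amount_total": Decimal("2085.75")}
PERIOD_END = date(2008, 3, 31)  # assumed end of the audited period


def load(text):
    """Parse the extract; a malformed amount or date raises ValueError."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "invoice_no": int(r["invoice_no"]),
            "supplier": r["supplier"].strip(),
            "amount": Decimal(r["amount"]),          # Decimal avoids float rounding
            "invoice_date": date.fromisoformat(r["invoice_date"]),
        })
    return rows


def verify_control_totals(rows, control):
    """Return {name: (found, expected)} for every control total that differs."""
    found = {
        "records": len(rows),
        "amount_total": sum((r["amount"] for r in rows), Decimal("0")),
    }
    return {k: (found[k], control[k]) for k in control if found[k] != control[k]}


def find_duplicates(rows, keys=("supplier", "amount", "invoice_date")):
    """Validity: invoices sharing the same key fields (possible double entry)."""
    counts = Counter(tuple(r[k] for k in keys) for r in rows)
    return [r["invoice_no"] for r in rows
            if counts[tuple(r[k] for k in keys)] > 1]


def find_gaps(rows, field="invoice_no"):
    """Completeness: numbers missing from a sequential numeric reference."""
    seen = {r[field] for r in rows}
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def cut_off_exceptions(rows, period_end):
    """Cut-off: items dated after the period end but present in the extract."""
    return [r["invoice_no"] for r in rows if r["invoice_date"] > period_end]


def run_tests(text=EXTRACT, control=CONTROL, period_end=PERIOD_END):
    """Reconcile first; only run the audit tests on data that reconciles."""
    rows = load(text)
    mismatches = verify_control_totals(rows, control)
    if mismatches:
        return {"reconciled": False, "mismatches": mismatches}
    return {
        "reconciled": True,
        "duplicates": find_duplicates(rows),
        "gaps": find_gaps(rows),
        "cut_off": cut_off_exceptions(rows, period_end),
    }


if __name__ == "__main__":
    print(run_tests())
```

Each list returned is a “hit list” of invoice numbers to follow up against source documents, not a conclusion in itself.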

3.4.5 Summary

GAS is known with many different names but the common constituents of GAS are data extraction and data analysis. IDEA and ACL prove to be the most modern products. These have been designed with auditing in mind and although other tools allow data and analysis they are not designed purely for auditing purposes. The user friendly interfaces and the advanced functionality make it a popular tool for auditors to consider, particularly for substantive testing.

During the planning, testing and reporting of an audit engagement GAS is able to add value in many ways. For planning it helps to define scope and understand the level of risks, during testing it is able to provide assurance on 100 percent of data and for reporting it helps to illustrate observations and the level of risk.

Using GAS should not be taken lightly and an assessment should be made whether it is the right tool. If it is the right tool careful planning needs to be undertaken so time is used productively, data is well protected and most importantly the use of GAS supports the objectives of the audit.

3.5 Conclusion

The literature review has provided secondary data to support my research objectives and research questions. The research has shown that GAS is used throughout the world as highlighted by the IIA’s Software survey in 2006, which also identified the GAS internal audit providers use. By understanding the IIA standards for performing an engagement and understanding GAS functionality the research has provided an outline framework, which can be used to ascertain what part of assurance activities GAS could potentially be used:

IIA Standard | Description | Potential GAS use
Engagement Planning
2201 | Internal audit should consider whilst planning “The significant risks to the activity” | Part of planning – able to analyse data to assess levels of risk for certain audits
2210.A1 & A2 – practice advisories | 2210.A1 Conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives should reflect the results of this assessment. 2210.A2 Consider the probability of significant errors, irregularities, noncompliance, and other exposures when developing the engagement objectives. | GAS is able to help develop objectives by using GAS to support preliminary assessment of risks.
2230 | “Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources” | Do we have the right resource to operate GAS
Performing the audit (2300)
2310 Identifying information | Sufficient, reliable, relevant and useful information to achieve the objectives. Information identified and used should contribute to the achievement of the engagement objectives | Auditor needs to identify opportunity if they can use GAS to perform audit. Relate to IRAT checklist. Data requested should be tested to ensure reliable!
2320 Analysis and evaluation | | Used for substantive testing and any other analysis
2330 Recording information | | GAS able to record and secure evidence meaning it is sufficient, reliable, relevant and practical
Communicating the results (2400)
2410 | for communications to include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans | Conclusions can be supported by analysis done in GAS, which may have been converted to graphics or data tables

The review has also ascertained guidelines on when auditors should consider to draw on GAS. In addition the research has uncovered two sets of guidance for auditors to follow when GAS is to be used. A survey has been designed to collect primary research data that will reflect the research identified during the literature review.

4 Empirical Research

4.1 Introduction

This chapter seeks to analyse empirical research collected to help achieve the research objectives:

• To investigate how generalised audit software is applied by internal audit providers.
• To evaluate the application of generalised audit software by internal audit providers.
• To develop a framework for the effective application of generalised audit software.

In order to achieve the objectives the research set out a number of questions to help achieve the objectives:

• To what extent is GAS used by internal audit providers?
• What GAS do internal audit providers use?
• When do internal auditors use GAS within the internal audit process (assurance activities)?
• How do internal auditors know when to use GAS?
• How do internal audit providers ensure they get optimal value from GAS?

The empirical research uses information collected from both the completed questionnaires and literature review to answer these questions.

4.2 The Research Process

Web-based questionnaires were used as the research method to collect primary research data from two cohorts of internal audit providers, the Institute of Internal Auditors (UK & Ireland) Heads of Internal Audit (HIA) and Council of Higher Education Internal Auditors (CHEIA). The time and resource constraints meant that the questionnaire was the optimal research method and the scope of the research sample was limited to two cohorts of internal audit providers. HIA and CHEIA were chosen to get a fair representation across public and private sector internal audit providers within the UK and also because these were easily accessible for the author.

All HIA on the IIA’s email distribution list were invited to complete the web-based questionnaire (as seen in Appendix B). 400 email invitations were sent and 109 emails were returned within 24 hours as undeliverable or out of office. In real terms the invitation reached 291 HIA. Similarly, an email was sent to the CHEIA email distribution list holding 95 members. All invitations were successfully delivered. In total this gave a total sample size of 386.

All the email invitations contained a narrative as an introduction to the research and to outline the research ethics. As an incentive, it was promised that those that completed the questionnaire would be sent the research analysis.

The questionnaire was started online by 36 people, however 7 failed to complete the whole questionnaire leaving 29 responses out of a sample size of 386, a response rate of 7.5%. Questionnaires risk a low response rate, on average 10% (Swetnam, 2004). Therefore the number of responses received for this study was encouraging.

4.3 Research Findings

The empirical research results are below analysed and interpreted in relation to the research objectives and research questions as outlined in Chapter 1. The findings also draw on relevant findings identified in the literature review.

4.3.1 To what extent is GAS used?

Internal audit providers have a choice to what tools they wish to use when performing audit engagements. GAS, as a data extraction and analysis tool, is one of these and to investigate how this is applied by internal audit providers it was ascertained who actually uses them (see figure 1).

Figure 1: Percentage of respondents that use GAS

Figure 1 shows that the introduction of GAS has not convinced every internal audit provider with 45% of respondents not using it at all. When asked the reasons for not using GAS the respondents provided varying reasons as seen in Appendix ?. Some respondents admitted to not being familiar with this type of software and the benefits it can bring. Others said their internal department was too small and three people said it would not offer value for money because of the time to re-familiarise with the software and GAS would not cover every auditable area. In summary, some of the responses can be interpreted as a lack of understanding about GAS and how it can be used.

4.3.2 What GAS do internal audit providers use?

As described in the literature review GAS is defined and known by people in different ways but data extraction and analysis was the common factor. There are many tools that can do this and the research wanted to understand the type of software used to perform data extraction and analysis. The respondent was asked to choose which GAS they operate using products highlighted by Gray (2006). Figure 2 shows the most common GAS operated. Respondents could choose more than one tool hence more than 21 responses.

Figure 2: Type of GAS operated by respondents

The most popular GAS used were Excel and IDEA with 69% respondents using both of them. It is no surprise Excel is used by many auditors because it tends to be readily available as a general software package (see p41) and it is a package that is easy to perform quick analyses and

charts. IDEA and ACL have been designed specifically for audit purposes and the research shows that 75% of the respondents have invested in this specific type of software. The research shows that internal auditors do not rely on one particular GAS during audit engagements and they may draw on one or more. Future research may want to understand if there is a link between audit tasks and GAS product used.

4.3.3 When do internal auditors use GAS within the internal audit process for assurance activities?

One of the key research objectives was to investigate how GAS is used by internal audit providers by understanding how and when GAS is used within an audit engagement. The questionnaire asked respondents to indicate when GAS is used based on the three areas underpinned by the IIA’s International Standards for the Professional Practice of Internal Auditing, planning, testing and reporting (see p25-35). Respondents were also invited to provide other areas of an audit engagement where GAS is used, but this was left blank for all respondents indicating that the areas of planning, testing and reporting were the only activities GAS was used.

Figure 3: Chart indicating assurance activities GAS is used and the frequency

sometimes used or never used.

Figure 3 shows a large proportion of respondents sometimes use GAS for planning and testing. Only one respondent uses GAS for every audit, specifically for planning only. The research also suggests that using GAS for reporting is far less popular with 63% of respondents indicating they would never use GAS for this.

• X
• X
• X

Further analysis for each assurance activity is provided below to explore specific reasons why GAS is used.

5 Conclusion

5.1 Introduction
5.2 Conclusion from Literature Review
5.3 Conclusions from Empirical Research Conducted
5.4 Achievement of Research Objectives

6 Recommendations

6.1 Introduction

6.2 Based on conclusion findings
Will need several sub-headings

6.3 Naming
The literature review identified many different names and misnomers for generalised audit software. There were x, y & z. I would recommend that the Institute of Internal Auditors consolidate and develop a common name for use.

6.4 Further Research

Appendix A

Warner (1998, P42) identifies examples of what ACL can do:

Appendix ?

Reasons GAS not used:

Familiarisation time required for use of GAS not considered cost effective in view of only occasional use.
In the process of appraising software
unsure of benefits of investing in software
There is nothing which covers all the various areas which need to be audited in the University.
Budget constraints
New IA function, with one goal being the introduction and use of GAS within the first 3 years.
We are a small IA department and I am the only employee. I manage the department, perform some audits and outsource other audits to a range of contract auditors. One of those is a firm specialising in IA and they use IDEA when appropriate or prompted by me.
GAS skills need to be learned and used frequently in order to be applied usefully and easily and I do not consider that I would be able to achieve that.
Have looked at software and concluded it would not be efficient or good value for money to use.
If by GAS you are referring exclusively to internal audit data extraction and analysis software then the answer is no. This is because a) as an organisation we do not process high volumes of transactional data and b) as an organisation we use a product called Business Objects that enables the extraction of all required data for audit purposes.
We do use software called Enterprise Risk Assessor for audit purposes but this is not data extraction software.
Happy to discuss this if you wish.
Never felt the need.
lack of knowledge of such systems
We have internal frameworks and documentation templates which are more flexible and suited to meet the services need
we use As400 Query and Excel but not as GAS
the Audit is too small to benefit from its use
GAS is not considered relevant to a modern risk-based internal audit approach as described by the IIA-UK & Ireland.

References

(ACFE) "Report to the Nation"

Arens, Alvin A., and Loebbecke, James K. (2000). Auditing an Integrated Approach. 8th ed. Prentice-Hall, Inc. New Jersey, USA

Braun, R.L. and Davis, H.E. (2003). Computer-assisted audit tools and techniques: analysis and perspectives. Managerial Auditing Journal, 18(9), 725-731. Retrieved February 18, 2008, from ABI/INFORM Global database. (Document ID: 521149271).

Coderre, D. (2005). CAATTS & Other BEASTS for Auditors. Canada: Ekaros Analytical Inc.

IIA ACL Survey

IIA Research Paper

Remenyi, D., Williams, B., Money, A. and Swartz, E. (1998). Doing Research in Business and Management: An Introduction to Process and Method. London: Sage.

Saunders, M., Lewis, P. and Thornhill, A. (2007). Research Methods for Business Students: Fourth Edition. Harlow: Pearson Education Limited.

Spencer Pickett, K.H. (2005). The essential handbook of internal auditing. John Wiley & Sons Ltd.

The Institute of Internal Auditors, Standards for the Professional Practice of Internal Auditing (Altamonte Springs, FL: The Institute of Internal Auditors, 2007). Available at http://www.theiia.org/guidance/standardsand-practices/professional-practices-framework/standards/standards-forthe-professional-practice-of-internal-auditing/


Nelson. (2003). A. Coderre. J. 18 (9). (n.). 63 (4). Hall.reference. 56-62. H. R. & Seamour. (2005). Coderre.com Unabridged (v 1. 1st Ed. D. Moore.. (2003).. 25-27. 725-731. Information Systems Auditing and Assurance.d. Internal Auditor . South-Western College Publishing. & Davis. 55 (5). P. L. G. OH Page 80 .UK and Ireland. 57 (4). Moulton. (2004). Data extraction and analysis software: An audit examination tool for a new millennium.. CAATTS & Other BEASTS for Auditors. from Dictionary. S. & Singleton. 39-45. New Jersey: John Wiley & Sons. The Internal Auditor . (2000). L.1). Dictionary. T. M. 46-50. J. An array of technology tools. Braun. S. Study Text: Internal Auditing (Second Edition ed. S. Cangemi. R. Managerial Auditing Journal .. L. & Rieman. Managing the Audit Function: a corporate audit department procedures guide (3rd Edition ed. 2008. P.com website: http://dictionary. G. London: The Institute of Internal Auditors . Computer-assisted audit tools and techniques: analysis and perspectives. (1999). (2000).). Burnaby...com/browse/assurance Bierstaker. Inc. Drummond-Hill.. E. 18 (4). M. J. Boeheim. Gray. The Secured Lender . (2006). A. Retrieved June 11. D.MSc Audit Management & Consultancy Developing a Framework for the Effective Application of Generalised Auditing Software in Assurance Activities Bibliography assurance. Canada: Ekaros Analytical Inc. M..). Mason.. G. Recent changes in internal auditors' use of technology.. The Internal Auditor . & Hass. A. Computer-assisted fraud detection. (July 2003).

19-21. Eliminate the Auditors? The Internal Auditor . 38. 64 (4). Enhanced audit testing. 25-27. (1992). J.. The Internal Auditor .. Kirk. (1998). (1994). 64. & Paukowits. A. Educating internal auditors. & Salierno. R. Keys Jr. Hudson. (1995). (2004). 60 (4). 27-29. 54 (2). M. K. 32-35. 185 (6). (2007). 52 (3). Jackson. 51 (6). E. Journal of Accountancy . The Internal Auditor . Paukowits. A. A. M. (1997). Finding Profits in CAATs. The Internal Auditor . The Internal Auditor .. (2000). 57 (1). F. CAATS and compliance. B. McCollum. E. Paukowits. Mainstreaming CAATs. 25-27. 33-36. 55 (1). 61 (4). (1998). Building a better toolbox. compliance. R. Novin. (2003). 6568. 49 (2). M. 57 (2). Hyde. Smart auditing.. Delivering speed. The Internal Auditor .MSc Audit Management & Consultancy Developing a Framework for the Effective Application of Generalised Auditing Software in Assurance Activities Hirte. 26. Page 81 . P. (1998). The Internal Auditor . J. accuracy. The Internal Auditor . D. (1995). 55 (2). Lynch. Choosing the right tools. F. (2000). Take my manual audit. Lanza. The Internal Auditor . Get the most out of AUDIT TOOLS. Bridging CAATs and risk. & Pearson. T. B. B. T. & Morgan. 32-43. 54. G. 36-47. Pyzik. please. The Internal Auditor . The Internal Auditor . J. 52 (2). The Internal Auditor . K.

Chichester: John Wiley & Sons Ltd. Singleton.theiia.. 2003. L. Dittenhofer. Journal of Information Systems . eds. CAAT can do. Selecting an Audit Software Package for Classroom Use.org/research/researchreports/research-opportunities-in-internal-audit/. Gramling and Sridhar Ramamoorti. Money. (2003). 18 (1). Sridhar and Marcia Weidenmier. M.. 73-75. Bailey Jr. ? (?). J. Home page on-line. Information Systems Control Journal . (2003). E. Study Text: Business Information Systems Auditing. Harlow: Pearson Education Limited. Internet. (2007).” In Research Opportunities in Internal Auditing. Available from http://www. K. & Herron. London: The Institute of Internal Auditors . Page 82 . S. Thompson. A. (2006). A. Sayana. Lewis. London: Sage. (2004). D. (2005). 301-377. The Internal Auditor . Florida: The Institute of Internal Auditors. T.. Research Methods for Business Students (Fourth Edition ed. & Thornhill. ? (?). ? Spencer Pickett. Using CAATs to Support IS Audit. Remenyi.. Audrey A. 95110. Weidenmier. Altamonte. Information Systems Control Journal . “The Pervasive Impact of Information Technology on Internal Auditing. T. J. Andrew D. Altamonte Springs. L. Generalized Audit Software: Effective and Efficient Tool for Todays IT Audits. M. & Swartz. The IIA Online.. A. M.).UK and Ireland. B.. C. & Scheiner. A. (2002). B. Sawyer's Internal Auditing. (2001). The essential handbook of internal auditing. 58 (3). Williams. H.. Doing Research in Business and Management: An Introduction to Process and Method. Saunders. P. H. (1998). L. ?? Silltow... Florida. Institute of Internal Auditors Research Foundation.MSc Audit Management & Consultancy Developing a Framework for the Effective Application of Generalised Auditing Software in Assurance Activities Ramamoorti. Sawyer.

Timeline: Child benefits records loss. BBC News Website. (http://news.bbc.co.uk/1/hi/uk_politics/7104368.stm) Accessed 16/07/2008
