
Developing a Framework for the Effective Application of Generalised Auditing Software in Assurance Activities

MSc Audit Management & Consultancy Dissertation September 2008

David Tomlinson


Table of Contents

1 Introduction
  1.1 Background of Researcher
  1.2 Overview
  1.3 Rationale
  1.4 Aim
  1.5 Supporting Research Objectives
  1.6 Research Questions
  1.7 Synopsis of Prior Research
  1.8 Conclusion
2 Research Methodology
  2.1 Introduction
  2.2 Research Philosophy
    2.2.1 Positivism
    2.2.2 Interpretivism
    2.2.3 Pragmatism
    2.2.4 Summary
  2.3 Research Approach
    2.3.1 Deductive
    2.3.2 Inductive
    2.3.3 Summary
  2.4 Research Strategies
    2.4.1 Experiment
    2.4.2 Survey
    2.4.3 Case Study
    2.4.4 Grounded Theory
    2.4.5 Ethnography
    2.4.6 Summary
  2.5 Research Methods
    2.5.1 Population
    2.5.2 Sample
  2.6 Data Collection and Analysis Methods
    2.6.1 Questionnaire
    2.6.2 Interviews
    2.6.3 Summary
  2.7 Ethics of research
  2.8 Conclusion
3 Literature Review
  3.1 Introduction
  3.2 Assurance
    3.2.1 Definition
    3.2.2 Internal Audit
    3.2.3 Audit Process
    3.2.4 Engagement Planning (2200)
    3.2.5 Performing the Engagement (2300)
    3.2.6 Communicating the Results (2400)
    3.2.7 Summary
  3.3 Computer Assisted Audit Techniques (CAAT)
    3.3.1 Definition
    3.3.2 CAAT Type 1: Computer System Audit Tools and Techniques
    3.3.3 CAAT Type 2: Computer-based Audit Support Tools and Audit Automation
    3.3.4 Summary
  3.4 Generalised Audit Software
    3.4.1 Definition
    3.4.2 GAS Products
    3.4.3 GAS Constituents and their Use
    3.4.4 Determining factors of when to use GAS
    3.4.5 Summary
  3.5 Conclusion
4 Empirical Research
  4.1 Introduction
  4.2 The Research Process
  4.3 Research Findings
    4.3.1 To what extent is GAS used?
    4.3.2 What GAS do internal audit providers use?
    4.3.3 When do internal auditors use GAS within the internal audit process for assurance activities?
5 Conclusion
  5.1 Introduction
  5.2 Conclusion from Literature Review
  5.3 Conclusions from Empirical Research Conducted
  5.4 Achievement of Research Objectives
6 Recommendations
  6.1 Introduction
  6.2 Based on conclusion findings
  6.3 Naming
  6.4 Further Research
Appendix A
Appendix ?
Reasons GAS not used:
References
Bibliography


1 Introduction

1.1 Background of Researcher


The researcher completed an undergraduate degree in Business Information Technology in July 2004. His first job was as a Trainee IT Auditor with a top 20 UK accountancy firm, undertaking IT audits across the public sector as an outsourced provider. After eight months undertaking IT assurance work it became apparent that IT is only one element where assurance is required. The desire to appreciate wider business risks led to a move from the accountancy firm in summer 2005 to a consortium providing internal audit services for Universities in the North of England. Since then the researcher has broadened his knowledge and experience by undertaking all types of audit and consulting work, giving him an appreciation of both IT and business risk. During his time he has helped strengthen the audit methodology by promoting and encouraging the use of computer assisted audit techniques (CAATs). This has led to a real interest in how IT can support the audit process, particularly as IT is so pervasive within internal control. With 3 years' experience within internal audit and an academic and professional background in IT, the researcher wants to contribute to the internal audit body of knowledge, drawing on his knowledge and experience.


1.2 Overview
Computers have been an integral part of the workplace for the past 20 years. Technology has not stopped moving and the advent of the internet in the 1990s has had a profound effect on organisations. Organisations are keen to use technology to streamline processes, to provide additional value to operations and to enable advantage over competitors. Internal Audit has had to, and continues to, adapt to the changing control environment where more controls become electronic and managed by IT systems.

Within organisations more pressure is on departments to be more profitable and in some cases justify their existence. Internal Audit faces this challenge and Chief Audit Executives (CAE) need to find ways of providing a value added assurance and consultancy service in more cost effective ways. The use of technology can help the CAE in many aspects of the internal audit function by using Computer Assisted Audit Techniques and Tools (CAATTs). Coderre (2005) describes CAATTs as computer-based tools and techniques which permit auditors to increase their personal productivity as well as that of the audit function. There are many varieties of CAATTs:

- Electronic Working Papers
- Text Search and Retrieval
- Software Licensing Checkers
- Electronic Questionnaires
- Expert Systems
- Data Mining
- Data Extraction and Analysis (also known as Generalised Auditing Software (GAS))


The list is by no means exhaustive and, as indicated by Coderre's definition, a CAATT is anything an auditor uses that is computer-based. Data extraction and analysis tools (a type of CAATT) are an essential tool for internal auditors if they are to become more efficient and add further value to the organisation. These are also known as generalised audit software (GAS). Off-the-shelf GAS is available and is now a feature in most internal audit departments.

The Institute of Internal Auditors (IIA) conducts an annual Software Survey to understand the types of GAS auditors use. The Software Survey 2006 indicated that a wide range of GAS are used, with the most popular being Microsoft Excel, Microsoft Access and ACL. The Microsoft products (Excel and Access) can be seen as wider than just GAS because they can be used for non-audit work. ACL (ACL Services Ltd.), however, has been specifically designed for auditors and its functionality has been designed to support audit activities.

The two distinctive features of any GAS are data extraction and data analysis. In order to carry out analysis, data first has to be extracted from corporate information systems. A good GAS is able to import data from any system, particularly popular formats such as Excel files, Access files, comma separated files and other delimited files. Once data has been imported into the GAS the auditor has a wealth of data analysis tools and techniques at their disposal to apply to the data to support the audit process. A typical GAS is able to perform trend analysis, pivot tables, data summarisations, statistical analysis (mean, standard deviation, minimum values, maximum values etc.) and many other analyses that can help detect fraud, identify key risk areas, test controls and support any other activity that will help to deliver an audit engagement. As well as these analysis tools, a good GAS will also have functionality to detect duplicate values, detect gaps in sequences and provide sampling techniques. The plethora of analysis techniques available within a GAS means that these tools are not restricted to financial audits.


Armed with this functionality, internal audit have a powerful tool to provide many benefits. Coderre (2005) suggests GAS can be used during all audit phases, particularly planning and fieldwork. GAS could be used for planning to define the audit population; review previous and current years' expenditure and budgets; identify resource consumption and outputs; or perform trend analysis. This provides the auditor with a greater understanding of the area being audited and helps quantify and convey the degree of risk, meaning the audit can be much more focused.

Planning

Having data at the planning stage of the audit gives the auditor the ability to get an overview of the audit area using the analysis tools. In doing so, the analysis may identify areas that have higher inherent risks than other areas and therefore allows the auditor to focus the audit appropriately. For example, on a Creditors Payment audit an aged creditors analysis could be undertaken detailing the performance of departments for paying invoices. Instantly, the auditor would be able to view which department processes the most invoices, which department spends the most and which departments are the slowest in getting invoices paid. The auditor can use this information to make an informed decision on which departments to cover as part of the audit based on the differing levels of risk.

Testing

What testing occurs depends on the internal audit department's audit methodology. Testing tends to take place to confirm the effectiveness of a control and/or to understand the extent of a failing control. Either way, one of the greatest benefits of using a GAS is that tests can be undertaken on whole populations of data rather than samples. As a result internal audit can provide greater levels of assurance and therefore add more value to the organisation. The time it takes to undertake testing using GAS can also improve the internal auditor's productivity. As a result the auditor can cover audits in greater depth and scope, or the internal audit department can reduce resource or increase the number of audits.

With more controls becoming computer-based it is difficult to test these controls manually. With GAS internal auditors are able to test data quality, completeness, consistency and correctness. They can also test for duplicate payments in an instant and test system calculations such as VAT, national insurance and PAYE tax. GAS can also easily compare datasets. For example, payroll details can be compared with accounts payable details to ensure that no employees have been paid on an invoice. Another example would be comparing a current inventory with a previous inventory to identify obsolete or slow-moving stock.

Reporting

GAS is able to produce meaningful reports out of the data. When writing a report more weight can be given to an observation if it is supported by the facts and figures. The more recent GAS can also generate graphs from data analysis. Auditors can bring reports to life by introducing graphs, tables and other analysis into reporting to provide hard evidence of the risk exposure.
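The whole-population tests described under Testing (duplicate payments, gaps in sequences, payroll compared with accounts payable), as an added Python example that is not part of the dissertation and not taken from any GAS product. The data is constructed, and the field names and the use of the bank account number as the payroll/payables match key are assumptions.

```python
"""Whole-population audit tests on constructed accounts payable and payroll data."""
import re
from collections import defaultdict
from decimal import Decimal

# Constructed sample data for illustration only (hypothetical field names).
PAYMENTS = [
    {"payment_no": 1001, "supplier": "S001", "invoice_ref": "INV-774",
     "amount": "1200.00", "bank_account": "20-00-01 11112222"},
    {"payment_no": 1002, "supplier": "S002", "invoice_ref": "A/5531",
     "amount": "310.50", "bank_account": "30-11-02 33334444"},
    {"payment_no": 1003, "supplier": "S001", "invoice_ref": "inv 774",
     "amount": "1200.0", "bank_account": "20-00-01 11112222"},
    {"payment_no": 1006, "supplier": "S003", "invoice_ref": "9001",
     "amount": "75.00", "bank_account": "40-22-03 55556666"},
    {"payment_no": 1007, "supplier": "S002", "invoice_ref": "A/5532",
     "amount": "310.50", "bank_account": "30-11-02 33334444"},
]
PAYROLL = [
    {"employee_id": "E10", "bank_account": "40220355556666"},
    {"employee_id": "E11", "bank_account": "50-33-04 77778888"},
]


def normalise_ref(ref):
    """Upper-case and drop punctuation so 'INV-774' and 'inv 774' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", ref.upper())


def normalise_account(account):
    """Keep digits only so formatting differences do not hide a match."""
    return re.sub(r"\D", "", account)


def find_duplicate_payments(payments):
    """Group every payment by supplier, normalised invoice ref and amount."""
    groups = defaultdict(list)
    for p in payments:
        key = (p["supplier"], normalise_ref(p["invoice_ref"]), Decimal(p["amount"]))
        groups[key].append(p["payment_no"])
    return sorted(nos for nos in groups.values() if len(nos) > 1)


def find_sequence_gaps(numbers):
    """Return (first_missing, last_missing) for each break in a number sequence."""
    ordered = sorted(set(numbers))
    return [(prev + 1, cur - 1)
            for prev, cur in zip(ordered, ordered[1:]) if cur - prev > 1]


def employees_paid_as_suppliers(payroll, payments):
    """Compare the two datasets on bank account (assumed match key)."""
    by_account = defaultdict(list)
    for e in payroll:
        by_account[normalise_account(e["bank_account"])].append(e["employee_id"])
    hits = []
    for p in payments:
        for emp in by_account.get(normalise_account(p["bank_account"]), []):
            hits.append((emp, p["payment_no"], p["supplier"]))
    return hits


if __name__ == "__main__":
    print("Possible duplicate payments:", find_duplicate_payments(PAYMENTS))
    print("Missing payment numbers:",
          find_sequence_gaps(p["payment_no"] for p in PAYMENTS))
    print("Employees paid on an invoice:",
          employees_paid_as_suppliers(PAYROLL, PAYMENTS))
```

Each hit is a lead for follow-up rather than a finding: a matching bank account or a repeated invoice reference can have a legitimate explanation that only the supporting documents will show.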

1.3 Rationale
Off-the-shelf GAS is generally expensive and therefore internal audit departments are keen to use it frequently to ensure they get best value from it. However, GAS is only one of many tools auditors should call upon to deliver an effective and efficient audit. Using GAS may be to the detriment of the audit if it is not used in the right way. There are several implications internal auditors need to be aware of in order to be sure that using GAS will add value to the audit engagement.


Firstly, is the use of GAS appropriate for the audit area? Audit Managers are keen for GAS to be used as much as possible to demonstrate to the audit committee that internal audit provide a modern service using the latest tools and techniques to add value. Audit Managers also want to justify the costs of using GAS and so more pressure may be applied to use it when it may not be necessary.

Secondly, what is the cost of obtaining the data? This is where value can be easily lost if the auditor gets the data request wrong. The auditor needs to know exactly what they want and they need to be able to communicate this to system owners that can provide the data. Any misinterpretation in this communication means either that data has to be re-requested, costing time, or that the auditor uses the data and only later realises it is not what they wanted, wasting time undertaking incorrect analyses and/or testing.

Thirdly, has the data been imported into the GAS correctly? It is essential that when importing data the GAS stores each data field with the appropriate data type. For example, if a date field is imported then the GAS needs to know it is a date field and not a character field. As a consequence of getting this wrong certain calculations and analyses will not work and in most cases data would need to be re-imported with the correct data types. The most essential aspect of importing data is to reconcile totals back to the source system to guarantee the data is accurate so that any analyses and/or tests cannot be contested due to data quality issues.

Fourthly, do we have the skills to operate GAS? Internal Auditors require knowledge of operating GAS, from requesting data and importing data through to undertaking analyses and testing. From experience the researcher has found that the knowledge tends to be with IT Auditors when it should be a tool that all auditors use.
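The import checks raised in the third point above (typed fields, then reconciliation back to the source system), as an added Python example that is not part of the dissertation and not the behaviour of any particular GAS product. The extract, the column names, the date format and the control totals are all constructed assumptions.

```python
"""Typed import of a CSV extract followed by reconciliation to control totals."""
import csv
import io
from datetime import datetime
from decimal import Decimal, InvalidOperation

DATE_FORMAT = "%d/%m/%Y"  # assumed format agreed in the data request

# Constructed extract: one impossible date, one non-numeric amount,
# and one amount written with a thousands separator.
EXTRACT = '''invoice_no,invoice_date,dept,amount
INV001,03/04/2008,Finance,1250.00
INV002,31/04/2008,Estates,99.10
INV003,15/04/2008,Estates,"1,040.75"
INV004,22/04/2008,Library,n/a
INV005,28/04/2008,Library,12.00
'''
# Constructed control totals, as they would be quoted on the source system's report.
CONTROL_RECORDS = 5
CONTROL_TOTAL = Decimal("2451.85")


def parse_row(row):
    """Return the row with a real date and a Decimal amount, or raise ValueError."""
    raw_date, raw_amount = row["invoice_date"].strip(), row["amount"].strip()
    try:
        invoice_date = datetime.strptime(raw_date, DATE_FORMAT).date()
    except ValueError:
        raise ValueError(f"invoice_date {raw_date!r} is not a valid date") from None
    try:
        amount = Decimal(raw_amount.replace(",", ""))
    except InvalidOperation:
        raise ValueError(f"amount {raw_amount!r} is not numeric") from None
    if not amount.is_finite():  # Decimal accepts "NaN" and "Infinity" as input
        raise ValueError(f"amount {raw_amount!r} is not numeric")
    return {"invoice_no": row["invoice_no"], "invoice_date": invoice_date,
            "dept": row["dept"], "amount": amount}


def import_extract(text):
    """Load every row; keep rejects with their line number instead of dropping them."""
    loaded, rejected = [], []
    reader = csv.DictReader(io.StringIO(text))
    for row in reader:
        try:
            loaded.append(parse_row(row))
        except ValueError as exc:
            rejected.append((reader.line_num, str(exc)))
    return loaded, rejected


def reconcile(loaded, control_records, control_total):
    """Compare what was loaded with the source system's record count and value."""
    total = sum((r["amount"] for r in loaded), Decimal("0"))
    record_diff = control_records - len(loaded)
    value_diff = control_total - total
    return {"record_diff": record_diff, "value_diff": value_diff,
            "reconciled": record_diff == 0 and value_diff == 0}


if __name__ == "__main__":
    rows, rejects = import_extract(EXTRACT)
    for line_no, reason in rejects:
        print(f"line {line_no}: {reason}")
    print(reconcile(rows, CONTROL_RECORDS, CONTROL_TOTAL))
```

Analysis should not start until the reconciliation reports no difference; here the two rejected rows account for the whole shortfall, which tells the auditor exactly which records to query with the system owner.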


There is no framework published that gives internal auditors guidance on the application of generalised audit software (GAS). From experience the researcher has found that there has been inconsistent application of GAS and there may be an opportunity to understand the rationale behind the inconsistent approaches. Using the research methodology, outlined in Chapter 2, research will be undertaken to identify the extent to which GAS is used; how it is used and the skills required to operate GAS. It is hoped that the research data will provide enough information to develop a framework for internal audit providers to follow to ensure they get optimum value from this type of CAATT.

1.4 Aim
The research aim is to undertake a research study to establish a framework for the effective application of generalised audit software.

1.5 Supporting Research Objectives


- To investigate how generalised audit software is applied by internal audit providers within the UK.
- To evaluate the application of generalised audit software by internal audit providers.
- To develop a framework for the effective application of generalised audit software.


1.6 Research Questions


- To what extent is GAS used by internal audit providers?
- What GAS do internal audit providers use?
- When do internal auditors use GAS within the internal audit process (assurance activities)?
- How do internal auditors know when to use GAS?
- How do internal audit providers ensure they get optimal value from GAS?

1.7 Synopsis of Prior Research


There are limited articles in professional and academic journals written on generalised audit software, and where there are they tend to have a bias towards certain proprietary GAS (e.g. ACL or IDEA). Similarly there have not been many books published in this area. A study on the use of GAS in the financial sector by Debreceny et al. (2005, p605) also noted the limited research on GAS, and Boritz (2002, p239) notes there is virtually no research interest in data analysis, a key constituent of GAS.

The name generalised audit software or GAS is seldom used; differing terminology is sometimes used and GAS is often referred to as CAATTs. Although GAS is a CAATT, it is just one aspect of these, so it is likely that the research will have to consider CAATTs research and filter out the literature that is actually referring to GAS.

From preliminary research, there is no evidence of a framework in place for the effective application of GAS. Therefore it is considered that there is an opportunity to establish such a framework.


1.8 Conclusion
The pervasive nature of technology across organisations has had an impact on the control environment and the way in which internal audit provide assurance that risks are being adequately managed. In order to truly provide robust assurance internal audit need to utilise technology to facilitate their opinion on the management of risk. Generalised audit software can help in providing a more informed risk-based approach to audit engagements and it is also a powerful means to test the effectiveness of controls (particularly IT controls), which would be impractical or impossible to do manually. GAS must be applied effectively to ensure that it is being used to add value in terms of improving the efficiency of the audit and to improve the effectiveness of the audit opinion. The aim of this research is to provide a framework so that the idea of effective application is carried out in practice.


2 Research Methodology

2.1 Introduction
The research methodology chapter will look to design and develop a framework for how the research will be undertaken. The research philosophy sets the scene of the project by illustrating the researcher's values and assumptions in the context of the research area. Complementing the philosophy, appropriate research approaches and strategies are discussed and recommended. As is common with all research, the methods to collect data and the ethical issues relating to the research are also discussed. It is important that the research project has a framework to follow to help the researcher achieve the research objectives and answer the research questions.

2.2 Research Philosophy


Research philosophies relate to the development of knowledge and the nature of that knowledge (Saunders et al. 2007). A philosophy indicates how the researcher views the world and the type of assumptions that will be made. The philosophy is the platform the research approach and strategies are built upon. Below are some of the common research philosophies described.

2.2.1 Positivism

According to Remenyi et al. (1998), the researcher adopting a positivist approach prefers working with an observable social reality, and the end product of such research can be law-like generalisations. Gill and Johnson (2002 cited in Saunders et al. 2007) add that the positivist researcher is likely to use a highly structured methodology in order to facilitate replication.

2.2.2 Interpretivism

Saunders et al. (2007) suggest that there is an argument that the social world of business and management is far too complicated to have law-like generalisations akin to the positivist approach. Interpretivism places more emphasis on the role of people and their interpretations of the world. Saunders et al. (2007) state that the researcher has to adopt an empathetic stance. The researcher must enter the social world of the research subject and understand the world from their point of view.

2.2.3 Pragmatism

Saunders et al. (2007) state that researchers adopting the position of a pragmatist believe that choosing a single research philosophy position, such as positivism or interpretivism, is unrealistic in practice and that the most important determinant of the research philosophy is the question. Tashakkori and Teddlie (1998 cited in Saunders et al. 2007) advocate: "study what interests you and is of value to you, study in the different ways in which you deem appropriate, and use the results in ways that can bring about positive consequences within your value system".

2.2.4 Summary

The ultimate aim of the research is to develop a framework drawing on best practice and synergies of application based on the research data collected. The interpretivism philosophy is the most aligned to this research because the research will need to understand how internal auditors have interpreted how to apply generalised audit software to the activities they undertake during an audit. The pragmatism philosophy is also of interest in that the researcher is looking to bring out benefits and does not want to be restricted to a philosophy in order to deliver the research objectives.

2.3 Research Approach


There are two distinct types of research approach, deductive and inductive.

2.3.1 Deductive

Saunders et al. (2007) state the researcher undertaking a deductive approach will develop a theory and hypothesis and design a research strategy to test the hypothesis. This approach is seen to be more suited to a research area that has a wealth of literature upon which the researcher could base a theory. This approach also lends itself to research projects that have a challenging time frame because data collection and analysis can be done in one snapshot, making it easier to predict time schedules accurately (Saunders et al. 2007).

2.3.2 Inductive

Saunders et al. (2007) state the researcher undertaking an inductive approach will collect data and develop theory as a result of your data analysis. The inductive approach is driven by the research data collected so that a theory is developed based on these results. It may be more appropriate for the researcher to study a small sample of subjects and it is more likely the data collected will be of a qualitative nature (Saunders et al. 2007).


2.3.3 Summary

The inductive approach lends itself to a more qualitative data collection approach, which would benefit the research by getting close to the research topic and obtaining a thorough understanding of how internal audit providers use generalised audit software. This is important because preliminary research indicates there is not a wealth of literature in this area and a framework does not currently exist to test. The deductive approach may provide too rigid a framework to follow in a subject area where not much has been written. The flexibility of the inductive approach is another key reason why it will be adopted for this research.

2.4 Research Strategies


As part of designing research, a research strategy, or mix of strategies, needs to be adopted to provide a method by which the research objectives can be met and the research questions answered. Some strategies have clear links to a research approach (deductive or inductive). Below are some of the common research strategies.

2.4.1 Experiment

Saunders et al. (2007) summarise that experiment research typically involves:

- Definition of a theoretical hypothesis;
- Selection of samples of individuals from known populations;
- Random allocation of samples to different experimental conditions, the experimental group and the control group;
- Introduction of planned intervention or manipulation to one or more of the variables;
- Control of all other variables.

This type of strategy lends itself to the more traditional research involved in natural sciences and it would be difficult to apply such a strategy to this particular research title and to the business world in general.

2.4.2 Survey

Surveys allow the researcher to collect potentially large amounts of quantitative data in an economical way in terms of time and cost. Questionnaires tend to be the most popular form of survey, although they are not the only method. Questionnaires are relatively simple to complete and understand, and for the researcher they provide data in a standard form so that data can be easily compiled and compared.

2.4.3 Case Study

Robson (2002 cited in Saunders et al. 2007) defines a case study as a strategy for doing research which involves empirical investigation of a particular contemporary phenomenon within its real life context using multiple sources of evidence. Researchers adopting a case study strategy have to validate their findings through triangulation. Triangulation refers to the use of different data collection techniques within one study in order to ensure that the data are telling you what you think they are telling you (Saunders et al. 2007). These data collection techniques can include interviews, questionnaires, documented evidence and observation. Saunders et al. (2007) believe using case studies is a beneficial way of exploring and challenging existing theory.

2.4.4 Grounded Theory

Grounded theory is a research strategy that presents the researcher with an opportunity to develop a theoretical framework from research observations. Collis and Hussey (2003 cited by Saunders et al. 2007) call grounded theory an inductive/deductive approach, theory being grounded in such continual reference to the data.

2.4.5 Ethnography

The purpose of ethnography is to describe and explain the social world the research subjects inhabit in the way in which they would describe and explain it (Saunders et al. 2007). It is a time-consuming approach, which would take place over an extended period of time. This strategy is beneficial if the researcher wants to get close to a particular context by understanding the perceptions of the people involved. This would be a good strategy for this research; however, time constraints would not allow it, nor would the limited ability to gain access to potential research participants.

2.4.6 Summary

The research philosophy (interpretivism) and research approach (inductive) point the research to a research strategy that is able to get close to and understand the research context in depth, and to understand how people have interpreted the application of GAS. Therefore a research strategy is needed that provides the researcher with the ability to ask what? why? when? and how?, without being restricted by a rigid methodology. A multiple case study approach will be taken so that the findings of one case can be compared with others so that a generalisation can be made to develop a framework.

2.5 Research Methods


The terms quantitative and qualitative relate to the type of data that can be collected and the processes used to analyse these types of data. To undertake the research for this project a choice has to be made about the best method of collecting information to support the research objectives. Saunders et al. (2007) define quantitative as data collection techniques or data analysis procedures that generate or use numerical data. In contrast, qualitative refers to data collection techniques or data analysis procedures that generate or use non-numerical data. The research strategy (case study) is conducive to collecting and analysing qualitative data to understand how internal audit providers apply generalised audit software. It is not expected that quantitative analysis will be undertaken using the case study approach.

2.5.1 Population

The population of the research topic could potentially be every internal audit provider in existence. To undertake research with this population would not be practical in reality and it would not be possible to interview representatives of each one in the time constraints of the project. Taking this into account the population for this research topic is restricted to internal audit providers within the UK.

2.5.2 Sample

Although the population has been reduced to internal audit providers within the UK, this is still too large to cover as part of the research project. Therefore a sample of 3 to 5 internal audit providers will be chosen so that multiple case studies can be undertaken, which is reasonable within the time constraints. The sample will include the researcher's employer, and the rest of the sample will be chosen at random, relying on the researcher's networks and his employer's networks.

2.6 Data Collection and Analysis Methods

As noted in 2.4.7, data collection will be based on a case study strategy and therefore only the data collection methods for qualitative data are explored.

2.6.1 Questionnaire

Questionnaires can be used to collect data as part of the case study strategy, although they are more popular with the survey strategy. A questionnaire is a general term to include all techniques of data collection in which each person is asked to respond to the same set of questions in a pre-determined order (deVaus 2002 cited by Saunders et al. 2007). For this type of research there is only one chance to get the questions on the questionnaire right. It would be difficult to resend questionnaires for additional information, particularly if respondents chose to remain anonymous. However, if the questionnaire has been well designed and the questions are aligned with the research objectives it can be a very useful way to collect large quantities of data, even more so if limited choice answers or Likert scales are used for the questions. It may be more problematic for comparative analysis if questionnaires have open questions where opinions and descriptive answers are given. Due to the nature of the research and the in-depth analysis required it is unlikely questionnaires will be used to collect data. There may be an opportunity, if time allows, to supplement the main collection of data with questionnaires for more specific questions.

2.6.2 Interviews

Interviews fall into 3 categories, as described below.

Structured Interview

Structured interviews are typically used to collect quantitative data because the format of the interview is standardised and questions are predetermined. The interviewer asks each question and has to record the interviewee's response. The interviewer is not allowed to deviate from the predetermined questions or change their tone of voice, to ensure the interview is as objective as possible.

Semi-structured Interview

In contrast, semi-structured interviews are typically used to collect qualitative data and these do not have to follow a strict set of predetermined questions. Instead, the interviewer will have a list of key points and/or questions that they will want to cover with the interviewee. Depending on the responses of the interviewee or the context of the research the interviewer can deviate from the key points/questions, which may be triggered by the interviewee's responses. Saunders et al. (2007) suggest that these semi-structured interviews should be recorded by audio-tape or by note taking methods.

Un-structured Interview

An unstructured interview is far more informal and is used to investigate broader topics of interest. Unlike the previous two interview types there are no lists of key points and questions to prompt the interviewer. The interviewee is given the opportunity to talk freely about events, behaviour and beliefs in relation to the topic area (Saunders et al. 2007).

2.6.3 Summary

The semi-structured interview is the data collection method of choice for the research. In order for a framework to be developed, the data collected will need to be compared so it can be evaluated consistently, so an element of structure is required; therefore the un-structured interview is not appropriate. The way in which internal audit providers have applied generalised audit software may differ for different reasons. It is these reasons that would not be picked up in a structured interview, leaving the semi-structured interview as the most appropriate. This will allow the researcher to have a framework in place to get enough data on the different applications of generalised audit software and help to collect and probe for further pertinent information.

2.7 Ethics of research


Ethical considerations have to be taken into account in any line of research. For this particular project there will be no collection of personal data and the participants involved in the case study have the right to remain anonymous. The data collected during the case study may contain information that participants view as competitively sensitive. The researcher will assure sponsors/participants that company confidentiality will be upheld and transcripts from the case study will be verified by the sponsor/participant prior to being submitted for research purposes. Consent forms for using the data will be provided so that a record can be maintained. The researcher will observe all codes of ethics, including the University's and the Institute of Internal Auditors'.

2.8 Conclusion
The chapter has recommended the various research methods that will facilitate the achievement of the research objectives. It is expected that the case study approach using semi-structured interviews is the most appropriate method. The researcher will be able to concentrate on a small number of internal audit providers to understand how they have applied GAS. Although the sample is small, the researcher can obtain a wealth of information from the multiple case studies and robust comparisons can be made so that the benefits of applying GAS can be understood; good and bad practices of application can be identified and a generalised framework could be developed.

Literature Review

3.1 Introduction
This chapter will introduce computer assisted audit techniques and assurance activities as a foundation for the research. The literature review makes use of relevant contributions from previous and current knowledge of the subject areas through the analysis and evaluation of published research papers, books, journals and other articles. From computer assisted audit techniques the review will focus specifically on generalised audit software, taking into account common misnomers; identifying common generalised audit software products and reviewing current frameworks for the application of generalised audit software. The literature review also seeks to analyse specific areas of assurance activities so that context can be provided to the potential areas where generalised audit software can be used. This chapter provides the researcher with an understanding of the current opinions and evidence related to generalised audit software and assurance activities in order to fulfil the research objectives:

To investigate how generalised audit software is applied by internal audit providers within the UK.

To evaluate the application of generalised audit software by internal audit providers.

To develop a framework for the effective application of generalised audit software.

3.2 Assurance
3.2.1 Definition

The word assurance is a fundamental part of the Institute of Internal Auditors (IIA) definition. The Collins paperback English dictionary (1992, p42) defines assurance as "a statement or assertion intended to inspire confidence". Within a business environment, management seek this type of confidence to give themselves comfort that systems of internal control are operating effectively to help achieve the organisation's objectives. The Institute of Internal Auditors UK and Ireland (2006) published advice to Audit Committees stating that organisations need to seek assurance from different sources whilst acknowledging the need for credible objective assurance: "Assurance comes from many different sources. Assurance from management is fundamental, but to be effective it needs to be complemented by objective assurance from internal audit." The literature review seeks to understand the assurance activities that are undertaken by internal audit during an audit engagement. The aim is to assess whether there is opportunity to use generalised audit software within these activities.

3.2.2 Internal Audit

The Institute of Internal Auditors - UK & Ireland (1999) define internal audit as "an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation achieve its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."

Part of the definition outlines that internal audit evaluates the effectiveness of risk management, control and governance through a systematic and disciplined approach. The literature review will examine the framework internal auditors use to undertake a systematic and disciplined approach to audits, using the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing 2007 (known as the Standards hereon in).

3.2.3 Audit Process

The introduction to the Standards (IIA, 2007a) states:

"Internal audit activities are performed in diverse legal and cultural environments; within organizations that vary in purpose, size, complexity, and structure; and by persons within or outside the organization. While differences may affect the practice of internal auditing in each environment, compliance with the International Standards for the Professional Practice of Internal Auditing (Standards) is essential if the responsibilities of internal auditors are to be met."

The standards recognise audit practices may differ from organisation to organisation, particularly the audit approach to audit engagements. The IIA provides a framework through its standards to allow internal auditors to fulfil their responsibilities whilst allowing for organisational differences. The following performance standards are specific to undertaking audit engagements:

2200 Engagement Planning

2300 Performing the Engagement

2400 Communicating Results

3.2.4 Engagement Planning (2200)

According to Drummond-Hill et al (2004, p147) the purpose of an engagement plan is to determine the significant parts of the potential audit, those parts that are risk critical, and to undertake the audit in a careful, premeditated and co-ordinated way. The IIA's performance standard 2200 (IIA, 2007a) notes that internal auditors should develop and document a plan for all engagements. The engagement plan must include the scope, objectives, timing and resource allocations for the activity being audited. The engagement plan can also be referred to as the audit brief (Drummond-Hill et al, 2004) or the terms of reference (Spencer Pickett, 2005). Performance standard 2200 is broken down into further constituent parts to provide detailed guidance. These are described below.

Performance standard 2201 Planning considerations

As part of developing the engagement plan, standard 2201 sets out areas for internal audit to consider:

The objectives of the activity being reviewed and the means by which the activity controls its performance.

The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.

The adequacy and effectiveness of the activity's risk management and control systems compared to a relevant control framework or model.

The opportunities for making significant improvements to the activity's risk management and control systems.

This standard introduces a risk-based focus to audit planning. It requires the auditor to obtain knowledge of the audit activity's objectives, risks and related controls. Standard 2300 and its sub-standards offer guidance on the way in which this could be undertaken.

Performance standard 2210 Engagement objectives

The engagement objectives are the goals, the justification and the purpose (Drummond-Hill et al, 2004) of the proposed engagement. Standard 2210 insists that engagement objectives should be established for every engagement undertaken. The practice advisories (Institute of Internal Auditors, 2001) for the standard suggest that, to help develop objectives, the internal auditor should:

2210.A1 Conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives should reflect the results of this assessment;

2210.A2 Consider the probability of significant errors, irregularities, noncompliance, and other exposures when developing the engagement objectives.

This is echoed by Lemon & Tatum (2003, p281): "Engagement objectives should address the risks, controls and governance processes associated with the activity under review." Practice advisory 2210.A1 (Institute of Internal Auditors, 2001) suggests a risk assessment is undertaken so that engagement objectives address the risks, controls and governance processes. The risk assessment allows the auditor to understand the background to the activity under review by understanding its purpose within the organisation, its objectives and goals. With this context the auditor can collect further information through surveys; interviews with individuals; on-site observations; reviewing management reports; studies and use of any other available means to help evaluate risks (Lemon & Tatum, 2003). The internal auditor should establish objectives that reflect the results of this assessment.

Clear, definable and measurable objectives will provide stakeholders and the internal audit team with clarity on what is required for the achievement of a successful audit.

Performance standard 2220 Engagement scope

The engagement scope sets the boundaries of the audit. It defines how deep and how wide the internal auditor will go to achieve the audit objectives. It is simply impossible to undertake a 100% audit of the whole of the target area. Decisions have to be made to limit the amount of work to the areas that provide the biggest gain. (Drummond-Hill et al, 2004)

Drummond-Hill et al. recognise the time constraints and resource limitations for internal audit functions. They infer that having a well defined scope will ensure that relevant and effective assurance can be provided by optimising resources to review the areas of high risk. Drummond-Hill et al. (2004) believe there are 5 main elements to consider when defining the scope:

1. The systems and their boundaries

2. The controls

3. The risks

4. Personnel involved

5. Physical assets

For each of the five elements the auditor needs to use the information analysed as part of the preliminary work undertaken to inform the engagement scope. Whilst the internal auditor has to consider these 5 elements, the internal auditor is required by performance standard 2220 to ensure the established scope sufficiently satisfies the objectives of the engagement.

Performance standard 2230 Engagement resource allocation

Performance standard 2230 notes that internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. Resource demands will vary from organisation to organisation depending on the organisation's audit methodology (Lemon & Tatum, 2003). For example, the use of generalised audit software will require specific data extraction and analysis skills, just as facilitating risk workshops requires its own skills.

Performance standard 2240 Engagement Work Program

Standard 2240 states that a work program should be developed by internal auditors to facilitate the achievement of the engagement objectives. Practice Advisory 2240.A1 (The Institute of Internal Auditors, 2001) indicates work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to its implementation, and any adjustments approved promptly.

3.2.5 Performing the Engagement (2300)

There is no clear distinction as to when an audit engagement starts. It can be argued that even when planning an audit the internal auditor is performing the engagement. They are collecting, analysing and synthesising information to establish the audit objectives and scope. Standard 2300 can therefore be used as guidance to help fulfil the requirements of the performance standard 2200 range. The focus of this standard is to ensure information is used to achieve the audit engagement's objectives. The IIA Standard 2300 states that when performing an engagement the internal auditor must identify, analyse, evaluate, and record sufficient information to achieve the engagement's objectives.

Performance standard 2310 Identifying Information

The internal auditor has to identify information that is sufficient, reliable, relevant, and useful to achieve the engagement's objectives (Performance standard 2310). Lemon & Tatum (2003) point out that the standard does not indicate the types of information the internal auditor should use. Instead the internal auditor has to apply professional judgement to how much and what type of information is required. There are endless sources of information the auditor may wish to call upon. It may be company strategies, policies, standard operating procedures, management reports, accounts, raw data etc. The standard ensures that the information identified and used should contribute to the achievement of the engagement objectives.

Performance standard 2320 Analysis and Evaluation

Standard 2320 states the internal auditor should base conclusions and engagement results on appropriate analyses and evaluations. Such analyses will be used as evidence to support engagement findings. Throughout the engagement the auditor has to make a number of evaluations. Initially, the audit activity under review has to be evaluated so that the auditor understands the governance, control and risk mitigation activities to establish the audit objectives (see standard 2200). Once the engagement planning is agreed, the next step for the internal auditor is to understand and evaluate the systems of internal control to see how they are managing the identified risks in line with the organisation's risk appetite. There are many evaluation techniques the auditor can draw on for understanding the audit activity. The techniques used are limited by the auditor's skills, knowledge and creative thinking. Other typical techniques include benchmarking, trend analysis, walkthrough tests and review of corporate documents (policies, strategies, operating procedures etc). Once the auditor has evaluated the system, the auditor seeks to provide further assurance by testing the risk management strategies or making an assessment of potential risk exposure. Testing is the act of securing suitable evidence to support an audit (Spencer Pickett, 2005) and it provides the evidence for a more accurate assurance for management (Drummond-Hill et al, 2004). The programme of testing, how much to test and what to test, is based on 4 areas according to Drummond-Hill et al. (2004, p201-202):

The auditor's evaluation of the risk mitigation strategies in place.

The evidence required.

The time, techniques and expertise available.

The cost.

The two main types of testing are compliance tests and substantive tests. Compliance tests establish whether risk management strategies and/or controls are working as intended. Substantive testing is a more detailed approach and is used if the auditor needs evidence of the outcome of transactions. This type of testing does not evaluate the control but will inform the auditor whether activities have been carried out correctly and whether objectives have been achieved. Substantive testing is generally used to quantify errors and exceptions where compliance tests have found weak controls (Drummond-Hill et al., 2004).

Testing by analytical review is another approach to both evaluating the systems of internal control and evaluating risk management strategies/quantifying risk exposure. Analytical review can be drawn upon if the right skills and time are available, and it involves the study and comparison of relationships between the information being tested and other relevant data (Drummond-Hill et al., 2004). The benefits of using the analytical review approach are listed by Drummond-Hill et al. (2004):

Flexibility. There are many ways of testing many different pieces of information.

Quick. It is comparatively quick and easy to do in a computerised environment, with the use of the right tools and techniques.

Cost-effective. It is a cost effective method of substantive testing because it is quick and flexible.

Analysis and evaluation is essential for backing up findings and recommendations identified whilst performing the audit. The auditor needs to ensure this information is correctly recorded; this is outlined in standard 2330.

Performance standard 2330 Recording Information

Standard 2330 states that internal auditors should record relevant information to support the conclusions and engagement results. Lemon & Tatum (2003) discuss that the standards do not indicate what types of information should be recorded. They point to practice advisory 2330-1 (The Institute of Internal Auditors, 2001), which indicates that the chief audit executive is responsible for establishing documentation policies, thus recognising that the organisation, design and content of engagement working papers and supporting documentation depend on the type of engagement being performed.

To support conclusions and engagement results, evidence is required. Spencer Pickett (2005, p240-241) states that evidence should have the following attributes:

Sufficient. Evidence should be enough to satisfy the auditor's judgement or persuade management to make any changes suggested by the audit.

Relevant. Evidence should be collected related to the risk management strategies and control objectives.

Reliable. Evidence should be accurate, without bias and where possible obtained directly by the auditor.

Practical. The cost of obtaining the evidence needs to be judged including the time taken and the sensitivity.

Recording working papers and evidence provides the auditor with greater leverage for persuasion and proving factual accuracy to management. Having these documents also helps senior audit peers undertake quality review; this will be explained as part of the 2340 standard.

Performance standard 2340 Engagement Supervision

Engagements should be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed (standard 2340). Practice Advisory 2340-1 (The Institute of Internal Auditors, 2001) notes that although the chief audit executive has overall responsibility for review, experienced internal auditors may review the work of other less experienced internal auditors. Audit engagements must be supervised throughout the whole process. Practice Advisory 2340 (The Institute of Internal Auditors, 2001) recommends that supervision should include:

Ensuring that the auditors assigned possess the requisite knowledge, skills, and other competencies to perform the engagement.

Providing appropriate instructions during the planning of the engagement and approving the engagement program.

Seeing that the approved engagement program is carried out unless changes are both justified and authorized.

Determining that engagement working papers adequately support the engagement observations, conclusions, and recommendations.

Ensuring that engagement communications are accurate, objective, clear, concise, constructive, and timely.

Ensuring that engagement objectives are met.

Providing opportunities for developing internal auditors' knowledge, skills, and other competencies.

3.2.6 Communicating the Results (2400)

Performance Standard 2400 is related to how the internal auditor communicates the engagement results to the relevant stakeholders. The internal auditor has to consider the audiences they are communicating their results to. Different audiences have different communication needs and this may affect the methods used by the auditor to communicate results. Drummond-Hill et al. (2004) identify four main audiences: operational managers; senior managers; the audit committee; and the board. To illustrate differing needs, operational managers are likely to need detailed findings and recommendations to take forward and resolve the operational issues identified. The auditor may have communicated these verbally throughout the audit but is still likely to issue a written report at the end. On the other hand, senior management will be interested in the areas of highest risk exposure, which may affect the achievement of objectives. Drummond-Hill et al. (2004) suggest the best way to communicate to senior management would be through presentation. The audit committee require a written summary of the high risk exposures but they would also like additional information on how management are dealing with issues raised, particularly those where management have not implemented agreed actions. Written reports are the mechanism to communicate findings to the relevant audiences. Drummond-Hill et al. (2004) point out that the role of audit reports is to communicate the results of the engagement; provide the internal auditor's opinion on the audit activity and secure acceptance of recommendations, and the commitment to act upon these.

Performance standard 2410 Criteria for communicating

This performance standard sets out the need for communications to include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans. The practice advisory (The Institute of Internal Auditors, 2001) suggests there are four key elements for articulating observations. These are criteria (the expectation), condition (the fact), cause (reason for the difference) and effect (risk or exposure). Although the standard provides minimum expectations in terms of what to include in a report, it still allows the organisation to use the format and style of their choice. Reports are not limited to narrative: to help illustrate observations, or to quantify risk exposure, the internal auditor may want to use data analyses, graphs, charts, tables and photographs. Sawyer, Dittenhofer, & Scheiner (2003, p703) point out the benefits of this.


"Well-designed schedules, tabulations, charts, and graphs can bring clarity. One picture can make clear what a thousand words can only obscure."

Performance standard 2420: Quality of communication

Communications should be accurate, objective, clear, concise, constructive, complete, and timely (Standard 2420). Reporting is crucial to the success of the audit engagement and tends to be internal audit's end product. The reporting has to meet the needs of the various stakeholders including the audit committee and management (Spencer Pickett, 2005). The quality of communication should be regularly assessed to ensure that quality, in line with the standards, is continuous. According to Lemon & Tatum (2003, citing Cutler 2001), "if you're still using the same report that you were using five years ago, chances are you're providing more information than your readers want."

Performance standard 2421: Errors and Omissions

If a final communication contains a significant error or omission, the chief audit executive should communicate corrected information to all parties who received the original communication.

Performance standard 2430: Engagement Disclosure of Noncompliance with the Standards

When non-compliance with the Standards impacts a specific engagement, communication of the results should disclose the:
- Standard(s) with which full compliance was not achieved,
- Reason(s) for noncompliance, and
- Impact of noncompliance on the engagement.


Performance standard 2440: Disseminating the results

The chief audit executive should communicate results to the appropriate parties.

3.2.7 Summary

International Standards for the Professional Practice of Internal Auditing provide internal auditors with a framework to undertake an audit engagement in a systematic and disciplined approach, so necessary assurance can be provided to management. It is recognised by the standards that the approach and process undertaken to deliver audit engagements are likely to differ from organisation to organisation, and they therefore allow internal audit functions to interpret the standards and build them into their systematic approach. Interpreting the standards, one can summarise particular areas which are essential for delivering an audit engagement:
- Planning: a premeditated and co-ordinated approach to establish audit objectives whilst aligning and getting best use out of available resources;
- Identification: identifying risk management processes, internal control and governance arrangements of the area under review;
- Evaluation: testing the risk management strategies or quantifying the extent of risk exposures;
- Communication: communicating the results in an appropriate method depending on the audience to persuade and engender buy-in from management to agree and accept audit observations and recommendations.


The means to fulfil these areas are open to further interpretation. This gives organisations the flexibility to set procedures based on their own cultures, personnel influence and resource limitations. Now that four main areas of assurance activity have been identified, the literature review will seek to understand existing research in the area of generalised audit software (GAS). The next chapter will help to understand what GAS is; how it has been developed; what the advantages and disadvantages of GAS are; and whether there is any published guidance on when to use GAS. Once this is established it should be apparent for which assurance activities GAS could potentially be used.


3.3 Computer Assisted Audit Techniques (CAAT)


3.3.1 Definition

Computer Assisted Audit Techniques (CAATs) are computer-based tools and techniques which permit auditors to increase their personal productivity as well as that of the audit function (Coderre, 2005). Coderre offers two types of CAATs within his definition. The first are those computer-based tools that support the audit function to introduce autonomy and improve operational efficiency and effectiveness. Examples of these include spreadsheets, electronic timesheets, and automatic working papers. The second type of CAATs are those that are used as part of the audit engagement to analyse and evaluate computerised systems, their controls and data.

3.3.2 CAAT Type 1: Computer System Audit Tools and Techniques

The pervasive nature of computers and technology throughout organisations means that today's auditor has to audit through the computer in order to provide effective assurance. Computer system audit tools and techniques help to audit through the computer and there are common tools and techniques the auditors can utilise. Auditing through the computer means that the applications within a computer are tested to ensure their controls are operating as intended so that data input is processed accurately. Braun and Davis (2003) categorise computer system audit tools and techniques into five categories (see table 2).

| Tool/Technique | Description |
|---|---|
| Test Data | Test data examines an application's logic directly. Auditor pre-plans input and expected outcome. A copy of the application is run in a test environment and is subject to the pre-planned input. If the output is not what the auditor expects it provides an indicator to a potential control failure or application failure. |
| Integrated Test Facility (ITF) | ITF examines an application's logic directly. The auditor has to be involved in the system design so that a test module can be created for use by audit. The test module is embedded into the system so that test data can be put through the module and the data will be processed using the actual system and processes without affecting live data. This allows the system and its controls to be tested during operation. |
| Parallel Simulation | Parallel Simulation examines an application's logic directly by comparing the actual application with an application designed by the auditor to replicate the process. Client data is put through both applications and the results are compared to check data integrity and the quality of the process performed. |
| Embedded audit module | Embedded audit module indirectly examines an application's logic. A module is inserted into the client's application by the auditor, designed to select transactions that meet pre-set criteria. The auditor can use these transactions to demonstrate compliance/noncompliance with policies/procedures or also to select a certain sample for substantive testing. |
| Generalised audit software (GAS) | GAS examines an application's logic indirectly. Auditor uses GAS to extract data from a system for analysis. GAS software allows the auditor to analyse trends; summarise data, view exceptions etc. The key strength of GAS is that it allows the auditor to perform certain tests on the whole population of the data rather than a sample. |
Table 1: Descriptions of Braun and Davis (2003) CAAT Categorisations

Based on the Braun and Davis (2003) categorisation it is evident there are two types of computer system audit tools and techniques:
1. Those that examine application logic directly (examination of controls and process); and
2. Those that examine the application logic indirectly (examination of data).


Tools and techniques used to examine logic directly are used to test the expected or actual application controls. The auditor will control the input of test data and will have an expectation of the output. The tools that examine application logic indirectly, embedded audit module and GAS, focus on the analysis of data. If there is irregular data then the auditor will use this to identify where application logic may have failed (Hall 2000).

Arens et al. (2000) suggest there are three strategies for auditing through the computer. These have also been included in the Braun & Davis (2003) categories and include test data, parallel simulation and embedded audit module.

Sayana (2003) offers a different perspective on categorising computer based audit techniques and tools:
1. Data analysis software (GAS);
2. Network security evaluation software/utilities;
3. Operating system (OS) and database management system (DBMS) security evaluation software;
4. Software and code testing tools.

Data analysis software has also been identified by Braun & Davis (2003) but the other three categories of network security evaluation software; OS & DBMS security evaluation software; and software and code testing tools are very specific. These tend to be specialised tools for auditors to use for evaluation of security controls and testing compliance against organisations' security policies (Sayana 2003).

Sayana (2003) acknowledges the traditional tools and techniques highlighted by Arens et al. (2000) and Davis and Braun (2003) are becoming rare due to the high standards and maturity of software development:

"The huge improvements in the quality and reliability processes reinforced by certifications in the software industry, the rigorous user acceptance testing and signoffs by aware users have made testing by auditors redundant throughout the years." Sayana (2003)

Sayana (2003) does not rule out the need to perform traditional methods like test decks but only if it is relevant to the environment the auditor operates within.

It is widely recognised within the internal audit profession that these tools and techniques are essential, if not imperative, to use for providing assurance in an IT pervasive world. This is underlined by performance standard 1210.A3:

"Internal auditors should have knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing." (IIA, 2007a)

The Information Systems Audit and Control Association (ISACA) also underline this through their standard 060.020 (ISACA, 2006):

"During the course of the audit, the Information Systems Auditor is to obtain sufficient, reliable, relevant and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."

Computer system tools and techniques must be employed in order to provide management with sufficient evidence to support audit findings and conclusions. Without the use of the tools it is practically impossible to audit through the computer and its applications (Sayana 2002).


3.3.3 CAAT Type 2: Computer-based Audit Support Tools and Audit Automation

There is an increased pressure to do more with less and, due to the unfortunate perception that internal audit is an overhead, the internal audit function must become more efficient in delivering products and services as well as becoming more effective (Coderre, 2005). Ramamoorti et al. (2003) note that it is critical for the internal audit function to be seen as a value-adding service and one with a respected status within the organisation. This status brings expectations from the wider organisation to be efficient using technology. Ramamoorti et al. (2003, P326) state: "given such strategic positioning within an organisation, the function should clearly be technology-savvy and fully integrate IT into its methodology and activities."

Internal audit functions are looking to computer-based audit support tools and audit automation to gain efficiencies, so costs are reduced whilst maximising benefits. There are many software packages and tools available to assist the audit function in supporting audit management and administration; these are discussed below.


3.3.3.1 General Software

General software is software that is not specifically designed for use by auditors but has functionality that the internal audit function can utilise. Examples of this type of software include word processors, spreadsheets, presentation, and flow charting.

Word Processor
Word processors support the production of working papers and audit reports by allowing the auditor to record and manipulate textual information (Coderre, 2005). Modern word processors are armed with useful features such as spell-checking and thesaurus. According to Coderre (2005) one of the benefits of these features is that they have improved the quality review: management are now less focused on incorrectly spelled words and much more concerned about the content and issues of the report. Another useful time-saving feature in word processors is the use of templates. Templates allow audit documentation (working papers, risk matrices, reports etc) to be standardised to a format and style of the internal audit function's choice so that the auditor. Not only does it eliminate the need for auditors to reproduce documentation (Coderre 2005), it can also be used to portray a professional image. As illustrated, software as simple as a word processor can bring benefits and efficiency gains to the internal audit function; it is a matter of understanding the features and assessing how these can be used to support audit processes.

Spreadsheet
The spreadsheet consists of rows and columns. The intersection between each row and column forms a cell and it is these cells that form the spreadsheet. Cells can contain numbers, dates, text and formulae and users are able to manipulate this information through calculations, sorting, filtering and performing in-built data analysis techniques (Coderre, 2005). Audit management can benefit from spreadsheets by using them for tracking audit budgets, recording time and billing information and evaluating risk scores. Spreadsheets can also be used for the audit process, such as producing analysis and graphs for audit reports. They can also be used for data extraction and analysis when planning or testing audit engagements. The diversity of the spreadsheet provides many opportunities to benefit the internal audit function and individual auditor. Coderre (2005, P60) states that any audit process which involves the analysis of quantities of data or repetitive calculation can be made more efficient by using a spreadsheet.

Presentation
Ramamoorti et al. (2003, P330) articulate how presentation software can help the internal auditor: "Presentation software, which creates/embeds charts, graphs, pictures, sound and video clips, can help internal auditors present clear, concise and complete information." The use of presentations is a useful tool for auditors when they want to communicate in a condensed and interesting manner (Coderre 2005). It is particularly useful for reporting observations and recommendations to senior management, as suggested by Drummond-Hill et al. (2004).

Flowcharting
Flow charts are useful for documenting business procedures and identified controls in a visual format. By modelling a particular system, flow charts are beneficial to assess the efficiency of a process or system, particularly for identifying duplication and bottle-necks, and also assessing the effectiveness of system design by identifying key controls. Traditionally flow charts were drawn by hand so any required updates were a time-consuming process (Coderre 2005). Flow chart software enables the user to easily amend and update existing flow charts. Some flowchart software helps the user to follow particular flowcharting standards such as Rutterman, thus increasing the quality and accessibility of documentation (Coderre 2005).

3.3.3.2 Electronic Working Papers

Electronic working papers provide auditors with an electronic means to plan, record, evaluate and report to support the audit process. Coderre (2005) lists the basic capabilities of most electronic working papers:
- Quick and reliable replication of databases and documents across one or many servers
- Automatic routing of information [workflow]
- The ability to create forms or standard templates for working papers (memos, reports, worksheets)
- Enforcing a standard methodology/approach to conduct the audit
- Automatic naming and management of files, solving document management and version control issues
- Providing easy access to, and sharing of, all relevant data for auditors working off-site.

These capabilities described by Coderre (2005) are not exhaustive. Using an electronic method of working papers provides a robust framework for auditors to follow; shared access to audit information; workflow processing to allow automation; and overall better control of audit documentation. This contributes to a more efficient and effective audit function.

3.3.3.3 Other common software

Notwithstanding the software tools discussed, there are many more the auditor can draw upon. The table below summarises other common software that could potentially be used by internal audit functions for increasing efficiency and effectiveness.

| Tool / Technique | Description |
|---|---|
| Communication | |
| Email | Allows writing, sending, and receiving of electronic messages. |
| Instant Messenger | Allows real-time text communication. |
| Video/Tele-conferencing | Allows real-time video and audio communication. |
| Training and Knowledge Sharing / Transfer | |
| Computer Based Training | Training programs delivered from a computer. Tends to allow self-pace learning, consistency and low cost. |
| Reference Library | A centralised library containing electronic documents to make it easier to control and retrieve. |

Table 2: Potential other software used by internal audit

3.3.4 Summary

This part of the literature review has covered the common tools and techniques that can be applied by internal audit functions, whether they are tools that audit computer systems or tools that are used to increase the operational productivity of the audit department. The purpose of this was to highlight how internal audit departments are able to improve efficiency and effectiveness using technology.

"CAATTs can significantly improve audit effectiveness during the planning, conduct, reporting and follow-up phases of the audit, as well as improving the overall management of the audit function." Coderre (2005, P21)

Generalised audit software (GAS), mentioned as part of CAAT type 1, is the most frequently used of all of the CAATTs according to Braun and Davis (2003). The research will concentrate on this type of CAAT, exploring the definition of GAS; available GAS tools; where GAS can be used; and commenting on any current guidance and/or framework for the use of GAS.


3.4 Generalised Audit Software


3.4.1 Definition

Debreceny et al. (2005, p605) define generalised audit software as a class of packaged software that allows auditors to interrogate a variety of databases, application software and other sources and then conduct analyses and audit routines on the extracted or live data. Braun and Davis (2003, p727) suggest that generalised audit software is the most frequently used of all CAATs and they present a simpler definition: "GAS allow for data extraction and analysis." Both definitions clearly link the use of data and analysis. Debreceny et al. (2005) recognise that GAS can perform analyses on live data as well as extracted data. In addition to this the literature review found many common variations and misnomers for describing GAS:

| Source | GAS referred to as |
|---|---|
| IIA Professional Guidance paper (2007b) | Information Retrieval and Analysis Tool (IRAT) |
| Coderre (2005); Boheim and Rieman (1999) | Data Extraction and Analysis tools |
| Bierstaker, Burnaby and Hass (2003) | Data Mining and Analysis |
| Sayana (2003) | Data Analysis software |
| Kalaba (2002) | Computer Assisted Audit Technique (CAAT) |
| Lanza (1998) | Auditing Software |

Table 3: Other references for GAS

Whichever term is used, the context always makes it clear that data analysis is involved, whether the data is extracted or analysed in real time.

3.4.2 GAS Products

In 2006 the Institute of Internal Auditors (IIA) undertook their 12th Internal Auditor software survey. They received 516 responses out of 6,500 IIA members that were invited to complete the survey.


The survey asked members to indicate which product they use frequently for data extraction and data analysis. The results showed auditors interchanged between spreadsheets and speciality products depending on the audit requirement. The following data extraction and analysis products were used by internal auditors: Microsoft Access Audit Command Language (ACL) AS/400 query Excel Interactive Data Extraction and Analysis (IDEA) Monarch Oracle PeopleSoft SAP

As part of their study, Braun and Davis (2003) found from preliminary interviews that ACL and IDEA were used by their potential study participants. ACL and IDEA are both products that have been specifically designed by software vendors for extraction and analysis for audit purposes, as explained by Debreceny et al. (2005): "These packages contain general modules to read existing computer files and perform sophisticated manipulations of data contained in the files to accomplish audit tasks." The other tools listed above can perform data extraction and analysis but this is not their primary function and they have not been developed with audit tasks in mind.


3.4.3 GAS Constituents and their Use

As the definition has outlined, there are two key constituents of GAS: data extraction and data analysis. GAS has become simpler to use and auditors no longer have to be programmers to perform data extractions and analyses:

"They [GAS] have a user-friendly interface that captures users' audit requirements and translates those user instructions or queries into program code." Debreceny et al. (2005, p607)

The functionality of GAS such as IDEA and ACL provides auditors with a plethora of tools and techniques for extracting and analysing data.

3.4.3.1 Data Extraction

Data required for an audit may reside in diverse and distributed system types with varying degrees of control (Silltow, 2002). These heterogeneous environments provide auditors with a challenge to extract the data they require. Modern GAS has been developed so that it has the flexibility to extract data from nearly any application or file format. As stated by Debreceny et al. (2005, P607), "GAS vendors provide data extraction routines for many different computing environments."

The auditor must work with data owners to obtain the relevant data needed to meet the audit objectives. Silltow (2002) suggests that auditors should make data request arrangements well in advance of the time it is needed in order to minimise any effect on the organisation's production environment. Coderre (2007) suggests writing a formal request to include:
- the data source(s) and key fields
- the timing of the data
- data transfer format (floppy, LAN, Internet, CD-ROM etc)
- the data format (ASCII print file, delimited, comma separated etc)
- control totals (number of records, key numeric field totals)
- record layout (field name, start position, length, type, description)
- a print of the first 100 records

Data requests may include what is deemed confidential and sensitive data. Sufficient controls must be in place to ensure this data is secure during extraction and in some cases when transported.

"It is necessary to safeguard this program/system information and production data with an appropriate level of confidentiality and security. In doing so, consider the level of confidentiality and security required by the organisation owning the data and any relevant legislation." Silltow (2002, P360)

If data requests contain personal information the auditor has to be aware of the 8 principles of the Data Protection Act (1998):
1. Personal data shall be processed fairly and lawfully
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
3. Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed
4. Personal data shall be accurate and, where necessary, kept up to date
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
6. Personal data shall be processed in accordance with the rights of data subjects under this Act
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

To highlight the importance and potential risk of data extraction: the National Audit Office (NAO) in October 2007 requested child benefits data from Her Majesty's Revenue and Customs (HMRC). The data was extracted onto two Compact Discs (CDs) and had over 25 million individual records, which included personal details. The CDs were sent by courier to the NAO but they never arrived. In the wrong hands this information could be sold on or used for identity theft. Although HMRC protected the data with a password, with the right tools these passwords can potentially be compromised. Information security experts suggested that the data should have been encrypted given the sensitivity of the data. The discs have never turned up and the Chairman of HMRC has since resigned because of the operational failings and the flagrant breach of the Data Protection Act 1998.

With the simplicity of extracting data and importing data using GAS, as Silltow (2002) states, it is imperative to ensure data is appropriately safeguarded. Data obtained should be stored in an appropriate location so that the auditor can perform analysis and manipulate the data further. The auditor must consider where to store the data and ensure the access arrangements are not in breach of company policy or legislation such as DPA 1998 (seventh principle).

Once data is imported into GAS such as ACL and IDEA, the data is locked down as read only (Singleton, 2006). This ensures that data cannot be inadvertently or maliciously changed during analysis, so any results are accurate and reliable. Additional functionality exists to add more fields to the data for further manipulation and analysis but the original data fields remain unchanged.

Coderre (2007) advises the auditor to check data integrity once it has been imported. This can be done by comparing the control totals (number of records, sum of a key numerical field etc) from the formal data request (see above) against the data totals in the GAS. Modern GAS has the functionality to allow the auditor to automatically calculate control totals, so all the auditor has to do is the comparison.

Once data integrity is checked the auditor is ready to analyse the data. The auditor should perform analyses as per the audit objectives, which will be explored in the next section. Once this is done the auditor has one last consideration in terms of the actual data. If personal data has been analysed and processed the auditor must consider how long the data should be retained for, in line with the fifth principle of DPA 1998.
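The control-total comparison described above can be sketched as follows. This is an added example, not code from the dissertation or from any GAS product; it assumes a fixed-width extract, and the record layout, field names, sample records and control totals are all constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass(frozen=True)
class Field:
    name: str
    start: int   # 1-based start position, as a record layout states it
    length: int
    kind: str    # "text" or "amount"


# Constructed record layout (field name, start position, length, type).
LAYOUT = [
    Field("invoice_no", 1, 8, "text"),
    Field("vendor_id", 9, 6, "text"),
    Field("amount", 15, 12, "amount"),
]
RECORD_LENGTH = sum(f.length for f in LAYOUT)  # 26 characters

# Constructed control totals, standing in for those the data owner supplies
# with the extract (number of records, total of a key numeric field).
CONTROL_TOTALS = {"record_count": 4, "amount_total": Decimal("15750.25")}


def _row(invoice_no, vendor_id, amount):
    """Build one fixed-width sample record that follows LAYOUT."""
    return f"{invoice_no:<8}{vendor_id:<6}{amount:>12}"


# Constructed extract; a real one would be read from the transferred file.
SAMPLE_EXTRACT = "\n".join([
    _row("INV00001", "V00017", "1200.00"),
    _row("INV00002", "V00017", "350.25"),
    _row("INV00003", "V00042", "9800.00"),
    _row("INV00004", "V00108", "4400.00"),
])


def parse_extract(text, layout=LAYOUT, record_length=RECORD_LENGTH):
    """Split the extract into records; return (records, rejects).

    A line of the wrong length or with a non-numeric amount is rejected with
    its line number instead of being silently dropped or coerced.
    """
    records, rejects = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # ignore blank lines, e.g. a trailing newline
        if len(line) != record_length:
            rejects.append((line_no, f"length {len(line)} != {record_length}"))
            continue
        record, error = {}, None
        for field in layout:
            raw = line[field.start - 1:field.start - 1 + field.length].strip()
            if field.kind == "amount":
                try:
                    value = Decimal(raw)  # Decimal avoids float rounding on money
                except InvalidOperation:
                    value = None
                if value is None or not value.is_finite():
                    error = f"non-numeric {field.name}: {raw!r}"
                    break
                record[field.name] = value
            else:
                record[field.name] = raw
        if error:
            rejects.append((line_no, error))
        else:
            records.append(record)
    return records, rejects


def compute_totals(records, amount_field="amount"):
    """Recalculate the control totals from the imported records."""
    return {
        "record_count": len(records),
        "amount_total": sum((r[amount_field] for r in records), Decimal("0")),
    }


def reconcile(expected, actual):
    """Return (name, expected, actual) for every control total that differs."""
    return [(name, expected[name], actual.get(name))
            for name in expected if expected[name] != actual.get(name)]


def check_extract(text, expected):
    """Import the extract and compare it with the data owner's control totals."""
    records, rejects = parse_extract(text)
    differences = reconcile(expected, compute_totals(records))
    return {"ok": not rejects and not differences,
            "rejects": rejects, "differences": differences}


if __name__ == "__main__":
    print(check_extract(SAMPLE_EXTRACT, CONTROL_TOTALS))
```

A record lost or altered in transfer shows up as a difference in one or both totals, and a damaged line is reported by line number, so the auditor knows whether to request the extract again before any analysis starts.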

3.4.3.2 Data Analysis

Juergens & Maberry (2006, P17-P18) describe the analysis functionality of GAS:

"These tools allow an IT auditor to perform robust statistical analysis of large data sets. They can also be used to support process or operational audits (e.g. accounts payable fraud reviews), and they can support many types of testing."

Juergens & Maberry (2006) suggest that the use is limited to IT auditors but the simplicity of modern GAS allows any auditor to use it, as Coderre (2005, P197) describes:

"Audit software permits auditors to interact with the data with minimum knowledge of specialized programming techniques. Most audit software packages have a user-friendly interface and are menu-driven. Certain functions are automated to the extent that one command can be used to carry out a fairly complex task."


The IIA emphasise the importance of having clear objectives so that analysis is focused. With the amount of functionality available, there is a danger that auditors may perform analyses that appear interesting but do not actually meet the objectives of the audit, and consequently waste time:

"It is easy to download data and then experiment with all the different tests available in a specific IRAT [GAS] package. However, that is also an easy way to waste time and should be done only where that is useful. To maximise productivity, it is important to stick to the audit objectives and to define and document the tests, which are appropriate." (The Institute of Internal Auditors UK and Ireland, 2007b, p6)

Planning the use of GAS, and the functionality to use, is imperative to get the most from it, particularly as this software can be used for all audit phases (Coderre 2005).

Planning

Paukowits & Paukowits (2000, P28) highlight the benefits of using data analysis during the planning phase of an audit: Applying analytic functions to data such as counting, totaling, stratifying, classifying and sorting can yield valuable insights and leads regarding risk and magnitude of the potential exposure to loss. This provides the auditor with a better understanding of the audit activity, which helps to influence the audit scope and assess the areas of high risk. This statement is also supported by Coderre (2007) and Singleton (2006), who both indicate that reviewing data in this way is also likely to identify suspicious data and/or transactions, which can provide further direction to the audit. Typical GAS functionality to support planning includes pivot tables; summarisations; age analyses; statistical methods (mean, median, mode, standard deviation and sum); and data profile statistics. Data profile
statistics provide the auditor with an overview of the data, displaying statistical analysis, extremes and reoccurring data. Coderre (2005) provides some practical suggestions on how data analysis can be used to inform planning. Analysis can be applied to define audit populations; review previous and current years' expenditures and budgets; identify resource consumption and outputs; or perform trend analyses. Data analysis can assist auditors in pinpointing likely risk areas for planning, but Paukowits & Paukowits (2000) provide a caveat by stating that using data analysis for planning is still limited to the creative input and critical thinking abilities of the auditor.

Testing

As IT becomes increasingly pervasive within the control environment, the auditor is faced with less paper and more electronic files (Coderre, 2005). The sheer volume of electronic information makes it difficult for auditors to use manual techniques (Coderre, 2005) to test the effectiveness of controls. Using GAS, auditors can audit through the computer and ensure input, processing and output controls work as intended. Coderre (2005, P65) points out testing as one of the fundamental benefits of GAS: "modern audit software facilitates electronic analysis, screening and testing of 100 percent of the audit populations." Increasing test coverage (by testing a whole population) means that auditors are providing greater assurance. In addition, audit tests (e.g. a duplicate test) can be performed much faster than if they were done manually, improving audit efficiency. The Institute of Internal Auditors UK and Ireland (2007b) list some key objectives in testing using IRATs [GAS]:

Key Objective: Description

Validity: The most common use of IRATs is to validate data by cross-matching between files from different sources or checking for duplicates. This can involve testing every item in a file or data-base or can just be based on records meeting certain criteria eg. exception testing for unusual items.

Sample selection: IRATs can also be used to select a sample for further testing, eg to [obtain] external evidence, including source documents.

Completeness: It can be difficult to prove the completeness of records but cross matching to another source or checking for gaps in a numeric reference can give significant assurance in this area.

Mechanical accuracy: It is easy to assume that computer systems can add up and compute price and cost information correctly. However this is not always the case and it is worthwhile checking from time to time, particularly with new software or new versions or releases of existing software.

Analytical review: IRATs can produce significant analysis, including trend data, totals by relevant categories, stratifications (ie number and value of items in bands) and percentages to indicate the plausibility of the data or certain unusual characteristics. Payment and Payroll data contain patterns which can be checked. Analytical review can also help the internal auditor during engagement planning to understand better the activity under review.

Cut-off: Tests on dates of transactions and the dates of associated activities can detect items recorded in the wrong period.

Table 4: Key objectives in testing using IRATS [GAS]. Based on the professional guidance for internal auditors - Information retrieval and analysis tools.

The key objective used by the auditor depends on what is being audited and the defined audit objectives. Auditors could draw on one or more of these testing techniques to obtain the relevant evidence and provide reliable assurance for the auditable area. Warner (1998) provides examples of typical audits and the testing techniques available when using ACL, a modern GAS package. These examples can be found in appendix A.
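The validity, completeness, mechanical accuracy and cut-off objectives from Table 4 can each be written as a test over the whole population rather than a sample. The following is an added Python example, not code from ACL, IDEA or the cited guidance; the invoice extract, its field names and the 31 March 2008 period end are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed invoice extract (illustrative field names and values only).
SAMPLE_CSV = """invoice_no,supplier,qty,unit_price,amount,invoice_date,posted_date
1001,ACME,10,2.50,25.00,2008-03-28,2008-03-29
1002,BETA,4,10.00,40.00,2008-03-30,2008-03-31
1003,ACME,10,2.50,25.00,2008-03-28,2008-03-31
1005,GAMMA,3,9.99,29.97,2008-04-02,2008-03-31
1006,BETA,7,1.10,7.77,2008-03-15,2008-03-16
1007,DELTA,1,100.00,100.00,2008-03-31,2008-04-01
"""


def load_records(text):
    """Parse the extract, converting each field to an exact type."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "invoice_no": int(row["invoice_no"]),
            "supplier": row["supplier"],
            "qty": int(row["qty"]),
            "unit_price": Decimal(row["unit_price"]),  # Decimal avoids float rounding
            "amount": Decimal(row["amount"]),
            "invoice_date": date.fromisoformat(row["invoice_date"]),
            "posted_date": date.fromisoformat(row["posted_date"]),
        })
    return records


def duplicate_groups(records, key_fields):
    """Validity: invoice numbers of records that share the same key fields."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[f] for f in key_fields)].append(rec["invoice_no"])
    return sorted(nos for nos in groups.values() if len(nos) > 1)


def sequence_gaps(records):
    """Completeness: invoice numbers missing between the lowest and highest."""
    present = {rec["invoice_no"] for rec in records}
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def recalculation_errors(records):
    """Mechanical accuracy: qty * unit_price does not equal the recorded amount."""
    return [rec["invoice_no"] for rec in records
            if rec["qty"] * rec["unit_price"] != rec["amount"]]


def cutoff_exceptions(records, period_end):
    """Cut-off: invoice date and posting date fall on opposite sides of period_end."""
    return [rec["invoice_no"] for rec in records
            if (rec["invoice_date"] <= period_end) != (rec["posted_date"] <= period_end)]


def run_all(text, period_end):
    """Run every test over 100 percent of the records and collect the hits."""
    records = load_records(text)
    return {
        "validity_duplicates": duplicate_groups(
            records, ("supplier", "amount", "invoice_date")),
        "completeness_gaps": sequence_gaps(records),
        "mechanical_accuracy": recalculation_errors(records),
        "cut_off": cutoff_exceptions(records, period_end),
    }


if __name__ == "__main__":
    for test, hits in run_all(SAMPLE_CSV, date(2008, 3, 31)).items():
        print(f"{test}: {hits}")
```

Each function returns a hit list of invoice numbers for follow-up; a hit is a lead to investigate, not a finding in itself.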

Silltow (2002) provides more audit examples where GAS can be useful for testing. Some of these are included in the table below:

Auditable Area: Accounts receivable
Aim: Test for validity, in particular old invoices, unmatched cash and large balances
Potential GAS Functionality: Summarisation; Sorting; Conditions

Auditable Area: Creditors and debtors
Aim: Review potential cases of suppliers overpricing, invalid invoices, frauds, accidental duplication and expenses out of control
Potential GAS Functionality: Benford's Law; Conditions; Duplicate detection; Data comparison

Auditable Area: Payroll
Aim: Tests for existence of employee and correctness of pay. Comparison of staff on payroll against supplier list
Potential GAS Functionality: Duplicate detection; Database comparison; Re-performing calculations on key fields

Auditable Area: Sales
Aim: Completeness of transactions, correct pricing and calculation of commissions
Potential GAS Functionality: Gap detection; Re-performing calculations on key fields

As highlighted by both Silltow (2002) and Warner (1998), typical testing functionality in modern GAS includes duplicate analysis, gap detection, Benford's Law, re-calculations (parallel testing), matching and comparing data from other databases, calculations and computations. The latest GAS also offers highly customisable scripting. This allows technically savvy auditors to programme automatic routines for repetitive tasks, or to use again in future audits. With so much functionality, Paukowits & Paukowits (2000, p27) offer a warning:

"Auditors frequently limit their use of CAATs to the more popular capabilities of the software. If a program has the ability to identify duplicates or gaps, then the auditor may be inclined to design a test to isolate only these types of problems not necessarily because this represents a particular risk to the organisation."

This underlines the importance of ensuring tests are defined up front in line with the audit objectives.

Reporting

Coderre (2005) believes that the use of CAATs, such as GAS, can produce effective reports that can contribute to the overall acceptance of audit findings. Modern GAS are able to present analysis graphically (bar charts, pie charts etc.) as well as in data tables. Auditors can use these within their reports to clearly illustrate the significance of an audit finding, particularly if 100 percent testing has been performed because this shows a true reflection of the exceptions. ISACA Auditing Guidelines (2008) for the use of computer assisted audit techniques suggest three principles to follow when reporting on an audit that has used CAATs:

1. The objectives, scope and methodology section of the report should contain a clear description of the CAATs used. This description should not be overly detailed, but it should provide a good overview for the reader.
2. The description of CAATs used should also be included in the body of the report, where the specific finding relating to the use of CAATs is discussed.
3. If the description of the CAATs used is applicable to several findings, or is too detailed, it should be discussed briefly in the objectives, scope and methodology section of the report, and the reader should be referred to an appendix with a more detailed description.

Following these guidelines will demonstrate to all report stakeholders that internal audit are using the latest tools and techniques to add value whilst improving audit efficiency.

3.4.4 Determining factors of when to use GAS

GAS is just one tool of many CAATs and other manual techniques an auditor can draw on to contribute to the achievement of audit objectives. The Institute of Internal Auditors UK and Ireland (2007b) suggest certain questions can be used to determine whether IRAT [GAS] should be used:

- Is the information stored electronically?
- Can the characteristics of accurate data be defined clearly so that a test can be formulated?
- Is it important to assess the full extent of an error?
- Is the particular data required available? It may have been deleted or a key element may not be in the file.
- Do the likely benefits from the testing justify the cost?

When the auditor determines there is a benefit to using GAS, Silltow (2002) states that the use of GAS is more effective if it is thoroughly planned. Silltow (2002) outlines a six step guide for using GAS to support an audit:

Step 1: Set your objectives; this is the key to using file interrogation software [GAS] successfully. It will enable you to understand what you wish to achieve, and plan exactly what it is you need to do to reach the objectives.
Step 2: Determine the files to which you need to gain access. The database schema/file layout should assist you in determining whether you are selecting the correct files. Also, to get the data you require, you may need to gain access to the files.
Step 3: Select the fields you require, within the database.
Step 4: Decide how much data you require and where you are going to store it when you get it.
Step 5: Obtain the data. It may be worthwhile getting a small amount of data first, to test out your theories. This will enable you to fine-tune your requirements and ensure that your objectives are met without wasting too much time. This is especially relevant if it takes a great deal of time to obtain the data from its source.
Step 6: Once you have completed your test and satisfied yourself that objectives can be met, obtain all the data you need and produce the required reports.

Coderre (2007) outlines a more detailed approach to the application of GAS, specifically for ACL, but the principles also apply to any GAS. The first step is to ensure the auditor understands the goals and objectives of the audit. Once this is confirmed the following steps should be taken:

1. Meet with the client and the programmer for the client applications. Identify all available databases, both: internal to the client organization - main application systems; and external to the client organization - including benchmarking and standards.
2. List fields in all available databases and the standard reports that are available.
3. Based upon the audit objectives, identify the data sources, the key fields or data elements required by the audit team.
4. Request the required data, trying to ensure that unnecessary fields are excluded from the request. Prepare a formal request for the required data, specifying:
   a. the data source(s) and key fields,
   b. the timing of the data (for example: as of Sept 31 2002),
   c. the data transfer format (floppy, LAN, Internet, CD ROM, tape, etc.),
   d. the data format (DBF, Delimited, flat file, ODBC, ASCII print file, etc.),
   e. control totals (number of records, key numeric field totals),
   f. record layout (field name, start position, length, type, description),
   g. a print of the first 100 records
5. Create or Build the ACL [GAS] Input File Definition - automatically created by ACL for DBF, ODBC, and Delimited files.
6. Verify the data integrity:
   a. Use Verify Command - to check data integrity,
   b. Check ACL [GAS] totals against control totals,
   c. check the timing of the data to ensure proper file has been sent,
   d. compare ACL [GAS] view with Print Out of first 100 records
   e. authorization - obtain client agreement on data (source, timing, integrity, etc.).
7. Understand the Data - use ACL commands COUNT, STATISTICS, STRATIFY, CLASSIFY, etc to develop an overview of the data [or data profile statistics in other GAS]
8. For each objective
   a. formulate hypotheses about field and record relationships
   b. Use ACL [GAS] to perform analytical tests for each hypothesis
   c. Run tests - the output is your hit list - possible problem records
   d. Evaluate initial results and refine the tests
   e. Re-run and refine test to produce shorter, more meaningful results (repeat steps 5-7 as needed)
   f. Evaluate the results - using record analysis, interview, or other techniques - to examine every item on the refined results.
   g. Form an audit opinion on every item in your results. For each you should be able to say that the record is OK - there is a valid explanation; or that it is a probable improper transaction and more review is needed
9. Quality Assurance and Documentation - exceptions to source; confirm analysis and nature of exceptions; and identify reasons for the exceptions.

This is a comprehensive guide offered by Coderre (2007), which has synergies with Silltow's (2002) six step suggestion. Silltow (2002) provides more of an overview, whereas Coderre (2007) elaborates on some of the steps. Both indicate the need to:

- define audit objectives;
- determine data required;
- request the data;
- verify data reliability.

Successful application requires a well-designed and disciplined approach (Paukowits & Paukowits, 2000) so that maximum benefits are received when using GAS. These guidelines provide that approach.
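Steps 4 and 6 of Coderre's approach (record layout, control totals and data timing agreed in the request, then checked on receipt) can be expressed as an acceptance check run before any analysis begins. The following is an added Python example, not ACL's Verify command or Coderre's own code; the control sheet, field names and payment records are constructed for illustration.

```python
import csv
import io
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed control sheet, as agreed with the client in the data request (step 4).
CONTROL = {
    "fields": ["payment_id", "payee", "amount", "payment_date"],  # record layout
    "record_count": 5,                                            # control total
    "amount_total": Decimal("1250.75"),                           # control total
    "as_of": date(2008, 3, 31),                                   # timing of the data
}

# Constructed extract as received: one record missing (P-004), one corrupt
# amount (letter O in place of a zero) and one record dated after the as-of date.
EXTRACT = """payment_id,payee,amount,payment_date
P-001,ACME,200.00,2008-03-03
P-002,BETA,350.25,2008-03-10
P-003,GAMMA,4O0.50,2008-03-17
P-005,DELTA,150.00,2008-04-02
"""


def verify_extract(text, control):
    """Return (check, detail) findings; an empty list means the extract
    agrees with the control sheet and analysis can start."""
    findings = []
    reader = csv.DictReader(io.StringIO(text))

    # Record layout: the fields delivered must be the fields requested.
    if reader.fieldnames != control["fields"]:
        findings.append(("layout", f"received fields {reader.fieldnames}"))
        return findings  # later checks are meaningless with the wrong layout

    count = 0
    total = Decimal("0")
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        count += 1
        # Field validity: every value must parse as its declared type.
        try:
            amount = Decimal(row["amount"])
            paid = date.fromisoformat(row["payment_date"])
            if not amount.is_finite():
                raise ValueError("non-finite amount")
        except (InvalidOperation, ValueError, TypeError):
            findings.append(("validity", f"line {line_no}: {row['payment_id']}"))
            continue
        total += amount
        # Timing: nothing in the file may be dated after the agreed as-of date.
        if paid > control["as_of"]:
            findings.append(
                ("timing", f"line {line_no}: {row['payment_id']} dated {paid}"))

    # Control totals: record count and key numeric field total.
    if count != control["record_count"]:
        findings.append(
            ("record_count", f"expected {control['record_count']}, got {count}"))
    if total != control["amount_total"]:
        findings.append(
            ("amount_total", f"expected {control['amount_total']}, got {total}"))
    return findings


if __name__ == "__main__":
    for check, detail in verify_extract(EXTRACT, CONTROL):
        print(f"{check}: {detail}")
```

Any finding here is a reason to go back to the data owner before testing, since results drawn from an incomplete or mistimed file cannot support an audit opinion.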

3.4.5 Summary

GAS is known by many different names but the common constituents of GAS are data extraction and data analysis. The user friendly interfaces and the advanced functionality make it a popular tool for auditors to consider, particularly for substantive testing. IDEA and ACL prove to be the most modern products. These have been designed with auditing in mind and, although other tools allow data extraction and analysis, they are not designed purely for auditing purposes. Using GAS should not be taken lightly and an assessment should be made of whether it is the right tool. If it is the right tool, careful planning needs to be undertaken so that time is used productively, data is well protected and, most importantly, the use of GAS supports the objectives of the audit. During the planning, testing and reporting of an audit engagement GAS is able to add value in many ways. For planning it helps to define scope and understand the level of risks; during testing it is able to provide assurance on 100 percent of data; and for reporting it helps to illustrate observations and the level of risk.

3.5 Conclusion
The literature review has provided secondary data to support my research objectives and research questions. The research has shown that GAS is used throughout the world, as highlighted by the IIA's Software survey in 2006, which also identified the GAS internal audit providers use. By understanding the IIA standards for performing an engagement and understanding GAS functionality, the research has provided an outline framework, which can be used to ascertain in what part of assurance activities GAS could potentially be used:

Columns: IIA Standard; Description; Potential use for GAS

Engagement Planning

IIA Standard: 2201
Description: Internal audit should consider whilst planning the significant risks to the activity
Potential use for GAS: Part of planning; able to analyse data to assess levels of risk for certain audits

IIA Standard: 2210.A1 & A2 practice advisories
Description: 2210.A1 Conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives should reflect the results of this assessment; 2210.A2 Consider the probability of significant errors, irregularities, noncompliance, and other exposures when developing the engagement objectives.
Potential use for GAS: GAS is able to help develop objectives by using GAS to support preliminary assessment of risks.

IIA Standard: 2230
Description: Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources
Potential use for GAS: Do we have the right resource to operate GAS

Performing the audit (2300)

IIA Standard: 2310 Identifying the information
Description: Sufficient, reliable, relevant and useful to achieve objectives. Information identified and used should contribute to the achievement of the engagement objectives
Potential use for GAS: Auditor needs to identify opportunity if they can use GAS to perform audit. Relate to IRAT checklist. Data requested should be tested to ensure reliable!

IIA Standard: 2320 Analysis and evaluation
Potential use for GAS: Used for substantive testing and any other analysis

IIA Standard: 2330 Recording information
Potential use for GAS: GAS able to record and secure evidence meaning it is sufficient, reliable, relevant and practical

Communicating the results (2400)

IIA Standard: 2410
Description: for communications to include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans
Potential use for GAS: Conclusions can be supported by analysis done in GAS, which may have been converted to graphics or data tables

The review has also ascertained guidelines on when auditors should consider drawing on GAS. In addition the research has uncovered two sets of guidance for auditors to follow when GAS is to be used. A survey has been designed to collect primary research data that will reflect the research identified during the literature review.

4 Empirical Research

4.1 Introduction
This chapter seeks to analyse empirical research collected to help achieve the research objectives:

- To investigate how generalised audit software is applied by internal audit providers.
- To evaluate the application of generalised audit software by internal audit providers.
- To develop a framework for the effective application of generalised audit software.

To achieve these objectives, the research set out a number of questions:

- To what extent is GAS used by internal audit providers?
- What GAS do internal audit providers use?
- When do internal auditors use GAS within the internal audit process (assurance activities)?
- How do internal auditors know when to use GAS?
- How do internal audit providers ensure they get optimal value from GAS?

The empirical research uses information collected from both the completed questionnaires and the literature review to answer these questions.

4.2 The Research Process

Web-based questionnaires were used as the research method to collect primary research data from two cohorts of internal audit providers: the Institute of Internal Auditors (UK & Ireland) Heads of Internal Audit (HIA) and the Council of Higher Education Internal Auditors (CHEIA). All HIA on the IIA's email distribution list were invited to complete the web-based questionnaire (as seen in Appendix B). 400 email invitations were sent and 109 emails were returned within 24 hours as undeliverable or out of office. In real terms the invitation reached 291 HIA. Similarly, an email was sent to the CHEIA email distribution list holding 95 members. All invitations were successfully delivered. This gave a total sample size of 386.

All the email invitations contained a narrative as an introduction to the research and to outline the research ethics. As an incentive, it was promised that those who completed the questionnaire would be sent the research analysis. The questionnaire was started online by 36 people; however, 7 failed to complete the whole questionnaire, leaving 29 responses out of a sample size of 386, a response rate of 7.5%. Questionnaires risk a low response rate, on average 10% (Swetnam, 2004). Therefore the number of responses received for this study was encouraging.

The time and resource constraints meant that the questionnaire was the optimal research method and the scope of the research sample was limited to two cohorts of internal audit providers. HIA and CHEIA were chosen to get a fair representation across public and private sector internal audit providers within the UK and also because these were easily accessible for the author.

4.3 Research Findings

The empirical research results are analysed and interpreted below in relation to the research objectives and research questions as outlined in Chapter 1. The findings also draw on relevant findings identified in the literature review.

4.3.1 To what extent is GAS used?

Internal audit providers have a choice of which tools they wish to use when performing audit engagements. GAS, as a data extraction and analysis tool, is one of these, and to investigate how it is applied by internal audit providers it was ascertained who actually uses it (see figure 1).

Figure 1: Percentage of respondents that use GAS

Figure 1 shows that the introduction of GAS has not convinced every internal audit provider, with 45% of respondents not using it at all. When asked the reasons for not using GAS the respondents provided varying reasons, as seen in Appendix ?. In summary, some of the responses can be interpreted as a lack of understanding about GAS and how it can be used. Some respondents admitted to not being familiar with this type of software and the benefits it can bring. Others said their internal department was too small and three people said it would not offer value for money because of the time needed to re-familiarise with the software and because GAS would not cover every auditable area.

4.3.2 What GAS do internal audit providers use?

As described in the literature review, GAS is defined and known by people in different ways but data extraction and analysis was the common factor. There are many tools that can do this and the research wanted to understand the type of software used to perform data extraction and analysis. Respondents were asked to choose which GAS they operate from the products highlighted by Gray (2006). Respondents could choose more than one tool, hence more than 21 responses. Figure 2 shows the most common GAS operated.

Figure 2: Type of GAS operated by respondents

The most popular GAS used were Excel and IDEA, with 69% of respondents using both of them. It is no surprise Excel is used by many auditors because it tends to be readily available as a general software package (see p41) and it is a package in which it is easy to perform quick analyses and charts. IDEA and ACL have been designed specifically for audit purposes and the research shows that 75% of the respondents have invested in this specific type of software. The research shows that internal auditors do not rely on one particular GAS during audit engagements and they may draw on one or more. Future research may want to understand if there is a link between audit tasks and GAS product used.

4.3.3 When do internal auditors use GAS within the internal audit process for assurance activities?

One of the key research objectives was to investigate how GAS is used by internal audit providers by understanding how and when GAS is used within an audit engagement. The questionnaire asked respondents to indicate when GAS is used based on the three areas underpinned by the IIA's International Standards for the Professional Practice of Internal Auditing: planning, testing and reporting (see p25-35). Respondents were also invited to provide other areas of an audit engagement where GAS is used, but this was left blank by all respondents, indicating that planning, testing and reporting were the only activities for which GAS was used.

Figure 3: Chart indicating assurance activities GAS is used and the frequency

Figure 3 shows a large proportion of respondents sometimes use GAS for planning and testing. The research also suggests that using GAS for reporting is far less popular, with 63% of respondents indicating they would never use GAS for this. Only one respondent uses GAS for every audit, specifically for planning only.

Further analysis for each assurance activity is provided below to explore specific reasons why GAS is used, sometimes used or never used.

5 Conclusion

5.1 Introduction
5.2 Conclusion from Literature Review
5.3 Conclusions from Empirical Research Conducted
5.4 Achievement of Research Objectives

6 Recommendations

6.1 Introduction
6.2 Based on conclusion findings


Will need several sub-headings

6.3 Naming
The literature review identified many different names and misnomers for generalised audit software. There were x, y & z. I would recommend that the Institute of Internal Auditors consolidate and develop a common name for use.

6.4 Further Research

Appendix A
Warner (1998, P42) identifies examples of what ACL can do:

Appendix ? Reasons GAS not used:

- Familiarisation time required for use of GAS not considered cost effective in view of only occasional use.
- we use As400 Query and Excel but not as GAS
- the Audit is too small to benefit from its use
- GAS is not considered relevant to a modern risk-based internal audit approach as described by the IIA-UK & Ireland.
- Budget constraints
- New IA function, with one goal being the introduction and use of GAS within the first 3 years.
- Have looked at software and concluded it would not be efficient or good value for money to use.
- If by GAS you are referring exclusively to internal audit data extraction and analysis software then the answer is no. This is because a) as an organisation we do not process high volumes of transactional data and b) as an organisation we use a product called Business Objects that enables the extraction of all required data for audit purposes. We do use software called Enterprise Risk Assessor for audit purposes but this is not data extraction software. Happy to discuss this if you wish.
- In the process of appraising software
- unsure of benefits of investing in software
- There is nothing which covers all the various areas which need to be audited in the University.
- We are a small IA department and I am the only employee. I manage the department, perform some audits and outsource other audits to a range of contract auditors. One of those is a firm specialising in IA and they use IDEA when appropriate or prompted by me. GAS skills need to be learned and used frequently in order to be applied usefully and easily and I do not consider that I would be able to achieve that.
- Never felt the need, lack of knowledge of such systems
- We have internal frameworks and documentation templates which are more flexible and suited to meet the services need

References
(ACFE) "Report to the Nation"
Arens, Alvin A. and Loebbecke, James K., (2000), Auditing an Integrated Approach. Prentice-Hall, Inc. 8th ed. New Jersey, USA
Braun, R.L. and Davis, H.E. (2003). Computer-assisted audit tools and techniques: analysis and perspectives. Managerial Auditing Journal, 18(9), 725-731. Retrieved February 18, 2008, from ABI/INFORM Global database. (Document ID: 521149271).
IIA ACL Survey
IIA Research Paper
Coderre, D.G. (2005). CAATTS & Other BEASTS for Auditors. Canada: Ekaros Analytical Inc.
The Institute of Internal Auditors, Standards for the Professional Practice of Internal Auditing (Altamonte Springs, FL: The Institute of Internal Auditors, 2007). Available at http://www.theiia.org/guidance/standardsand-practices/professional-practices-framework/standards/standards-forthe-professional-practice-of-internal-auditing/
Remenyi, D., Williams, B., Money, A. and Swartz, E. (1998). Doing Research in Business and Management: An Introduction to Process and Method. London: Sage.
Saunders, M., Lewis, P. and Thornhill, A. (2007). Research Methods for Business Students: Fourth Edition. Harlow: Pearson Education Limited.
Spencer Pickett, K.H. (2005). The essential handbook of internal auditing. John Wiley & Sons Ltd.

Bibliography
assurance. (n.d.). Dictionary.com Unabridged (v 1.1). Retrieved June 11, 2008, from Dictionary.com website: http://dictionary.reference.com/browse/assurance
Bierstaker, J. L., Burnaby, P., & Hass, S. (July 2003). Recent changes in internal auditors' use of technology. Internal Auditor, 18 (4), 39-45.
Boeheim, M. A., & Rieman, M. A. (1999). Data extraction and analysis software: An audit examination tool for a new millennium. The Secured Lender, 55 (5), 46-50.
Braun, R. L., & Davis, H. E. (2003). Computer-assisted audit tools and techniques: analysis and perspectives. Managerial Auditing Journal, 18 (9), 725-731.
Cangemi, M. P., & Singleton, T. (2003). Managing the Audit Function: a corporate audit department procedures guide (3rd Edition ed.). New Jersey: John Wiley & Sons, Inc.
Coderre, D. G. (2005). CAATTS & Other BEASTS for Auditors. Canada: Ekaros Analytical Inc.
Coderre, D. G. (2000). Computer-assisted fraud detection. The Internal Auditor, 57 (4), 25-27.
Drummond-Hill, J., Moore, S., Moulton, A., Nelson, R., & Seamour, S. (2004). Study Text: Internal Auditing (Second Edition ed.). London: The Institute of Internal Auditors - UK and Ireland.
Gray, G. L. (2006). An array of technology tools. The Internal Auditor, 63 (4), 56-62.
Hall, J. (2000), Information Systems Auditing and Assurance, 1st Ed., South-Western College Publishing, Mason, OH
Hirte, B., & Morgan, J. (1995). Smart auditing. The Internal Auditor, 52 (2), 38.
Hudson, M. E. (1998). CAATS and compliance. The Internal Auditor, 55 (2), 25-27.
Hyde, G. (2007). Enhanced audit testing. The Internal Auditor, 64 (4), 65-68.
Jackson, R. A. (2004). Get the most out of AUDIT TOOLS. The Internal Auditor, 61 (4), 36-47.
Keys Jr, T. E. (1995). Finding Profits in CAATs. The Internal Auditor, 52 (3), 64.
Kirk, B. (2000). Delivering speed, accuracy, compliance. The Internal Auditor, 57 (1), 25-27.
Lanza, R. B. (1998). Take my manual audit, please. Journal of Accountancy, 185 (6), 33-36.
Lynch, J. J. (1992). Eliminate the Auditors? The Internal Auditor, 49 (2), 26.
McCollum, T., & Salierno, D. (2003). Choosing the right tools. The Internal Auditor, 60 (4), 32-43.
Novin, A. M., & Pearson, M. A. (1994). Educating internal auditors. The Internal Auditor, 51 (6), 54.
Paukowits, F. (1998). Mainstreaming CAATs. The Internal Auditor, 55 (1), 19-21.
Paukowits, F., & Paukowits, K. (2000). Bridging CAATs and risk. The Internal Auditor, 57 (2), 27-29.
Pyzik, K. P. (1997). Building a better toolbox. The Internal Auditor, 54 (2), 32-35.
Ramamoorti, Sridhar and Marcia Weidenmier. The Pervasive Impact of Information Technology on Internal Auditing. In Research Opportunities in Internal Auditing, eds. Andrew D. Bailey Jr., Audrey A. Gramling and Sridhar Ramamoorti, 301-377. 2003. Institute of Internal Auditors Research Foundation. The IIA Online. Home page on-line. Altamonte Springs, Florida. Available from http://www.theiia.org/research/researchreports/research-opportunities-in-internal-audit/; Internet.

Remenyi, D., Williams, B., Money, A., & Swartz, E. (1998). Doing Research in Business and Management: An Introduction to Process and Method. London: Sage.

Saunders, M., Lewis, P., & Thornhill, A. (2007). Research Methods for Business Students (4th ed.). Harlow: Pearson Education Limited.

Sawyer, L. B., Dittenhofer, M. A., & Scheiner, J. H. (2003). Sawyer's Internal Auditing. Altamonte, Florida: The Institute of Internal Auditors.

Sayana, S. A. (2003). Using CAATs to Support IS Audit. Information Systems Control Journal, ? (?), ??

Silltow, J. (2002). Study Text: Business Information Systems Auditing. London: The Institute of Internal Auditors - UK and Ireland.

Singleton, T. (2006). Generalized Audit Software: Effective and Efficient Tool for Today's IT Audits. Information Systems Control Journal, ? (?), ?

Spencer Pickett, K. H. (2005). The essential handbook of internal auditing. Chichester: John Wiley & Sons Ltd.

Thompson, C. (2001). CAAT can do. The Internal Auditor, 58 (3), 73-75.

Weidenmier, M. L., & Herron, T. L. (2004). Selecting an Audit Software Package for Classroom Use. Journal of Information Systems, 18 (1), 95110.

Timeline: Child benefits records loss, BBC News Website, (http://news.bbc.co.uk/1/hi/uk_politics/7104368.stm) Accessed 16/07/2008
