Continous Auditing Through Leveraging Technology
Content
Copyright © 2006 ISACA. All rights reserved. www.isaca.org.
Continuous Auditing Through Leveraging Technology
By Srinivas Sarva, CISA
“The world we have created today as result of our thinking thus far has problems which cannot be solved by thinking the way we thought when we created them.” —Albert Einstein “Use technology to actually audit as opposed to using technology to automate manual auditing procedures.” —Comments from Big 4 Audit Partners1 ith companies’ annual reports ceasing to be corporate ambassadors, quarterly reports are increasingly taking centre stage in the evaluation process of bestperforming companies. Bowing to time constraints, the benefit of this quarterly information mix being systematically audited (for its data integrity) is conspicuous by its absence. In this scenario, continuous auditing, which leverages technology, offers considerable advantages over traditional auditing, which still adopts tools that are neither applicable nor efficacious. Unfamiliarity with concurrent auditing tools and techniques will delay the audit profession’s entry into the online delivery of information system and/or financial statement assurance. This article is not intended to deplore or discount traditional auditing techniques, but is directed toward analysing perceptions of current and future options for the preparation, delivery and assurance of financial information online. The article attempts to espouse the urgency of a structure within which continuous auditing may be developed—new ways of thinking, new standards, new software products and, above all else, new approaches from the accounting and auditing professions. For Internet-based, real-time financial information to have value, decision makers need real-time assurances from an independent third party that the information is secure, accurate and reliable. The auditing profession has been slow to adapt to the information needs of online users of financial data. A 1999 research report co-sponsored by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA)2 has brought out a pressing requirement for delivery of practical solutions. This study concluded that, while continuous auditing of financial data is technologically viable, real-time assurance will require significant re-orientation of the auditor’s role in a real-time information system. Such issues as security over the audit process and increased flexibility of reporting formats need to be addressed and resolved by the auditing profession. Current auditing standards provide little guidance for information that is presented in nonstandard formats or that is updated on a continuous basis.
What Is Continuous Auditing?
Continuous auditing is “a methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors’ reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter.”3 A continuous audit relies heavily on information technologies such as broad bandwidth, web application server technology, web scripting solutions and ubiquitous database management systems with standard connectivity. Open database architecture empowers auditors to monitor a company’s systems over the Internet using sensors and digital agents. Incongruities between the records and the rules defined in the digital agents are transmitted via e-mail to the client and the auditor. For example, a digital agent performing analytical procedures on the accounts receivable would e-mail the auditor a huge outstanding beyond the receivable parameters defined in the digital agent. Once an account trigger has occurred, the digital agent would move to the transactional level to verify the authenticity of the sale by seeking an e-mail confirmation of the sale and acceptance of the goods/service by the customer. The audit routine described above is done electronically and automatically on a real-time basis as a part of continuous monitoring. Continuous audit takes off after this when an auditor, empowered with data, carries out independent confirmation and collects corroborative evidence to arrive at his/her own deductions. In this example, the auditor will re-send the e-mail to the customer to check the correctness of the mail ID and obtain a confirmation from the customer, if the situation demands. He/she will also assess the liquidity status of the customer to honor the debt commitment from publicly available financial statements. When an organisation tries to implement continuous auditing, the performance limitation is not the client’s system’s ability to perform multiple audit routines in real time on very high volumes of daily transactions, but the update frequency of the client’s records. If a company updates its system on a daily basis, the digital agents will be limited to daily execution. But in a majority of institutions, updating is done on a monthly or weekly basis. The time has arrived for the accounting firms to move toward some form of continuous auditing to compete. This is especially true for firms auditing public companies, which are actively traded on an exchange.
W
The Need for Continuous Auditing
Though the 1999 research report from CICA and AICPA advocated the urgency and relevancy of continuous audit, the
1
JOURNALONLINE
industry has not facilitated the electronic access to information, and the profession has not vigorously pursued the cause of continuous audit. The spate of financial scandals in highly publicised companies in the recent past has brought in its wake the US Sarbanes-Oxley Act of 2002, whose section 404 compliance warrants implementation of continuous auditing.4 Management and auditors now have to rely on the IT amenities and tools that facilitate continuous monitoring and continuous auditing. The availability of affordable technology has also resulted in the integration of technology with continuous auditing. Developments on the IT front that made the time right for continuous auditing include: • Strong processors capable of being partitioned for running parallel activities • Disk mirroring and raid systems that provide the ability to capture transactions • Petabytes (a petabyte is one thousand trillion bytes) of cheap disk storage • Broadband networks delivering high speed data transfer • Strong encryption algorithms to provide a high level of security
Continuous audits are viable when there is a high degree of automation of the processes used to capture, manipulate, store and disseminate data related to the subject matter under audit.
Avenues of Continuous Audit
The continuous audit methodologies can be broken down into three different data levels, which are basic areas of data examination: • Keystroke level • Transaction level • Transaction pattern level Keystroke Level To be successful in thorough policing through continuous auditing, the parsing of every keystroke for the operation of database utilities is essential. Critical relational databases, used for financial statement compilation, can be manipulated through the use of utilities, the most common of which is Structured Query Language (SQL). SQL statements, the standard language for relational database management systems, are used to perform tasks such as updating data on, or retrieving data from, a database. Some common relational database management systems that use SQL are Oracle, Sybase, Microsoft SQL Server, Access and Ingres. Today’s end users are familiar with this utility, and anyone who is determined to commit a fraud and armed with the necessary system authorisation can update a master file in seconds, with no trace whatsoever. For example, standard SQL commands, such as select, join, project, insert, update, delete, create and drop, can be used to accomplish almost everything that one needs to do with a database. The use of such utilities should never be needed in normal times except when the referential integrity of database entities may be lost (such situations require a trained technician, not an application user, to repair). The utilities must be operated only with the database administrator password. Password control exists just for this reason—to prevent unauthorised access to various areas of the system. But in many real-life situations, the passwords of the superuser are loosely guarded and frequently changed. To defraud the company using SQL or SQL derivatives, security clearance is needed; the user must be signed on at the highest authority. The auditor electronically watches the selected SQL commands through continuous monitoring and, upon a system trigger being generated by an audit tool, will compile through electronic data interchange the corroborative evidence to evaluate the impact of the command and take appropriate action online to curtail the impact of the event. The auditor can seek explanations from the auditee groups and form an opinion on real-time compliance of requisite policies and procedures. Transaction Level Transactions are generally validated at the time of entry by the application software. Such validations are relatively simple processes, e.g., the date is within range, the field is numeric, or the field is mandatory or non-mandatory. Traditionally, the auditor checks the master file data with a CAAT, which offers
JOURNALONLINE
Hurdles in Implementing Continuous Auditing
Two of the biggest hurdles, aside from the technical ones, are the client’s buy-in and staff training. Accustomed to annual audits and all they entail, clients will not be favorably disposed to continuous monitoring unless it is unobtrusive. In addition, continuous auditing requires accounting firms to have direct access to information systems. Companies are already uneasy about the level of access that auditing firms have now, so allowing direct access will require high levels of trust and commitment. To perform a continuous audit, the auditor has to develop utility programs that routinely perform during the normal processing of the enterprise’s day-to-day operations. Auditors can also rely on utility software that is used in running the system. Continuous audit warrants access to exception transactions identified by computer-assisted audit technique (CAAT) programs and not the whole of the database. Control tools in the form of role-based access controls (RBACs) incorporated in the day-to-day programs through transaction objects (programmed data) and task profiles for each of the roles must be thoroughly reviewed by auditors before placing reliance on them. While RBACs are incorprated in the access control policy of the organisation, its reality check is to be confirmed by continuous audit. Continuous auditing facilitates online review of changes either in the assigned membership of a role or a role profile of RBAC. Momentary downgrading of controls and excecution of conflicting roles by the same user can be tracked and recorded only by continuous audit. For this requisite software, technical skills, in addition to knowledge of the subject matter, are to be obtained by the auditors. Further, external auditors have to rely more on knowledge, expertise and the work of internal auditors, which can be used most effectively in setting up a continuous audit process. Positive fallout from continuous auditing services include shorter audit cycle, increased flexibility, customisable reports to clients and third parties, and reduced audit-related costs.
2
batch processing of extracted data and performs powerful investigative examination of transactions. This review, on many occasions, is too late to prevent fraudulent transactions. This limitation is not because of the generic weakness of the tools, but because of its positioning and timing in the accounting process. If the auditor is able to invoke the tool in real time and position that tool immediately after the update of the master file, the tool will deliver its potential in real time, and the naissance of true continuous auditing will be experienced and felt. Currently developed IT tools provide safe and secure alerts in the form of e-mail and SMS texts to auditors in real time for further review at their end. These alerts will be triggered not by events but by rules, by which data integrity and completeness can be assured, that are to be endorsed by the auditor. If a particular event does not satisfy a rule, CAAT tools will immediately alert the auditors for their intervention. The skills required by auditors to operate, monitor and maintain these systems dynamically do not reside wholly within the current auditing/accounting communities, but rather in the realms of business information technology experts. To carry out the fiduciary role assigned to them, auditors must acquire such skills. Transaction Pattern Level Monitoring keystrokes dynamically and running CAAT software in real time are powerful audit tools, but there is a third level that will facilitate the auditor to attest to and report on management’s assessment of internal control under section 404 of the Sarbanes-Oxley Act. This level is the monitoring of data over a period of time using expert systems and rule-based criteria. For example, the update of a vendor master database is a continuous and ongoing process for a growing enterprise. Normally, such updates are in the form of fresh additions to the vendor list or the complete deletion of a vendor. Partial changes to particular fields of a vendor record within a short span of time (say, a few minutes or hours) is an ominous sign that needs to be reviewed (see the example in figure 1). Figure 1—Monitoring
Action 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Acceptable to System Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
System administrator (SA) signs on remotely. SA goes to master file maintenance routines. SA opens supplier master file, searches for supplier. SA changes mailing address of supplier. SA selects supplier invoice post routines. SA posts invoice for supplier just amended. SA selects payment run and cheques are produced. SA selects mail label run for suppliers with cheques. SA goes back to master file maintenance. SA changes supplier mailing address to original.
Figure 1, while simplistic and far-fetched, highlights the fact that fraud may be detected only in groups of transactions, may transpire over considerable time periods and may eventually culminate in fraudulent activities. To decipher such activities, a four-level mechanism has to be in place: 1. Data and transactions originating from various sources are processed in level one, where basic application editing occurs. At this stage, applications continue to run as normal, interacting with the various users. 2. At level two, all transactions and keystrokes are mapped to their requisite XCAL schemas, in real time, and are captured forensically on a daily basis. 3. Level three takes these transactions and keystrokes though real-time CAAT processing, where the full range of checks is carried out. This process runs slightly after the application level, but the delay is measured in nanoseconds. This is the first level where alerts may be sent out to a designated online systems audit centre (OLSAC). OLSAC should include those highly trained and skilled in business processes, information systems and auditing who can monitor alerts and investigate them online. The alerts are delivered through secure virtual private networks (VPNs) and are graded for levels of gravity. Transactions are kept for only one day at this level but pass through immediately to level four where they are stored for years. 4. Level four is where the expert systems trawl through the stored and newly arrived transactions looking for patterns as defined by the expert rules. These rules are treated similarly to virus definitions and are stored and updated in a central repository by industry type. As new intelligence develops new rule sets, they are automatically delivered and applied to the systems running in level four. This has a similar alert processing system to level three, but these alerts are more likely to be of a complex nature and may be graded differently from others. A further strength of level four is its ability to interface with various agencies to inquire and verify data given in transactions. An instance may be a new commercial order placed by a vendor that causes online inquiries to be made against creditworthiness and business performance in the last three years. The investigating OLSAC is also equipped with software that allows for forensic, evidential capture of transactions and snapshots of PC hard drives and databases. This software will be capable of running over existing networks whilst processing it live. Capture is authorised by the organisation, but users are unaware when the capture is undertaken. An audit application runs in concert with standard financial application suites, such as those offered by SAP, Oracle and PeopleSoft, monitoring each transaction conducted by the suite and looking out for exception transactions that violate the rules and practices. These rules are programmed in beforehand by the company’s auditor. When the application detects a deviation, it issues a warning report or an alert to top management and the auditor. Any corrective action and response by management should be to the satisfaction of the auditor.
JOURNALONLINE
3
Conclusion
Though the principles of auditing have not altered for centuries, there have been metamorphous changes in the means of handing over audit deliverables in the past decade. Legacy audit methodology has lost its relevancy in the current age of instant certification of information. It has to give way to continuous audit, which has become a professional imperative. With all the advances in IT, the cost of adopting continuous audit is no more prohibitive. The only forbidding thing in continuous auditing is the development of requisite software. With programming becoming more lucid and user-friendly, auditors need to make a one-time investment in getting programs developed to meet the continuous audit. Auditors have to visualise different scenarios for embedding them in the expert rules. By doing this, the auditor will no longer need to review sample data, but the whole of the transaction population can be viewed through remote monitoring. If the auditor has the necessary ability, he/she can remotely monitor every transaction that has material implications. IT, in recent times, has come a long way in facilitating the omnipresence of the auditor. In this ongoing development of continuous auditing, it remains to be seen whether the profession is brave enough to seize the opportunities that this new paradigm presents.
Endnotes
www.nysscpa.org/cpajournal/2003/0503/dept/d054603.htm Wood, Richard L. (study chair); Grant Thornton, http://csdl2.computer.org/comp/proceedings/hicss/2001/0981/ 07/09817049.pdf and www.cica.ca/index.cfm/ci_id/ 987/la_id/1.htm 3 Institute of Internal Auditors, Ottawa Chapter Newsletter, May 2004, www.theiia.org/chapters/pubdocs/94/IIA_May _2004_Newsletter.pdf 4 Interview with Mr. Castellano, chairman of the board of directors for Baker Tilly International, with WebCPA, www.webcpa.com/article.cfm?articleid=14584 and www.aicpa.org/info/sarbanes_oxley_summary.htm
1 2
Srinivas Sarva, CISA is manager of internal audit with Bharat Heavy Electricals Limited, India, a leading power equipment manufacturer. Sarva can be contacted at [email protected]
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. © Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org
4
JOURNALONLINE
Continuous Auditing Through Leveraging Technology
By Srinivas Sarva, CISA
“The world we have created today as result of our thinking thus far has problems which cannot be solved by thinking the way we thought when we created them.” —Albert Einstein “Use technology to actually audit as opposed to using technology to automate manual auditing procedures.” —Comments from Big 4 Audit Partners1 ith companies’ annual reports ceasing to be corporate ambassadors, quarterly reports are increasingly taking centre stage in the evaluation process of bestperforming companies. Bowing to time constraints, the benefit of this quarterly information mix being systematically audited (for its data integrity) is conspicuous by its absence. In this scenario, continuous auditing, which leverages technology, offers considerable advantages over traditional auditing, which still adopts tools that are neither applicable nor efficacious. Unfamiliarity with concurrent auditing tools and techniques will delay the audit profession’s entry into the online delivery of information system and/or financial statement assurance. This article is not intended to deplore or discount traditional auditing techniques, but is directed toward analysing perceptions of current and future options for the preparation, delivery and assurance of financial information online. The article attempts to espouse the urgency of a structure within which continuous auditing may be developed—new ways of thinking, new standards, new software products and, above all else, new approaches from the accounting and auditing professions. For Internet-based, real-time financial information to have value, decision makers need real-time assurances from an independent third party that the information is secure, accurate and reliable. The auditing profession has been slow to adapt to the information needs of online users of financial data. A 1999 research report co-sponsored by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA)2 has brought out a pressing requirement for delivery of practical solutions. This study concluded that, while continuous auditing of financial data is technologically viable, real-time assurance will require significant re-orientation of the auditor’s role in a real-time information system. Such issues as security over the audit process and increased flexibility of reporting formats need to be addressed and resolved by the auditing profession. Current auditing standards provide little guidance for information that is presented in nonstandard formats or that is updated on a continuous basis.
What Is Continuous Auditing?
Continuous auditing is “a methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors’ reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter.”3 A continuous audit relies heavily on information technologies such as broad bandwidth, web application server technology, web scripting solutions and ubiquitous database management systems with standard connectivity. Open database architecture empowers auditors to monitor a company’s systems over the Internet using sensors and digital agents. Incongruities between the records and the rules defined in the digital agents are transmitted via e-mail to the client and the auditor. For example, a digital agent performing analytical procedures on the accounts receivable would e-mail the auditor a huge outstanding beyond the receivable parameters defined in the digital agent. Once an account trigger has occurred, the digital agent would move to the transactional level to verify the authenticity of the sale by seeking an e-mail confirmation of the sale and acceptance of the goods/service by the customer. The audit routine described above is done electronically and automatically on a real-time basis as a part of continuous monitoring. Continuous audit takes off after this when an auditor, empowered with data, carries out independent confirmation and collects corroborative evidence to arrive at his/her own deductions. In this example, the auditor will re-send the e-mail to the customer to check the correctness of the mail ID and obtain a confirmation from the customer, if the situation demands. He/she will also assess the liquidity status of the customer to honor the debt commitment from publicly available financial statements. When an organisation tries to implement continuous auditing, the performance limitation is not the client’s system’s ability to perform multiple audit routines in real time on very high volumes of daily transactions, but the update frequency of the client’s records. If a company updates its system on a daily basis, the digital agents will be limited to daily execution. But in a majority of institutions, updating is done on a monthly or weekly basis. The time has arrived for the accounting firms to move toward some form of continuous auditing to compete. This is especially true for firms auditing public companies, which are actively traded on an exchange.
W
The Need for Continuous Auditing
Though the 1999 research report from CICA and AICPA advocated the urgency and relevancy of continuous audit, the
1
JOURNALONLINE
industry has not facilitated the electronic access to information, and the profession has not vigorously pursued the cause of continuous audit. The spate of financial scandals in highly publicised companies in the recent past has brought in its wake the US Sarbanes-Oxley Act of 2002, whose section 404 compliance warrants implementation of continuous auditing.4 Management and auditors now have to rely on the IT amenities and tools that facilitate continuous monitoring and continuous auditing. The availability of affordable technology has also resulted in the integration of technology with continuous auditing. Developments on the IT front that made the time right for continuous auditing include: • Strong processors capable of being partitioned for running parallel activities • Disk mirroring and raid systems that provide the ability to capture transactions • Petabytes (a petabyte is one thousand trillion bytes) of cheap disk storage • Broadband networks delivering high speed data transfer • Strong encryption algorithms to provide a high level of security
Continuous audits are viable when there is a high degree of automation of the processes used to capture, manipulate, store and disseminate data related to the subject matter under audit.
Avenues of Continuous Audit
The continuous audit methodologies can be broken down into three different data levels, which are basic areas of data examination: • Keystroke level • Transaction level • Transaction pattern level Keystroke Level To be successful in thorough policing through continuous auditing, the parsing of every keystroke for the operation of database utilities is essential. Critical relational databases, used for financial statement compilation, can be manipulated through the use of utilities, the most common of which is Structured Query Language (SQL). SQL statements, the standard language for relational database management systems, are used to perform tasks such as updating data on, or retrieving data from, a database. Some common relational database management systems that use SQL are Oracle, Sybase, Microsoft SQL Server, Access and Ingres. Today’s end users are familiar with this utility, and anyone who is determined to commit a fraud and armed with the necessary system authorisation can update a master file in seconds, with no trace whatsoever. For example, standard SQL commands, such as select, join, project, insert, update, delete, create and drop, can be used to accomplish almost everything that one needs to do with a database. The use of such utilities should never be needed in normal times except when the referential integrity of database entities may be lost (such situations require a trained technician, not an application user, to repair). The utilities must be operated only with the database administrator password. Password control exists just for this reason—to prevent unauthorised access to various areas of the system. But in many real-life situations, the passwords of the superuser are loosely guarded and frequently changed. To defraud the company using SQL or SQL derivatives, security clearance is needed; the user must be signed on at the highest authority. The auditor electronically watches the selected SQL commands through continuous monitoring and, upon a system trigger being generated by an audit tool, will compile through electronic data interchange the corroborative evidence to evaluate the impact of the command and take appropriate action online to curtail the impact of the event. The auditor can seek explanations from the auditee groups and form an opinion on real-time compliance of requisite policies and procedures. Transaction Level Transactions are generally validated at the time of entry by the application software. Such validations are relatively simple processes, e.g., the date is within range, the field is numeric, or the field is mandatory or non-mandatory. Traditionally, the auditor checks the master file data with a CAAT, which offers
JOURNALONLINE
Hurdles in Implementing Continuous Auditing
Two of the biggest hurdles, aside from the technical ones, are the client’s buy-in and staff training. Accustomed to annual audits and all they entail, clients will not be favorably disposed to continuous monitoring unless it is unobtrusive. In addition, continuous auditing requires accounting firms to have direct access to information systems. Companies are already uneasy about the level of access that auditing firms have now, so allowing direct access will require high levels of trust and commitment. To perform a continuous audit, the auditor has to develop utility programs that routinely perform during the normal processing of the enterprise’s day-to-day operations. Auditors can also rely on utility software that is used in running the system. Continuous audit warrants access to exception transactions identified by computer-assisted audit technique (CAAT) programs and not the whole of the database. Control tools in the form of role-based access controls (RBACs) incorporated in the day-to-day programs through transaction objects (programmed data) and task profiles for each of the roles must be thoroughly reviewed by auditors before placing reliance on them. While RBACs are incorprated in the access control policy of the organisation, its reality check is to be confirmed by continuous audit. Continuous auditing facilitates online review of changes either in the assigned membership of a role or a role profile of RBAC. Momentary downgrading of controls and excecution of conflicting roles by the same user can be tracked and recorded only by continuous audit. For this requisite software, technical skills, in addition to knowledge of the subject matter, are to be obtained by the auditors. Further, external auditors have to rely more on knowledge, expertise and the work of internal auditors, which can be used most effectively in setting up a continuous audit process. Positive fallout from continuous auditing services include shorter audit cycle, increased flexibility, customisable reports to clients and third parties, and reduced audit-related costs.
2
batch processing of extracted data and performs powerful investigative examination of transactions. This review, on many occasions, is too late to prevent fraudulent transactions. This limitation is not because of the generic weakness of the tools, but because of its positioning and timing in the accounting process. If the auditor is able to invoke the tool in real time and position that tool immediately after the update of the master file, the tool will deliver its potential in real time, and the naissance of true continuous auditing will be experienced and felt. Currently developed IT tools provide safe and secure alerts in the form of e-mail and SMS texts to auditors in real time for further review at their end. These alerts will be triggered not by events but by rules, by which data integrity and completeness can be assured, that are to be endorsed by the auditor. If a particular event does not satisfy a rule, CAAT tools will immediately alert the auditors for their intervention. The skills required by auditors to operate, monitor and maintain these systems dynamically do not reside wholly within the current auditing/accounting communities, but rather in the realms of business information technology experts. To carry out the fiduciary role assigned to them, auditors must acquire such skills. Transaction Pattern Level Monitoring keystrokes dynamically and running CAAT software in real time are powerful audit tools, but there is a third level that will facilitate the auditor to attest to and report on management’s assessment of internal control under section 404 of the Sarbanes-Oxley Act. This level is the monitoring of data over a period of time using expert systems and rule-based criteria. For example, the update of a vendor master database is a continuous and ongoing process for a growing enterprise. Normally, such updates are in the form of fresh additions to the vendor list or the complete deletion of a vendor. Partial changes to particular fields of a vendor record within a short span of time (say, a few minutes or hours) is an ominous sign that needs to be reviewed (see the example in figure 1). Figure 1—Monitoring
Action 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Acceptable to System Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
System administrator (SA) signs on remotely. SA goes to master file maintenance routines. SA opens supplier master file, searches for supplier. SA changes mailing address of supplier. SA selects supplier invoice post routines. SA posts invoice for supplier just amended. SA selects payment run and cheques are produced. SA selects mail label run for suppliers with cheques. SA goes back to master file maintenance. SA changes supplier mailing address to original.
Figure 1, while simplistic and far-fetched, highlights the fact that fraud may be detected only in groups of transactions, may transpire over considerable time periods and may eventually culminate in fraudulent activities. To decipher such activities, a four-level mechanism has to be in place: 1. Data and transactions originating from various sources are processed in level one, where basic application editing occurs. At this stage, applications continue to run as normal, interacting with the various users. 2. At level two, all transactions and keystrokes are mapped to their requisite XCAL schemas, in real time, and are captured forensically on a daily basis. 3. Level three takes these transactions and keystrokes though real-time CAAT processing, where the full range of checks is carried out. This process runs slightly after the application level, but the delay is measured in nanoseconds. This is the first level where alerts may be sent out to a designated online systems audit centre (OLSAC). OLSAC should include those highly trained and skilled in business processes, information systems and auditing who can monitor alerts and investigate them online. The alerts are delivered through secure virtual private networks (VPNs) and are graded for levels of gravity. Transactions are kept for only one day at this level but pass through immediately to level four where they are stored for years. 4. Level four is where the expert systems trawl through the stored and newly arrived transactions looking for patterns as defined by the expert rules. These rules are treated similarly to virus definitions and are stored and updated in a central repository by industry type. As new intelligence develops new rule sets, they are automatically delivered and applied to the systems running in level four. This has a similar alert processing system to level three, but these alerts are more likely to be of a complex nature and may be graded differently from others. A further strength of level four is its ability to interface with various agencies to inquire and verify data given in transactions. An instance may be a new commercial order placed by a vendor that causes online inquiries to be made against creditworthiness and business performance in the last three years. The investigating OLSAC is also equipped with software that allows for forensic, evidential capture of transactions and snapshots of PC hard drives and databases. This software will be capable of running over existing networks whilst processing it live. Capture is authorised by the organisation, but users are unaware when the capture is undertaken. An audit application runs in concert with standard financial application suites, such as those offered by SAP, Oracle and PeopleSoft, monitoring each transaction conducted by the suite and looking out for exception transactions that violate the rules and practices. These rules are programmed in beforehand by the company’s auditor. When the application detects a deviation, it issues a warning report or an alert to top management and the auditor. Any corrective action and response by management should be to the satisfaction of the auditor.
JOURNALONLINE
3
Conclusion
Though the principles of auditing have not altered for centuries, there have been metamorphous changes in the means of handing over audit deliverables in the past decade. Legacy audit methodology has lost its relevancy in the current age of instant certification of information. It has to give way to continuous audit, which has become a professional imperative. With all the advances in IT, the cost of adopting continuous audit is no more prohibitive. The only forbidding thing in continuous auditing is the development of requisite software. With programming becoming more lucid and user-friendly, auditors need to make a one-time investment in getting programs developed to meet the continuous audit. Auditors have to visualise different scenarios for embedding them in the expert rules. By doing this, the auditor will no longer need to review sample data, but the whole of the transaction population can be viewed through remote monitoring. If the auditor has the necessary ability, he/she can remotely monitor every transaction that has material implications. IT, in recent times, has come a long way in facilitating the omnipresence of the auditor. In this ongoing development of continuous auditing, it remains to be seen whether the profession is brave enough to seize the opportunities that this new paradigm presents.
Endnotes
www.nysscpa.org/cpajournal/2003/0503/dept/d054603.htm Wood, Richard L. (study chair); Grant Thornton, http://csdl2.computer.org/comp/proceedings/hicss/2001/0981/ 07/09817049.pdf and www.cica.ca/index.cfm/ci_id/ 987/la_id/1.htm 3 Institute of Internal Auditors, Ottawa Chapter Newsletter, May 2004, www.theiia.org/chapters/pubdocs/94/IIA_May _2004_Newsletter.pdf 4 Interview with Mr. Castellano, chairman of the board of directors for Baker Tilly International, with WebCPA, www.webcpa.com/article.cfm?articleid=14584 and www.aicpa.org/info/sarbanes_oxley_summary.htm
1 2
Srinivas Sarva, CISA is manager of internal audit with Bharat Heavy Electricals Limited, India, a leading power equipment manufacturer. Sarva can be contacted at [email protected]
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. © Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org
4
JOURNALONLINE
