Practical Case Studies of Caats
Babu Jayendran B.Sc(Hons), FCA, CISA

Unit -3: COMPUTER AS AUDIT AND CONTROL TOOL
Computer Aided Audit Techniques

Session 1
Controls and Auditing in Computer Environment
Frequently used checks such as Field Checks: numeric, Alpha, Lower Limit, Upper Limit, Range, Slab, Valid Codes, Sign test, check digits
Group of Fields Tests
Record Level Tests, Group of Records Tests
Table Level Tests and Checks such as control totals, hash totals
Inter table tests like Master present, Master missing
System and inter system tests
Reasonableness checks (Materiality)

Duration : 20 hours

Practical Approach (An Example):

Scenario
Sales transactions from a front end Point of Sale System are summarized and passed into the back-end accounting system through a sales transactions interface file. Let us assume that the Gross Sales, Discount, Sales Tax and Cash account entries are summarized and passed to the accounting system on a daily basis. The organization also has a sales register generated from the Point of Sale System, indicating the daily sales by invoice and giving the break up of Gross Sales, Discount, Sales Tax and Cash received.

Objective
To ensure that the summarized entries passed by the interface program to the accounting system are correct and accurate.

CAAT Tool
Assuming that there is no Generalised Audit Software or any utility programs available, a practical approach would be to use products like Microsoft Excel. Such products are very powerful and can be used as a very good substitute for table level tests, control totals, extraction etc.

Audit Steps
1) With the help of the organization's systems personnel, understand the data structure and file format of the Sales Transaction Interface file.
2) Understand the program logic used in the front end Point of Sale program to summarise the sales transactions.
3) Understand the program logic used by the interface program to pass the accounting entries to the accounting system.
4) Obtain the necessary approval for data access from the custodians of the data.
5) Based on a cut off date, transfer the Sales Transaction Interface file to a folder or library accessible to the auditor.
6) Import the Sales Transaction Interface file to Excel.
7) Use Excel's totaling functionality to total the columns for Gross Sales, Discount, Sales Tax and Cash received, for each date.
8) Verify that these totals match the totals in the Daily Sales Register of the front end Point of Sale system.
9) Check the ledger accounts for Gross Sales, Discount, Sales Tax and Cash in the accounting system and ensure that the entries passed on a daily basis tally with the summarized totals arrived at in the Excel spreadsheet.
10) If the figures do not tally, there could be a problem with the program logic of the interface program, and this will have to be reviewed by the auditor.
11) It is important to identify the cause of the problem, and the auditor's recommendation should address this.
12) Document the audit steps and findings.

Sessions 2-3: Audit Techniques
Review of Systems
Test data Checking (Simple, compound and complex errors)
Test data pack
Test data generation
Parallel processing
Parallel programming
Source Code Review
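
Audit steps 7, 8 and 10 of the Session 1 sales-interface example above can also be scripted when neither a spreadsheet nor an audit package is at hand. The following is an added example, not part of the original article; the file layouts, field names and sample rows are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

COLUMNS = ("gross_sales", "discount", "sales_tax", "cash")

# Constructed sample data; the layouts below are assumptions.
# Daily Sales Register from the Point of Sale system: one row per invoice.
REGISTER = [
    ("2024-03-01", "INV-001", "1000.00", "50.00", "95.00", "1045.00"),
    ("2024-03-01", "INV-002", "400.00", "0.00", "40.00", "440.00"),
    ("2024-03-02", "INV-003", "250.00", "25.00", "22.50", "247.50"),
]
# Sales Transaction Interface file: one summarized row per day.
INTERFACE = [
    ("2024-03-01", "1400.00", "50.00", "135.00", "1485.00"),
    ("2024-03-02", "250.00", "20.00", "22.50", "247.50"),  # discount differs
]

def totals_by_date(rows, first_amount_col):
    """Sum the four amount columns per date (audit step 7)."""
    totals = defaultdict(lambda: dict.fromkeys(COLUMNS, Decimal("0")))
    for row in rows:
        amounts = row[first_amount_col:first_amount_col + len(COLUMNS)]
        for name, value in zip(COLUMNS, amounts):
            totals[row[0]][name] += Decimal(value)
    return dict(totals)

def reconcile(register_rows, interface_rows):
    """Return (date, column, register_total, interface_total) for every
    figure that does not tally (audit steps 8 and 10)."""
    reg = totals_by_date(register_rows, 2)
    itf = totals_by_date(interface_rows, 1)
    zero = dict.fromkeys(COLUMNS, Decimal("0"))
    exceptions = []
    for date in sorted(set(reg) | set(itf)):  # also catches a missing day
        for name in COLUMNS:
            r = reg.get(date, zero)[name]
            i = itf.get(date, zero)[name]
            if r != i:
                exceptions.append((date, name, r, i))
    return exceptions

if __name__ == "__main__":
    for date, name, r, i in reconcile(REGISTER, INTERFACE):
        print(f"{date} {name}: register {r} vs interface {i}")
```

The same `reconcile` call can be pointed at an export of the daily ledger entries for step 9, since it only needs rows keyed by date with the four amounts.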

Practical Approach (An Example):

Scenario
Sales transactions from a front end Point of Sale System are summarized and passed into the back-end accounting system through a sales transactions interface file. Let us assume that the Gross Sales, Discount, Sales Tax and Cash account entries are summarized and passed to the accounting system on a daily basis. The organization also has a sales register generated from the Point of Sale System, indicating the daily sales by invoice and giving the break up of Gross Sales, Discount, Sales Tax and Cash received.

Objective
To ensure that the sales transactions captured by the front end Point of Sale program are correct and accurate.

CAAT Tool: Test data

Audit Steps
1) Understand the program logic used in the front end Point of Sale program to capture the sales transactions.
2) After getting the necessary approvals, install the Point of Sale program on a computer accessible to the auditor, for the purposes of testing.
3) Create test data for the different sales scenarios. The auditor should understand the business processes properly in order to create test data that will represent all sales conditions.
4) Enter the test data in the test system.
5) Document the test scenario, expected result and the actual result.
6) Review the Point of Sale program sales reports to ensure that the test data entered has been correctly and accurately reflected in the sales reports.
7) Document the audit steps and findings.

Sessions 4-6
Examination of Audit trail
Log file review
Random sampling Techniques
Using Generalized Audit Software
Using Audit Routines as part of regular software
Using separate audit programs
Audit systems
Audit of Systems Development process (including system documentation)
Audit of SDLC (Systems Development Life Cycle)
Pre / Concurrent / Post Audit of

Practical Approach (An Example):

Scenario
A trading company plans to carry out its annual physical stock take at its main warehouse.

Objective
To select a random sample of items that would give the auditor 90% confidence that it would represent the total population of the items at the warehouse and to carry out a physical count of these items.

CAAT Tool: Generalised Audit Software and Random Sampling.

Audit Steps
1) Obtain the necessary approval for data access from the custodians of the data.
2) Based on a cut off date, transfer the Item Master file, with the system balances, to a folder or library accessible to the auditor.
3) Convert the file to the record format of the Generalised Audit Software.
4) The number of records would represent the total population size of the items.
5) Use the Statistical Tools available in the Generalised Audit Software to establish the Sample Size. Attribute sampling technique can be used. Enter the following information:
   a. Expected Confidence Level
   b. Total Population Size
   c. Upper or Lower Error Limit
   d. Expected Error rate
6) Based on the sample size and initial random seed number, the Generalised Audit Software will automatically pick random items representing the sample.
7) List these items with their identification numbers and descriptions and a blank space to enter the physical count value.
8) The sort sequence could be based on item description. In large warehouses having bin locations, it may be worthwhile to sort the list by bin location so that the auditor will move in a structured manner rather than moving back and forth between bins. This can save a lot of time for the auditor.
9) Enter the physical count balances into the file converted in item (3) above.
10) Generate a discrepancy report and review the discrepancies.
11) If the actual error rate is greater than the expected error rate, re-enter the values in the statistical tool and re-compute the confidence level.
12) If the confidence level is not acceptable, re-compute the sample size and carry out a recount.
13) Document the audit steps and findings.

Sessions 7
Cyber Audit using remote log ins
Audit by simulation of errors, frauds
Audit of Data Security such as online, offline, offsite backups
Audit of System Security such as logins, access rights
System Performance Audit
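
Steps 5 to 12 of the stock-take sampling example above, sketched in code as an added example that is not part of the original article. It assumes a one-sided normal approximation with finite population correction for the sample size (a Generalised Audit Software package may use exact tables and return a different figure), and the Item Master records, field names and seed are constructed.

```python
import math
import random
from statistics import NormalDist

def attribute_sample_size(confidence, population, upper_limit, expected_rate):
    """Step 5: sample size from the four inputs the audit steps list.

    Assumption: one-sided normal approximation with finite population
    correction, not the exact binomial or hypergeometric method an audit
    package may apply.
    """
    z = NormalDist().inv_cdf(confidence)
    precision = upper_limit - expected_rate
    if precision <= 0:
        raise ValueError("upper error limit must exceed expected error rate")
    n0 = z * z * expected_rate * (1 - expected_rate) / precision ** 2
    return min(population, math.ceil(n0 / (1 + (n0 - 1) / population)))

def draw_count_sheet(item_master, sample_size, seed):
    """Steps 6 to 8: reproducible seeded pick, sorted by bin location."""
    picked = random.Random(seed).sample(item_master, sample_size)
    return sorted(picked, key=lambda item: (item["bin"], item["item_no"]))

def discrepancy_report(count_sheet, physical_counts):
    """Step 10: items whose physical count differs from the system balance."""
    return [
        (item["item_no"], item["balance"], physical_counts[item["item_no"]])
        for item in count_sheet
        if physical_counts[item["item_no"]] != item["balance"]
    ]

# Constructed Item Master of 5,000 records (all values are made up).
ITEM_MASTER = [
    {"item_no": f"ITM{n:05d}", "bin": f"B{n % 40:02d}", "balance": 10 + n % 7}
    for n in range(1, 5001)
]

if __name__ == "__main__":
    size = attribute_sample_size(0.90, len(ITEM_MASTER), 0.05, 0.02)
    sheet = draw_count_sheet(ITEM_MASTER, size, seed=20240331)
    # Constructed physical counts: all agree except the first item on the sheet.
    counts = {item["item_no"]: item["balance"] for item in sheet}
    counts[sheet[0]["item_no"]] -= 1
    report = discrepancy_report(sheet, counts)
    print("sample size:", size, "discrepancies:", report)
    # Steps 11 and 12: if the observed rate exceeds the expected rate, re-compute.
    observed = len(report) / size
    if observed > 0.02:
        print("revised size:", attribute_sample_size(0.90, 5000, 0.05, observed))
```

Recording the seed in the working papers lets a reviewer regenerate exactly the same count sheet from the same Item Master extract.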

Practical Approach (An Example):

Scenario
An Internet based trading company has hosted a website for trading.

Objective
To establish the vulnerabilities of the website using scanning tools.

CAAT Tool: Cyber Audit using Remote Login Scanning Tools

Audit Steps
1) Obtain the necessary approval for carrying out a remote scan from the custodians of the website.
2) Obtain the static IP address of the website.
3) Use a network security scanning tool to scan for vulnerabilities of the website.
4) Some Scanning Tools have the following components:
   a) Browser
      The browser is a normal web-browser that presents the links on a website in a convenient tree structure. It gives the auditor an idea of the organization of the website.
   b) Miner
      This is a CGI (Common Gateway Interface) vulnerability scanner. It also scans for common HTTP implementation vulnerabilities on a given host.
   c) Scanner
      This is a generic vulnerability scanner. There are 2 scan modes:
      Port Scan
      Complete Scan
   d) Tracer
      This is a simple trace-route utility that can be used to track the route that the given packet takes between two hosts.
5) The auditor should review the reports and assess the vulnerabilities.
6) All the vulnerabilities discovered are listed, along with a risk level assessment, with directions or suggestions on how the vulnerability may be fixed. Typically, the following information is provided for each vulnerability:
   a) The name of the vulnerability
   b) Risk Level (Low, Medium, High)
   c) A short description of the vulnerability
   d) How to fix the problem
7) Document the audit steps and findings.

Sessions 8-9
Data Extraction and Analysis Tools using SQL commands

Sessions 10
Case study/Project

Practical Approach (An Example):

Scenario
Sales transactions of an organization are recorded in a Sales Transactions file and the Cost of each item in the Item master file.

Objective
To establish whether any item has been sold below the cost price.

CAAT Tool: SQL Commands

Audit Steps
1) Obtain the necessary approval for data access from the custodians of the data.
2) Based on a cut off date, transfer the Sales Transactions file and the Item Master file to a folder or library accessible to the auditor.
3) With the help of the organization's systems personnel, understand the data structure and file format of the Sales Transactions file and the Item Master file.
4) Understand the program logic for populating the relevant fields in the Sales Transactions file and the Item Master file.
5) Create a query to extract all items where the net sales price is less than the cost price.
6) If the database supports SQL Queries, the auditor should select the relevant fields, like Item Details, Invoice Number, Invoice Date, Net Sales Price, Cost Price, Gross Loss, % of Loss, User ID of person making the Invoice, etc., from both the files, since the actual sales price will be available in the Sales Transactions file and the cost price in the Item Master file.
7) The files should be joined by a common key, which, in this case, could be the item number.
8) For the exceptions found, check the necessary approvals.
9) Document the audit steps and findings.

Conclusion:
CAATs are a very powerful tool in the hands of auditors and I do hope that I have been able to trigger a thought process in the minds of students. My suggestion is that when studying these concepts, try and practically carry out some audit tests as indicated in this article so there will be clarity in your learning. Students are the future of our Institute and I strongly believe in tapping their full potential.
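
The below-cost extraction in steps 5 to 7 of the SQL case study, written out as an added example that is not part of the original article. The table names, column names and rows are constructed assumptions, SQLite stands in for whatever database the organization uses, and % of Loss is taken on cost price; a second query applies the "Master missing" inter-table test from Session 1, because the inner join silently drops sales of items absent from the Item Master.

```python
import sqlite3

# Assumed table and column names; the rows are constructed sample data.
SCHEMA = """
CREATE TABLE item_master (item_no TEXT PRIMARY KEY, description TEXT, cost_price REAL);
CREATE TABLE sales_transactions (
    invoice_no TEXT, invoice_date TEXT, item_no TEXT,
    net_sales_price REAL, user_id TEXT);
INSERT INTO item_master VALUES
    ('A100', 'Kettle', 20.00), ('A200', 'Toaster', 35.00);
INSERT INTO sales_transactions VALUES
    ('INV-001', '2024-03-01', 'A100', 24.00, 'clerk1'),
    ('INV-002', '2024-03-01', 'A200', 28.00, 'clerk2'),
    ('INV-003', '2024-03-02', 'A100', 20.00, 'clerk1'),
    ('INV-004', '2024-03-02', 'A999', 5.00, 'clerk2');
"""

# Steps 5 to 7: join on item number, keep rows sold below cost.
BELOW_COST = """
SELECT s.item_no, m.description, s.invoice_no, s.invoice_date,
       s.net_sales_price, m.cost_price,
       ROUND(m.cost_price - s.net_sales_price, 2) AS gross_loss,
       ROUND(100.0 * (m.cost_price - s.net_sales_price) / m.cost_price, 2) AS pct_loss,
       s.user_id
FROM sales_transactions AS s
JOIN item_master AS m ON m.item_no = s.item_no
WHERE s.net_sales_price < m.cost_price
ORDER BY pct_loss DESC
"""

# "Master missing" test: sales rows with no matching Item Master record.
MASTER_MISSING = """
SELECT s.invoice_no, s.item_no
FROM sales_transactions AS s
LEFT JOIN item_master AS m ON m.item_no = s.item_no
WHERE m.item_no IS NULL
"""

def run_audit_queries():
    """Load the sample data and return (below_cost_rows, master_missing_rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    below_cost = conn.execute(BELOW_COST).fetchall()
    master_missing = conn.execute(MASTER_MISSING).fetchall()
    conn.close()
    return below_cost, master_missing

if __name__ == "__main__":
    for rows in run_audit_queries():
        print(rows)
```

The user ID column in the first result is what step 8 needs in order to trace each exception back to the person who raised the invoice and the approval behind it.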