Adapting your audit philosophy to COSO utilizing CAATS By Kate Head Audit and Investigations Manager, University of South

Florida 2002 As auditors we are often advisors to anage ent in relation to the i !le entation of new auto ated finan"ial syste s# $uring these efforts, we see to %e "onstantly re inding anage ent not to i !le ent a new syste %ased on the &old way' of doing %usiness# (e as) the to re*thin) their %usiness !ro"esses to enhan"e effe"tiveness, redu"e redundan"y, and fully utili+e the new fun"tions !rovided %y the newer tools# ,et, when we as auditors internally i !le ent an auto ated audit tool, su"h as A-., we often forget to !ra"ti"e what we !rea"h# (e too, try to in"or!orate A-. fun"tionality into the e/isting audit !ro"ess rather than re*thin)ing the audit !ro"ess and the affe"t this tool will have on audit de!art ent o!erations# In 0112, -2S2 told us that we needed to reassess our audit !ro"esses to in"or!orate soft "ontrols**not 3ust hard "ontrols# -2S2 also told us that one of the least i !ortant "o !onents of the internal "ontrol environ ent was a"tually those "ontrol !ro"esses we had s!ent 40*506 of our ti e evaluating# 7raditional auditing was %ased on the !rin"i!al that we should identify )ey "ontrols and then sele"t a re!resentative sa !le of transa"tions to verify their e/isten"e# If our sa !le indi"ates that these )ey "ontrols are fun"tioning, we "an a)e "ertain re!resentations regarding the finan"ial fun"tion %eing reviewed# 7here was little testing or evaluation of soft "ontrols# In 0118, -2-2 even further refined the "on"e!t !resented in -2S2 and !rovided us a series of twenty o%3e"tives of an effe"tive internal "ontrol syste # -2S2 9and -2-2: told us the ost i !ortant "o !onent of internal "ontrol was the "ontrol environ ent# But auditors "ontinue to struggle on how to evaluate ;tone fro the to!#; Soft "ontrols su"h as anage ent integrity, !hiloso!hy, and ethi"s have %een hard to <uantify# ,et we )now that e !loyee "o !lian"e with "ontrols is integrally tied to these fa"tors# 7he other three "o !onents of internal "ontrol 9ris) assess ent, infor ation and "o uni"ation, and onitoring: "an %e rated as e<ually i !ortant# 7esting of these !rin"i!als also did not see to fit with our traditional odel of s!ending ini al ti e on ris) assess ent and the a3ority of audit ti e on testing "ontrols# 2ften only 00 !er"ent of our audit ti e was s!ent in ris) assess ent 9see e/hi%it A:# =is) assess ent was often li ited to !erfor ing a few si !le analyti"al review !ro"edures and do"u enting "ontrol !ro"esses through narratives and flow"harts# =is) assess ent tools were li ited to de"iding what fun"tions to test#

2002 USF 2I>

In order to ado!t the !rin"i!als of -2S2 9and -2-2: you need to %e a%le to shift the audit ti e to in"lude a signifi"ant evaluation of the "ontrol environ ent, in"luding an assess ent of ris), a review of the infor ation availa%le to users a%out the syste and "ontrol !ro"esses, and an assess ent of the ade<ua"y of onitoring of o!erations# 9See e/hi%it B: 7he use of auto ated -AA7S easily !er its a shift to -2S2 9e/hi%it -:# Using -AA7S has for"ed auditors to learn ore a%out the finan"ial syste to %e reviewed# 7he auditor naturally o%tains a ore detailed overview of the infor ation and "o uni"ation !ro"esses in !la"e# 2ften the sa e infor ation used to train users is used to train auditors# Meetings with anagers and users on o!erational ris)s not only allows anage ent to share their )nowledge of the o!erational ris)s %ut allows the auditor to get a gli !se of the "ontrol environ ent through these intera"tions# In addition, onitoring syste s are "arefully reviewed %y auditors who are gaining infor ation a%out availa%le data sour"es# 2ften these onitoring re!orts are useful in -AA7 testing? therefore, they are ore "arefully analy+ed# As a result signifi"antly ore ti e is s!ent in understanding the "ontrol environ ent, infor ation and "o uni"ation syste s, and onitoring a"tivities# 7he !reli inary review of "ontrol !ro"esses is then li ited to those areas in whi"h "ontrol ris) is signifi"ant# 7his ini i+es ti e s!ent in evaluating low ris) o!erational areas and !la"es the a!!ro!riate a ount of e !hasis on these "ontrol a"tivities# (hile syste strengths and wea)nesses are still identified, this infor ation is used in deter ining what a nor al transa"tion loo)s li)e and where ris)s of errors ight o""ur# @ven %efore true -AA7 testing has %egun, the auditor is well on the way to evaluating four attri%utes of "ontrolA "ontrol environ ent, infor ation and "o uni"ation !ro"esses, onitoring syste s, and "ontrol a"tivities# 7he last "riteria for the esta%lish ent of an ade<uate internal "ontrol syste is the assess ent of ris)# 2ften these ris) are not !urely finan"ial and ay %e o!erational in nature# 7he assess ent of ris) is one area in whi"h -AA7 tools really shine# 7he data ining a"tivities used in -AA7S allow for a ore "o !rehensive assess ent of ris)# $ata ining is %ased on the a%ility to review large data files and drill down into the data to o%tain ore and ore detailed infor ation# Fun"tions su"h as analy+e, "lassify, and stratify allow the auditor to assess the data <ui")ly and to deter ine the degree of ris) asso"iated with various "ategories of transa"tions# 2n"e these high*ris) areas are identified, an ano aly*%ased testing a!!roa"h "an %e utili+ed#

2002 USF 2I>

An assu !tion is ade that if the internal "ontrol stru"ture is wor)ing effe"tively, transa"tions will fall within e/!e"ted li its# Ano aly*%ased testing allows you to &ignore' those transa"tions that a!!ear reasona%le and allow you to "on"entrate your efforts on those transa"tions that have a higher !ro%a%ility of errors and irregularities# 7ransa"tions that do not eet the nor ally e/!e"ted range "an either %e natural ano alies in the environ ent, unintentional errors not identified %y the "ontrol a"tivities, or fraudulent transa"tions# In all of these situations, there is a good !otential that the "ontrol a"tivities failed# As a result, you are testing the "ontrol environ ent without having to evaluate all of the )ey "ontrols# ,ou are also eeting the audit standards for loo)ing for &red flags' of fraud and are not !la"ing undue e !hasis on the hard "ontrols# 2n"e you have lo"ated unidentified errors or irregularities, a review of the !ro"esses surrounding these transa"tions will hel! identify the hard and soft "ontrols that were issing or were not %eing i !le ented !ro!erly# In addition, the sa e audit !ro"edures you develo! to identify ano alies "an later %e used as "ontinuous onitoring tools %y anage ent# 7his will allow anage ent to !erfor an on*going evaluation of the "ontrol environ ent and !rovide a value*added audit servi"e# An e/a !le of this a!!roa"h is a re"ent audit of tele"o uni"ations we !erfor ed# After !erfor ing a ris) assess ent !ro"ess, we felt our highest ris) area was long distan"e "alls# (e used A-. not only to re!ort unusual a"tivity 9e/"essive long distan"e, fre<uent "alls to the sa e nu %er, e/"essive lengths, "osts, et":, %ut we were a%le to test for )nown ano alies su"h as "alls ade %y ter inated e !loyees 9indi"ating !hone "odes had not %een "an"elled:, and fa"ulty "odes used in dor itories 9indi"ating isuse of fa"ulty "odes:# (e were a%le to easily identify these "alls and !rovide an e/"ellent "ontinuous onitoring tool for anagers# (e also were a%le to re"al"ulate the !hone %ills and ensure anage ent that the syste was rating and %illing "alls !ro!erly# Sin"e A-. "an %e used to test 0006 of transa"tions, the audit re!ort also "an %e a ore %alan"ed re!ort of ris)s and itigating "ontrols# In the e/a !le a%ove we were a%le to re!ort that 0006 of the "alls were !ro!erly rated# 7he i !le entation of -AA7 tools will allow you to shift your efforts to %e ore in line with the -2S2 !yra id, !rovide ore infor ation and tools for anagers, and will in"rease the effi"ien"y and effe"tiveness of the audit de!art entBs o!erations# 7he audit !ro"ess goes fro a "he")list or !rogra driven !ro"ess to an intera"tive analysis of the high*ris) transa"tion in an o!erations# Manage ent %e"o es an integral !art of the !ro"ess fro ris) assess ent to resolving issues

2002 USF 2I>

identified %y the audit# @ !hasis is !la"ed on those ris)s that are un itigated rather than verifying "ontrol to deter ine their e/isten"e# 9See @/hi%it $:

2002 USF 2I>

@/hi%it A

Old Audit Model

Creli D=is) Assess ent 10%

7esting

70-80%

=e!orting

10-20%

@/hi%it B

COSO Auditing
-o !rehensive =is) Assess ent, In"luding I7 =is)s 7esting =e!orting 40-50%

40-50% 10%

@/hi%it -

2002 USF 2I>

Paradigm Shift
Old Model 'o#u! of Audit &m,ha!i! 0e!t! to 1etermine "e,ort &m,ha!i! 'inding! 0ran!a#tion 1ri(en %nternal Control! Com,lian#e .ith /e Control! +e. Model Pro#e!! 1ri(en "i!$ A!!e!!ment Pre!en#e of -nmitigated "i!$!

)i!tori#al *a!ed %n!tan#e O(erall A!!e!!ment of of +on-Com,lian#e "i!$ Control Wea$ne!!e! Wa ! to "edu#e "i!$ or %n#rea!e &ffi#ien#

@/hi%it $

&ffe#t on Pro#e!!
Old Model Preliminar 0e!ting Audit Planning S#o,e &!ta6li!hment *a!i! of S#o,e "e,ort 0iming 'inding! Che#$li!t 1ri(en *a!ed on Pa!t Audit5 Standard Plan! Set at *eginning7 %nfle8i6le Auditor 3udgment At &nd of 0e!ting Control 'la.!5 +oted %neffi#ien#ie! +e. Model Pro#e!! 1ri(en %ntera#ti(e A!!e!!ment Pro#e!! &!ta6li!hed after "i!$ A!!e!!ed7 'le8i6le Auditor2Manager A!!e!!ment of "i!$ Continuou! Wa ! to "edu#e "i!$ "i!$2%n#r4 &ffi#ien#

2002 USF 2I>