Professional Documents
Culture Documents
Module 9_ Data Analytics
Module 9_ Data Analytics
MODULE 9
● Identification of areas where poor data
Data analytics is an important tool for an IS auditor. quality exists
Through the use of technology, an IS auditor can ● Performance of risk assessment at the
select and analyze full data sets to continuously planning phase of an audit
audit or monitor key organizational data for
abnormalities or variances that can be used to PROCESS IN DATA ANALYTICS IN AUDIT
identify and evaluate organizational risk and
1. Setting the scope - determining audit/review
compliance with control and regulatory requirements.
objectives; defining data needs, sources and
reliability
DATA ANALYTICS - This is the starting point, all of the procedures
should be related to the scope.
2. Identifying and obtaining the data -
Data analytics is the science of fusing
requesting data from responsible sources,
heterogeneous data from various sources, drawing
testing a sample of data, extracting the data
relations and causalities among them, making
for use
predictions to gain insights, and supporting
- We need to identify where will we get the data
decision-making
(external or internal sources).
- Data science and data analytics are often being
3. Validating the data - determining if the data
interchanged.
are sufficient and reliable to perform audit
- However, the two topics are distinct from each
tests by:
other.
○ Validating balances independent of the
- Data science covers tasks related to finding
data set extracted
patterns in large data sets, training machine
○ Reconciling detailed data to report control
learning models, and deploying AI application.
totals
- Data analytics on the other hand is one of the
○ Validating numeric, character and date
tasks that resides under data science umbrella.
fields
- Specialization of data science focuses on
○ Verifying the time period of the data set
querying, interpreting, and visualizing data sets
(i.e., meets scope and purpose)
which are basically the procedures performed by
○ Verifying that all necessary fields in
IS auditors when analyzing evidences.
scoping are actually included in the
acquired data set
DATA ANALYTICS IN AUDIT
- In this process, we are going to apply the
- Data analytics is data-driven and relies with the learnings from the previous module with
availability of data. regards to the standards of the audit
- For big company with voluminous data, the evidences.
usage of data analytics greatly help the IS - You must ensure that the data you obtained
auditors during audit fieldwork. from the second process is sufficient and
- The IS auditor may set goals and parameters reliable.
that are within the IS auditors’ threshold and 4. Executing the tests - running scripts and
materiality level or even those that may be performing other analytical tests
considered red flags for checking. 5. Documenting the results - recording the
- Hence, the data analytics may be used in: testing purpose, data sources and conclusions
reached
● Determination of the operational - All procedures performed and the purpose
effectiveness of the current control should be included as well in your
environment documentation in the working paper.
● Determination of the effectiveness of 6. Reviewing the results - ensuring that the
antifraud procedures and controls testing procedures have been adequately
● Identification of business process errors performed and reviewed by a qualified person
● Identification of business process - This is the supervisory process in the audit
improvements and inefficiencies in the control review because after the procedures are
environment performed, of course in the audit, still someone
● Identification of exceptions or unusual is going to review your work.
business rules 7. Retaining the results - maintaining important
● Identification of fraud test elements, such as:
○ If you are familiar with the numbering query-based system is built on the knowledge
system, this includes the binary, base of senior auditors or managers.
hexadecimal, and decimal. ● results of each test are compared to
○ When you say flat-file, it consists of a single predetermined expectations to obtain an
table of data. objective assessment of application logic and
● GAS provides an IS auditor with an control effectiveness
independent means to gain access to data for
analysis and the ability to use high-level, - This technique involves the utilization of a copy
problem-solving software to invoke functions of the live computer system through which a
to be performed on data files. Features include series of transactions is passed in order to
mathematical computations, stratification, produce predetermined results.
statistical analysis, sequence checking, - This technique, while effective in searching for
duplicate checking and recomputations defects, is limited by the volume of data that
○ GAS is designed specifically for auditors in can be handled.
order to provide a user-friendly audit to - Creating a test data requires a complete set of
carry out a variety of standard tasks valid and invalid transactions.
required by the auditor, such as examining - Incomplete test data may explore critical
records, testing calculations, and making branches of application logic and error
computations. checking routines.
○ One example of GAS is the Audit Command - Test transactions should be designed to test all
Language (ACL). possible input errors, logical process, and
irregularities.
COMMON FUNCTIONS SUPPORTED BY GAS
UTILITY SOFTWARE
● File access—Enables the reading of different
● Utility software is a subset of software—such
record formats and file structures
as report generators of the database
○ When accessing the file, you harness the
management system—that provides evidence
information from their system.
about system control effectiveness.
● File reorganization—Enables indexing,
- Utility software is already covered in AIS 5135 -
sorting, merging and linking with another file
ISOM.
● Data selection—Enables global filtration
conditions and selection criteria
○ In here, you filter the data that is within the DEBUGGING/TRACING/MAPPING
parameters that you set. ● The review of an application system will
● Statistical functions—Enables sampling, provide information about internal controls
stratification and frequency analysis built in the system
○ Will aid you in the selection of sample size - Debugging is usually associated with the
that we discussed in our previous modules. testing of the systems development cycle, but
● Arithmetical functions—Enables arithmetic might as well helpful during audits since you
operators and functions can have an overview or map of the system.
○ This includes the basic addition,
subtraction, multiplication, division, or some EXPERT SYSTEMS
other algebraic functions.
● Gives direction and valuable information to all
levels of auditors while carrying out the audit
TEST DATA because the query-based system is built on
● Test data involve an IS auditor using a sample the knowledge base of senior auditors or
set of data to assess whether logic errors exist managers
in a program and whether the program meets - This is already discussed in Module 2.
its objectives. The review of an application
system will provide information about internal
AUDIT APPLICATION OF CAATS
controls built in the system. The audit-expert
system will give direction and valuable ● Tests of the details of transactions and
information to all levels of auditors while balances
carrying out the audit because the ● Analytical review procedures
● Compliance tests of IS general controls
implementation and must make greater use of management adopting continuous monitoring as a
automated tools that are suitable for their process on a day-to-day basis. Often, the audit
organization’s automated environment. This takes function will hand over the techniques used in
the form of the continuous audit approach continuous auditing to the business, which will then
run the continuous monitoring. This collaboration has
CONTINUOUS AUDITING AND MONITORING led to increased appreciation among process owners
of the value that the audit function brings to the
Continuous auditing is an approach used by IS organization, leading to greater confidence and trust
auditors to monitor system reliability on a between the business and the audit function.
continuous basis and gather selective audit Nevertheless, the lack of independence and
evidence through the computer. A distinctive objectivity inherent in continuous monitoring should
characteristic of continuous auditing is the short time not be overlooked, and continuous monitoring should
lapse between the facts to be audited, the collection never be considered as a substitute for the audit
of evidence and audit reporting. function.
It is important to validate the source of the data 2. Continuous and intermittent simulation (CIS)
used for continuous auditing and note the possibility
● During a process run of a transaction, the
of manual changes.
computer system simulates the instruction
execution of the application. As each
CONTINUOUS AUDITING TECHNIQUES transaction is entered, the simulator decides
whether the transaction meets certain
Continuous audit techniques are important IS audit
predetermined criteria and, if so, audits the
tools, particularly when they are used in time-sharing
transaction. If not, the simulator waits until it
environments that process a large number of
encounters the next transaction that meets the
transactions but leave a scarce paper trail. By
criteria.
permitting an IS auditor to evaluate operating
● Useful when only transactions meeting certain
controls on a continuous basis without disrupting the
criteria need to be examined
organization’s usual operations, continuous audit
● Complexity: MEDIUM
techniques improve the security of a system. When a
- The application software always tests for
system is misused by someone withdrawing money
transactions that meet a certain criteria.
from an inoperative account, a continuous audit
- When a criteria is met, the software runs an
technique will report this withdrawal in a timely
audit of the transaction—this is what we call
fashion to an IS auditor. Thus, the time lag between
the intermittent test.
the misuse of the system and the detection of that
- Then the computer waits until the next
misuse is reduced. The realization that failures,
transaction meeting those criteria occurs.
improper manipulation and lack of controls will be
- This provides for the continuous audit as a
detected on a timely basis by the use of continuous
selected transaction occurs.
audit procedures gives an IS auditor and
management greater confidence in a system’s
reliability. 3. Snapshots
● This technique involves taking what might be
termed “pictures” of the processing path that
FIVE TYPES OF AUTOMATED EVALUATION
a transaction follows, from the input to the
TECHNIQUES APPLICABLE TO CONTINUOUS
output stage. With the use of this technique,
AUDITING
transactions are tagged by applying
identifiers to input data and recording
1. Audit hooks selected information about what occurs for an
● This technique involves taking what might be IS auditor’s subsequent review.
termed “pictures” of the processing path that a ● Useful when an audit trail is required
transaction follows, from the input to the output ● Complexity: MEDIUM
stage. With the use of this technique, - This technique involves the use of special audit
transactions are tagged by applying identifiers modules embedded in samples of specific
to input data and recording selected transactions.
information about what occurs for an IS - The modules make copies of the key parts of
auditor’s subsequent review. the transactions often by copying database
● involves embedding hooks in application records and storing them independently.
systems to function as red flags and induce IS - This allows an auditor to trace specific
security and auditors to act before an error or transactions through an application to view
irregularity gets out of hand the state of transactions as they flow through
● Useful when only select transactions or the entire application.
processes need to be examined
● Complexity: LOW 4. Integrated test facility (ITF)
- Audit hooks are special audit modules which ● In this technique, dummy entities are set up
are placed in key points in the application and and included in an auditee’s production files.
are designed to trigger if a specific audit An IS auditor can make the system either
exception or special condition occurs. process live transactions or test transactions
- This can alert the auditors with the situation during regular processing runs and have these
permitting them to decide whether additional transactions update the records of the
action is required. dummy entity. The operator enters the test
transactions simultaneously with the live
transactions that are entered for processing. An to understand and evaluate the system with and
auditor then compares the output with the data without the use of continuous audit techniques. In
that have been independently calculated to addition, an IS auditor must recognize that
verify the correctness of the continuous audit techniques are not a cure for all
computer-processed data. control problems and the use of these techniques
● Useful when it is not beneficial to use test provides only limited assurance that the information
data processing systems examined are operating as they
● Complexity: HIGH were intended to function.
- ITF permits test transactions to be processed
in a live application environment.
Techniques that are used to operate in a
- A separate test entity is required however so
continuous auditing environment must work at
that the test data does not alter financial or
all data levels—single input, transaction and
business results because test data does not
databases—and include:
present actual transactions.
- Test data are only simulated
transactions—those data that are created by Techniques that are used to operate in a continuous
auditors includes all the possible errors and auditing environment must work at all data
good data. levels—single input, transaction and databases—and
- Like in the ITF, we are using live data here. include:
● Transaction logging
5. Systems control audit review file and ● Query tools
embedded audit modules (SCARF/EAM) ● Statistics and data analysis
● DBMS
● The use of this technique involves embedding
● Data warehouses, data marts, data mining
specially written audit software in the
● Intelligent agents
organization’s host application system so the
● EAM
application systems are monitored on a
● Neural network technology
selective basis.
● Standards such as Extensible Business
● Useful when regular monitoring cannot be
Reporting Language (XBRL)
interrupted
● Complexity: VERY HIGH
Intelligent software agents may be used to automate
- Special audit software modules are embedded
the evaluation processes and allow for flexibility and
in the application and these modules perform
dynamic analysis capabilities. The configuration and
continuous auditing and create independent
application of intelligent agents (sometimes referred
log of audit results.
to as bots) allow for continuous monitoring of
- System level audit program used to monitor
systems settings and the delivery of alert messages
multiple embedded audit modules inside the
when certain thresholds are exceeded or certain
application software.
conditions are met.
- This is usually considered a mainframe class of
control.
Full continuous auditing processes have to be
carefully built into applications and work in layers.
The auditing tools must operate in parallel to normal
RELATIVE ADVANTAGES AND processing—capturing real-time data, extracting
DISADVANTAGES OF THE VARIOUS standardized profiles or descriptors, and passing the
CONTINUOUS AUDIT TOOLS result to the auditing layers.