DATA ANALYTICS
MODULE 9
Data analytics is an important tool for an IS auditor.
Through the use of technology, an IS auditor can
select and analyze full data sets to continuously
audit or monitor key organizational data for
abnormalities or variances that can be used to
identify and evaluate organizational risk and
compliance with control and regulatory requirements.
DATA ANALYTICS
Data analytics is the science of fusing
heterogeneous data from various sources, drawing
relations and causalities among them, making
predictions to gain insights, and supporting
decision-making
- Data science and data analytics are often being
interchanged.
- However, the two topics are distinct from each
other.
- Data science covers tasks related to finding
patterns in large data sets, training machine
learning models, and deploying AI application.
- Data analytics on the other hand is one of the
tasks that resides under data science umbrella.
- Specialization of data science focuses on
querying, interpreting, and visualizing data sets
which are basically the procedures performed by
IS auditors when analyzing evidences.
DATA ANALYTICS IN AUDIT
- Data analytics is data-driven and relies with the
availability of data.
- For big company with voluminous data, the
usage of data analytics greatly help the IS
auditors during audit fieldwork.
- The IS auditor may set goals and parameters
that are within the IS auditors’ threshold and
materiality level or even those that may be
considered red flags for checking.
- Hence, the data analytics may be used in:
● Determination of the operational
effectiveness of the current control
environment
● Determination of the effectiveness of
antifraud procedures and controls
● Identification of business process errors
● Identification of business process
improvements and inefficiencies in the control
environment
● Identification of exceptions or unusual
business rules
● Identification of fraud
MARIA BERNISE DIMZON • ELEINA BEA BERNARDO
● Identification of areas where poor data
quality exists
● Performance of risk assessment at the
planning phase of an audit
PROCESS IN DATA ANALYTICS IN AUDIT
1. Setting the scope - determining audit/review
objectives; defining data needs, sources and
reliability
- This is the starting point, all of the procedures
should be related to the scope.
2. Identifying and obtaining the data -
requesting data from responsible sources,
testing a sample of data, extracting the data
for use
- We need to identify where will we get the data
(external or internal sources).
3. Validating the data - determining if the data
are sufficient and reliable to perform audit
tests by:
○ Validating balances independent of the
data set extracted
○ Reconciling detailed data to report control
totals
○ Validating numeric, character and date
fields
○ Verifying the time period of the data set
(i.e., meets scope and purpose)
○ Verifying that all necessary fields in
scoping are actually included in the
acquired data set
- In this process, we are going to apply the
learnings from the previous module with
regards to the standards of the audit
evidences.
- You must ensure that the data you obtained
from the second process is sufficient and
reliable.
4. Executing the tests - running scripts and
performing other analytical tests
5. Documenting the results - recording the
testing purpose, data sources and conclusions
reached
- All procedures performed and the purpose
should be included as well in your
documentation in the working paper.
6. Reviewing the results - ensuring that the
testing procedures have been adequately
performed and reviewed by a qualified person
- This is the supervisory process in the audit
review because after the procedures are
performed, of course in the audit, still someone
is going to review your work.
7. Retaining the results - maintaining important
test elements, such as:
1
 Module 9: Data Analytics
○ Program files
○ Scripts
○ Macros/automated command tests
○ Data files
- You must just be familiarized with the steps
but Sir Jordan would not include this process
in your exams in the quiz 4 and the finals.
Data analytics can be effective for an IS auditor in
both the planning and fieldwork phases of the audit.
POSSIBLE APPLICATIONS
● Combining logical access files with human
resources employee master files for
authorized users
● Combining file library settings with data from
the change management systems and dates
of file changes that can be matched to dates
of authorized events
● Matching ingress with egress records to
identify tailgating in physical security logs
- Ingress - enter; egress; exit
● Reviewing table or system configuration
settings
● Reviewing system logs for unauthorized
access or unusual activities
● Testing system conversion
● Testing logical access SoD (e.g., analyzing
Active Directory data combined with job
descriptions)
COMPUTER-ASSISTED AUDIT TECHNIQUES
● Used to gather and analyze data during an IS
audit or review
● Enable an IS auditor to gather information
independently
● Provide a means to gain access and analyze
data for a predetermined audit objective and
to report the audit findings with emphasis on
the reliability of the records produced and
maintained in the system
- CAATs are needed because of the large volumes
of data in multiple locations involved in the
managing of the complex business environment.
- It involves the merging of software in the audit
program.
- In order for this to be effective, key control
questions must be predefined in order to facilitate
the use of the technology to analyze the data and
provide the answers.
- Advantages from the auditors’ perspective
includes increase in productivity, creativity, and
the application of consistent methodology.
MARIA BERNISE DIMZON • ELEINA BEA BERNARDO
- CAATs are capable of executing a variety of
automated compliance tests and substantive
tests that would be nearly impossible to perform
manually due to the volume of transactions.
- These specialized tools may include multifunction
audit utilities which can analyze logs, perform
variability tests, or verify specific implementation
of compliance in a system configuration
compared to the expected or intended controls.
- Though not necessarily required, programming
skills is a useful or additional knowledge that can
be advantageous for an IS auditor to possess.
- But before using CAATs, you must first request the
permission of the auditee, especially if you are a
third-party auditor since you are going to access
their system.
CAATs are important tools that an IS auditor uses to
gather and analyze data during an IS audit or
review. When systems have different hardware and
software environments, data structures, record
formats or processing functions, it is almost
impossible for an IS auditor to collect certain
evidence without using such a software tool.
CAATs also enable an IS auditor to gather
information independently. They provide a means
to gain access and analyze data for a
predetermined audit objective and to report the
audit findings with emphasis on the reliability of the
records produced and maintained in the system.
The reliability of the source of the information used
provides reassurance on findings generated.
Here are some examples of CAATs:
CAATs include many types of tools and techniques
such as:
● generalized audit software (GAS)
● utility software
● debugging and scanning software
● test data
● application software tracing and mapping
● expert systems
CAATS include many types of tools and
techniques such as:
GENERALIZED AUDIT SOFTWARE
● GAS refers to standard software that has the
capability to directly read and access data
from various database platforms, flat-file
systems and ASCII formats.
○ ASCII stands for American Standard Code
for Information Interchange.
2
 Module 9: Data Analytics
○ If you are familiar with the numbering
system, this includes the binary,
hexadecimal, and decimal.
○ When you say flat-file, it consists of a single
table of data.
● GAS provides an IS auditor with an
independent means to gain access to data for
analysis and the ability to use high-level,
problem-solving software to invoke functions
to be performed on data files. Features include
mathematical computations, stratification,
statistical analysis, sequence checking,
duplicate checking and recomputations
○ GAS is designed specifically for auditors in
order to provide a user-friendly audit to
carry out a variety of standard tasks
required by the auditor, such as examining
records, testing calculations, and making
computations.
○ One example of GAS is the Audit Command
Language (ACL).
COMMON FUNCTIONS SUPPORTED BY GAS
● File access—Enables the reading of different
record formats and file structures
○ When accessing the file, you harness the
information from their system.
● File reorganization—Enables indexing,
sorting, merging and linking with another file
● Data selection—Enables global filtration
conditions and selection criteria
○ In here, you filter the data that is within the
parameters that you set.
● Statistical functions—Enables sampling,
stratification and frequency analysis
○ Will aid you in the selection of sample size
that we discussed in our previous modules.
● Arithmetical functions—Enables arithmetic
operators and functions
○ This includes the basic addition,
subtraction, multiplication, division, or some
other algebraic functions.
TEST DATA
● Test data involve an IS auditor using a sample
set of data to assess whether logic errors exist
in a program and whether the program meets
its objectives. The review of an application
system will provide information about internal
controls built in the system. The audit-expert
system will give direction and valuable
information to all levels of auditors while
carrying out the audit because the
MARIA BERNISE DIMZON • ELEINA BEA BERNARDO
query-based system is built on the knowledge
base of senior auditors or managers.
● results of each test are compared to
predetermined expectations to obtain an
objective assessment of application logic and
control effectiveness
- This technique involves the utilization of a copy
of the live computer system through which a
series of transactions is passed in order to
produce predetermined results.
- This technique, while effective in searching for
defects, is limited by the volume of data that
can be handled.
- Creating a test data requires a complete set of
valid and invalid transactions.
- Incomplete test data may explore critical
branches of application logic and error
checking routines.
- Test transactions should be designed to test all
possible input errors, logical process, and
irregularities.
UTILITY SOFTWARE
● Utility software is a subset of software—such
as report generators of the database
management system—that provides evidence
about system control effectiveness.
- Utility software is already covered in AIS 5135 -
ISOM.
DEBUGGING/TRACING/MAPPING
● The review of an application system will
provide information about internal controls
built in the system
- Debugging is usually associated with the
testing of the systems development cycle, but
might as well helpful during audits since you
can have an overview or map of the system.
EXPERT SYSTEMS
● Gives direction and valuable information to all
levels of auditors while carrying out the audit
because the query-based system is built on
the knowledge base of senior auditors or
managers
- This is already discussed in Module 2.
AUDIT APPLICATION OF CAATS
● Tests of the details of transactions and
balances
● Analytical review procedures
● Compliance tests of IS general controls
3
 Module 9: Data Analytics
● Compliance tests of IS application controls
● Network and OS vulnerability assessments
● Penetration testing
○ Secured exercise where a cyber security
expert attempts to find and exploit the
weaknesses or vulnerabilities of a computer
system
● Application security testing and source code
security scans
An IS auditor should have a thorough understanding
of CAATs and know where and when to apply them.
For example, an IS auditor should review the results
of engagement procedures to determine whether
there are indications that irregularities or illegal acts
may have occurred. Using CAATs could aid
significantly in the effective and efficient detection of
irregularities or illegal acts.
An IS auditor should weigh the costs and benefits of
using CAATs before going through the effort, time
and expense of purchasing or developing them.
THINGS TO CONSIDER
Issues to consider include:
● Ease of use for existing and future audit staff
● Training requirements
● Complexity of coding and maintenance
● Flexibility of uses
● Installation requirements
● Processing efficiencies
● Effort required to bring the source data into
the CAATs for analysis
● Ensuring the integrity of imported data by
safeguarding their authenticity
● Recording the time stamp of data
downloaded at critical processing points to
sustain the credibility of the review
● Obtaining permission to install the software
on the auditee servers
● Reliability of the software
● Confidentiality of the data being processed
- To summarize, we should first consider the
cost-benefit analysis in securing CAATs.
- Aside from the acquisition, there are also costs
such as the installation, maintenance, periodic
updates, as well as the training of the IS
auditors who will use the CAATs.
- The CAATs should be aligned with the audit
objectives and we should also take into
consideration any laws and regulations if any,
with regards to the usage of CAATs.
MARIA BERNISE DIMZON • ELEINA BEA BERNARDO
When developing CAATs, the following are
examples of documentation to be retained:
● Online reports detailing high-risk issues for
review
● Commented program listings
● Flowcharts
● Sample reports
● Record and file layouts
● Field definitions
● Operating instructions
● Description of applicable source documents
WHEN USING CAATS
● CAATs documentation should be referenced to
the audit program and clearly identify the
audit procedures and objectives being served.
○ The usage of CAATS, purpose, and
application should be likewise be
documented in the working papers.
● When requesting access to production data for
use with CAATs, an IS auditor should request
read-only access.
○ This is a cardinal rule in audit. Auditors
should only have a read-only access and
should not in any way given the opportunity
to alter and tamper the live production data
files.
● Any data manipulation by an IS auditor
should be applied to copies of production files
in a controlled environment to ensure that
production data are not exposed to
unauthorized updating.
○ This is in relation to the second bullet. A
master file should still be maintained and
procedures such as indexing, filtering, and
analysis should be done on the duplicate
copy.
● Most CAATs allow for production data to be
downloaded from production systems to a
stand-alone platform and then analyzed from
the standalone platform, thereby insulating the
production systems from any adverse impact.
CAATS AS A CONTINUOUS ONLINE AUDIT
APPROACH
An important advantage of CAATs is the ability to
improve audit efficiency through continuous online
auditing techniques. To this end, an IS auditor must
develop audit techniques that are appropriate for
use with advanced information systems. In addition,
they must be involved in the creation of advanced
systems at the early stages of development and
4
 Module 9: Data Analytics
implementation and must make greater use of
automated tools that are suitable for their
organization’s automated environment. This takes
the form of the continuous audit approach
CONTINUOUS AUDITING AND MONITORING
Continuous auditing is an approach used by IS
auditors to monitor system reliability on a
continuous basis and gather selective audit
evidence through the computer. A distinctive
characteristic of continuous auditing is the short time
lapse between the facts to be audited, the collection
of evidence and audit reporting.
CONTINUOUS AUDITING
● Enables an IS auditor to perform tests and
assessments in a real-time or near-real-time
environment.
● Continuous auditing is designed to enable an
IS auditor to report results on the subject
matter being audited within a much shorter
time frame than under a traditional audit
approach.
- Continuous auditing permits the IS auditor to
conduct audits of an online environment in a
way that is less disruptive to the business
operations.
- Instead of the more costly and invasive audits,
IS auditors can test the system while they are
running and with minimum or no involvement
from the IT staff.
CONTINUOUS MONITORING
● Used by an organization to observe the
performance of one or many processes,
systems or types of data. For example,
real-time antivirus, IPS, or IDSs may operate
in a continuous monitoring fashion.
Continuous auditing should be independent of
continuous control or monitoring activities which is
being implemented by the management.
- Eventually, the IS audit may share this the
continuous auditing techniques or the parameters
being set to the management for their usage to
create a higher level of assurance as part of their
continuous monitoring.
- But still, the review under the continuous auditing
should still be independent.
When both continuous monitoring and auditing take
place, continuous assurance can be established. In
practice, continuous auditing is the precursor to
MARIA BERNISE DIMZON • ELEINA BEA BERNARDO
management adopting continuous monitoring as a
process on a day-to-day basis. Often, the audit
function will hand over the techniques used in
continuous auditing to the business, which will then
run the continuous monitoring. This collaboration has
led to increased appreciation among process owners
of the value that the audit function brings to the
organization, leading to greater confidence and trust
between the business and the audit function.
Nevertheless, the lack of independence and
objectivity inherent in continuous monitoring should
not be overlooked, and continuous monitoring should
never be considered as a substitute for the audit
function.
Continuous auditing efforts often incorporate new IT
developments; increased processing capabilities of
current hardware, software, standards and AI tools;
and attempts to collect and analyze data at the
moment of the transaction. Data must be gathered
from different applications working within different
environments, transactions must be screened, the
transaction environment has to be analyzed to
detect trends and exceptions, and atypical patterns
(i.e., a transaction with significantly higher or lower
value than typical for a given business partner) must
be exposed. If all this must happen in real time,
perhaps even before final sign-off of a transaction, it
is mandatory to adopt and combine various top-level
IT techniques. The IT environment is a natural
enabler for the application of continuous auditing
because of the intrinsic automated nature of its
underlying processes.
Continuous auditing aims to provide a more secure
platform to avoid fraud and a real-time process
aimed at ensuring a high level of financial control.
Continuous auditing and monitoring tools are often
built into many enterprise resource planning
packages and most OS and network security
packages. These environments, if appropriately
configured and populated with rules, parameters and
formulas, can output exception lists on request while
operating against actual data. Therefore, they
represent an instance of continuous auditing. The
difficulty, but significant added value, of using these
features is that they postulate a definition of what
would be a “dangerous” or exception condition. For
example, whether a set of granted IS access
permissions is to be deemed risk-free will depend on
having well defined SoD. On the other hand, it may
be much harder to decide if a given sequence of
steps taken to modify and maintain a database
record points to a potential risk.
5
 Module 9: Data Analytics
It is important to validate the source of the data
used for continuous auditing and note the possibility
of manual changes.
CONTINUOUS AUDITING TECHNIQUES
Continuous audit techniques are important IS audit
tools, particularly when they are used in time-sharing
environments that process a large number of
transactions but leave a scarce paper trail. By
permitting an IS auditor to evaluate operating
controls on a continuous basis without disrupting the
organization’s usual operations, continuous audit
techniques improve the security of a system. When a
system is misused by someone withdrawing money
from an inoperative account, a continuous audit
technique will report this withdrawal in a timely
fashion to an IS auditor. Thus, the time lag between
the misuse of the system and the detection of that
misuse is reduced. The realization that failures,
improper manipulation and lack of controls will be
detected on a timely basis by the use of continuous
audit procedures gives an IS auditor and
management greater confidence in a system’s
reliability.
FIVE TYPES OF AUTOMATED EVALUATION
TECHNIQUES APPLICABLE TO CONTINUOUS
AUDITING
1. Audit hooks
● This technique involves taking what might be
termed “pictures” of the processing path that a
transaction follows, from the input to the output
stage. With the use of this technique,
transactions are tagged by applying identifiers
to input data and recording selected
information about what occurs for an IS
auditor’s subsequent review.
● involves embedding hooks in application
systems to function as red flags and induce IS
security and auditors to act before an error or
irregularity gets out of hand
● Useful when only select transactions or
processes need to be examined
● Complexity: LOW
- Audit hooks are special audit modules which
are placed in key points in the application and
are designed to trigger if a specific audit
exception or special condition occurs.
- This can alert the auditors with the situation
permitting them to decide whether additional
action is required.
MARIA BERNISE DIMZON • ELEINA BEA BERNARDO
2. Continuous and intermittent simulation (CIS)
● During a process run of a transaction, the
computer system simulates the instruction
execution of the application. As each
transaction is entered, the simulator decides
whether the transaction meets certain
predetermined criteria and, if so, audits the
transaction. If not, the simulator waits until it
encounters the next transaction that meets the
criteria.
● Useful when only transactions meeting certain
criteria need to be examined
● Complexity: MEDIUM
- The application software always tests for
transactions that meet a certain criteria.
- When a criteria is met, the software runs an
audit of the transaction—this is what we call
the intermittent test.
- Then the computer waits until the next
transaction meeting those criteria occurs.
- This provides for the continuous audit as a
selected transaction occurs.
3. Snapshots
● This technique involves taking what might be
termed “pictures” of the processing path that
a transaction follows, from the input to the
output stage. With the use of this technique,
transactions are tagged by applying
identifiers to input data and recording
selected information about what occurs for an
IS auditor’s subsequent review.
● Useful when an audit trail is required
● Complexity: MEDIUM
- This technique involves the use of special audit
modules embedded in samples of specific
transactions.
- The modules make copies of the key parts of
the transactions often by copying database
records and storing them independently.
- This allows an auditor to trace specific
transactions through an application to view
the state of transactions as they flow through
the entire application.
4. Integrated test facility (ITF)
● In this technique, dummy entities are set up
and included in an auditee’s production files.
An IS auditor can make the system either
process live transactions or test transactions
during regular processing runs and have these
transactions update the records of the
dummy entity. The operator enters the test
transactions simultaneously with the live
6
 Module 9: Data Analytics
transactions that are entered for processing. An
auditor then compares the output with the data
that have been independently calculated to
verify the correctness of the
computer-processed data.
● Useful when it is not beneficial to use test
data
● Complexity: HIGH
- ITF permits test transactions to be processed
in a live application environment.
- A separate test entity is required however so
that the test data does not alter financial or
business results because test data does not
present actual transactions.
- Test data are only simulated
transactions—those data that are created by
auditors includes all the possible errors and
good data.
- Like in the ITF, we are using live data here.
5. Systems control audit review file and
embedded audit modules (SCARF/EAM)
● The use of this technique involves embedding
specially written audit software in the
organization’s host application system so the
application systems are monitored on a
selective basis.
● Useful when regular monitoring cannot be
interrupted
● Complexity: VERY HIGH
- Special audit software modules are embedded
in the application and these modules perform
continuous auditing and create independent
log of audit results.
- System level audit program used to monitor
multiple embedded audit modules inside the
application software.
- This is usually considered a mainframe class of
control.
RELATIVE ADVANTAGES AND
DISADVANTAGES OF THE VARIOUS
CONTINUOUS AUDIT TOOLS
The use of each of the continuous audit techniques
has advantages and disadvantages. Their selection
and implementation depends, to a large extent, on
the complexity of an organization’s computer
systems and applications, and an IS auditor’s ability
MARIA BERNISE DIMZON • ELEINA BEA BERNARDO
to understand and evaluate the system with and
without the use of continuous audit techniques. In
addition, an IS auditor must recognize that
continuous audit techniques are not a cure for all
control problems and the use of these techniques
provides only limited assurance that the information
processing systems examined are operating as they
were intended to function.
Techniques that are used to operate in a
continuous auditing environment must work at
all data levels—single input, transaction and
databases—and include:
Techniques that are used to operate in a continuous
auditing environment must work at all data
levels—single input, transaction and databases—and
include:
● Transaction logging
● Query tools
● Statistics and data analysis
● DBMS
● Data warehouses, data marts, data mining
● Intelligent agents
● EAM
● Neural network technology
● Standards such as Extensible Business
Reporting Language (XBRL)
Intelligent software agents may be used to automate
the evaluation processes and allow for flexibility and
dynamic analysis capabilities. The configuration and
application of intelligent agents (sometimes referred
to as bots) allow for continuous monitoring of
systems settings and the delivery of alert messages
when certain thresholds are exceeded or certain
conditions are met.
Full continuous auditing processes have to be
carefully built into applications and work in layers.
The auditing tools must operate in parallel to normal
processing—capturing real-time data, extracting
standardized profiles or descriptors, and passing the
result to the auditing layers.
Continuous auditing has an intrinsic edge over
point-in-time or periodic auditing because it
captures internal control problems as they occur,
preventing negative effects. Implementation can
also reduce possible or intrinsic audit inefficiencies
such as delays, planning time, inefficiencies of the
audit process, overhead due to work segmentation,
multiple quality or supervisory reviews, or discussions
concerning the validity of findings.
7
 Module 9: Data Analytics

Full top management support, dedication, and

extensive experience and technical knowledge are all
necessary to accomplish continuous auditing, while
minimizing the impact on the underlying audited
business processes. The auditing layers and settings
may also need continual adjustment and updating.

Besides difficulty and cost, continuous auditing has

an inherent disadvantage in that internal control
experts and auditors might be resistant to trust an
automated tool in lieu of their personal judgment
and evaluation. Also, mechanisms have to be put in
place to eliminate false negatives and false positives
in the reports generated by such audits so that the
report generated continues to inspire stakeholders’
confidence in its accuracy.

MARIA BERNISE DIMZON • ELEINA BEA BERNARDO 8