The audit climate has seen dramatic changes over the last few years. With auditing standards issued and revised by the Public Company Accounting Oversight Board and the newly effective audit risk standards issued by the AICPA, there is a renewed emphasis on risk identification, evaluation of controls, and certain key financial statement areas and assertions. Whether you work in public accounting or private industry, perform external or internal audits, or work in the accounting department of a company, there are steps you can take to significantly increase the efficiency and effectiveness of your procedures.
Audit firms are continually looking for ways to increase efficiency by performing focused audit procedures, and are increasingly relying on effective internal audit departments and controls. Engagement teams are required to participate in brainstorming meetings to identify risks resulting from error or fraud, along with ways to address these risks.
As a result, audit firms are increasingly turning to Computer Assisted Auditing Tools and Techniques (CAATTs).
Although CAATTs are not new, auditors are finding it easier than ever to use these techniques to analyze large volumes of data for anomalies. And, with advances in technology, it is easier to obtain data files and have access to improved tools. You no longer need to know how to do computer programming to be able to identify, request and import the data for analysis. Two phases are essential in the CAATTs process: planning and execution.
During the planning phase, the engagement team will identify inherent and control risks to determine the risk of material misstatement. In the risk identification and classification process, the team will become aware of areas of emphasis, including areas susceptible to fraud and error. In particular, teams will likely identify revenue recognition, journal entries, accruals and reserves as areas to focus on. Auditors also may focus on analyzing accounts receivable, inventory and accounts payable transactions.
One way to focus the approach to determine the nature, timing and extent of audit procedures – and identify which procedures may be appropriate for CAATTs – is to look for procedures that include certain terms, such as analyze, re-compute, calculate, sample, age, scan and compare. Next, determine which of these procedures take quite a bit of time to complete and focus on those you could perform in a different way.
For example, re-computation and aging are procedures that can easily be performed using a CAATT, even if the tool used was a spreadsheet application. In many situations, you are able to test the entire population for the parameters you want to analyze rather than for just a sample.
Once you identify the procedures you want to perform, you must identify which data files you will need from the financial application, and how to obtain them from the accounting or IT group. Identification of the data files may be fairly straightforward if the accounting group uses packaged financial applications. Many packages have export routines, or the ability to print out key reports to a useful file type, such as a PDF.
Consult the application’s user manual for guidance on how to export data records and fields to a file. When the company has programmers involved, it may be less clear as to which specific files you need. Sometimes, for example, the data is contained on a report with an understandable heading; as a result, you can ask the programmers to give you the files used to generate that report.
Instead of obtaining a “report” of the contents of the file, it is generally more appropriate to get the detailed records of the file and use the CAATT tool to generate an equivalent report. In this case, not only are you able to re-compute key report figures, but you are more likely to be in a position to determine if items were excluded from the report. This happens intentionally in a fraud situation or unintentionally when the person generating the report mistakenly excludes certain records. Common file export types include comma or tab delimited ASCII, dBase, Microsoft Excel, Microsoft Access, PDF and XML. Many of these can be imported to commercially available CAATT tools and spreadsheets.
Once you obtain the appropriate data files and import them into your CAATT tool, it is time for the analysis. Some tools include automated routines that perform common queries – which may be similar to those you had planned during your brainstorming meetings. If so, match the audit procedures with the automated routines and run the appropriate queries. This is an efficient, repeatable process because data file structures and audit procedures may not vary much from year to year. Therefore, when you have established the links between these, you can likely assign the subsequent development and initial analysis to less experienced members of the audit team.
When anomalies are identified, it may be necessary to have the analysis performed by more experienced team members. Since you may have obtained all of the data records, you are able to analyze 100 percent of the records for the area of interest, without sampling. If your CAATT tool does not include automated routines, it may include query generating design techniques to write the queries and save them for later use.
One of the areas of focus for audit teams is the review and analysis of journal entries susceptible to error or fraud, and based on significant judgments. Consider how you may have designed tests for these. For example, you might consider scanning the general journal for unusual items, but how do you perform this scan and carefully identify items, especially when there is a high volume of transactions?
One CAATT tool includes predefined queries that perform the following scans for unusual items:
- duplicate entries;
- entries posted on unusual dates, including weekends, holidays or on specific dates;
- entries with unusual amounts, including those just below authorization thresholds;
- amounts ending in 999;
- large or rounded amounts;
- journal entries posted to certain accounts, or those to accounts not typically impacted by journal entries;
- journal entries by source code; and
- journal entries by person, where you can then look for those by people not typically entering entries or excessive entries by one person.
Of course, you could manually scan a general journal or a series of detailed transaction journals for an entire year, but it would be difficult to efficiently and effectively identify patterns. By using the CAATT, the initial scan is done by the tool and the results are generated for further analysis. The CAATT will not miss an item you defined in the query. In addition, once the initial queries are run, if the results still include a large number of items, the queries can be further refined to narrow the list for further analysis.
Another common financial statement area auditors focus on is accounts receivable. Auditors spend considerable time confirming balances, an appropriate process because confirmations are a required audit procedure. However, the auditing standards do not say how many balances to confirm or which procedures you need to complete for those when the confirmation does not come back or comes back with exceptions. This follow-up for non-replies may take a significant amount of time, and confirmations of balances or invoices may address “existence,” but not completeness or valuation. Other procedures are necessary to review transaction details to cover those.
Consider these analyses that CAATTs could performed on the entire accounts receivable balance details:
- duplicate invoices or credits;
- customers with balances greater than approved credit lines;
- overdue balances with amounts greater than a certain amount;
- aging by invoice date or due date; and
- balances, including significant credit memos.
The above analyses may identify unusual balances for further investigation and run efficiently against the entire accounts receivable detail ledger. Other techniques may be appropriate for following up on confirmation non-replies, including matching information from different locations/journals to aid in the analysis. This includes comparing open invoices to subsequent cash receipts; to credit memos, sales returns and shipping records; and to unusual patterns of transactions around the period end date.
“A” Stands for Analysis
Some examples of CAATTs for external and internal auditors to achieve efficiencies and effectiveness include IDEA Data Analysis Software, ACL Audit Analytics and Microsoft Excel and Access. Those involved in internal accounting departments also may benefit by using CAATTs because of the staff’s frequent involvement in analyzing internal company transactions. So, while the second “A” may be defined as “Audit,” it could be replaced by “Analysis.”
Advances in technology and the rapid change in the audit climate make this an ideal time to consider using CAATTs to enhance the effectiveness and improve the efficiency of audit procedures. The key is to let the Computer Assist you with your Audit Techniques, and consider trying some of these simpler techniques. As you gain more experience, move to more complex data analysis. I did, and I have never looked back!