Session 3: Computer Assisted Audit Tools and Techniques (CAATTs)
Download
Report
Transcript Session 3: Computer Assisted Audit Tools and Techniques (CAATTs)
Session 3: Computer Assisted Audit
Tools and Techniques (CAATTs)
Presented by:
• Nancy Bennison
• Donna Webster
• Yoon-Jin Park
Australian National University
Australian National University
Australian National University
Computer Assisted
Audit Tools and Techniques
Nancy Bennison
Donna Webster
Yoon-Jin Park
Presentation Overview
•
•
•
•
•
What are CAATTs?
Benefits
CAATTs at ANU
Case Studies
Lessons Learnt
What are CAATTs?
• Computer Assisted Audit Tools and Techniques
• The use of any computerised tool or technique which
increases the efficiency and effectiveness of the audit
function
Benefits
Why are CAATTs useful?
•
Management of control deficiencies and risk;
•
Investigation of 100% data population;
•
Identifies business improvement opportunities;
•
Improves data integrity;
•
Fraud detection mechanism; and
•
Cost effective.
CAATTs at the ANU
• ANU uses Audit Command Language (ACL) software
• Program commenced January 2010
• Program focuses on 3 key areas to start with
-Purchase to Pay Process (Vendors, Purchasing, Payment)
-HR Processes (Payroll, Leave)
-Management Requested (key account validation)
• First year program designed to trial ACL tests; program is WIP
• Reports provided to the Executive Director, Administration &
Planning, CFO and the Audit & Risk Management Committee
CAATTs at the ANU
CM program with CAATTs at ANU (2010)
Report
Implementation
Design
2010
Highlight key processes to
focus on for the first year of
program (e.g. Risk-based
approach)
CAE thoroughly plan
costs, available
resources and
capabilities
Identify the CAATTs tests to
be performed to achieve
maximum coverage across
processes
Yes
Conduct planned testing in
accordance with the schedule
Explore ways of achieving
more efficient data extraction
from systems
Prepare meaningful reports to
inform stakeholders and to
guide improvement initiatives
to rectify issues identified.
Create a list of tests that was
effective and cost-efficient (by
the trial and error method) for
an iterating program
Proactively communicate with
management to ensure
management’s responsibility
to monitor risk and internal
control effectiveness
Program
approved
by the audit
committee or
equivalent?
CAATTs at ANU
Example: Annual Program
Area
Process
Risks
Tests
Testin
g
Interval
(A/H/Q
)
Month
for
Testing
System
Module
Q
May
VM/AP
Potential duplicate, incomplete or inaccurate
vendor records in the vendor master file
which can lead to incorrect payments.
Test for duplicate
vendor records.
Duplicate Purchase Order may have been
made which can lead to incorrect payments.
Identify duplicate
transactions
(purchase order
amount , quantity,
date and Vendor
ID with the
same/different
payment date).
H
1.3 Invoicing
Bills may have been processed to
illegitimate vendors.
Match vendors on
invoices against
the vendor master
file and prohibited
vendors list (if
maintained).
H
Jul
Vou/AP
1.4 Payment
Segregation of Duties may not have been
applied to all processes.
Match user ID from
each step.
H
Aug
PY/AP
1.1 Vendor
Management
1.2 Purchasing
Purchase
to
Payment
Jun
PO/AP
CAATTs at ANU
Example: Monthly Report
RMAO CONTINUOUS MONITORING PROGRAM
June 2010
1. Objectives
i. To analyse whether there is fraudulent amendment between purchase order and
voucher information; and
ii. To identify duplicate and split transactions.
2. Test Results
Description
Risks
Purchasing –
Identify potential
cases of split
purchase orders
where accumulated
figures exceed the
delegate’s limit.
(Jul 2009 - Jun
2010)
Purchases may be
split over several
purchase orders
raised within 7 days
apart.
Impacts
Split transactions may be
used to avoid procurement
requirements (e.g. obtain
competitive quotes and
comply with delegation
limits).
Findings
RMAO found # potential split
transactions (out of ###
purchase order records
analysed).
Further inquiries determined
there were no instances of split
transactions
Inherent
risk
CR4
Test
Statu
s
In
Progr
ess
Case Studies
Case Study 1 – Payment
Testing Objective: Identify duplicate payments to same
vendors
1. Obtain vendor records and payment records for the relevant period.
2. Run ‘Duplicate’ on Invoice number, Invoice Date and Amount, then
find transactions with same vendors with different ID.
Case Studies
Case Study 2 – Expense Management (Purchase Card)
Testing Objective: Look for double-dipping instances
1.
Obtain HR Per Diem records and Purchase Card reports.
2.
Run 'JOIN' on two files by a unique identifier 'Uni ID'.
Add a column to show 'AGE (Pay calendar, Transaction date)'.
Again, using a function tab, find AGE < 31.
3.
Match travel allowance to meals purchased during same trip using
purchase card
Lessons Learnt
Business Improvements Arising from Testing
•
Cooperation with Vendor Maintenance team;
•
Data input errors (e.g. extra spaces, transposed numbers, input
format);
•
Awareness about use of purchase cards (e.g. limits, appropriate
purchases, timely acquittal); and
•
Awareness that we are now looking at a range of transactions.
Lessons Learnt
Design
•
Limitations on data
•
Due care with confidential data
•
Share the plan with business units early
Implementation
•
Time taken for data request / extraction
•
Further investigation required
Reporting
•
Reporting and follow-up
•
Manage expectations of business units and Audit Committee
References
1
CAATTs and Other BEASTs for Auditors
David G. Coderre
2
Continuous Auditing: Global Technology
Auditing Guide
The IIA
3
Continuous Controls Monitoring: A Case
Study with Talecris
Danielle Lombardi and Miklos A.
Vasarhelyi, Ph.D.
4
Continuous Auditing and Continuous
Monitoring:
Transforming Internal Audit and
Management Monitoring to Create Value
KPMG
5
Continuous Monitoring and Auditing: What
is the difference?
John Verver (Protiviti)
6
Continuous Monitoring: Electronic
Corporate Governance
Jack Crawford (Enterprise Risk
Technologies Pty Ltd)
7
A Short Guide to Fraud Risk: Fraud
Resistance and Detection
Martin Samociuk and Nigel Iyer (Edited by
Helenne Doody)
Thank you.
Any questions?