Page 623 - ITGC_Audit Guides
P. 623
GTAG — Elaboration on Key Technology Concepts
5. Elaboration on Key allows for unprecedented insight into organizational opera-
Technology Concepts tions. Suspicious transactions may be detected sooner and
corrective action initiated before problems escalate, become
material weaknesses, or require external reporting.
5.1 Technology Used for Data Analysis In recent years, data volumes have grown to the extent
that there may be too much data to consider downloading
Internal audit activities can choose either general purpose, or importing to a PC for analysis. An effective data analysis
readily available tools such as spreadsheets, or look to solution in today’s environment likely needs to incorporate
purpose-built technologies for analyzing data. The manifest server-based platform solutions that provide a robust and
advantage of data analysis technology is that it addresses the dependable technical architecture that preserves both the
specific needs of the auditor when analyzing data to evaluate integrity and controlled access to data. In such a solution,
the operating effectiveness of internal controls, adherence to data can be analyzed by the auditor within the secure IT
specific compliance requirements, assessing organizational environment, thereby reducing network traffic and mini-
risk, and detecting indicators of fraudulent activity. For mizing the risks involved in converting, duplicating, and
additional guidance related to fraud detection, see The IIA’s disseminating sensitive organizational data.
Practice Guide, Internal Auditing and Fraud and GTAG 13:
Fraud Prevention and Detection in an Automated World. Variety
When evaluating a data analysis technology for auditing,
there are a number of essential attributes that should be Most organizations rely on several applications that run on
considered. These may be divided into three areas: a variety of operating systems, collecting data in a variety of
formats or databases. While generalized data analysis soft-
• Data access. ware has become more adept at importing data, they still fall
• Audit-specific capabilities. short of being able to deal with data from different formats
and operating environments. The risk is the inadvertent
• Logging and automation. modification of the data during the conversion process.
For instance, mainframe data is usually in extended binary
5.1.1 Data Access coded decimal interchange code format and cannot be read
by a PC-based spreadsheet without conversion.
Simply accessing the data required for an audit can be a An effective data analysis solution for audit needs to be
daunting task. This is due, in part, to the amount of time able to read and compare a broad variety of data formats
it can take to receive data extracts from busy IT depart- including relational data, legacy data, spreadsheets, report
ments. Under pressure to do more in less time and with files, flat files, extensible markup language, and eXtensible
fewer resources, auditors are looking to eliminate obstacles business reporting language-formatted data. Where data
and streamline audit processes. An effective data analysis resides in databases, an effective technology needs to be able
technology enables auditors by providing them with direct to access this data quickly and efficiently to meet internal
data access either by “pulling” data on demand or by sched- audit’s needs.
uled data “push” techniques for regular data feeds in support
of continuous auditing or repetitive testing of specific data Veracity
sets. This has the joint benefit of streamlining the overall
audit process and relieving busy IT staff from repeated data Veracity, or the truthfulness or accuracy of data, is paramount
requests by the audit function. in the audit process. An effective data analysis technology for
There are three additional data access challenges that audit purposes must protect the integrity and quality of data.
need to be overcome to assist audit’s use of data analysis tools: With data extracts and format conversions, the integrity of
data can be inadvertently compromised and introduce unin-
• The volume of data required to provide effective tended audit risk into the process. An effective data analysis
assurance of organizational processes. technology must be able to access and analyze data without
altering it or subjecting it to accidental change.
• The variety of data types, formats, and sources.
Effective data analysis tools for audit need to protect the
• The veracity or truthfulness and accuracy of the user from accidentally changing values and the integrity of
data sets. the records in the data set. It must preserve the veracity of
the data to prevent the skewing of analytical results, which
Volume could lead to material errors in findings and erroneous audit
recommendations.
An effective data analysis technology for internal audit While the selected data analysis technology should protect
must be able to analyze entire data populations to ensure that the integrity and quality of the source data from alteration,
the entire picture is visible. Analysis of entire data populations often the source data itself has inherent data quality errors
9
