Page 624 - ITGC_Audit Guides
P. 624
GTAG — Elaboration on Key Technology Concepts
or deficiencies. When using data analysis, auditors should the auditor needs to have a data analysis tool that allows
always check the data for validity errors. Getting the correct them to visually present these data files in relationship to
and complete data is a prerequisite of effective data analysis. one another.
For instance, do the numeric fields in the source data contain When using data analysis, auditors need to compare and
valid numbers — or are characters present in this field or contrast diverse sources of information, validate data integ-
are there blank entries? Do key fields, such as social security rity and accuracy, and look for patterns and anomalies
or social insurance numbers, contain valid entries? Does the in data. The audit process may need to support assertions
data contain records within the expected date range or is it inherent in published financial statements such as complete-
under- or overrepresented in the data set? When source data ness, accuracy, occurrence, valuation, and presentation. Data
errors are identified, data extracts should be repeated to get analysis software may have algorithms designed to perform
the expected data range, data cleansing activities should be these tests without having to program custom queries or
conducted to correct faulty data fields, or “bad data” should macros to reduce the audit risk in user developed applica-
be isolated from the main analysis and subsequently investi- tions (UDAs). For additional guidance related to UDAs, see
gated to see if it substantially impacts the overall assessment GTAG 14: Auditing User-developed Applications.
of the audit. Purpose-built data analysis software will have commands
and functions that look for duplicates; detect gaps in numeric
5.1.2 Audit-specific Capabilities sequences; and group transactions by type, numeric range,
and age. The ability to filter vast amounts of data quickly
Data analysis technology for internal audit’s use needs to and efficiently also is a key requirement. Advanced pattern
have the features and functionality that auditors require detection techniques, such as digital analysis, are extremely
to do their job effectively. Not only should it deal with the helpful when seeking anomalies in data.
data access challenges, but it also needs to support the way When comparative analysis is required, the technology
in which auditors work and the types of analytics that are needs the ability to merge data files (often from different
appropriate to the audit task. sources and in different formats) and look for matched or
Some aspects of data analysis involve assessing the integ- unmatched records. For tasks requiring the comparison of
rity of organizational processes and practices, evaluating the data from numerous sources, the ability to relate diverse data
efficacy of controls, conducting risk assessments, and, in sets together also may be necessary. Because the audit process
some cases, fraud detection. Invariably this means that data often involves retrospective analysis of vast amounts of data,
must be analyzed from a diversity of sources to seek patterns an effective data analysis technology needs highly efficient
and relationships. Auditors need to organize their view of the read algorithms to process millions of records rapidly. These
company data in a way that suits the audit objectives. algorithms must be powerful and reliable to perform tasks
This view gives users the ability to set an appropriate either quickly in interactive data analysis or for sustained
context from which to compare and contrast data from periods of time in lengthy and complex automated analysis.
diverse sources. For example, if part of an audit process is Depending on the nature of the audit work being done, this
fraud detection, data analysis may be used to great effec- interactive work can be ad hoc for planning, initial scoping,
tiveness. One might compare an employee master file with or investigative work. It also can be scripted for repetitive
an approved vendor database. If there is a match between analysis of organizational processes from period to period,
an employee’s address and the address of a vendor, it might such as quarterly reviews of key controls. In organizations
indicate the presence of a “phantom vendor” and that an that want to implement a continuous auditing methodology,
employee is attempting to perpetrate fraud. In such a case,
Data analysis tasks can be grouped into three types:
Ad Hoc Repetitive Continuous
Explorative and investigative in Periodic analysis of processes from multiple data “Always on” — scripted auditing and monitoring
nature. sources. of key processes.
Seeking documented conclusions Seeking to improve the efficiency, consistency, and Seeking timely notification of trends, patterns
and recommendations. quality of audits. and exceptions.
Supporting risk assessment and enabling audit
efficiency.
Specific analytic queries — per- Managed analytics — created by specialists — and Continual execution of automated audit tests to
formed at a point in time — for the deployed from a centralized, secure environment, identify errors, anomalies, patterns and excep-
purpose of generating audit report accessible to all appropriate staff. tions as they occur.
findings.
10
