Generalized Audit Software: Effective and Efficient Tool for Today's IT Audits

By Tommie Singleton, Ph.D., CISA, CMA, CPA, CITP
Volume 2, 2006

 

Because the author's experience and knowledge of GAS is primarily limited to ACL, that is the software used to demonstrate the value of implementing GAS in this article. For more software products, see the exhibit in the Bagranoff and Henry article, cited in footnote 3, and the list of GAS in the Sayana article, cited in footnote 1.

Experts say that generalized audit software (GAS) is the most common computer-assisted audit tool (CAAT) used in recent years. There are many reasons today for IT auditors to use a GAS, but to quote an article from this Journal, "Performing audits without using information technology is hardly an option."1 This article will inform IT auditors of the profitable return on learning and using GAS.

A number of issues motivate IT auditors to use GAS products, such as ACL, CA's Easytrieve, Statistical Analysis System (SAS), Statistical Package for Social Sciences (SPSS) and IDEA. First, there is the focus on fraud in recent years. According to the Association of Certified Fraud Examiners (ACFE) and its 2004 "Report to the Nation" survey on fraud, more than 60 percent of all frauds are detected either by a tip or by accident. While internal audit has moved up on the list, there is clearly room for more proactive antifraud programs. One of the best ways to be proactive is to use a GAS to develop a cornucopia of computerized antifraud audit procedures that are run regularly against organizational databases.

Second, there is the issue of US Sarbanes-Oxley Act section 404. In a Journal article on Sarbanes-Oxley software, several GAS software products are included in the list provided in the authors' exhibit on data manipulation software.2 This indicates that GAS can be useful in testing internal controls embedded in information systems.

A third issue motivating auditors to use GAS software is that the demands on IT and internal auditors are increasing. Auditors will need to become more efficient to fulfill all of the responsibilities and tasks assigned them, and using GAS is one way to do so.

Therefore, IT auditors in the early stages of their careers could leverage their time and abilities into more productivity by becoming at least competent in a GAS product. Having a moderate level of knowledge in using a GAS, for example, can be useful in a variety of duties, such as fighting fraud, Sarbanes-Oxley compliance and everyday audits. Also, the more proficient an IT auditor becomes, the more valuable he/she becomes to the organization. This article encourages IT auditors to learn how to use ACL or a similar GAS.

Benefits of Using a GAS

The benefits of using a GAS have been explained by others, but a review of the benefits here will hopefully generate motivation to become more knowledgeable about GAS.

As many others have pointed out, using a GAS such as ACL means the auditor does not review a sample of the data, but rather reviews or examines 100 percent of the data and transactions. This difference is not trivial. Some fraudsters have not bothered to conceal their fraud because they assume that the transactions involved have little chance of being picked in a statistical random sample. For example, in one fraud, the fraudster had written approximately 50 checks to himself out of organizational accounts (i.e., check tampering). When he was finally caught, he was asked why he did not try to conceal the fraud. He simply said he doubted that one of those checks would ever show up in a statistical random sample because the organization wrote thousands of checks each year. He was right and got caught without the benefit of those checks. All frauds that are "on the books" have the potential of being discovered by using, for example, ACL effectively, because there is some kind of evidence in the database and the transactional data, and ACL can be used to examine 100 percent of the data.

Using ACL empowers the auditor to possibly have a better sense of direction in his/her audit procedures. Using ACL to analyze transactions, or data mine, is a lot like peeling an onion. The auditor will perform some audit procedures to gain an understanding of the data (e.g., using PROFILE, STATISTICS commands in ACL). During these procedures, the conscientious, trained auditor may spot an anomaly or red flag (e.g., negative amounts where there should be none). At that point, the auditor is focusing directly upon certain suspicious data and/or transactions. In ACL, these transactions are usually linked via the table or chart in the display window, so employing drill-down procedures is extremely simple when the auditor needs them. The same is true as the auditor progresses through more precise audit procedures (e.g., using FILTER for certain anomalies or red flags).

The data in ACL are locked down as read-only. There is no chance for the auditor to inadvertently change the data. This inadvertent risk is much higher for IT auditors who choose to use a spreadsheet for analyzing and presenting transactions. While one can lock cells or sheets in Microsoft Excel, there is still the possibility of human error. It is almost nonexistent in ACL.

The commands in ACL are auditor-friendly. ACL commands are compatible with the average IT auditor's understanding, experience, training and education. It is fairly easy to grasp what a command will do once it is explained adequately. For example, auditors know what it means to look for gaps or duplicates in numbers (invoices, checks, etc.). The learning curve, therefore, is reasonably short.

At most, the IT auditor will need training and encouragement to "think outside the box" with those commands. Most IT auditors will pick up on this flexibility without additional training. The ACL commands are effective in a variety of applications other than the obvious. For example, the AGE command is obviously useful in generating an aged trial balance. However, it is really a measure between dates, so it could be used to do other antifraud procedures. For example, it can send confirmations to credit card users for a recent charge where the card had been inactive for a certain number of months (six or 12 or whatever is appropriate) or be used in conjunction with the CLASSIFY command to measure the number of days between receipt of invoices and payment of invoices by vendor (in shell company, pass-through vendors and other fraudulent disbursement schemes, the fraudster tends to make sure the phony invoices are paid more quickly than normal invoices). Another example is the CLASSIFY command itself. It is normally used to subtotal amounts and the number of invoices for vendors or some similar application on other data files. However, one could use CLASSIFY to examine the number of credit memos by authorizing party or key-punch personnel. Because credit memos are a relatively common method of concealing a fraud, if a fraud is being perpetrated and the fraudster is using credit memos to hide the fraud, that person has an inordinate number of credit memos compared to everyone else. This anomaly would be evident by running CLASSIFY on a credit memo file. The possibilities are limited only by the IT auditor's imagination.
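The two tests described above (days from invoice receipt to payment by vendor, and credit memo counts by authorizing party) can be sketched outside ACL. The following Python is an added illustration, not ACL script and not code from the author; the sample records, the function names and the 0.5 and 3x thresholds are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# Constructed sample data (not from the article): vendor, invoice received, invoice paid
INVOICES = [
    ("Acme Supply",   date(2006, 1, 3),  date(2006, 2, 2)),
    ("Acme Supply",   date(2006, 2, 6),  date(2006, 3, 10)),
    ("Delta Freight", date(2006, 1, 9),  date(2006, 2, 6)),
    ("Delta Freight", date(2006, 2, 13), date(2006, 3, 17)),
    ("Orion Paper",   date(2006, 1, 16), date(2006, 2, 20)),
    ("Orion Paper",   date(2006, 3, 1),  date(2006, 3, 30)),
    ("QX Consulting", date(2006, 1, 20), date(2006, 1, 23)),
    ("QX Consulting", date(2006, 2, 17), date(2006, 2, 21)),
    ("QX Consulting", date(2006, 3, 10), date(2006, 3, 9)),  # paid before receipt
]
# Constructed sample data: the authorizing party on each credit memo
CREDIT_MEMOS = ["jsmith"] * 2 + ["mlee"] * 3 + ["rpatel"] * 2 + ["tgreen"] * 11

def days_to_pay_by_vendor(invoices):
    """Return ({vendor: median days from receipt to payment}, [rows paid before receipt])."""
    days, exceptions = defaultdict(list), []
    for vendor, received, paid in invoices:
        elapsed = (paid - received).days
        if elapsed < 0:
            exceptions.append((vendor, received, paid))  # a red flag in its own right
        else:
            days[vendor].append(elapsed)
    return {v: median(d) for v, d in days.items()}, exceptions

def fast_paid_vendors(invoices, ratio=0.5):
    """Vendors whose median days-to-pay is below ratio x the median across all vendors."""
    per_vendor, _ = days_to_pay_by_vendor(invoices)
    if not per_vendor:
        return {}
    baseline = median(per_vendor.values())
    return {v: m for v, m in per_vendor.items() if m < ratio * baseline}

def heavy_credit_memo_authorizers(authorizers, factor=3):
    """Authorizers whose credit memo count exceeds factor x the median count."""
    counts = Counter(authorizers)
    if not counts:
        return {}
    typical = median(counts.values())
    return {who: n for who, n in counts.items() if n > factor * typical}

if __name__ == "__main__":
    print("Paid unusually fast:", fast_paid_vendors(INVOICES))
    print("Paid before receipt:", days_to_pay_by_vendor(INVOICES)[1])
    print("Credit memo outliers:", heavy_credit_memo_authorizers(CREDIT_MEMOS))
```

Medians are used for the baselines so that the outlier being hunted does not shift the comparison point the way a mean would.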

Additionally, ACL automatically records all of the commands that are run and the results of the procedures in its log, so the LOG feature becomes a way to automate much of the working papers an IT auditor will need to generate in most audits. ACL has a simple means to export that log to a word processor or other types of files, even selectively choosing which procedures to export.

The most compelling benefit in learning to use ACL may be the BATCH feature. As the IT auditor develops audit procedures to run in ACL, he/she can put the various routines together in a batch (similar to a macro). Next time, the IT auditor can run one command (push a button), and all of those procedures will run on autopilot, and ACL will dump the commands and results into the log. That feature provides a great opportunity to be efficient over time. The first year might take some time, but future years will be much quicker. In addition, as new procedures come into being, they are simply added to the BATCH and will run with all the others next time around. There is a great opportunity for sharing among all the auditors in the same entity, thus expanding upon the batch procedures of various teams or among different areas of audit.

In summary, there are many benefits to using ACL—it just becomes a matter of budgeting for the cost of the software and implementing the use of ACL effectively.

Implementation

There are several ways for one to become moderately proficient in a GAS. Most IT auditors know how to use Excel and are fairly competent at it. With a little training in GAS in general, the IT auditor could first use an intermediate product, such as Information Active's Active Data or Active Audit tools.3 These tools are plug-ins to Excel; thus, the learning curve is fairly short. They contain many of the same commands, occasionally by another name, as those mentioned previously (e.g., GAPS and DUPLICATES). This approach uses a "gear up" methodology. However, there are drawbacks to Excel in terms of integrity, the amount of data that can be handled and the limited power it has, even with Information Active products. But it might serve as an effective interim means for some IT auditors, particularly for reasons of cost constraints. In fact, for some smaller audit units, it might be the ultimate means and not just an intermediate one.

With some training, the IT auditor can become moderately proficient in GAS in a relatively short period of time. Of course, it might be better to get the training in GAS, some training in a specific product, and jump straight into the specific product—especially if the internal audit shop or audit entity already has the product.

Keys to Success

There are some keys to success for the internal audit (IA) shop or audit entity to make it possible for the IT auditors to effectively use GAS. First, the audit entity needs to identify a champion for the implementation. Research is replete with evidence that technology innovations and implementations need a champion to be successful. A champion is simply the person with the ability to motivate, supervise and generally make sure the technology is employed and becomes successful. In an internal audit shop, the IT audit manager could take on that role.

Second, there should be general training for the audit staff regarding GAS. Next, the champion or IT audit manager should identify the power users of GAS. These people are given specific training if necessary, but they become the leaders of implementing the chosen GAS product. They set up the servers—that is, they would build the appropriate data files from the operational system and make them available to all the auditors. They also write or assist auditors in writing batches. They could also conduct ongoing in-house training on the product. If necessary, a consultant can be brought in to assist the power users in developing the server and customized services.

While these things are outside the control of most IT auditors, they are facilitating or empowering approaches to effectively using GAS.

Conclusion

When thinking about one's career as an IT auditor, perhaps no other skill or ability is as valuable as being an expert at using GAS. Such expertise can be used in a variety of ways, including regular financial audits, operational audits, Sarbanes-Oxley-related tests and antifraud audit programs. In fact, it can possibly make an IT auditor indispensable.

Endnotes

1 Sayana, S. Anantha; "Using CAATs to Support IS Audit," Information Systems Control Journal, vol. 1, 2003
2 Bagranoff, Nancy A.; Laurie Henry; "Choosing and Using Sarbanes-Oxley Software," Information Systems Control Journal, vol. 2, 2005
3 See www.informationactive.com

Tommie W. Singleton, Ph.D., CISA, CMA, CPA, CITP
is an assistant professor of information systems at the University of Alabama at Birmingham (USA), Marshall IS Scholar, and director of the Forensic Accounting Program. Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small value-added dealer of accounting information systems using microcomputers. In 1999, the Alabama Society of CPAs awarded Singleton the 1998-1999 Innovative User of Technology Award. Singleton is the ISACA academic advocate at the University of Alabama at Birmingham. His publications on fraud, IT/IS, IT auditing and IT governance have appeared in numerous journals, including the Information Systems Control Journal.


Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

© 2008 ISACA All rights reserved.
3701 Algonquin Road, Suite 1010, Rolling Meadows, Illinois 60008 USA