Article Preview
TopIntroduction
According to the Institute of Internal Auditors (The IIA), the definition of internal auditing is “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes” (The Institute of Internal Auditors, 2011). The business process relationships diagram (Figure 1) describes these terms and shows how risk management, control and governance processes relate. Each of these is necessary for a company to successfully achieve its objectives.
Figure 1. Business process relationships
TopTechnology-Based Audit Techniques
Internal auditors always strive to improve efficiency and effectiveness of business processes. Internal audit organizations created or helped to create various frameworks such as Committee of Sponsoring Organizations of the Treadway Commission (COSO), Control Objectives for Information Technology (COBIT), and the International Professional Practices Framework (IPPF), to standardize the profession and share best practices. The organizations also created guidance within these frameworks for the use of automated tools to help with the efficiency and effectiveness of the auditing process itself. Technology-based audit techniques, in particular, play a part in the audit process. The IPPF references technology-based audit techniques as noted below:
- •
“1210.A3: Internal auditors must have sufficient knowledge of key information technology risks and controls available and technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing” (The Institute of Internal Auditors, 2011).
- •
“1220.A2: In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques” (The Institute of Internal Auditors, 2011).
- •
Technology-based audit techniques are defined as “any automated audit tool, such as generalized audit software, test data generators, computerized audit programs, specialized audit utilities, and computer-assisted audit techniques (CAATs)” (The Institute of Internal Auditors, 2011).
Typically in non-information technology audits, technology-based audit and data analysis techniques are applied during the enterprise-wide risk assessment, project or process-specific risk assessments and CAATs for automated tests of transactions. The procedures can range from limited analytical review up to automated scripts that identify processing exceptions in real-time. According to The IIA 2010 Common Body of Knowledge (CBOK) report titled “Core Competencies for Today’s Internal Auditor,” the worldwide use of analytical review is about 65% and the adoption rate for CAATs is less than 50% (Bailey, 2010).
The tools used for technology-based audit and data analysis techniques vary widely and include software packages such as Microsoft Excel, Access, and Structure Query Language (SQL) and generalized audit software such as Audit Command Language (ACL), IDEA, and Oversight. The technology usage by type chart (Figure 2) shows relative usage percentages for the Microsoft suite and generalized audit software. The chart clearly shows the Microsoft suite is by far the most utilized software by internal audit. Internal auditors not only use Microsoft products for analysis, but also for documentation. As such, rates for every category except data analysis may not necessarily reflect cases where the tool was used for automation or analytics.
Figure 2. Technology usage by type (PCW, 2010)