Page 1 of 4

Citrayudha Komaladi
From:
Sent:
To:
Subject:

Goh Kheng Leng [gohkl@income.com.sg]

Monday, April 24, 2006 11:26 AM
Ng Sai Wei; Eddie Heng (IA); Citrayudha Komaladi
RiskBasedDataAnalysisACL

Internal Audit and Risk Management Community

May 24, 2004

Risk Based Data Analysis: Ways that ACL Can Help

By Jeff Barrett

Protiviti, Inc.

The benefits of utilizing computer assisted auditing tools (CAATs) are certainly not new to internal audit shops, although extending the use and
application of various techniques can be an ongoing challenge.
Extending the application of tools like ACL (ACL Services Ltd ) to risk assessments can help internal auditors to better understand the business or
processes under review. Risk assessment is key to audit work and critical to organizations planning more robust or formal enterprise risk
management (ERM) programs.
Internal auditors are expected to play a significant role in identifying, testing, and helping to mitigate risk across their organizations. Internal auditors
trained on data analysis tools are not only more familiar with a broad range of auditing techniques but are empowered to perform assessments for
risk attributes, fraud, and other data characteristics.
Jan Beckmann, an ACL certified training professional, says that, One primary benefit of training internal auditors is to show them a different way of
attacking what they do. ACL allows them to get away from sampling and develop other highly effective testing techniques.
Transaction analysis can tell an auditor whether controls under review are operating effectively since it allows 100% of those transactions to be
tested versus a sample that could, theoretically, lead to a false conclusion. Therefore, developing alternatives to sampling techniques using data
analysis tools cannot only increase confidence in the results of the tests being performed but also reassure parties that may question sampling
techniques.
6/2/2010 6:23 PM

Page 2 of 4

ACL tools can also be used in calculating samples where such techniques may prove necessary. For example, tests of manual controls such as paperbased authorization typically require the physical review of vouchers for signatures. It is not possible to assess compliance by reviewing an electronic
field in a database. However, ACL can help generate a random sample of transactions to physically review or help identify transactions that, through
analysis, may have possible control issues.
Assurance in a Changing Landscape
Several changes in the internal audit landscape such as the Sarbanes-Oxley Act (SOA) and the Institute of Internal Auditors (IIA) International
Standards for the Professional Practice of Internal Auditing align internal audit functions with opportunities to add more value to their organizations.
Meeting the new requirements of The IIA Standards, which went into effect January 1, 2004, means improving the IT skills of all internal audit
practice personnel. All internal auditors are subject to additional standards for:
1) Technical proficiency: understanding IT risks, controls, and awareness of IT audit testing techniques; and
2) Due professional care: consider IT testing techniques (such as ACL) when approaching projects.
Beckmann and other ACL trainers are busy preparing internal audit functions with tools and approaches for performing analysis beyond traditional
queries.
The training sessions have surprised many of the attendees since our focus is to use ACL techniques that utilize their knowledge of the business and
review what is found in the subsequent ACL queries.
Sarbanes-Oxley compliance efforts require that companies evaluate in more detail their financial statement reporting elements -- including the data
and processes that roll up and support the financial statements. Use of ACL and other tools can help leveraging internal controls knowledge of the
processing areas under review and deliver increased levels of assurance. For example, ACL queries on payables transactions could identify transaction
amounts that coalesce around spending limit authorization thresholds. Are there a significant number of transactions that fall just below the limit that
would require signature authorization?
Certain tests may identify situations where a large expenditure has been divided into multiple smaller vouchers to circumvent controls. Data analysis
may also help identify indicators of vendor collusion or fictitious vendors.
ACL Training and Approach
Automated tools make filtering large volumes of data more practical and effective, giving auditors the ability to work with greater quantities of data,
and with data that is more complex. Peter Pan, a Protiviti consultant that attended ACL training led by Beckmann said, The one major benefit of ACL
is that we can perform objective and comprehensive testing. For example, Pan continued, we can effectively massage a clients entire payables data
to pinpoint the exact employee who may have erroneously printed two identical checks in on pay period. Further, instead of subjectively picking 5 or
10 samples to test, we can test the entire population to ensure completeness and accuracy.
Other uses and advantages of comprehensive data testing include the ability to identify financial leakage, policy noncompliance, and mistakes or
errors in data processing. For example, data analysis techniques can help identify:
6/2/2010 6:23 PM

Page 3 of 4

Duplicate vendor payments

Fraudulent transactions
Circumvention of invoice approval limits

Using ACL reduces the time we spend on testing, which allows us to allocate our time to other critical areas, Pan added.
The keys to setting up these tests are understanding the data file structures, formats and fields and knowing what questions to ask the IT
department to ensure that the correct data is received for the analysis. The basics of preparing data analysis testing are well within the capabilities of
most internal audit personnel after receiving initial foundations training. Use of computer-assisted testing and data extraction is an opportunity for
cross training on integrated operational, financial, and IT audits.
ACL foundations training covers the basics of how the application works including:

Reviewing the data analysis process

Data integrity and verification
Performing analysis and related audit tests
Report results

Internal Audit Proficiency

The Institute of Internal Auditors adopted Proficiency Standard 1210.A3 requiring all internal auditors to have "general knowledge of key information
technology risks and controls and available technology-based audit techniques."
Although this pronouncement does not require all internal auditors to be proficient to the depth of a specialized IT auditor, this general IT knowledge
proficiency requirement is consistent with the fact that most accounting systems are dependent upon technology. To develop basic proficiency may
require training on data analysis software solutions, elements of access security, technology change control, and disaster recovery planning.
Arming internal auditors with the ability to analyze large data sets and an understanding of IT controls allows them to identify relationships in
company data that were previously unknown and then help pinpoint specific problem transactions.
IT audit team members typically work with the company database administrators to understand and advise the audit team on data composition and
to assist in developing tests. However, keep in mind that most current data analysis applications today are GUI (graphical user interface) based with
a focus on ease of use. Users do not need to specialize in IT auditing to understand and execute most computer-assisted audit tests.
Related resources
Audit Test Selection: Case Studies
Audit Tests: Types, Advantages, & Disadvantages

Material from the KnowledgeLeaderSM Internal Audit and Risk Management Community
http://www.knowledgeleader.com

6/2/2010 6:23 PM

Page 4 of 4
2006 Protiviti Inc. EOE. All rights reserved. Access Agreement Privacy Policy

6/2/2010 6:23 PM