International Seminar on IT in Audit,
September 2001, Beijing, China
Subject of Paper:
USE OF IT IN PREPARING, PLANNING AND PERFORMING AUDITS
NORWAY (Office of the Auditor General of Norway)
Information about the papers:
This paper includes three sub-themes of the theme “Use of IT in Preparing,
Planning and Performing Audit”. The two sub-themes are “PROSIT-
Processoriented IT Audit Tools” (chapter 2) and “Data Capture” (chapter 3).
Each of these sub-themes may be included or excluded the presentation as
USE OF IT IN PREPARING, PLANNING AND PERFORMING AUDITS
Knut Ystad, Christine Young and Anne Hausland – Office of the Auditor General of
OAG has 440 employees. Approximately 300 of these people work primarily on financial
auditing, of which 80 are based at one of OAG’s 21 regional offices around Norway, whilst the rest are based at OAG’s head office in Oslo.
The long-term plan of OAG includes several goals and actions concerning use of IT in OAG. Main focus is on how to improve effectiveness and efficiency of the audit in general.
Therefore goals and actions do not cover just one part of the audit process, but several. Because of this we would like to give you a short presentation of some of our thoughts before giving you more details on use of IT in preparing, planning and performing audits.
Planning phase Support methodology Data capture Electronic filing Automation (audit process)
Execution phase Analysing transactions data
In Financial auditing OAG wants to use IT:
? As support for carrying out the audit in accordance with current methodology ? As electronic filing for all involved in the audit (annual files and permanent files) ? For data capture from auditees (accounting data and payroll data, TOMAS system) ? For automation of an audit (common audit procedures are made automatically for you)
OAG wishes to develop systems that cover the items mentioned above. We also want the
systems to be integrated to another.
IT tools for Financial Auditing at OAG today
All auditors have a laptop with a 10 gigabytes storage capacity, over a 500 MB internal
memory and that is used both in office and when visiting the auditees.
Every auditor uses templates that support the planning, execution and reporting of the
audits. The templates are part of our guidelines for financial audit and the auditors are
obliged to use them.
Most auditors make analytical reviews using Excel, e.g. trend analysis. Analytical reviews
are carried out both in the planning phase and the execution phase.
Many auditors use WinIDEA for analytical reviews and controls of accuracy of
information based on transactions from the auditees accounting systems. A brilliant tool
once you have got the necessary data available. WinIDEA is used both in the planning
phase and the execution phase. An example of use of WinIDEA in the execution phase is
given later in this presentation.
? Data capture system
The IT section of OAG collects data from the auditees accounting systems and payroll
systems. More details are given later in this presentation.
? Audit procedures database
A collection of audit procedures. The auditors use the database when making audit
IT tools for Financial Auditing at OAG in future
Currently OAG is working on three large IT development projects:
? PROSIT (process oriented IT audit tools)
More details are given after this overview.
? Data capture automation system – TOMAS (accounting data from auditees)
More details are given later in this presentation
? Infrastructure (direct link between auditors laptops and main office)
OAG do not regard them as three different projects/systems, but systems that have to work
together. There are plans for further development of the systems and integration of the
2. PROSIT – PROCESSORIENTED IT AUDIT TOOLS
2.1 USE OF IT IN PREPARING AND PLANNING AUDITS
As mentioned earlier, today the auditors have word templates for preparing and planning audits. They are obliged to use templates for risk and materiality assessment and audit plan.
OAG emphasise a great deal on methodology. Standards and audit guidelines describe how to carry out an audit. Despite of guidelines and templates we have found that OAG have various audit cultures. The top management think it is necessary to reduce the gap between the audit cultures. More uniform financial auditing throughout all sections is a goal.
The most important action to achieve more uniform financial auditing is development of an IT-system that support the whole audit process; planning, execution and reporting. We have called the system PROSIT, process oriented IT-audit programme. The long-term goal of the system is Effective and uniform Financial Audit.
We believe that it is essential with an IT-audit system in which the auditors are guided through the audit-process and in that way prepare and plan an audit in accordance with agreed methodology. The audit advisors who conduct the quality assurance of the audit work will also use PROSIT in their work. Having available the auditors work and making comments directly in PROSIT.
It has been a long way before we decided that we ought to develop a system for OAG instead of buying an existing system or making changes to a system that is already developed. Testing of available audit systems has been necessary. Although our guidelines are based on international audit methodology, there are some distinctions between our methodology and the educational books in financial auditing. We feel that one of the conditions that PROSIT has to fulfill, is that our auditors find that PROSIT support and describes the financial audit methodology of OAG. Not just international audit methodology or the methodology of another organisation. Our office has spent a lot of time in preparing new audit standard and guidelines. The IT system must be adapted to our methodology - not the other way round - that we have to adapt our methodology to be able to use the system in the best possible way.
PROSIT is also an electronic filing system for all audits. To be able to execute effective and efficient planning of the audit it is important to have necessary data available. Electronic filing cover both annual files and permanent files. For most audits several people are involved. When information about the auditees is stored in a central database everyone can access the data when needed. There is no need to search for manual folders which are not stored where they should be, or when you find the folder discover that the information you need has been removed from the folder. Since everyone involved in an audit work towards the same database, the whole audit team has access to the same information. Information stored in the database is available for everyone involved in the audit immediately after registration.
In PROSIT it is easy to compare information, e.g. look at last year risk assessment or the risk assessment of a similar auditee, when making this year’s risk assessment. You can copy the information if appropriate and in this way save time.
All information that is registered in PROSIT about an auditee will be stored in the database. However, not all necessary information about the audit is stored electronically. We receive documents from the auditees. In addition auditors make copies of vouchers. It is possible to scan such documents, but so far we think that a reference to a manual file satisfies our needs. Scanning might be a part of later versions of PROSIT.
When you are planning and preparing the audit it is necessary with budget and financial statements from the auditees. Our IT-section receives data from the auditees accounting system and we want such data to be imported directly in PROSIT
Conclusion OAG wants the auditors and executives to have IT-tools that help them in performing effective and efficient planning. We’ve been through a process of writing requirement
specification and assessing available audit tools. The tools that best suits our needs are systems that are tailor made the needs of OAG - that mean develop in house. Our plan is to have first version of PROSIT available late spring 2002.
2.2 USE OF IT IN PERFORMING AUDITS
PROSIT will be used also in the execution phase. The audit programme is made in PROSIT based on information from the planning phase. The audit findings are also registered in PROSIT.
We have experienced that many auditors seem to forget the results of the planning phase when they start performing the audits. They have made risk and materiality assessment, set targets for the audit. When the auditors later on make the detailed audit programme it might be difficult to see the connection between the conclusions in the planning phase and the chosen audit procedures.
In PROSIT the auditors have available important information from the planning phase when making the audit programme. Each audit procedure is linked to one or several targets set in the planning phase. In that way the auditors are forced to have the targets in their mind when making the audit programme. When they are closing the audit they have to conclude on the same targets having the audit findings available. In this way OAG force the auditors to focus on central elements in the methodology throughout the audit process.
PROSIT will contain a database with audit procedures. The database exists today and will be a part of PROSIT. These are not audit procedures that are compulsory, but suggestions. Audit procedures are picked from the database based on risk assessment, materiality assessment and audit targets set for the audit. In addition the auditors make their own audit procedures to cover the targets for that particular audit. Today the database contains few audit procedures intended for WinIDEA. OAG have a project group that is working on this matter now. Audit procedures for WinIDEA will also be available through the database in PROSIT.
OAG had some years ago discussion about introducing a system for automatic generation of audit programme based on registered data containing risk, size etc. We do not longer believe in this. We have found that an automatic generated audit programme can not cover up for the
auditor’s judgement. There are too many elements that affect which audit procedures that best cover the risk and targets for one particular audit.
However we do believe in automation for other purposes. OAG collects accounting data covering all transactions from the auditees, the data capture system (TOMAS). Today the accounting data are stored in OAG to be used in WinIDEA. Some time in the future we hope to integrate PROSIT and the data capture system. There are some audit procedures that many auditors find useful, e.g. analytical reviews as trend analysis. Analyses that can be executed by writing quite simple SQL-queries and use the query on the accounting data available in the data capture system. We want to make it possible to execute those audit procedures automatically. The auditor pick the audit procedure from the database and the result of the query is given back to the auditor by the data capture system. The auditor does not have to import the data into WinIDEA and then make the analysis, but gets the result back directly from the data capture system.
OAG wants the auditors to have IT-tools so they can spend their time on what they are really good at; that’s auditing. We think that some of the tasks our auditors perform today are not
really audit work. Although many of our auditors are excellent at filing and retrieving information and at downloading and conversion of data for use in IDEA, we think they should spend as little time as possible on such tasks.
The attitude of OAG is to exploit the IT technology to improve effectiveness and efficiency of the audit work. PROSIT together with our data capture system (TOMAS) and new infrastructure are our main actions at the moment to satisfy our auditors needs.
3. DATA CAPTURE
OAG wants to be able to perform computer analyses on the basic raw data stored in auditees’ financial management systems in connection with its financial audits. Data used in the financial management systems in the audited entities in Norway are stored in a number of different systems and databases across the whole country that in turn use a number of different servers and network operating systems. For many years, OAG has used the IDEA system to this end. However, over the years, it has often proven itself to be technically very complicated to get access to the desired data in an audited entity, to process them and to transfer them to IDEA before the actual computer analysis work can begin. A variety of security issues have also been raised regarding connecting machines on different networks and in different agencies.
The introduction of a new Financial Management Regulation for the Central Government in Norway in 1996 meant that most central-government agencies had to change to new financial management and accounting systems. Although each individual agency was responsible for buying and implementing its own system, the overall result was that most of the agencies in the government administration now have more uniform, modern client-server systems. This in turn made it possible for OAG to introduce a more uniform and standardised solution for access to the basic data in the audited entities’ financial management system.
3.1 DATA CAPTURE – CURRENT PILOT SOLUTION
In order to promote efficient and quality-assured work processes and to ensure that the auditors’ work to get access to the basic data stored in financial management and accounting systems did not pose an increased security risk for either the auditees or OAG, OAG decided that the audited entities (or the service providers they used) should periodically transfer central data from the agencies’ financial management system to OAG. It was also decided that the processing of the data that was necessary for the auditors’ analyses would be performed
internally by OAG. For security reasons, OAG stipulated the objective that the people who were responsible for the operation of a network should also bear the full responsibility for all equipment and all systems connected to this network. OAG’s security requirements also
entailed that the Office’s computer equipment could not be connected to any other network systems than OAG’s own internal network.
OAG appointed a working group that, on the basis of OAG’s methodology, formulated a set of specifications regarding which information the auditors needed from the audited entities’
financial management systems for their data analysis in connection with normal financial audits and at what times these data had to be available. These specifications were then sent to the suppliers of the most commonly used financial management and accounting systems in the central government, who provided OAG with a list of the tables and fields in which this information was stored in their particular financial management system.
A pilot project was then instituted in connection with two major service providers and a sample of agencies of different sizes and geographical distribution, whereby a simple standardised database script was implemented that makes a copy of the tables in the financial management systems that contains the information that the auditors need in their analysis work. These tables are packed using standard compression software, burned onto CDs and sent to OAG. At OAG, the data packets are unpacked and imported into new databases on a
separate server, meaning that OAG has an identical copy of central data from the agencies’ financial management system as of the date of delivery.
Standardised SQL extracts are made from the various financial management systems that generate data capture files suitable for IDEA import for the main information in the different types of financial management and accounting systems. An application wizard was then established in connection with OAG’s Intranet portal, whereby the individual auditor could
select the agency, main information and period he is interested in. The wizard generates an electronic order form that is then automatically effectuated by a data capture application that produces the ordered file from the selected agency’s financial management system, packs the
results into a packet, puts it in the area on the server belonging to the auditor that placed the order, and sends an email to the auditor stating that the requested file is ready for import into IDEA.
The pilot project is compatible with the Agresso accounting system, the Oracle Financial accounting system and the Formula payroll and personnel system and functions on the database platforms Oracle and Sybase. Data can be collected from both Windows NT and a variety of Unix database servers. The pilot system is currently in use and offers access to the accounting data in a total of approx. 350 audited entities, one of which has 18 subordinate units with their own separate accounting systems. This solution also allows access to payroll data for approx. 50 audited entities.
3.2 DATA CAPTURE AUTOMATION - THE TOMAS SYSTEM
In general, our experiences with the pilot solution have been very positive. Regardless of their geographical situation, the auditors have quick and easy access to the basic data in those auditees that are accessible by means of this system, meaning they can use their time to analyse the data for auditing purposes. When computer equipment is not physically connected across agencies and networks and OAG’s data analyses and extractions are not performed
directly on systems in operation, this new system also is more orderly in terms of security for the audited entities and for OAG.
However, the established pilot scheme does entail a fair amount of manual follow-up for OAG’s IT division in terms of work in connection with the import procedures and dealing with the CDs. Indeed, this is the main obstacle stopping us from expanding the system to include more auditees and financial management systems. The system has also entailed extra work for some auditees in connection with the implementation, depending on the agency’s level of competence in computer systems.
Against the background of the experiences with the pilot system, work has now started to establish an automated system called TOMAS (which is an acronym in Norwegian for technical transfer and reception system). This system consists of three elements: a simple application that must be installed in audited entities that are to submit data, a reception station for temporary storage of the transferred data, and an application at OAG that imports the received data and updates a central database about the data transmissions.
The application in audited entities runs basically the same back-up scripts from the financial management systems as in the current pilot system, the extracts are compressed and the data
packet is given a unique identification tag for the agency before it is encrypted using PGP (Pretty Good Privacy).
Auditees that submit very large amounts of data will continue to burn the data onto a CD and send the CD to OAG, whereas in small and medium-sized agencies, the program will automatically transfer the data packet electronically via the agency’s existing external communication port to a special receiving station run by OAG. This receiving station is outside OAG’s network and is protected by a firewall that allows this type of data transfer from specified users. Once the data transfer is complete, the auditee will automatically be sent an electronic receipt from the receiving server stating whether the transfer was successful.
The application at OAG brings the data packets from the receiving server into OAG’s network, decrypts the packet, unpacks it, identifies the agency that submitted it and the type of financial management system and database platform that the tables in the data packet come from, and imports them into the correct database system in the same way as in the pilot scheme. This application will also contain error management tools and a central database containing information about which agencies have submitted data from which financial management system, from which type of database and at what time.
We are currently talking to the suppliers of the other brands of financial management and accounting systems used in the central government in order to determine in which tables the information that the auditors need is stored in these systems. The results of this dialogue will be implemented in the export application installed in the auditees, in the import application at OAG and in the wizard that generates the IDEA-compatible data analysis files for the auditors.
The export and import software is expected to be completed by summer 2001. The audited entities will then be sent the export application and will be able to start submitting accounting data periodically. By virtue of the wizard in OAG’s Intranet portal, the auditors will have quick and easy access to these data shortly after they have been submitted by the agencies.
3.3 FUTURE PROSPECTS
A number of new opportunities for further improvements in efficiency and quality in the audit work will be yielded as a result of OAG having a standardised copy of the central financial data for the audited agencies available internally via its network and an internal database of information about which agencies’ data are stored, where, and in what format.
OAG is currently also working on a process-oriented IT auditing tool (PROSIT), which was presented earlier. A unique auditee identification code and the co-ordinated structuring of auditees in both TOMAS and PROSIT will render possible direct transfer of budgeting and accounting data from the auditees’ financial management system to PROSIT, thus by-passing
the various export, conversion and import procedures, some of which are still technically arduous.
As mentioned in the PROSIT presentation, OAG has a joint audit-procedures database for the most common audit procedures in financial audits. This database is currently being expanded to include an associated database of computer auditing procedures, i.e. audit procedures that are wholly or partly performed using computer analysis tools on raw data from the audited
agencies’ financial management system. Both audit-procedures databases are expected to be
integrated as a part of PROSIT.
In addition, it has been registered that many of the computerised audit procedures that are usually performed using WinIDEA today, can in principle be implemented as standardised queries and program codes in the databases for the individual financial management systems, regardless of which agencies are being audited.
The introduction of unique auditee identification codes in TOMAS and PROSIT and the co-ordinated structuring of which auditees’ financial data are stored will thus also create the
possibility that in the future, once the auditor has chosen an audit procedure in PROSIT, he will also be able to have an associated computer audit procedure carried out automatically. The auditor will simply receive the results of the computer audit procedure directly without having to export the data from the agency’s financial management system, import them into a data analysis tool and himself carry out a set of operations in the data analysis tool. In this way, auditors will be able to spend more of their time and focus more clearly on applying their auditing skills, on assessing the results of the audit procedures and performing other concrete audit activities – as opposed to performing technical operations that can be
These are some of the possibilities that OAG is trying to keep open in connection with the implementation of both TOMAS and PROSIT and which we will look at more closely once the first version of both systems are up and running.