International Seminar on IT in Audit,
September 2001, Beijing, China
Subject of Paper:
USE OF IT IN PREPARING, PLANNING AND PERFORMING AUDITS
Country:
NORWAY (Office of the Auditor General of Norway)
Information about the papers:
This paper includes three sub-themes of the theme “Use of IT in Preparing, Planning and Performing Audit”. The two sub-themes are “PROSIT – Processoriented IT Audit Tools” (chapter 2) and “Data Capture” (chapter 3). Each of these sub-themes may be included in or excluded from the presentation as preferred.
USE OF IT IN PREPARING, PLANNING AND PERFORMING AUDITS
Knut Ystad, Christine Young and Anne Hausland – Office of the Auditor General of Norway (OAG)
1. OVERVIEW
OAG has 440 employees. Approximately 300 of these people work primarily on financial auditing, of whom 80 are based at one of OAG’s 21 regional offices around Norway, whilst the rest are based at OAG’s head office in Oslo.
The long-term plan of OAG includes several goals and actions concerning the use of IT in OAG. The main focus is on how to improve the effectiveness and efficiency of the audit in general. The goals and actions therefore cover not just one part of the audit process, but several. Because of this, we would like to give a short presentation of some of our thoughts before giving more details on the use of IT in preparing, planning and performing audits.
In Financial auditing OAG wants to use IT:
· As support for carrying out the audit in accordance with current methodology
· As electronic filing for all involved in the audit (annual files and permanent files)
· For data capture from auditees (accounting data and payroll data, TOMAS system)
· For automation of an audit (common audit procedures are carried out automatically for you)
OAG wishes to develop systems that cover the items mentioned above. We also want the systems to be integrated with one another.
IT tools for Financial Auditing at OAG today
All auditors have a laptop with 10 gigabytes of storage capacity and over 500 MB of internal memory, which is used both in the office and when visiting the auditees.
· Word
Every auditor uses templates that support the planning, execution and reporting of the audits. The templates are part of our guidelines for financial audit and the auditors are obliged to use them.
· Excel
Most auditors make analytical reviews using Excel, e.g. trend analysis. Analytical reviews are carried out both in the planning phase and the execution phase.
· WinIDEA
Many auditors use WinIDEA for analytical reviews and for checking the accuracy of information based on transactions from the auditees’ accounting systems. It is a brilliant tool once the necessary data are available. WinIDEA is used both in the planning phase and the execution phase. An example of the use of WinIDEA in the execution phase is given later in this presentation.
· Data capture system
The IT section of OAG collects data from the auditees’ accounting systems and payroll systems. More details are given later in this presentation.
· Audit procedures database
A collection of audit procedures. The auditors use the database when making audit programmes.
IT tools for Financial Auditing at OAG in future
Currently OAG is working on three large IT development projects:
· PROSIT (process oriented IT audit tools)
More details are given after this overview.
· Data capture automation system – TOMAS (accounting data from auditees)
More details are given later in this presentation.
· Infrastructure (direct link between auditors’ laptops and main office)
OAG does not regard these as three different projects/systems, but as systems that have to work together. There are plans for further development and integration of the systems.
2. PROSIT – PROCESSORIENTED IT AUDIT TOOLS
2.1 USE OF IT IN PREPARING AND PLANNING AUDITS
As mentioned earlier, the auditors today have Word templates for preparing and planning audits. They are obliged to use templates for the risk and materiality assessment and the audit plan.
Support methodology
OAG places great emphasis on methodology. Standards and audit guidelines describe how to carry out an audit. Despite the guidelines and templates, we have found that OAG has various audit cultures. Top management thinks it is necessary to reduce the gap between the audit cultures. More uniform financial auditing throughout all sections is a goal.
The most important action to achieve more uniform financial auditing is the development of an IT system that supports the whole audit process: planning, execution and reporting. We have called the system PROSIT, process oriented IT-audit programme. The long-term goal of the system is effective and uniform financial audit.
We believe it is essential to have an IT audit system in which the auditors are guided through the audit process and in that way prepare and plan an audit in accordance with the agreed methodology. The audit advisors who conduct the quality assurance of the audit work will also use PROSIT in their work, having the auditors’ work available and making comments directly in PROSIT.
It took a long time before we decided that we ought to develop a system for OAG instead of buying an existing system or making changes to a system that is already developed. Testing of available audit systems has been necessary. Although our guidelines are based on international audit methodology, there are some distinctions between our methodology and the textbooks on financial auditing. One of the conditions that PROSIT has to fulfil is that our auditors find that PROSIT supports and describes the financial audit methodology of OAG, not just international audit methodology or the methodology of another organisation. Our office has spent a lot of time preparing new audit standards and guidelines. The IT system must be adapted to our methodology, not the other way round, where we would have to adapt our methodology to be able to use the system in the best possible way.
Electronic filing
PROSIT is also an electronic filing system for all audits. To be able to plan the audit effectively and efficiently, it is important to have the necessary data available. Electronic filing covers both annual files and permanent files. Most audits involve several people. When information about the auditees is stored in a central database, everyone can access the data when needed. There is no need to search for manual folders that are not stored where they should be, or to find the folder only to discover that the information you need has been removed from it. Since everyone involved in an audit works against the same database, the whole audit team has access to the same information. Information stored in the database is available to everyone involved in the audit immediately after registration.
In PROSIT it is easy to compare information, e.g. to look at last year’s risk assessment or the risk assessment of a similar auditee when making this year’s risk assessment. You can copy the information if appropriate and in this way save time.
All information that is registered in PROSIT about an auditee will be stored in the database. However, not all necessary information about the audit is stored electronically. We receive documents from the auditees. In addition, auditors make copies of vouchers. It is possible to scan such documents, but so far we think that a reference to a manual file satisfies our needs. Scanning might be a part of later versions of PROSIT.
When you are planning and preparing the audit, it is necessary to have the budget and financial statements from the auditees. Our IT section receives data from the auditees’ accounting systems, and we want such data to be imported directly into PROSIT.
Conclusion
OAG wants the auditors and executives to have IT tools that help them perform effective and efficient planning. We have been through a process of writing a requirement specification and assessing available audit tools. The tools that best suit our needs are systems that are tailor-made for the needs of OAG, which means developing them in-house. Our plan is to have the first version of PROSIT available in late spring 2002.
2.2 USE OF IT IN PERFORMING AUDITS
PROSIT will also be used in the execution phase. The audit programme is made in PROSIT based on information from the planning phase. The audit findings are also registered in PROSIT.
We have experienced that many auditors seem to forget the results of the planning phase when they start performing the audits. They have made risk and materiality assessments and set targets for the audit. When the auditors later make the detailed audit programme, it can be difficult to see the connection between the conclusions in the planning phase and the chosen audit procedures.
In PROSIT the auditors have important information from the planning phase available when making the audit programme. Each audit procedure is linked to one or several targets set in the planning phase. In that way the auditors are forced to keep the targets in mind when making the audit programme. When they are closing the audit, they have to conclude on the same targets with the audit findings available. In this way OAG forces the auditors to focus on central elements of the methodology throughout the audit process.
PROSIT will contain a database of audit procedures. The database exists today and will be a part of PROSIT. These audit procedures are not compulsory, but suggestions. Audit procedures are picked from the database based on the risk assessment, materiality assessment and audit targets set for the audit. In addition, the auditors make their own audit procedures to cover the targets for that particular audit. Today the database contains few audit procedures intended for WinIDEA. OAG has a project group that is working on this matter now. Audit procedures for WinIDEA will also be available through the database in PROSIT.
Some years ago OAG discussed introducing a system for automatic generation of the audit programme based on registered data containing risk, size etc. We no longer believe in this. We have found that an automatically generated audit programme cannot replace the auditor’s judgement. There are too many elements that affect which audit procedures best cover the risk and targets for one particular audit.
However, we do believe in automation for other purposes. Through the data capture system (TOMAS), OAG collects accounting data covering all transactions from the auditees. Today the accounting data are stored in OAG to be used in WinIDEA. Some time in the future we hope to integrate PROSIT and the data capture system. There are some audit procedures that many auditors find useful, e.g. analytical reviews such as trend analysis. These are analyses that can be executed by writing quite simple SQL queries and running them on the accounting data available in the data capture system. We want to make it possible to execute those audit procedures automatically. The auditor picks the audit procedure from the database, and the result of the query is given back to the auditor by the data capture system. The auditor does not have to import the data into WinIDEA and then make the analysis, but gets the result back directly from the data capture system.
OAG wants the auditors to have IT tools so that they can spend their time on what they are really good at: auditing. We think that some of the tasks our auditors perform today are not really audit work. Although many of our auditors are excellent at filing and retrieving information and at downloading and converting data for use in IDEA, we think they should spend as little time as possible on such tasks.
The attitude of OAG is to exploit IT to improve the effectiveness and efficiency of the audit work. PROSIT, together with our data capture system (TOMAS) and new infrastructure, are our main actions at the moment to satisfy our auditors’ needs.
3. DATA CAPTURE
OAG wants to be able to perform computer analyses on the basic raw data stored in auditees’ financial management systems in connection with its financial audits. Data used in the financial management systems of the audited entities in Norway are stored in a number of different systems and databases across the whole country, which in turn use a number of different servers and network operating systems. For many years, OAG has used the IDEA system to this end. However, over the years, it has often proven technically very complicated to get access to the desired data in an audited entity, to process them and to transfer them to IDEA before the actual computer analysis work can begin. A variety of security issues have also been raised regarding connecting machines on different networks and in different agencies.
The introduction of a new Financial Management Regulation for the Central Government in Norway in 1996 meant that most central-government agencies had to change to new financial management and accounting systems. Although each individual agency was responsible for buying and implementing its own system, the overall result was that most of the agencies in the government administration now have more uniform, modern client-server systems. This in turn made it possible for OAG to introduce a more uniform and standardised solution for access to the basic data in the audited entities’ financial management system.
3.1 DATA CAPTURE – CURRENT PILOT SOLUTION
In order to promote efficient and quality-assured work processes and to ensure that the auditors’ work to get access to the basic data stored in financial management and accounting systems did not pose an increased security risk for either the auditees or OAG, OAG decided that the audited entities (or the service providers they used) should periodically transfer central data from the agencies’ financial management system to OAG. It was also decided that the processing of the data that was necessary for the auditors’ analyses would be performed internally by OAG. For security reasons, OAG stipulated the objective that the people who were responsible for the operation of a network should also bear the full responsibility for all equipment and all systems connected to this network. OAG’s security requirements also entailed that the Office’s computer equipment could not be connected to any other network systems than OAG’s own internal network.