Auditors Must Understand IT Processes, Both Internal and External, in Order to Perform

USE OF IT IN AUDIT

COUNTRY PAPER-PAKISTAN

By:

Jamal Abdul Nasir Usmani,Director, Office of the Auditor General of Pakistan

Muhammad Faheem,Dy. Director, PIFRA,Office of the Auditor General of Pakistan

THE PRESENT SCENARIO

With the advent of more and more sophisticated accounting systems, and rapid improvements in technology, a stage is coming soon when it will be unthinkable to conduct an audit without using audit software. Therefore, it’s essential that auditors sharpen their skills in the use of such tools. Auditors must keep pace with the changing environment because inevitably there will be occasions when mere working knowledge of these tools of audit will be insufficient. It is vital that in order to ensure better and more pervasive results in audits, auditors must become experts in applying audit software.

Ever since the introduction of computers in public sector, the Pakistan Audit Department has been alert to the potential of information technology in improving public accountability. Initially, PCs were used for processing audit reports, storing data and retrieving information. However, the realization was always there that we could do a much better job by giving the professional audit staff the tools to carry out their own data analysis.

There cannot be two opinions that there are countless advantages of use of information technology. For example, all relevant information pertaining to audit will be available to all audit staff, whether it be the Audit Manual, earlier audit reports, auditee profile, latest orders of the government, policy papers or guidelines. This resource of knowledge may be accessible to the auditors from their desktop computers. In order to achieve this, it is vital to develop and maintain an Internet network, which will enhance the work of the auditors by enabling them to readily carry out research and maximize their potential efficiency and effectiveness. And this is only one advantage. There are numerous other potentials like reliability of figures, easy access to more data in less time and ease in totaling, etc.

However, the maximum potential of information cannot be realized without intensive training in the use of information technology on the one hand and enabling the auditors to have access to Personal Computers on the other. Any scheme to replace the manual systems with computerized modules requires the auditors need to have adequate computing expertise, personal computers, as well as the necessary software. The auditors must understand IT processes, both internal and external, in order to perform audit in accordance with international standards. Networking, client/server environments and a dwindling paper trail are just some of the developments which will change audit approach completely. But this situation will crystallize after we encounter systems involving Electronic Data Interchange (EDI) where computers "talk" to each other with only an electronic trail.

Generally Accepted Auditing Standards require the auditor to obtain sufficient knowledge of the entity’s business to provide a basis for adequate planning and properly executing the audit. The auditor is also required to obtain a sufficient understanding of internal controls, both the control environment and control systems. When we come across a situation where the accounts are fully computerized, we shall have to maximize our use of IT, both internally and externally. If we do not do so, we shall remain behind in our profession.

Initial Challenges

One of the greatest challenges that we faced while introducing IT systems was the inherent passive resistance to any new idea. Not all auditors welcomed the idea of using CAATs without reservation. This phenomenon, which may also be called fear of the unknown, emanated from the feeling that introduction of IT would lead to a scenario when the demand for manual workers would be eliminated and their jobs might be at risk. The first challenge was to make the auditors receptive to the use of IT as a source of improvement in efficiency and professionalism.

Secondly, there was no exposure of the auditors to the use of Information technology. They did not know how to use the technology. There was the need to introduce them to the new technology through training and instruction. The objective was to prepare a core team of auditors who could apply the new technology whenever accounts were available in computerized format. At the same time, there was the need to ensure access of the auditors to personal computers in the face of limited financial resources.

Then there was the fact that the accounting in public sector was not computerized. Pakistan has not yet attained the status of a paper less society and the hard copy is still taken to be more reliable than a soft copy on a diskette. Auditors also feel more at home with using files and folders to scrutinize the data. They could not imagine producing an audit certificate without any documents in their hands. And even if they agreed to conduct audit in an IT environment, they did not find computerized accounts.

In such an environment, any forward action on our human resource planning and further development of CAATs had to be placed on hold and our efforts were directed to creating awareness of IT in the auditors and giving them maximum training in the use of computers in the first stage.

Induction of Computers in The Department

Since the Auditor General of Pakistan had both accounting and auditing functions in his mandate till July 2001, he ordered that use of computers should be introduced for both accounting and auditing. Initially, stand alone PCs were provided on large scale in every office and the staff was encouraged to use PCs extensively. A separate Directorate General of Computerization was established in the Department to oversee computerization of both accounting and auditing functions.

It was realized that computerized auditing could not be started as long as accounting system was not computerized. Therefore, priority was given to computerize payment function and accounting. Initially, in early 80s, the Pakistan Computer Bureau, the official agency responsible for computerization in Government Departments in Pakistan was given the contract to computerize the payroll and preparation of accounts.

Simultaneously, a massive campaign was launched to impart initial computers training to the officers and staff. The Audit and Accounts Training Institute, which is located in Lahore and has regional offices at the Federal and provincial capitalsintroduced a number of short courses for the officials and staff. At first the training was limited to use of general software packages like MS DOS, Windows, word processing, spread sheets and data base etc. But gradually, people were encouraged to undertake training in computer languages like Basic, Foxpro, Visual Basic, Cobol, C+ etc. for programming. With the advent of software packages for accounting and auditing, the staffs as well as officers were encouraged to learn and apply these packages. Resultantly, now we have got a sizeable number of workforce, quite conversant with the use of computers both for accounting and audit. Some of our auditors have also got training in the specialized audit software like IDEA and ACL and at present we have a team of auditors who can undertake audit in IT environment with confidence.

Gradually the Department took over the job from the Pakistan Computer Bureau and is now processing and making monthly payments to all the Federal and provincial Government employees paid from civil estimates through computers.

Methods of Auditing Computer Systems

Auditing Around The Computer

Auditing around the computer is generally the approach taken by our auditors in case they audit in IT environment, which is rare till date as already explained. Our overall audit strategy is substantive, i.e. we generally do not rely on controls, manual or computerized, given the general lack of controls in the auditee environment.

Auditing Through The Computer

We do not audit through the computer because we feel that we get efficient, effective (and economical) results by auditing with the computer.

Auditing With The Computer

Auditing with the computer is for which we have got a core team of auditors available, but we have not yet got the chance to apply the knowledge on universal basis. For large audits, CAATs may be developed and applied in order to complete the audit in the most efficient and effective way. The auditors may also perform data extraction analyses.

Potential of IT Audit

While applying an audit software, audit tests and evaluations are greatly supported by the use of simple commands such as sorting, statistical analysis, totaling and subtotaling, grouping, indexing and filtering. By using software, an auditor can carry out three types of audit checks:

• data input or validation checks through tests of sequential control, and use of commands for scanning missing numbers and record counts

• data processing or report validation checks through simple and standard re-performance tests; for example, reprocessing the debtors aging report using software and comparing it with the auditee’s aging report

• output control checks through distribution and access tests and verification of exception reports

Similarly, investigation software can help an auditor to apply certain commands for detecting duplicate invoices/ checks / payment vouchers. Even ghost recipients can be spotted and certain software can even detect suppliers with the same addresses or telephone numbers, and can perform interesting and effective tests for audit and fraud detection.

Such tests are usually not possible manually, especially in sophisticated computerized accounting systems and where audit populations have massive amounts of data. Thus it may be appreciated that auditors would not be able to conduct such tests without using sophisticated computer tools,.

However, the actual creativity, imagination and expertise of the auditor have not yet been used, or if used, only marginally; auditors can scale greater heights and achieve much more meaningful, penetrative and focussed results if they build their own experience, foresight, judgement and vision in the audit software.

Pakistan Audit Department is fully conscious of the potential of IT audit and our future strategy places a lot of emphasis on this important dimension of audit.

THE FUTURE-NEW PARADIGM

1. PROJECT FOR IMPROVING FINANCIAL REPORTING AND AUDITING (PIFRA)

As has been mentioned earlier the Auditor-General of Pakistan was traditionally responsible for both payments and their accounting and the audit. There has been a realisation within the Department that ideally the Accounting agency should be separate from the Auditing Agency. The 1st step towards separation of two functions was taken in 1988 when Audit Offices, independent of Accountants General were established. This undercurrent could only be transformed into a reality when a project envisaging major reforms was conceptualised about a decade ago. The project is named as Project for Improvements to the Accounting and Auditing in Pakistan. Shortly we call it PIFRA. The Auditor General of Pakistan is implementing PIFRA with the assistance of the World Bank. The project aims at not only automation of the Public Sector Accounting, installation of an integrated financial management system but also handing over of the post automation accounting function to the executive in a gradual manner.

The Project for Improving Financial Reporting and Auditing (PIFRA) was conceived to bring about important improvements in both areas. With respect to the AGP’s functional area, the Project has four components:

• Government accounting and financial reporting,
• Government auditing,
• Human resource management,
• Training,

While elaborating upon the PIFRA project, we shall restrict our discussion to only two components which, we think, are relevant to the theme of the seminar. Among these, the 1stone is the Government Accounting and Financial Reporting.

GOVERNMENT ACCOUNTING AND FINANCIAL REPORTINGCOMPONENT

Under the Government Accounting and Financial Reporting Component an integrated accounting and financial reporting system known as New Accounting Model (NAM) has been developed for the Federal and Provincial governments. The system covers budget preparation, budget execution, appropriation, funds allocation, recording / accounting of the payment process, abstracting and reporting of financial and accounting data to appropriate agencies. The Core Accounting System would be fully automated with strong interface features and would be implemented in conjugation with modern accounting standards and expenditure classification systems. As it should be with a composite project, there is a strong inter-relationship among all the components, especially the Government Accounting and Financial Reporting component and the Auditing component.

The changes which the Government Accounting component will bring about would impact the audit environment. The NAM would make much greater data available for Audit primarily in an IT environment. The overall impact would be to create greater opportunities for effective audit – which the auditing component would seek to optimise – and also pose a challenge which the auditing component would seek to address. SAP R/3, the package solution has been selected for implementing NAM.

GOVERNMENT AUDITING COMPONENT

This component focuses on audit systems improvement and systems development. It will re-orient the traditional audit process towards system based approach leading to an opinion on the accounts of the audited entity and promote the use of IT and equip the Department to carry out in fully computerised accounting environments.

This component aims to develop an IT based core audit system parallel with the core accounting system developed under the New Accounting Model. The system would be based on auditing procedures following the features of the new accounting system. Based on principles of system based audit, it will lay down procedures for the entire audit cycle. It will be based on INTOSAI auditing standards modified to suit the needs of the PAD. The core audit system would branch out into specialised applications to suit different functional areas of PAD like: Railway Audit, Defence Audit, WAPDA Audit, Foreign Missions audit, Public Works Audit, Post and Telecommunication Audit, Audit of Public sector commercial entities including financial institutions and Audit of projects, especially foreign aided projects. For each of these specialisations, suitable modifications of the core system would be suggested. Also included in the system would be software for audit of computerised data of audited entities.The sub components are:

Audit Standards and Techniques: This activity aims at preparing guidelines for the introduction of international auditing standards, modern auditing techniques and concepts, review of PAD’s audit policies, processes and procedures, output, workload, efficiency and quality assurance for the audit function, advise on methodologies to enhance PAD’s communications with stake holders, for internal audit of PAD’s systems under development, development and use of automated audit tools and standard audit programs where appropriate, improve communication of audit results and develop quality assurance programmes.

Automated Tools: Selection / modification / development of suitable software for audit planning, sampling and documentation, and for audit of automated accounting systems and acquisition and provision of appropriate hardware.

Capacity Development: Consultancy to support revised human resource management procedures through international training in a modern financial system environment and through arranging attachments with other Supreme Audit Institutions.

International consultants have been engaged to carry out the above mentioned tasks. The consultant are to provide the following specific deliverables:

• Develop a kit of audit work papers to be used by the auditors in the field. This kit will be specific to each audit office.
• Develop a set of supervision instruments to facilitate monitoring and oversight of the field audit work.
• Advise the PAD on selection of software to enable the auditors to use computers for auditing, analyzing and reporting results of audit and its effective utilization by FAOs and at the Headquarters.
• Select / customize / install software for audit planning and monitoring at the level of the Auditor General’s office.
• Implementation of new auditing procedures and software in selected FAOs.
• Train a core group of audit technicians in each FAO and in the Auditor General’s office in programming and software maintenance for handling any future contingencies.
• Train a core group of auditors and officers in new auditing procedures and auditing software.
• Arrange exposure of a selected group of officers to international IT auditing practices, for at least 3 months of on the job training with private sector auditing firms of international repute who have been engaged by SAIs to undertake audits of government agencies or programmes.
• Review and evaluate the existing internal auditing institutions and their practices in the federal and provincial governments and prepare a proposal, supplemented with costs and implementation plan for creating new internal auditing offices and also for strengthening the existing ones.
• A policy framework for collaboration with the Private Sector Auditing Firms, identifying the focus areas in which it would be most productive to forge partnerships. By taking into account the types of expertise offered by the public and private sector auditing professions in Pakistan, the consultants will explore the possibility of cross fertilisation of expertise and joint audit efforts.

CONCLUDING REMARKS