
IT Audit & Assurance

Chapter 8: CAATTs for Data Extraction and Analysis

Data Structures
Organization and access method
[Figure: INDEX file and DATA file, each with organization SEQUENTIAL, ISAM, or RANDOM]

File Processing Operations


1. Retrieve a record by key
2. Insert a record
3. Update a record
4. Read a file
5. Find next record
6. Scan a file
7. Delete a record
[Table 8-1]

Individual Records

Data Structures
Flat File Structures
Sequential Structure [Figure 8-1]
All records in contiguous storage spaces in specified sequence (key field)
Sequential files are simple & easy to process
Application reads from beginning in sequence
If only small portion of file being processed, inefficient method
Does not permit accessing a record directly
Efficient: 4, 5; sometimes 3
Inefficient: 1, 2, 6, 7; usually 3

Data Structures
Flat File Structures
Indexed Structure
In addition to data file, separate index file
Contains physical address in data file of each indexed record

Data Structures
Flat File Structures
Indexed Random File [Figure 8-2]
Records are created without regard to physical proximity to other related records
Physical organization of index file itself may be sequential or random
Random indexes are easier to maintain, sequential more difficult
Advantage over sequential: rapid searches
Other advantages: processing individual records, efficient usage of disk storage
Efficient: 1, 2, 3, 7
Inefficient: 4

Data Structures
Flat File Structures

Indexed Sequential Access Method (ISAM) [Figure 8-3]


Large files, routine batch processing
Moderate degree of individual record processing
Used for files across cylinders
Uses number of indexes, with summarized content
Access time for single record is slower than Indexed Sequential or Indexed Random
Disadvantage: does not perform record insertions efficiently; requires physical relocation of all records beyond that point SOS
Has 3 physical components: indexes, prime data storage area, overflow area [Figure 8-4]
Might have to search index, prime data area, and overflow area, slowing down access time
Integrating overflow records into prime data area, then reconstructing indexes, reorganizes ISAM files
Very Efficient: 4, 5, 6
Moderately Efficient: 1, 3
Inefficient: 2, 7

[Figure: EVOLUTION OF ORG./ACCESS METHODS. Timeline 1960, 1970, 1980, 1990, from legacy systems to DBMS etc.; scale from efficient to inefficient for accessing single records and accessing entire files]

Hashing Structure
Employs algorithm to convert primary key into physical record storage address [Figure 8-5]
No separate index necessary
Advantage: access speed
Disadvantage:
  Inefficient use of storage
  Different keys may create same address
Efficient: 1, 2, 3, 6
Inefficient: 4, 5, 7
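The following is an added example, not part of the original slides, showing a hashing structure in which the record address is computed from the primary key, two different keys land on the same address, and most of the allocated storage stays empty. The slot count of 7, the sample keys and the linear-probing way of resolving a collision are assumptions made for illustration.

```python
# Added illustration of a hashing structure; slot count, keys and the
# linear-probing collision policy are assumptions, not taken from the slides.
SLOTS = 7  # a small prime divisor, which is also the number of record slots


def hash_address(key: int, slots: int = SLOTS) -> int:
    """Convert a primary key into a record address (division-remainder method)."""
    return key % slots


class HashedFile:
    def __init__(self, slots: int = SLOTS):
        self.slots = [None] * slots   # pre-allocated storage, mostly empty
        self.collisions = 0           # probe steps caused by occupied addresses

    def insert(self, key: int, record: str) -> int:
        """Store the record and return the address actually used."""
        size = len(self.slots)
        addr = hash_address(key, size)
        for _ in range(size):
            entry = self.slots[addr]
            if entry is None:
                self.slots[addr] = (key, record)
                return addr
            if entry[0] == key:
                raise KeyError(f"duplicate primary key {key}")
            self.collisions += 1       # different key, same address
            addr = (addr + 1) % size   # try the next slot
        raise OverflowError("file is full")

    def retrieve(self, key: int):
        """Direct access by key: no index, no scan from the start of the file."""
        size = len(self.slots)
        addr = hash_address(key, size)
        for _ in range(size):
            entry = self.slots[addr]
            if entry is None:
                return None
            if entry[0] == key:
                return entry[1]
            addr = (addr + 1) % size
        return None

    def utilization(self) -> float:
        """Fraction of allocated slots that hold a record."""
        return sum(e is not None for e in self.slots) / len(self.slots)
```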

Pointer Structure

Stores the address (pointer) of related record in a field with each data record [Figure 8-6]
Records stored randomly
Pointers provide connections b/w records
Pointers may also provide links of records b/w files [Figure 8-7]
Types of pointers [Figure 8-8]:
Physical address: actual disk storage location
  Advantage: access speed
  Disadvantage: if related record moves, pointer must be changed & w/o logical reference, a pointer could be lost, causing referenced record to be lost
Relative address: relative position in the file (135th)
  Must be manipulated to convert to physical address
Logical address: primary key of related record
  Key value is converted by hashing to physical address
Efficient: 1, 2, 3, 6
Inefficient: 4, 5, 7

Database Structures
Hierarchical & Network Structures [Figure 8-9]
Uses explicit linkages b/w records to establish relationship
Figure 8-9 is M:N example
Relational Structure
Uses implicit linkages b/w records to establish relationship: foreign keys / primary keys

Relational Database: table rows and columns

Relational Records: Foreign keys in one record establish relationships to related records in other files.

[Figure: CUSTOMERS, INVOICES, INVENTORY tables]

Database Structures
Relational Structure User Views
Data a particular user needs to achieve his/her assigned tasks
A single view, or view without user input, leads to problems in meeting the diverse needs of the enterprise
Trend today: capture data in sufficient detail and diversity to sustain multiple user views
User views MUST be consolidated into a single logical view or schema
Data in the logical view MUST be normalized

Database Structures
Relational Structure Creating Views
Designing output reports, documents, and input screens needed by users or groups
Physical documents help designer understand relationships among the data
3 user views: Table 8-2, Figure 8-12, Table 8-3
Then apply normalization principles to the conceptual user views to design the database tables

Database Structures
Relational Structure Importance of Data Normalization

Critical to success of DBMS
Effective design in grouping data
Several levels: 1NF, 2NF, 3NF, etc.
Un-normalized data suffers from:
  Insertion anomalies
  Deletion anomalies
  Update anomalies
One or more of these anomalies will exist in tables < 3NF

Database Structures
Relational Structure Normalization Process
Un-normalized data [Table 8-4]
Eliminates the 3 anomalies if:
  All non-key attributes are dependent on the primary key
  There are no partial dependencies (on part of the primary key)
  There are no transitive dependencies; non-key attributes are not dependent on other non-key attributes
Split tables are linked via embedded foreign keys
Normalized database tables examples: Figures 8-13, 8-14

Database Structures
Relational Structure Creating Physical Tables

Created on paper so far
Then create physical files and populate data
Physical views can be produced from DBMS

Query Function
Allows users to create customized lists from database
Users stipulate, using English-like commands, which tables, records, fields, filtering criteria needed to produce the desired list
Result is virtual table derived from actual database tables
SQL
  SELECT, FROM, WHERE [Figure 8-16]
  De facto standard query language

Database Structures
Relational Structure Auditors and Data Normalization
Database normalization is a technical matter that is usually the responsibility of systems professionals. The subject has implications for internal control that make it the concern of auditors also. Most auditors will never be responsible for normalizing an organization's databases, but they should have an understanding of the process and be able to determine whether a table is properly normalized. In order to extract data from tables to perform audit procedures, the auditor first needs to know how the data are structured.
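The following is an added example, not part of the original slides, of how an auditor might test a table for a transitive dependency and then query the normalized result with SELECT, FROM, WHERE. The table names, column names and sample rows are constructed, and keeping the supplier name found on the lowest part number is an assumption made for the demonstration.

```python
import sqlite3

# Constructed sample: supplier name and city (non-key) depend on supplier_num
# (also non-key), so the table has a transitive dependency and is below 3NF.
ROWS = [
    (1001, "Bracket", 22, "Acme Supply", "Dallas"),
    (1002, "Gasket", 22, "Acme Supply", "Dallas"),
    (1003, "Brace", 27, "Northside Parts", "Tulsa"),
    (1004, "Flange", 22, "Acme Sup.", "Dallas"),  # update anomaly: one copy differs
]


def load(conn):
    conn.execute("CREATE TABLE inventory_flat (part_num INTEGER PRIMARY KEY, "
                 "descr TEXT, supplier_num INTEGER, supplier_name TEXT, supplier_city TEXT)")
    conn.executemany("INSERT INTO inventory_flat VALUES (?,?,?,?,?)", ROWS)


def transitive_conflicts(conn):
    """Supplier numbers carrying more than one name: evidence of an update anomaly."""
    return conn.execute(
        "SELECT supplier_num, COUNT(DISTINCT supplier_name) FROM inventory_flat "
        "GROUP BY supplier_num HAVING COUNT(DISTINCT supplier_name) > 1").fetchall()


def normalize(conn):
    """Split the flat table into two tables linked by an embedded foreign key."""
    conn.execute("CREATE TABLE supplier (supplier_num INTEGER PRIMARY KEY, "
                 "supplier_name TEXT, supplier_city TEXT)")
    # Assumption for the demo: keep the values found on the lowest part_num.
    conn.execute(
        "INSERT INTO supplier SELECT supplier_num, supplier_name, supplier_city "
        "FROM inventory_flat f WHERE part_num = (SELECT MIN(part_num) "
        "FROM inventory_flat WHERE supplier_num = f.supplier_num)")
    conn.execute("CREATE TABLE inventory (part_num INTEGER PRIMARY KEY, descr TEXT, "
                 "supplier_num INTEGER REFERENCES supplier(supplier_num))")
    conn.execute("INSERT INTO inventory SELECT part_num, descr, supplier_num "
                 "FROM inventory_flat")


def parts_for_supplier(conn, supplier_num):
    """Virtual table built from the normalized tables via the foreign key."""
    return conn.execute(
        "SELECT i.part_num, s.supplier_name FROM inventory i, supplier s "
        "WHERE i.supplier_num = s.supplier_num AND s.supplier_num = ? "
        "ORDER BY i.part_num", (supplier_num,)).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    load(conn)
    conflicts = transitive_conflicts(conn)
    normalize(conn)
    return conflicts, parts_for_supplier(conn, 22)
```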

Embedded Audit Module


Identify important transactions live while they are being processed and extract them [Figure 8-18]
Examples:
  Errors
  Fraud
  Compliance
    SAS 78, SAS 94

SAS 78: Consideration of Internal Control in a Financial Statement Audit

COSO (Treadway Commission):
  the control environment
  risk assessment
  information & communication
  monitoring
  control activities

SAS No. 94: The Effect of IT on the Auditor's Consideration of Internal Control in a Financial Statement Audit
It is not practical or possible to restrict detection risk to an acceptable level by performing only substantive tests. That is, it is necessary for the auditor to test computer controls.
Decision to test is based on complexity of IT environment, not the size of the firm

SAS No. 94: The Effect of IT on the Auditor's Consideration of Internal Control in a Financial Statement Audit
Examples:
  IT systems that significantly automate the process of initiating, recording, processing, or reporting financial information (e.g., ERP)
  EDI and payment transfer systems that electronically transmit (paperless) orders and payments from one computer system to another
  Systems that provide electronic services to customers

SAS No. 94: The Effect of IT on the Auditor's Consideration of Internal Control in a Financial Statement Audit
  Automated Reasoning Systems (ARS), or Artificial Intelligence systems, that employ complex heuristical if/then rules to make decisions (e.g., automatic preparation of journal entries for complex transactions, or ANN that uses financial ratios as independent variables to predict bankruptcy)
  Computer programs containing algorithms or formulas that make complex calculations (e.g., commission, reorder points, etc.)

SAS No. 94: The Effect of IT on the Auditor's Consideration of Internal Control in a Financial Statement Audit
Audit through the computer
  26 of 91 Fortune 500 firms did (28.6%)

Audit around the computer
  Ignores whether program logic is correct
  Does not reveal how the automated controls respond to a variety of transactions containing errors
  Therefore, may overlook potentially significant errors and may be ineffective in restricting DR in complex IS

Audit with the computer - CAATs

Embedded Audit Module


Disadvantages:
  Operational efficiency: can decrease performance, especially if testing is extensive
  Verifying EAM integrity: such as environments with a high level of program maintenance
Status: increasing need, demand, and usage of COA/EAM/CA

Generalized Audit Software


Brief history
Most widely used CAATT [Figure 8-19]
Usages include:
  Footing and balancing entire files or selected data items (e.g., extending inventory)
  Selecting and reporting detail data
  Selecting stratified statistical samples from data files
  Formatting results into audit reports (auto workpapers!)
  Printing confirmations
  Screening / filtering data
  Comparing multiple files for differences
  Recalculating values in data

Generalized Audit Software


Popular because:
1. GAS software is easy to use and requires little computer background
2. Many products are platform independent and work on mainframes and PCs
3. Auditors can perform tests independently of IT staff
4. GAS can be used to audit the data currently being stored in most file structures and formats

Generalized Audit Software


Simple structures [Figure 8-19]
Complex structures [Figures 8-20, 8-21]
Auditing issues:
  Auditor must sometimes rely on IT personnel to produce files/data
  Risk that data integrity is compromised by extraction procedures
  Auditors skilled in programming better prepared to avoid these pitfalls
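The following is an added example, not part of the original slides and not ACL code, of four of the GAS usages listed above (footing, recalculating values, stratifying, and reconciling an extract against control totals to check that extraction did not alter the data). The record layout, the sample rows, the stratum bounds and the control totals are all constructed.

```python
from bisect import bisect_right
from decimal import Decimal as D

# Constructed inventory extract: (item, quantity, unit_cost, extended_cost_on_file)
EXTRACT = [
    ("A100", 10, D("2.50"), D("25.00")),
    ("A200", 4, D("125.00"), D("500.00")),
    ("A300", 7, D("30.00"), D("201.00")),   # constructed error: 7 x 30.00 = 210.00
    ("A400", 1, D("1500.00"), D("1500.00")),
]


def foot(records):
    """Foot (total) the extended-cost field of the whole file."""
    return sum((r[3] for r in records), D("0"))


def recalc_exceptions(records):
    """Recalculate quantity x unit cost and report rows that disagree with the file."""
    return [(item, on_file, qty * cost)
            for item, qty, cost, on_file in records if qty * cost != on_file]


def stratify(records, bounds):
    """Count and total the records per stratum; bounds are ascending lower limits."""
    strata = [[b, 0, D("0")] for b in bounds]
    for *_, on_file in records:
        if on_file < bounds[0]:
            raise ValueError(f"value {on_file} is below the lowest stratum")
        s = strata[bisect_right(bounds, on_file) - 1]
        s[1] += 1
        s[2] += on_file
    return [tuple(s) for s in strata]


def reconcile(records, control_count, control_total):
    """Compare the extract with independently obtained control totals."""
    return {"count_ok": len(records) == control_count,
            "total_ok": foot(records) == control_total}
```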

ACL
ACL is a proprietary version of GAS
Leader in the industry
Designed as an auditor-friendly meta-language (i.e., contains commonly used auditor tests)
Access to data generally easy with ODBC interface

ACL
See ACL tutorial #1
Input File Definition
Customizing a View [Figure 8-23]
Filtering Data [Figures 8-24 thru 8-27]
Stratifying Data [Figure 8-28]
Statistical Analysis
