Data Analytics
Data analytics (DA) is the method of examining data or information. It helps you understand the data by transforming raw data into usable and meaningful information. DA plays an important role in modern audit execution, as it enhances the auditor’s ability to assess risks, identify anomalies, and provide more insightful findings.
The following are some example use cases of DA:
- To determine whether a user is authorized by combining logical access files with the human resources employee database
- To determine whether events are authorized by combining the file library settings with change management system data and the date of file changes
- To identify tailgating by combining input records with output records
- To review system configuration settings
- To review logs for unauthorized access
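The first use case above, combining a logical access file with the HR employee database, can be carried out as a simple join. The following is an added example, not code from the original text; every access and HR record in it is constructed, and the field names (`employee_id`, `status`, `terminated_on`) are assumed for the illustration. It goes slightly beyond the bullet by also distinguishing service accounts with no HR owner and logins that occurred after a termination date.

```python
"""Data analytics example: reconcile a logical access export against the HR
employee master to flag accounts that are not backed by an active employee.
Added illustration; every record below is constructed, not taken from a real
system."""
from datetime import date

# Constructed logical access export (one row per account; employee_id is the
# join key to HR, None for service accounts that carry no employee reference).
ACCESS_RECORDS = [
    {"account": "jsmith",     "employee_id": "E100", "last_login": date(2024, 3, 1)},
    {"account": "adoe",       "employee_id": "E101", "last_login": date(2024, 3, 5)},
    {"account": "bwong",      "employee_id": "E102", "last_login": date(2024, 2, 20)},
    {"account": "svc_backup", "employee_id": None,   "last_login": date(2024, 3, 6)},
    {"account": "ghost",      "employee_id": "E999", "last_login": date(2024, 3, 2)},
]

# Constructed HR master data keyed by employee id.
HR_RECORDS = {
    "E100": {"status": "active",     "terminated_on": None},
    "E101": {"status": "terminated", "terminated_on": date(2024, 2, 28)},
    "E102": {"status": "active",     "terminated_on": None},
}


def find_unauthorized_accounts(access_records, hr_records):
    """Join each account to HR and return (account, reason) for every account
    that lacks an active employee behind it."""
    findings = []
    for rec in access_records:
        emp_id = rec["employee_id"]
        if emp_id is None:
            # No HR owner at all: service/shared accounts need a documented owner.
            findings.append((rec["account"], "no employee id; ownership must be documented"))
            continue
        hr = hr_records.get(emp_id)
        if hr is None:
            findings.append((rec["account"], f"employee id {emp_id} not found in HR master"))
        elif hr["status"] != "active":
            reason = f"employee is {hr['status']}"
            # A login after the termination date is a stronger finding than a
            # merely stale account, so report it explicitly.
            if hr["terminated_on"] and rec["last_login"] > hr["terminated_on"]:
                reason += f"; last login {rec['last_login']} is after termination {hr['terminated_on']}"
            findings.append((rec["account"], reason))
    return findings


if __name__ == "__main__":
    for account, reason in find_unauthorized_accounts(ACCESS_RECORDS, HR_RECORDS):
        print(f"{account:12s} {reason}")
```

The same join, run the other way round (HR employees with no account), would list leavers whose access was never provisioned or already removed; the auditor normally wants both directions.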
CAATs take the data analysis process a step further by simplifying the examination of complex data. CAATs are discussed in detail in the next section.
CAATs
CAATs are extremely useful to IS auditors for gathering and analyzing large and complex data during an IS audit. CAATs help an IS auditor collect evidence from different hardware, software environments, and data formats.
The following table presents a breakdown of the functions of CAAT tools:
| CAAT Tools | Functions |
| --- | --- |
| General audit software | This is a standard type of software that is used to read and access data directly from various database platforms. |
| Utility and scanning software | This helps in generating reports of the database management system. It scans all the vulnerabilities in the system. |
| Debugging | This helps in identifying and removing errors from computer hardware or software. |
| Test data | This is used to test processing logic, computations, and controls programmed in computer applications. |
Table 2.10: Breakdown of CAAT functions
A CAAT helps an IS auditor collect information independently. Information obtained through CAATs is considered more reliable than information obtained through a manual process.
The following are some example use cases for CAAT tools:
- To determine the accuracy of transactions and balances
- For a detailed analysis of any given process
- To ascertain compliance with IS general controls
- To ascertain compliance with IS application controls
- To assess network and operating system controls
- For vulnerability scanning and penetration testing
- For the security scanning of source code and AppSec testing
Precautions While Using CAAT
An auditor should be aware of the following precautions when using CAAT tools:
- Ensure the integrity of imported data by safeguarding its authenticity, integrity, and confidentiality.
- Obtain approval for installing the CAAT software on the auditee servers.
- Obtain only read-only access when using CAATs on production data. This ensures that production data cannot be edited through the CAAT.
- Edits/modifications should be applied to duplicate data and the integrity of the original data should be ensured.
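The first and last precautions above (verifying the integrity of imported data, and working on a duplicate rather than the original) can be enforced in a small staging step. The following is an added example, not code from the original text; the extract file, its recorded hash and the custody log name are all constructed inside `demo()`.

```python
"""CAAT precaution example: verify the integrity of an imported data extract
against the hash recorded at export time, then analyse only a working copy so
the original is never modified. Added illustration, not from the original
text; file names and hash values are constructed inside demo()."""
import hashlib
import shutil
import tempfile
from pathlib import Path


class IntegrityError(Exception):
    """Raised when an extract does not match its recorded hash."""


def sha256_of(path: Path) -> str:
    """Stream the file so large extracts do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_extract(source: Path, expected_sha256: str, workdir: Path) -> Path:
    """Check the hash, copy the extract into the working area and log the
    custody step. Only the copy is ever opened for writing by the analysis."""
    actual = sha256_of(source)
    if actual != expected_sha256:
        raise IntegrityError(f"{source.name}: expected {expected_sha256}, got {actual}")
    workdir.mkdir(parents=True, exist_ok=True)
    working_copy = workdir / source.name
    shutil.copyfile(source, working_copy)
    with (workdir / "custody.log").open("a", encoding="utf-8") as log:
        log.write(f"staged {source.name} sha256={actual}\n")
    return working_copy


def demo() -> dict:
    """Exercise both paths on constructed files; returns what was observed."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "gl_extract.csv"
        source.write_text("txn_id,amount\n1,250.00\n2,12000.00\n", encoding="utf-8")
        # Hash the data owner recorded at export time (constructed here).
        recorded = sha256_of(source)

        copy = stage_extract(source, recorded, tmp / "work")
        outcome = {"copy_matches": copy.read_bytes() == source.read_bytes(),
                   "tamper_detected": False}

        # Simulate an extract altered in transit: one cent changed.
        source.write_text("txn_id,amount\n1,250.01\n2,12000.00\n", encoding="utf-8")
        try:
            stage_extract(source, recorded, tmp / "work")
        except IntegrityError:
            outcome["tamper_detected"] = True
        return outcome


if __name__ == "__main__":
    print(demo())
```

The recorded hash should come from the data owner through a channel separate from the extract itself; a hash that travels alongside the file proves only that both were altered together.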
Continuous Auditing and Monitoring
Continuous auditing and monitoring processes are used to regularly review and assess an organization’s IT activities as well as data to detect anomalies, trends, and potential issues as they occur and to ensure compliance and improve overall performance.
A CISA candidate should understand the difference between continuous auditing and continuous monitoring:
| Continuous Auditing | Continuous Monitoring |
| --- | --- |
| An audit is conducted in a real-time or near-real-time environment, so the gap between operations and the audit is much shorter than under a traditional audit approach. | The relevant process of a system is observed on a continuous basis. |
| For example, high payouts are audited immediately after a payment is made. | For example, antivirus software or IDSs may continuously monitor a system or a network for abnormalities. |
Table 2.11: Differences between continuous auditing and continuous monitoring
Continuous auditing and continuous monitoring are mutually exclusive. Continuous assurance can be ensured if both continuous monitoring and continuous auditing are in place. Generally, the results of continuous auditing are the precursor to the introduction of a continuous monitoring process.
The following subsections discuss five widely used continuous audit tools.
Integrated Test Facility
An integrated test facility (ITF) is a technique used in auditing to test a system’s processes and controls by inserting test data into a live production system without affecting the actual data. This helps auditors evaluate how well the system handles transactions and identify any potential issues.
In an ITF, a fictitious transaction is created in the production environment.
The auditor may enter test or dummy transactions and check the processing and results of these transactions for correctness. The auditor then compares the processed results with the expected results to verify the proper functioning of the system. If the processed results match the expected results, the auditor concludes that the processing is correct. Once the verification is complete, the test data is deleted from the system.
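The ITF procedure just described, as an added example that is not part of the original text: a fictitious account reserved for audit exists in the production ledger, the auditor posts dummy transactions with known expected results through the live processing function, compares, and finally purges the test postings. The fee rule, the account name `ITF-AUDIT-001` and all records are constructed for the illustration.

```python
"""Integrated test facility (ITF) example: a fictitious account reserved for
audit lives inside the production ledger; the auditor posts dummy transactions
with known expected results, compares, and then purges the ITF postings.
Added illustration; the fee rule and all records are constructed."""

ITF_ACCOUNT = "ITF-AUDIT-001"   # fictitious entity known to the audit team only


def post_payment(ledger, txn):
    """Constructed production rule: payments above 1,000 attract a 2% fee;
    the net amount is posted to the ledger and returned."""
    fee = round(txn["amount"] * 0.02, 2) if txn["amount"] > 1000 else 0.0
    net = round(txn["amount"] - fee, 2)
    ledger.append({"id": txn["id"], "account": txn["account"], "net": net, "fee": fee})
    return net


# Auditor's test transactions with the results the control should produce.
ITF_CASES = [
    {"txn": {"id": "ITF-1", "account": ITF_ACCOUNT, "amount": 500.00},  "expected_net": 500.00},
    # Boundary case: exactly 1,000 must not attract the fee.
    {"txn": {"id": "ITF-2", "account": ITF_ACCOUNT, "amount": 1000.00}, "expected_net": 1000.00},
    {"txn": {"id": "ITF-3", "account": ITF_ACCOUNT, "amount": 2000.00}, "expected_net": 1960.00},
]


def run_itf(ledger, process, cases):
    """Push each test transaction through the live processing function and
    compare the processed result with the expected result."""
    results = []
    for case in cases:
        actual = process(ledger, case["txn"])
        results.append({
            "id": case["txn"]["id"],
            "expected": case["expected_net"],
            "actual": actual,
            "ok": abs(actual - case["expected_net"]) < 0.005,
        })
    return results


def purge_itf_entries(ledger):
    """Remove every posting against the fictitious account once verification
    is complete, so the ITF leaves no trace in real balances. Returns the
    number of entries removed."""
    before = len(ledger)
    ledger[:] = [e for e in ledger if e["account"] != ITF_ACCOUNT]
    return before - len(ledger)


if __name__ == "__main__":
    # Constructed production ledger with one genuine posting already in it.
    ledger = [{"id": "R1", "account": "CUST-7", "net": 300.0, "fee": 0.0}]
    for r in run_itf(ledger, post_payment, ITF_CASES):
        print(r)
    print("purged", purge_itf_entries(ledger), "ITF entries; ledger now", ledger)
```

Filtering on the fictitious account is what keeps the technique safe: every downstream report (balances, fee income, customer statements) must exclude that account, and the purge step must be evidenced so that the test postings cannot be mistaken for real activity.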
System Control Audit Review File
A system control audit review file (SCARF) is a technique in which an audit module is embedded into (built in) the organization’s host application to track transactions on an ongoing basis. A SCARF is used to obtain data or information for audit purposes. SCARFs record transactions above a specified limit or deviation-/exception-related transactions. These transactions are then reviewed by the auditor. For example, a company may decide to capture a payout greater than $10,000 in a separate file and then such transactions can be reviewed by the auditor to verify whether the limit has been adhered to.
SCARFs are useful when regular processing cannot be interrupted, such as in an online banking system.
Snapshot Technique
The snapshot technique captures snapshots or pictures of a transaction as it is processed at different stages in the system. Details are captured both before and after the execution of the transaction. The correctness of a transaction is verified by validating its pre-processing and post-processing snapshots. Snapshots are useful when an audit trail is required.
The IS auditor should consider the following significant factors when working with the snapshot technique:
- The location at which snapshots are captured
- The time at which snapshots are captured
- The manner in which the snapshot data is reported
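The three factors above (where, when, and how the snapshot data is reported) map directly onto the fields a snapshot recorder must store. The following is an added example, not code from the original text; the three processing stages, the order record and the `SnapshotRecorder` class are constructed for the illustration.

```python
"""Snapshot technique example: a transaction is photographed before and after
each processing stage, tagged with the location (stage name), the capture time
and the state, and the pairs are reported as field-level differences. Added
illustration; the three stages and the order record are constructed."""
import copy
from datetime import datetime, timezone


class SnapshotRecorder:
    def __init__(self):
        self.snapshots = []

    def capture(self, txn_id, location, moment, state):
        """Store an immutable picture of the transaction state."""
        self.snapshots.append({
            "txn_id": txn_id,
            "location": location,           # where in the system the picture was taken
            "moment": moment,               # "before" or "after" the stage executed
            "captured_at": datetime.now(timezone.utc).isoformat(),
            "state": copy.deepcopy(state),  # deep copy so later stages cannot alter it
        })

    def run_stage(self, txn, location, stage_fn):
        """Wrap one processing step with a before/after snapshot pair."""
        self.capture(txn["id"], location, "before", txn)
        stage_fn(txn)
        self.capture(txn["id"], location, "after", txn)

    def report(self, txn_id):
        """Pair the before/after pictures per location and list changed fields."""
        befores = {s["location"]: s for s in self.snapshots
                   if s["txn_id"] == txn_id and s["moment"] == "before"}
        rows = []
        for s in self.snapshots:
            if s["txn_id"] != txn_id or s["moment"] != "after":
                continue
            pre, post = befores[s["location"]]["state"], s["state"]
            changed = {k: (pre.get(k), post.get(k))
                       for k in set(pre) | set(post) if pre.get(k) != post.get(k)}
            rows.append({"location": s["location"],
                         "before_at": befores[s["location"]]["captured_at"],
                         "after_at": s["captured_at"],
                         "changed": changed})
        return rows


# Constructed processing stages of an order pipeline.
def validate(txn):
    txn["status"] = "validated"


def apply_discount(txn):
    if txn["quantity"] >= 10:
        txn["amount"] = round(txn["amount"] * 0.9, 2)


def post(txn):
    txn["status"] = "posted"


def process_order(txn):
    """Run the order through every stage with snapshots at each location."""
    rec = SnapshotRecorder()
    for location, fn in [("validate", validate), ("apply_discount", apply_discount), ("post", post)]:
        rec.run_stage(txn, location, fn)
    return rec


if __name__ == "__main__":
    order = {"id": "O-1", "quantity": 12, "amount": 100.0, "status": "new"}
    for row in process_order(order).report("O-1"):
        print(row)
```

The report is the audit trail: for each location it shows exactly which fields the stage changed and when, so an unexpected change (for example, an amount altered in the posting stage, which should only set the status) stands out without reading the application code.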
Audit Hook
An audit hook is a tool used in auditing to help detect and report unusual or suspicious activities in a system in real time. It acts like a trigger that alerts auditors or security personnel when certain predefined conditions are met, allowing for quick investigation and response.
Audit hooks are embedded in an application system to capture exceptions. The auditor can set different criteria to capture exceptions or suspicious transactions. For example, to closely monitor cash transactions, an auditor can set criteria to capture cash transactions exceeding $10,000. All these transactions can then be reviewed by the auditor to identify fraud, if any.
Audit hooks are helpful in the early identification of irregularities, such as fraud or errors. They are generally applied when only selected transactions need to be evaluated.
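Both the SCARF technique (in the System Control Audit Review File subsection above) and audit hooks are embedded audit modules that watch transactions from inside the application; they differ in whether a matching transaction is written to a separate file for later review or raised as an immediate alert. The following added example shows one module doing both. It is not code from the original text; the $10,000 limit comes from the text, while the transactions, the hook criteria and the alert sink are constructed.

```python
"""Embedded audit module example covering both the SCARF and the audit hook
technique: the module sits inside the application's transaction path, writes
payouts above a limit (or flagged as exceptions) to a separate SCARF file for
later review, and fires a real-time hook alert when a predefined criterion such
as a cash transaction over $10,000 is met. Added illustration; the transactions,
hook criteria and alert sink are constructed."""

PAYOUT_LIMIT = 10_000.00


class EmbeddedAuditModule:
    def __init__(self, alert):
        self.scarf_file = []   # stands in for the separate audit file SCARF writes to
        self.hooks = []        # (name, predicate) pairs evaluated in real time
        self.alert = alert     # callable that receives hook alerts immediately

    def add_hook(self, name, predicate):
        self.hooks.append((name, predicate))

    def observe(self, txn):
        """Called by the application for every transaction it processes."""
        # SCARF: record above-limit or exception transactions for later review.
        if txn["amount"] > PAYOUT_LIMIT or txn.get("exception"):
            self.scarf_file.append(dict(txn))
        # Audit hooks: alert as soon as any predefined criterion matches.
        for name, predicate in self.hooks:
            if predicate(txn):
                self.alert(name, txn)


def process_payouts(transactions, module):
    """Constructed application loop; the module observes each transaction as
    it is processed and never interrupts normal processing."""
    posted = []
    for txn in transactions:
        posted.append(txn["id"])
        module.observe(txn)
    return posted


# Constructed payout batch. P4 carries an exception flag set by the application
# (for example, a manual override of the approval workflow).
TRANSACTIONS = [
    {"id": "P1", "amount": 2500.00,  "method": "transfer", "exception": False},
    {"id": "P2", "amount": 12000.00, "method": "cash",     "exception": False},
    {"id": "P3", "amount": 15000.00, "method": "transfer", "exception": False},
    {"id": "P4", "amount": 800.00,   "method": "cash",     "exception": True},
]


def run_demo(transactions=TRANSACTIONS):
    """Returns (ids captured in the SCARF file, real-time hook alerts)."""
    alerts = []
    module = EmbeddedAuditModule(alert=lambda name, txn: alerts.append((name, txn["id"])))
    module.add_hook("cash_over_10k", lambda t: t["method"] == "cash" and t["amount"] > 10_000)
    module.add_hook("manual_override", lambda t: t.get("exception", False))
    process_payouts(transactions, module)
    return [t["id"] for t in module.scarf_file], alerts


if __name__ == "__main__":
    captured, alerts = run_demo()
    print("SCARF file:", captured)
    print("hook alerts:", alerts)
```

In a real deployment the SCARF file is written to storage the application cannot later modify, and the alert sink is a channel the auditor controls; the module's criteria should be changeable by the auditor without a release of the host application, which is what makes the hooks useful for early detection.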
Continuous and Intermittent Simulation
Continuous and intermittent simulation (CIS) replicates or simulates the processing of the application system. In this technique, a simulator identifies transactions as per the predefined parameters. Identified transactions are then audited for further verification and review. CIS compares its own results with the results produced by application systems. If any discrepancies are noted, they are written to the exception log file. CIS is useful for identifying the transactions as per predefined criteria in a complex environment.
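The CIS flow described above (select by predefined parameters, recompute independently, compare, log discrepancies), as an added example that is not part of the original text. The commission rule, the selection parameters and the application output are constructed; one record carries a deliberately wrong commission so that the exception path is exercised.

```python
"""Continuous and intermittent simulation (CIS) example: the simulator selects
transactions by predefined parameters, recomputes each selected one with its
own independent implementation of the business rule, compares with the
application's result and writes discrepancies to an exception log. Added
illustration; the rule, the parameters and the application output (including
the one constructed mismatch) are invented for the example."""

# Predefined parameters that decide which transactions the simulator picks up.
SELECT_MIN_AMOUNT = 5_000.00
SELECT_CURRENCIES = {"USD", "EUR"}


def simulate_commission(amount):
    """Independent recomputation of the constructed tiered rule:
    1% up to 10,000, then 0.5% on the excess above 10,000."""
    if amount <= 10_000:
        return round(amount * 0.01, 2)
    return round(100.00 + (amount - 10_000) * 0.005, 2)


def selected(txn):
    """Selection step: only transactions meeting the predefined criteria are audited."""
    return txn["amount"] >= SELECT_MIN_AMOUNT and txn["currency"] in SELECT_CURRENCIES


def run_cis(application_output, tolerance=0.005):
    """application_output: records as the live system produced them, each with
    the commission it actually charged. Returns (audited ids, exception log)."""
    audited, exception_log = [], []
    for rec in application_output:
        if not selected(rec):
            continue
        audited.append(rec["id"])
        expected = simulate_commission(rec["amount"])
        if abs(expected - rec["commission"]) > tolerance:
            exception_log.append({"id": rec["id"], "amount": rec["amount"],
                                  "application": rec["commission"], "simulated": expected})
    return audited, exception_log


# Constructed application output. C3 carries a deliberately wrong commission
# (flat 1% on the whole amount) so the exception path is exercised.
APPLICATION_OUTPUT = [
    {"id": "C1", "amount": 1200.00,  "currency": "USD", "commission": 12.00},
    {"id": "C2", "amount": 8000.00,  "currency": "EUR", "commission": 80.00},
    {"id": "C3", "amount": 20000.00, "currency": "USD", "commission": 200.00},
    {"id": "C4", "amount": 9000.00,  "currency": "GBP", "commission": 90.00},
    {"id": "C5", "amount": 15000.00, "currency": "EUR", "commission": 125.00},
]


if __name__ == "__main__":
    audited, log = run_cis(APPLICATION_OUTPUT)
    print("audited:", audited)
    for entry in log:
        print("EXCEPTION", entry)
```

The value of CIS depends on the simulator being written independently of the application code (here a separate `simulate_commission` rather than a call into the application); if both share the same implementation, an error in the rule is reproduced on both sides and never reaches the exception log.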
The following table summarizes the features of continuous audit tools:
| Audit Tool | Usage |
| --- | --- |
| SCARF/embedded audit module (EAM) | This is useful when regular processing cannot be interrupted |
| Snapshots | Pictures or snapshots are used when an audit trail is required |
| Audit hooks | When early detection of fraud or an error is required |
| ITF | Test data is used in a production environment |
| CIS | CIS is useful for the identification of transactions as per predefined criteria in a complex environment |
Table 2.12: Types of continuous audit tools and their features
Key Aspects for the CISA Exam
The following table covers important aspects from the CISA exam perspective:
| Questions | Possible Answers |
| --- | --- |
| What is the first step of conducting data analytics? | The first step is determining the objective and scope of analytics |
| Which is the most effective online audit technique when an audit trail is required? | The snapshot technique |
| What is the advantage of an ITF? | Setting up a separate test environment/test process is not required. An ITF helps validate the accuracy of the system processing. |
| Which is the most effective online audit technique when the objective is to identify transactions as per predefined criteria? | CIS is most useful for identifying transactions as per predefined criteria in a complex environment |
Table 2.13: Key aspects for the CISA exam
An IS auditor should be aware of the methods and procedures through which analysis and findings are reported to the audit committee and senior management. Effectively reporting audit findings and communicating the findings to all the stakeholders are very important parts of audit execution; these are covered in more detail in the next section.