J OURNALO NLINE
auditors know what it means to look for gaps or duplicates in
numbers (invoices, checks, etc.). The learning curve, therefore,
is reasonably short.
At most, the IT auditor will need training and
encouragement to “think outside the box” with those
commands. Most IT auditors will pick up on this flexibility
without additional training. The ACL commands are effective
in a variety of applications other than the obvious. For
example, the AGE command is obviously useful in generating
an aged trail balance. However, it is really a measure between
dates, so it could be used to do other antifraud procedures. For
example, it can send confirmations to credit card users for a
recent charge where the card had been inactive for a certain
number of months (six or 12 or whatever is appropriate) or be
used in conjunction with the CLASSIFY command to measure
the number of days between receipt of invoices and payment of
invoices by vendor (in shell company, pass-through vendors
and other fraudulent disbursement schemes, the fraudster tends
to make sure the phony invoices are paid quicker than normal
invoices). Another example is the CLASSIFY command itself.
It is normally used to subtotal amounts and the number of
invoices for vendors or some similar application on other data
files. However, one could use CLASSIFY to examine the
number of credit memos by authorizing party or key-punch
personnel. Because credit memos are a relatively common
method of concealing a fraud, if a fraud is being perpetrated
and the fraudster is using credit memos to hide the fraud, that
person has an inordinate number of credit memos compared to
everyone else. This anomaly would be evident by running
CLASSIFY on a credit memo file. The possibilities are limited
only by the IT auditor’s imagination.
Additionally, ACL automatically records all of the
commands that are run and the results of the procedures in its
log, so the LOG feature becomes a way to automate much of
the working papers an IT auditor will need to generate in most
audits. ACL has a simple means to export that log to a word
processor or other types of files, even selectively choosing
which procedures to export.
The most compelling benefit in learning to use ACL may be
the BATCH feature. As the IT auditor develops audit
procedures to run in ACL, he/she can put the various routines
together in a batch (similar to a macro). Next time, the IT
auditor can run one command (push a button), and all of those
procedures will run on autopilot, and ACL will dump the
commands and results into the log. That feature provides a
great opportunity to be efficient over time. The first year might
take some time, but future years will be much quicker. In
addition, as new procedures come into being, they are simply
added to the BATCH and will run with all the others next time
around. There is a great opportunity for sharing among all the
auditors in the same entity, thus expanding upon the batch
procedures of various teams or among different areas of audit.
In summary, there are many benefits to using ACL—it just
becomes a matter of budgeting for the cost of the software and
implementing the use of ACL effectively.
Implementation
There are several ways for one to become moderately
proficient in a GAS. Most IT auditors know how to use Excel
and are fairly competent at it. With a little training in GAS in
general, the IT auditor could first use an intermediate product,
such as Information Active’s Active Data or Active Audit
tools.
3
These tools are plug-ins to Excel; thus, the learning
curve is fairly short. They contain many of the same
commands, occasionally by another name, as those mentioned
previously (e.g., GAPS and DUPLICATES). This approach
uses a “gear up” methodology. However, there are drawbacks
to Excel in terms of integrity, the amount of data that can be
handled and the limited power it has, even with Information
Active products. But it might serve as an effective interim
means for some IT auditors, particularly for reasons of cost
constraints. In fact, for some smaller audit units, it might be
the ultimate means and not just an intermediate one.
With some training, the IT auditor can become moderately
proficient in GAS in a relatively short period of time. Of
course, it might be better to get the training in GAS, some
training in a specific product, and jump straight into the
specific product—especially if the internal audit shop or audit
entity already has the product.
Keys to Success
There are some keys to success for the internal audit (IA)
shop or audit entity to make it possible for the IT auditors to
effectively use GAS. First, the audit entity needs to identify a
champion for the implementation. Research is replete with
evidence that technology innovations and implementations
need a champion to be successful. A champion is simply the
person with the ability to motivate, supervise and generally
make sure the technology is employed and becomes successful.
In an internal audit shop, the IT audit manager could take on
that role.
Second, there should be general training for the audit staff
regarding GAS. Next, the champion or IT audit manager
should identify the power users of GAS. These people are
given specific training if necessary, but they become the
leaders of implementing the chosen GAS product. They set up
the servers—that is, they would build the appropriate data files
from the operational system and make them available to all the
auditors. They also write or assist auditors in writing batches.
They could also conduct ongoing in-house training on the
product. If necessary, a consultant can be brought in to assist
the power users in developing the server and customized
services.
While these things are outside the control of most IT
auditors, they are facilitating or empowering approaches to
effectively using GAS.
Conclusion
When thinking about one’s career as an IT auditor, perhaps
no other skill or ability is as valuable as being an expert at
using GAS. Such expertise can be used in a variety of ways,
including regular financial audits, operational audits, Sarbanes-
Oxley-related tests and antifraud audit programs. In fact, it can
possibly make an IT auditor indispensable.
2