JOURNAL ONLINE
Copyright © 2006 ISACA. All rights reserved. www.isaca.org.
Generalized Audit Software:
Effective and Efficient Tool for Today’s IT Audits
By Tommie Singleton, Ph.D., CISA, CMA, CPA, CITP
Because the author’s experience and knowledge of GAS is
primarily limited to ACL, that is the software used to
demonstrate the value of implementing GAS in this article. For
more software products, see the exhibit in the Bagranoff and
Henry article, cited in footnote 3, and the list of GAS in the
Sayana article, cited in footnote 1.
Experts say that generalized audit software (GAS) is the
most common computer-assisted audit tool (CAAT) used in
recent years. There are many reasons today for IT auditors to
use a GAS, but to quote an article from this Journal,
“Performing audits without using information technology is
hardly an option.”¹ This article will inform IT auditors of the
profitable return on learning and using GAS.
A number of issues motivate IT auditors to use GAS products,
such as ACL, CA’s Easytrieve, Statistical Analysis System (SAS),
Statistical Package for Social Sciences (SPSS) and IDEA. First,
there is the focus on fraud in recent years. According to the
Association of Certified Fraud Examiners (ACFE) and its 2004
“Report to the Nation” survey on fraud, more than 60 percent of
all frauds are detected either by a tip or by accident. While
internal audit has moved up on the list, there is clearly room for
more proactive antifraud programs. One of the best ways to be
proactive is to use a GAS to develop a cornucopia of
computerized antifraud audit procedures that are run regularly
against organizational databases.
Second, there is the issue of US Sarbanes-Oxley Act section
404. In a Journal article on Sarbanes-Oxley software, several
GAS software products are included in the list provided in the
authors’ exhibit on data manipulation software.² This indicates
that GAS can be useful in testing internal controls embedded in
information systems.
A third issue motivating auditors to use GAS software is that
the demands on IT and internal auditors are increasing.
Auditors will need to become more efficient to fulfill all of the
responsibilities and tasks assigned them, and using GAS is one
way to do so.
Therefore, IT auditors in the early stages of their careers
could leverage their time and abilities into more productivity by
becoming at least competent in a GAS product. Having a
moderate level of knowledge in using a GAS, for example, can
be useful in a variety of duties, such as fighting fraud,
Sarbanes-Oxley compliance and everyday audits. Also, the
more proficient an IT auditor becomes, the more valuable he/she
becomes to the organization. This article encourages IT auditors
to learn how to use ACL or a similar GAS.
Benefits of Using a GAS
The benefits of using a GAS have been explained by others,
but a review of the benefits here will hopefully generate
motivation to become more knowledgeable about GAS.
As many others have pointed out, using a GAS such as ACL
means the auditor does not review a sample of the data, but
rather reviews or examines 100 percent of the data and
transactions. This difference is not trivial. Some fraudsters have
not bothered to conceal their fraud because they assume that the
transactions involved have little chance of being picked in a
statistical random sample. For example, in one fraud, the
fraudster had written approximately 50 checks to himself out of
organizational accounts (i.e., check tampering). When he was
finally caught, he was asked why he did not try to conceal the
fraud. He simply said he doubted that one of those checks would
ever show up in a statistical random sample because the
organization wrote thousands of checks each year. He was right
and got caught without the benefit of those checks. All frauds
that are “on the books” have the potential of being discovered by
using, for example, ACL effectively, because there is some kind of
evidence in the database and the transactional data, and ACL can
be used to examine 100 percent of the data.
Using ACL empowers the auditor to possibly have a better
sense of direction in his/her audit procedures. Using ACL to
analyze transactions, or data mine, is a lot like peeling an
onion. The auditor will perform some audit procedures to gain
an understanding of the data (e.g., using PROFILE,
STATISTICS commands in ACL). During these procedures, the
conscientious, trained auditor may spot an anomaly or red flag
(e.g., negative amounts where there should be none). At that
point, the auditor is focusing directly upon certain suspicious
data and/or transactions. In ACL, these transactions are usually
linked via the table or chart in the display window, so
employing drill-down procedures is extremely simple when the
auditor needs them. The same is true as the auditor progresses
through more precise audit procedures (e.g., using FILTER
for certain anomalies or red flags).
The data in ACL are locked down as read-only. There is no
chance for the auditor to inadvertently change the data. The
risk of inadvertent change is much higher for IT auditors who
choose to use a spreadsheet for analyzing and presenting transactions.
While one can lock cells or sheets in Microsoft Excel, there is
still the possibility of human error. It is almost nonexistent
in ACL.
The commands in ACL are auditor-friendly. ACL commands
are compatible with the average IT auditor’s understanding,
experience, training and education. It is fairly easy to grasp what
a command will do once it is explained adequately. For example,
auditors know what it means to look for gaps or duplicates in
numbers (invoices, checks, etc.). The learning curve, therefore,
is reasonably short.
At most, the IT auditor will need training and
encouragement to “think outside the box” with those
commands. Most IT auditors will pick up on this flexibility
without additional training. The ACL commands are effective
in a variety of applications other than the obvious. For
example, the AGE command is obviously useful in generating
an aged trial balance. However, it is really a measure between
dates, so it could be used to do other antifraud procedures. For
example, it can be used to send confirmations to credit card users for a
recent charge where the card had been inactive for a certain
number of months (six or 12 or whatever is appropriate) or be
used in conjunction with the CLASSIFY command to measure
the number of days between receipt of invoices and payment of
invoices by vendor (in shell company, pass-through vendors
and other fraudulent disbursement schemes, the fraudster tends
to make sure the phony invoices are paid quicker than normal
invoices). Another example is the CLASSIFY command itself.
It is normally used to subtotal amounts and the number of
invoices for vendors or some similar application on other data
files. However, one could use CLASSIFY to examine the
number of credit memos by authorizing party or key-punch
personnel. Because credit memos are a relatively common
method of concealing a fraud, if a fraud is being perpetrated
and the fraudster is using credit memos to hide the fraud, that
person has an inordinate number of credit memos compared to
everyone else. This anomaly would be evident by running
CLASSIFY on a credit memo file. The possibilities are limited
only by the IT auditor’s imagination.
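The CLASSIFY and AGE ideas above, sketched in Python as an added example (this is not code from the article and not ACL syntax). The sample records, the function names and the cutoffs (three times the median memo count, half the median days to pay) are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample data (not from the article): (memo_no, authorized_by, amount)
CREDIT_MEMOS = [
    ("CM01", "asmith", 120.00), ("CM02", "bjones", 45.00), ("CM03", "clee", 60.00),
    ("CM04", "dkhan", 900.00), ("CM05", "dkhan", 875.50), ("CM06", "asmith", 80.00),
    ("CM07", "dkhan", 910.00), ("CM08", "clee", 30.00), ("CM09", "dkhan", 640.00),
    ("CM10", "dkhan", 720.25), ("CM11", "dkhan", 805.00), ("CM12", "dkhan", 990.00),
]
# Constructed sample data: (vendor, date invoice received, date invoice paid)
INVOICES = [
    ("Acme Supply", "2006-01-02", "2006-02-01"), ("Acme Supply", "2006-02-01", "2006-03-05"),
    ("Birch Office", "2006-01-10", "2006-02-07"), ("Birch Office", "2006-03-01", "2006-04-05"),
    ("Cedar Freight", "2006-01-05", "2006-02-14"), ("Cedar Freight", "2006-03-10", "2006-04-08"),
    ("Dune Consulting", "2006-01-20", "2006-01-23"), ("Dune Consulting", "2006-02-15", "2006-02-17"),
]

def classify(records, key_index, amount_index=None):
    """Count records per key and optionally subtotal an amount (CLASSIFY-style)."""
    totals = defaultdict(lambda: [0, 0.0])
    for rec in records:
        totals[rec[key_index]][0] += 1
        if amount_index is not None:
            totals[rec[key_index]][1] += rec[amount_index]
    return {key: (count, round(total, 2)) for key, (count, total) in totals.items()}

def memo_outliers(memos, factor=3.0):
    """Authorizers whose memo count is at least `factor` times the median count."""
    counts = {who: n for who, (n, _) in classify(memos, 1, 2).items()}
    cutoff = factor * median(counts.values())
    return sorted(who for who, n in counts.items() if n >= cutoff)

def days_to_pay_by_vendor(invoices):
    """Average days between receipt and payment per vendor (AGE plus CLASSIFY idea)."""
    days = defaultdict(list)
    for vendor, received, paid in invoices:
        days[vendor].append((date.fromisoformat(paid) - date.fromisoformat(received)).days)
    return {vendor: sum(d) / len(d) for vendor, d in days.items()}

def fast_paid_vendors(invoices, factor=0.5):
    """Vendors paid in no more than `factor` times the median vendor average."""
    averages = days_to_pay_by_vendor(invoices)
    cutoff = factor * median(averages.values())
    return sorted(v for v, avg in averages.items() if avg <= cutoff)

if __name__ == "__main__":
    print(memo_outliers(CREDIT_MEMOS), fast_paid_vendors(INVOICES))
```

A flagged authorizer or vendor is a starting point for drill-down, not a finding; the cutoffs should be tuned to the population being audited.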
Additionally, ACL automatically records all of the
commands that are run and the results of the procedures in its
log, so the LOG feature becomes a way to automate much of
the working papers an IT auditor will need to generate in most
audits. ACL has a simple means to export that log to a word
processor or other types of files, even selectively choosing
which procedures to export.
The most compelling benefit in learning to use ACL may be
the BATCH feature. As the IT auditor develops audit
procedures to run in ACL, he/she can put the various routines
together in a batch (similar to a macro). Next time, the IT
auditor can run one command (push a button), and all of those
procedures will run on autopilot, and ACL will dump the
commands and results into the log. That feature provides a
great opportunity to be efficient over time. The first year might
take some time, but future years will be much quicker. In
addition, as new procedures come into being, they are simply
added to the BATCH and will run with all the others next time
around. There is a great opportunity for sharing among all the
auditors in the same entity, thus expanding upon the batch
procedures of various teams or among different areas of audit.
In summary, there are many benefits to using ACL—it just
becomes a matter of budgeting for the cost of the software and
implementing the use of ACL effectively.
Implementation
There are several ways for one to become moderately
proficient in a GAS. Most IT auditors know how to use Excel
and are fairly competent at it. With a little training in GAS in
general, the IT auditor could first use an intermediate product,
such as Information Active’s Active Data or Active Audit
tools.³ These tools are plug-ins to Excel; thus, the learning
curve is fairly short. They contain many of the same
commands, occasionally by another name, as those mentioned
previously (e.g., GAPS and DUPLICATES). This approach
uses a “gear up” methodology. However, there are drawbacks
to Excel in terms of integrity, the amount of data that can be
handled and the limited power it has, even with Information
Active products. But it might serve as an effective interim
means for some IT auditors, particularly for reasons of cost
constraints. In fact, for some smaller audit units, it might be
the ultimate means and not just an intermediate one.
With some training, the IT auditor can become moderately
proficient in GAS in a relatively short period of time. Of
course, it might be better to get the training in GAS, some
training in a specific product, and jump straight into the
specific product—especially if the internal audit shop or audit
entity already has the product.
Keys to Success
There are some keys to success for the internal audit (IA)
shop or audit entity to make it possible for the IT auditors to
effectively use GAS. First, the audit entity needs to identify a
champion for the implementation. Research is replete with
evidence that technology innovations and implementations
need a champion to be successful. A champion is simply the
person with the ability to motivate, supervise and generally
make sure the technology is employed and becomes successful.
In an internal audit shop, the IT audit manager could take on
that role.
Second, there should be general training for the audit staff
regarding GAS. Next, the champion or IT audit manager
should identify the power users of GAS. These people are
given specific training if necessary, but they become the
leaders of implementing the chosen GAS product. They set up
the servers—that is, they would build the appropriate data files
from the operational system and make them available to all the
auditors. They also write or assist auditors in writing batches.
They could also conduct ongoing in-house training on the
product. If necessary, a consultant can be brought in to assist
the power users in developing the server and customized
services.
While these things are outside the control of most IT
auditors, they are facilitating or empowering approaches to
effectively using GAS.
Conclusion
When thinking about one’s career as an IT auditor, perhaps
no other skill or ability is as valuable as being an expert at
using GAS. Such expertise can be used in a variety of ways,
including regular financial audits, operational audits, Sarbanes-
Oxley-related tests and antifraud audit programs. In fact, it can
possibly make an IT auditor indispensable.
Endnotes
1 Sayana, S. Anantha; “Using CAATs to Support IS Audit,” Information Systems Control Journal, vol. 1, 2003
2 Bagranoff, Nancy A.; Laurie Henry; “Choosing and Using Sarbanes-Oxley Software,” Information Systems Control Journal, vol. 2, 2005
3 See www.informationactive.com
Tommie W. Singleton, Ph.D., CISA, CMA, CPA, CITP
is an assistant professor of information systems at the University
of Alabama at Birmingham (USA), Marshall IS Scholar, and
director of the Forensic Accounting Program. Prior to obtaining
his doctorate in accountancy from the University of Mississippi
(USA) in 1995, Singleton was president of a small value-added
dealer of accounting information systems using microcomputers.
In 1999, the Alabama Society of CPAs awarded Singleton the
1998-1999 Innovative User of Technology Award. Singleton is
the ISACA academic advocate at the University of Alabama at
Birmingham. His publications on fraud, IT/IS, IT auditing and
IT governance have appeared in numerous journals, including
the Information Systems Control Journal.
Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to
the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT
Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of
authors' content.
© Copyright 2006 by ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article.
Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly
prohibited.