Utilizing the identified red flags or symptoms, various software and hardware tools can be deployed to source information and data. Analysis can then be done against the data and information obtained. If issues are identified, automated technology can be used to minimize or prevent future occurrences.

With a list of symptoms in hand, one can decide what data is needed to perform meaningful analysis to conform to the audit objectives. With data in hand, analytical software such as IDEA can do tests to target the selected areas. It should be noted that some general tests, such as Benford’s Law, highlight anomalies and can be used to compliment the specific testing.

The audit plan needs to be expanded to review and investigate suspicious items or anomalies. Most of the anomalies will be false positives that can be explained after additional investigation. Actual fraudulent transactions are normally few and far apart. If actual issues are determined, automated procedures and processes, such as continuous monitoring, can be implemented to immediately flag the issue to mitigate the risk of reoccurrence. Continuous monitoring can be both proactive and detective. This may come after the audit and investigative stage.

No amount of technology can confirm a fraud. Technology can merely provide a starting point or identify potential transactions that may or may not indicate fraud. Technology reduces the amount of daily routine transactions to those that are high risk and require further review. Risk analysis is used to dictate whether further resources should be allocated to expand the audit or to investigate specific transactions. The audit trail must be followed and source documents should be reviewed. It may also be necessary to interview staff to obtain additional information, clarification, or reasoning behind the transaction. This may cycle back to the need for better understanding the business in more detail in the evaluation and analysis stage.

Once a fraudulent transaction is identified, technology may be able to assist in quantifying or for rooting out additional fraudulent transactions of the same type. The result of the audit or investigation determines additional procedures necessary to be implemented or included in the automated monitoring procedures.

The three stages of the cycle are ever evolving and continuous. They need to be proactive as new methods of fraud are constantly arising, especially with the rapid changes in technology. While technology may assist the auditor or investigator with new detection methods, technology also provides new tools for the fraudster to attack systems and perpetrate fraud. Where one area may be secured by various controls today, it may be compromised tomorrow. An auditor must include routine checks, like a night watchman on patrol who checks that doors are locked properly several times during the routine patrol. Have a plan but constantly adjust the plan accordingly!

Data exists in various formats, maybe in a single file, possibly within a database, or perhaps even spread over a number of business systems that are not linked to one another. The audit objectives should be the determining factor of the data requirements.

For example, a routine financial audit using IDEA—whether it be to verify mechanical accuracy, valuation, existence, validity, completeness, cut-off, and analysis for other audit steps—may only require data from the accounting system. Files may include the general ledger, detail transactions, accounts payable, inventory, and sales.

For a fraud audit, in conjunction with the accounting system files, data both from access logs and from human resources may be needed. Computer or physical entry log date and times may be compared with accounting postings or authorizations. Personnel records of addresses may be matched to vendor records.

Additional electronic data may be required for forensic and other specific-purpose audits and reviews.

IDEA is most useful when there is a problem to solve on an audit or used for substantive testing. IDEA should always be used subject to consideration of data volume and the cost of obtaining the required electronic data.

Data analysis techniques are necessary where there is a large volume of transactions. The greater the number of records, the more valuable IDEA is. When the number of records is low, using IDEA may not provide much benefit over a manual audit.

Consideration must also be given to the costs incurred in obtaining the data. Costs may be direct monetary cost in using outside services or cost in time for both the auditors and IT specialists. There may be major costs involved in determining the files and fields needed, writing queries, processing, and transferring the resulting data from the host computer to the auditor’s computer or IDEA server. Time needs to be budgeted to examine the resulting files to ensure completeness and accuracy. Additional time may be required to investigate and correct data issues.

Once the audit objectives have been well defined and it is determined that IDEA is the appropriate tool, the next step is to determine the data requirements. In order to do so, you must first identify the business or computer system, the business software used, and the files and fields needed to meet the audit objectives.