Using IDEA to Meet Professional & Regulatory Requirements
Standards and regulatory requirements serve good purposes, including higher levels of accountability, protection of assets, best practices and more, but they also add responsibility and expectations for already overloaded accounting and audit professionals. This is where technology can help. Our product suite helps analyze and test the entire population of relevant transactions to highlight anomalies and search for fraud and errors. Here are just a few examples:
ICAI - Auditing and Assurance Standard (AAS) 29
Recognising the developments in the field of technology and their impact on the accounting profession in India, the Auditing and Assurance Standards Board issued Auditing and Assurance Standard (AAS) 29, Audit in Computer Information Systems Environment. This Guidance Note on Computer Assisted Audit Techniques comes as a sequel to that AAS. The Guidance Note deals extensively with the concept of CAATs and related issues, such as what CAATs are, where they may be used, considerations in the use of CAATs, how to use CAATs, testing of CAATs, controlling the application of CAATs, documentation required when using CAATs, use of CAATs in small entities, etc. The Guidance Note also contains a comprehensive appendix with examples of CAATs, their descriptions and the comparative advantages and disadvantages of each.
IIA - GTAG 16: Data Analysis Technologies
The IIA has released a practice guide entitled “GTAG 16: Data Analysis Technologies.” This guide aims to help CAEs understand how to move beyond the tried and true methods of manual auditing toward improved data analysis using technology. After reading this guide, you will:
- Understand why data analysis is significant to your organization.
- Know how to provide assurance more efficiently with the use of data analysis technology.
- Be familiar with the challenges and risks that you will face when implementing data analysis technology within your department.
- Know how to incorporate data analysis at your organization through adequate planning and appropriate resource structures.
- Recognize opportunities, trends, and advantages of making use of data analysis technology.
The AICPA’s Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit, shifted audits from awareness of fraud risks to an assumption of them. The result is elevated responsibility for CPAs. SAS 99 recommends the use of computer-assisted audit techniques (CAATs) to search through electronic files for evidence of fraudulent or unusual transactions that require additional investigation. With IDEA Data Analysis, you can obtain detailed downloads of the general ledger, then:
- Stratify data and sort it into categories for analysis to search for errors, or
- Compare data between years, or
- Sample 100% of the data population and much more.
Many IDEA users have incorporated the standardized tests available in SmartAnalyzer to support the requirements of SAS 99 and apply them on a routine basis to supplement their SAS 99 test work.
The Sarbanes-Oxley Act prompted many privately owned companies and nonprofit organizations to evaluate their internal controls using the recommendations of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The COSO framework consists of the following five interrelated components: control environment; risk assessment; control activities; information and communication; and monitoring. COSO principles 19 & 20 specifically cite monitoring procedures and provide guidance on how internal control systems should operate effectively. Deficiencies must be identified and communicated in a timely manner to those responsible for taking corrective action. To achieve this, organizations are moving towards continuous monitoring. Continuous Monitoring improves compliance and controls through customizable business rules and automated alerts. Communicating through a single portal, all stakeholders can independently monitor controls and anomalies across multiple business processes and systems and document corrective responses.
FCPA and UK Bribery Act
The United States, the United Kingdom and a number of other countries have significantly increased their attention to acts of bribery committed within their jurisdiction. While the Foreign Corrupt Practices Act has been on the books for some time, a number of other countries have passed new legislation in recent years. These laws are designed to hold companies responsible for failing to prevent bribery committed on their behalf by employees, agents or subsidiaries. According to the UK Bribery Act’s guidelines, companies must have ongoing risk reviews and monitoring, coupled with a compliance program, which are all reviewed regularly. Recent FCPA judgments indicate that having proactive and detective procedures in place may mitigate penalties.
Data analysis and monitoring also apply to compliance with these laws. Ongoing review of disbursements by employees or agents identifies payments or gifts, especially to government officials, that could be classified as bribery. High-risk companies, such as those with significant overseas operations or those doing business in high-risk locations, should consider external verification or assurance of the effectiveness of their anti-bribery policies. David King, CFE, with Navigant Consulting Inc., has successfully used IDEA Data Analysis to help clients meet FCPA compliance requirements:
'IDEA has simplified the work we do to help clients check compliance and identify exposures relating to the Foreign Corrupt Practices Act. For instance at the beginning of an investigation, we are provided with a variety of general ledger information, which we then test to produce a subset of transactions and request documentary evidence. The tests we conducted included looking for round amounts, zero dollar invoices, duplicate invoice numbers, invoices paid with checks where the check date is before the invoice date, employees with the same address as vendors and many others. IDEA performs all these tasks with ease, and in many cases, has preprogrammed functions (such as detecting duplicates) that allow the test to be run in a single step. IDEA is also helpful in completing SAS99 work (consideration of fraud), which involves running similar tests to those used for FCPA purposes.'
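The tests named in the quote above, sketched over a constructed ledger extract as an added example (this is not IDEA functionality and not Navigant's procedure). The field names, sample rows, the 1,000 round-amount threshold and the choice to key duplicates on vendor plus invoice number are assumptions.

```python
from collections import Counter
from datetime import date
from decimal import Decimal

# Constructed sample data (not from the page): invoices paid by check, plus master files.
INVOICES = [
    {"inv": "INV-1001", "vendor": "V01", "amount": Decimal("1840.37"), "inv_date": date(2023, 3, 1), "check_date": date(2023, 3, 20)},
    {"inv": "INV-1002", "vendor": "V02", "amount": Decimal("5000.00"), "inv_date": date(2023, 3, 4), "check_date": date(2023, 3, 25)},
    {"inv": "INV-1003", "vendor": "V03", "amount": Decimal("0.00"), "inv_date": date(2023, 3, 5), "check_date": date(2023, 3, 30)},
    {"inv": "INV-1001", "vendor": "V01", "amount": Decimal("1840.37"), "inv_date": date(2023, 3, 1), "check_date": date(2023, 4, 2)},
    {"inv": "INV-1004", "vendor": "V02", "amount": Decimal("912.50"), "inv_date": date(2023, 4, 10), "check_date": date(2023, 4, 3)},
]
VENDORS = {"V01": "12 Harbor Rd., Suite 4", "V02": "700 Main Street", "V03": "9 Elm Ave"}
EMPLOYEES = {"E17": "700  main street", "E22": "41 Oak Lane"}
ROUND_UNIT = Decimal("1000")  # assumed threshold for "round"; tune per engagement


def norm_addr(addr):
    """Case-fold, drop punctuation and collapse whitespace so near-identical addresses match."""
    kept = "".join(c for c in addr.lower() if c.isalnum() or c.isspace())
    return " ".join(kept.split())


def run_tests(invoices, vendors, employees):
    """Return {test name: sorted list of flagged keys} to drive documentary-evidence requests."""
    # Assumption: a duplicate is the same invoice number from the same vendor.
    dup_keys = Counter((r["vendor"], r["inv"]) for r in invoices)
    emp_addrs = {norm_addr(a): e for e, a in employees.items()}
    flags = {"round_amount": [], "zero_amount": [], "duplicate_invoice": [],
             "check_before_invoice": [], "employee_vendor_address": []}
    for r in invoices:
        if r["amount"] == 0:
            flags["zero_amount"].append(r["inv"])
        elif r["amount"] % ROUND_UNIT == 0:
            flags["round_amount"].append(r["inv"])
        if dup_keys[(r["vendor"], r["inv"])] > 1:
            flags["duplicate_invoice"].append(r["inv"])
        if r["check_date"] < r["inv_date"]:
            flags["check_before_invoice"].append(r["inv"])
    for v, addr in vendors.items():
        if norm_addr(addr) in emp_addrs:
            flags["employee_vendor_address"].append((emp_addrs[norm_addr(addr)], v))
    return {name: sorted(set(hits)) for name, hits in flags.items()}


if __name__ == "__main__":
    for name, hits in run_tests(INVOICES, VENDORS, EMPLOYEES).items():
        print(f"{name}: {hits}")
```

Each flag is a lead for requesting supporting documents, not a finding in itself; round amounts and early-dated checks in particular have legitimate explanations.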
CaseWare Monitor can also serve as an effective tool for reviewing financial information continuously to search for bribery, misuse of funds and other abuses. Monitor’s intuitive dashboard provides information about risk levels and routes exceptions to the appropriate parties for resolution.
Office of Management and Budget (OMB)
Federal agencies and individual managers must take systematic and proactive measures to ensure that proper controls are in place and working effectively, and that corrective action is taken if needed. The OMB lists numerous Acts, including information, recovery and auditing, all designed to protect taxpayer dollars. IDEA Data Analysis can be applied to meet these requirements, for example by summarizing and calculating averages by program, comparing expenditures to budget, analyzing expenditures using different variables, comparing vendors to excluded lists, and much more.
The goal of the Payment Card Industry Data Security Standard (PCI DSS) is to ensure that credit card transactions are secure and consumers' sensitive data is protected. IDEA’s query tools can be used to:
- Review user access and identify inappropriate permissions and usage,
- Sift through extensive security logs to quickly identify unauthorized access, or
- Verify that PCI data is not being stored in operational databases to meet self-assessment requirements.
In 1996, the Health Insurance Portability and Accountability Act was put into place to provide rights and protections for participants and beneficiaries in group health plans. HIPAA’s Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information. While IDEA does not encrypt data or enforce security, Collaborative Analytics, which resides behind an organization’s firewall, can assist with HIPAA regulations by providing an extra layer of security. To access an organization's sensitive data and information, users log into the network using company-provided credentials. IDEA Server requires a separate login procedure to access Server-based projects and files in addition to standard network access. All data is stored within project folders protected within the network, and all processing is done on the server, rather than on the PC.