IT based audit

A Short Essay

CHALLENGES TO INFORMATION TECHNOLOGY-BASED AUDITS

“Support from IT/IS Auditors for Financial Audit Assignment in the Public Sector”

By: Agung Kurniawan

Challenges to Information Technology-Based Audits

Information technology-based audits implies that a variety of tools or devices is used in the field of information technology that constantly evolves, in order to support the audits. Information technology-based audits may refer to the use of electronic information systems to access and process data, as well as the use of a wide variety of audit application programs (software) to perform an audit.

Information systems/ information technology has been used in most of the activities related to state/local finance governance. Both the revenue system and the expenditure system in the state and in local governments have adapted massive and extremely fast development in information technology. In so doing, the role that information technology-based audits play is becoming increasingly vital.

The use of electronic information systems for data access and processing is known as e-audit. E-audit allows the auditor to be connected with the auditee and remote data access can be directly processed by the auditor. To perform an audit, it is very possible that both the e-audit or the field audit requires variety of data processing applications. It’s called Computer-Assisted Audit Techniques (CAATs).

The example of CAATs is using Microsoft Excel application program or more advanced application programs to perform further examinations using forensic audit tools.

CAATs is defined as the use of certain software that an auditor employs to perform an audit and to attain the objective of the audit. The most important technique of CAATs is Generalized Audit Software (GAS), a device for data processing and analysis. CAATs are used to collect/ analyze data as well as document and report the audit.

Tools used in CAATs include data processing software such as ACL, Arbutus Analyzer and SQL Server. While for the purposes of investigations that require digital forensics, a number of application programs such as Forensics

C h a l l e n g e s t o I T / I S A u d i t o r s i n T h e T r a n s f o r m a t i o n o f I n f o r m a t i o n S y s t e m Page 4

Statement on Auditing Standards (PSP) 01 Paragraph 10 letter d number 2) in State Finance Audit Standards (SPKN) reads:

“Any auditors appointed to perform an audit based on the Audit Standards shall collectively have sufficient skills for the audit that they perform, for an example:

If the audit requires an extensive review of an information system, then the audit team shall have qualified auditor with skills in the field of information technology audits.”

A Short Essay

Data (using several application programs like En case, Safe Back, Norton Ghost), Password Recovery Toolkit, restoring data after a user deletes the data (like WipeDrive and Secure Clean) and discovering changes in digital data (DriveSpy) are commonly used.

In addition to the use of various tools of information technology and data processing (both hardware and software) as mentioned above, auditors required to have competence in information technology/ systems. Auditors in the environment of state finance are also necessary to meet this competency requirement.

The state/local financial governance continues to develop. The use of information technology in various sectors of the government becomes more extensive. Electronic public services, the use of non-cash/ bank-to-bank payment systems, and fully computerized systems of governmental accounting require the control of state auditors who have competence in the field of information technology. These challenges to information technology mastery are issues that are currently included as one of the major challenges to auditors in the state finance environment.

Reflections on Technology-Based Audits Implemented by BPK and Indonesia

State Audit Board of The Republic of Indonesia (BPK RI) seeks to optimize the use of information technology to help prevent corruption, collusion and nepotism in state institutions. The information technology that is used, among others, includes electronic audit systems such as e-audit, and the use of information technology application programs to help complete audit assignments.

Through the National Synergy on Information Systems (Indonesian: Sinergi Nasional Sistem Informasi or SNSI), BPK carry out an examination with the assistance of information technology (electronic audits) which is expected to be more efficient and effective. Through electronic audits or “e-audit”, BPK can encourage increased transparency and accountability in public finance management.

BPK has signed an agreement on the implementation of electronic data access with most of local governments across Indonesia. Almost all ministries and agencies at th state level have also done the same thing. BPK have also provided online access with a total number of 177 State Treasury Service Offices (Indonesian: Kantor Pelayanan Perbendaharaan Negara or KPPN) all over Indonesia.

BPK auditors also have begun using application programs and computer-assisted audit techniques. Especially for investigative audits, BPK have also utilized forensic audit software.

However, the use of information technology devices is still very limited because of inadequate training activities for these BPK auditors. The number of auditors who can operate information technology application programs specifically designed to assist their audit assignment is also still limited unevenly distributed in all departments that require these auditors.


“Training for auditors on the mastery of information

technology application programs organized by BPK is still very

limited and there are a few number of auditors who have

certified information system with uneven distribution among

departments.”

A Short Essay

In addition, the proof to demonstrate competence of BPK RI auditors in the information technology-based audits through certification is also very limited. For an example, there are a few number of auditors in BPK RI who have received training and attained the Certified Information Systems Auditor (CISA) certificate.

Meanwhile, in Indonesia, other institutions that have implemented technology-based audits are the Ministry of Finance (Indonesian: Kementrian Keuangan) in their tax audits and Corruption Eradication Commission (Indonesian: Komisi Pemberantasan Korupsi or KPK) in some of their investigation to the audits in corruption cases.

Alternative Solutions to the Increased Capacity of Information Technology-Based Audits in BPK and Indonesia

Research by Kim et. al. on IT acceptance in the profession of internal audits suggests that for simple technological features, it is the perception of the usefulness which significantly affects the acceptance, while advanced features, it is the perception of the level of ease which affects more dominantly. These findings suggest that to increase the use of CAATs, management should develop a good training program to improve the “level of ease” associated with the use of CAATs.

In line with the research and illustrations of various things related to technology-based audits both in BPK and Indonesia, some alternative solutions to the increased capacity of information technology-based audits include:

1. BPK RI need to more intensively disseminate information and communicate to all auditors on a continuous and sustainable basis to make technology-based audits can be internalized among all the auditors. Therefore, it is expected that in the future there will be no resistance and fears, even information technology-based audits might be considered as a necessity for any auditors;

2. BPK need to prepare adequate infrastructure and facilities, as well as the appropriate technology to support more extensive application of technology-based audits (both licensed software and capable hardware);

3. BPK RI auditors need to continue developing their auditing capacity to master a wide variety of technology-based audit software and to update the IT competence of their auditor on a continuous and well-programmed basis. This


A Short Essay

can be done by providing appropriate training and as many as opportunities for the auditors to attend the training;

4. Efforts to disseminate knowledge from the auditors who have acquired education and training related to technology-based audits to (at least) their other fellow auditors in their department should always be encouraged by the management of the department in order to carry out a more massive transfer of knowledge;

5. Increasing the number of auditors with qualification and certification in the field of audit systems/ information technology, such as CISA, Certified in Risk and Information Systems Control (CRISC), and the like;

6. BPK RI also need to expand and increase the number of information technology-based audit assignments in order to provide opportunities for inspectors who have acquired the ability to perform IT-based audits and to implement the expertise that they have while enhancing the quality of the audits performed by BPK;

7. Especially for the implementation and development of e-audit in BPK, the following things are necessary:a. more detailed rules that govern the implementation of e-audit;b. improved co-operation between all the auditees and stakeholders to expand

the implementation of e-audit;c. preparing adequate infrastructure and database to support e-audit

implementation;d. preparing an adequate internal control system in order that the

implementation of e-audit is not misused for one’s vested interest;e. intense dissemination of information related to the application of e-audit

and the use of information systems by auditees8. BPK RI and a wide variety of auditing institutions as well as other professional

organizations/ institutions in the field of audits need to more frequently schedule a meeting and discussion to develop information technology-based audits.

( agung- BPK RI, West-Java Province Representative - 2014)


Documents

IT based audit