Towards Online Auditing. The database environment

Stefan Popa[1], Claudia Ionescu[2]

Romanian Court of Accounts

011948 Bucharest 1, Romania

Str. Lev Tolstoi Nr. 22-24

Abstract. This paper gives an overview of recent evolutions in the field of audit, induced by the advance towards the network economy and the information society.

A new form of audit, online auditing, is emerging, and it can be defined as auditing through a database. The paper describes the main features of this online auditing, together with some considerations concerning its feasibility.

Key words. Online audit; systems interoperability; data integration; auditing through a database.

  1. Introduction


The emerging information society, characterized by integration, automation of processes and controls, and increased reliability of (and dependence on) systems, is also accompanied by an increased need for accurate and timely information. This creates the need for new approaches in audit procedures and auditing architectures, especially in large-scale socio-economic systems, such as those in financial and related fields, or the so-called “e”-systems covering social and technical systems as well (e-governance, e-commerce, e-learning, e-health and so on).

To state it concisely, an important side effect (as observed elsewhere, see for example Eurosai – IT WG) is that the intangible nature of automated systems and the associated technical intricacies have considerably raised the complexity of the related audits.

The audit institution and the audit institutions too have to adapt in the best possible way to the present high degree of automation in all fields, by taking into account and integrating information technologies (IT) and the related issues in all audits and in the functioning of the audit institutions.

The major challenge is to redesign the auditing architectures (as we will show later on in this paper), but a general challenge for every SAI is to strengthen the capacity to meet its strategic goals through proper use of IT, both internally (improved management, increased staff skills) and externally (more effective audits).

The objective of this short paper is to identify the main characteristics that distinguish the new “online” audit from other (say, classic) types of audit by presenting a practical, real life financial application, and to describe the conceptual framework for the online audit.

  2. The database-driven audit

In this section, we will briefly describe a prototype application concerning the reimbursement of VAT (value-added tax), currently under development in the Romanian Court of Accounts.

The system architecture is shown in the figure Controlling VAT Reimbursement Application attached at the end of this document.

Databases containing financial data (but not limited to this type of data) are really useful in control if supplemented with the necessary querying and reporting procedures. Their use is primarily intended for “legality” and “regularity” control, which can be more easily transposed into algorithmic procedures.

Specific uses of a database in financial control include:

  1. processing of primary documents according to different criteria and the decision (goals selection) for detailed, formal analysis;
  2. simultaneous control of several agents;
  3. cross control of business partners, in order to assess the “reality” of their cooperation, by processing multiple databases.

It is possible, and this is an important feedback of the audit (control), that inaccuracies in the database design and/or management can be detected at this stage, thus improving the controlled entity’s management.

Developing the adequate control (audit) procedures is not an easy task and it is strongly influenced by the existence of common (preferably, unique) coding schemes as well as by the availability of a high degree of standardization.

This integrated online auditing must also deal with the great variety of legacy systems, having only reduced networking capabilities, and also with the security issues and the associated risks.

But it is an economically feasible approach, both in terms of the audit costs reduction and of the technology costs (hardware, software, networks).

An important gain, also, is that the audit can be done with higher frequencies, thus improving the information content and timeliness.

To illustrate the above considerations, we refer, as already mentioned, to a practical application currently conducted by The Romanian Court of Accounts.

The VAT (value-added tax) reimbursement is handled by the Ministry of Public Finances, which maintains a number of distinct databases for reimbursement applications and reimbursement payments.

The objective of the audit in this case is to check if the reimbursement approval given by the Ministry of Public Finances was legal.

The search space is defined by means of the specific risk criteria (e.g., such factors or instances as: small capital amount, newly set-up companies, availability of VAT declarations, “ghost” companies and so on). The use of such criteria during the investigation is made possible by the availability of another database maintained by the Romanian Chamber of Commerce, which can be accessed online (using our specially allocated password) and which gives up-to-date information about all companies in Romania.

The investigation is then completed by consulting the balance sheets database, a public online database set up by the Ministry of Public Finances.

This way we have all the information (including the historical one) to make a judgement whether a given reimbursement was legal or not. Generally, illegal VAT reimbursement refers to either investments (fake or overestimated) or exports (also fake or overestimated).

Here again, a specialized database storing documents with controlled circulation, such as the invoices, is available. The detection of fake invoices is facilitated by this database (e.g., in case of non-valid invoice number or in case the invoice date is later than the buying operation).

The key concept in deploying such an investigation is the interoperability of the respective database applications.
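The risk criteria and invoice checks described in this section can be expressed as a single query joining the linked data sources. The following Python/SQLite code is an added example, not part of the Court of Accounts application; the table and column names, the sample rows, the one-year "newly set-up" window and the capital threshold are all constructed assumptions.

```python
import sqlite3

# Constructed sample data; schema, identifiers and thresholds are assumptions.
SCHEMA = """
CREATE TABLE company(tax_id TEXT PRIMARY KEY, capital REAL, registered TEXT, vat_declared INTEGER);
CREATE TABLE reimbursement(id INTEGER PRIMARY KEY, tax_id TEXT, invoice_no TEXT, purchase_date TEXT, amount REAL);
CREATE TABLE invoice_register(invoice_no TEXT PRIMARY KEY, invoice_date TEXT);
INSERT INTO company VALUES ('RO100', 500000, '1998-03-01', 1),
                           ('RO200', 200,    '2005-11-15', 1),
                           ('RO300', 90000,  '2001-06-10', 0);
INSERT INTO reimbursement VALUES (1, 'RO100', 'A-0001', '2006-02-10', 12000),
                                 (2, 'RO200', 'A-0002', '2006-02-12', 85000),
                                 (3, 'RO300', 'A-0003', '2006-01-20', 4000),
                                 (4, 'RO100', 'Z-9999', '2006-03-01', 7000),
                                 (5, 'RO999', 'A-0005', '2006-03-05', 30000);
INSERT INTO invoice_register VALUES ('A-0001', '2006-02-09'),
                                    ('A-0002', '2006-02-11'),
                                    ('A-0003', '2006-02-01'),
                                    ('A-0005', '2006-03-04');
"""

# One query joins the three sources; each output column is one risk criterion.
# LEFT JOINs keep claims whose company or invoice is missing from the registers.
RISK_QUERY = """
SELECT r.id,
       c.tax_id IS NULL                                             AS ghost_company,
       COALESCE(c.capital < :min_capital, 0)                        AS small_capital,
       COALESCE(c.registered > date(r.purchase_date, '-1 year'), 0) AS newly_set_up,
       COALESCE(c.vat_declared = 0, 0)                              AS no_vat_declaration,
       i.invoice_no IS NULL                                         AS invalid_invoice_no,
       COALESCE(i.invoice_date > r.purchase_date, 0)                AS invoice_after_purchase
FROM reimbursement r
LEFT JOIN company c          ON c.tax_id = r.tax_id
LEFT JOIN invoice_register i ON i.invoice_no = r.invoice_no
ORDER BY r.id
"""

def flag_reimbursements(min_capital=1000):
    """Return {reimbursement id: [risk criteria that fired]} for flagged claims."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    rows = db.execute(RISK_QUERY, {"min_capital": min_capital}).fetchall()
    hits = {r["id"]: [k for k in r.keys() if k != "id" and r[k]] for r in rows}
    db.close()
    return {rid: h for rid, h in hits.items() if h}

if __name__ == "__main__":
    for rid, criteria in flag_reimbursements().items():
        print(rid, ", ".join(criteria))
```

The flagged list only narrows the search space; each hit still has to be examined against the balance sheets and primary documents before a judgement on legality is made.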

  3. The Online Audit

As shown in the preceding section, one form of the online auditing is auditing through a database.

This is a natural choice as long as the relational database technology is the cornerstone of modern enterprise information systems or of the county level or nation-wide databases (statistical, financial, population, etc.).

It is also a realistic, feasible choice, as shown by the considerations below.

(1) The main premise for such an approach is the technological feasibility: the accounting information is now generally recorded and stored on electronic (or alternative, but accessible) support, while the network allows online and remote access to this information.

(2) But, from the technological point of view, there are also a number of factors subject to further reflection:

- the variety of legacy systems and their poor networking facilities;

- the risks induced by the security exposure in case of online access;

- the fact that certain accounts simply cannot be audited on line.

(3) As for the economic feasibility, the costs seem to be an attractive feature of the online audit, because:

- on one side, the online status greatly diminishes costs (travel, manual evidence collection, daily allowances, etc.);

- whilst, on the other side, additional technological costs, if any, for the implementation are very low.

In a more general perspective, the online audit in our understanding means the transition from the insulated audit to auditing in a network environment.

The necessary and sufficient condition to make it work is the auditor’s access to the auditee’s network (or to the administrative network) for the direct capture of the information by the auditor.

It can be seen, to a certain extent, as a process aiming at the dematerialization of the auditing procedures. Such a process is visible also in the realization of the e-administration projects.

As for the resources to support such a transition, the most important are the interoperability of the systems and the definition of the appropriate standards. Other useful resources are the capitalization of the initiatives and experiences and the mutualization of knowledge and platforms.

From the practical realization point of view, it is worth mentioning here the Jin-shen model, adopted in China, which provides for the development of an auditing information system in the frame of China’s e-government plan. The scope of the project is global, starting with the infrastructure and ending up with personnel training.

The main advantage of such an approach is that it allows keeping the structural components compatible with each other and aligned to common standards, thus ensuring increased interoperability and integration.

In Romania also, as one part of the efforts to develop e-government services, a common framework for systems interconnecting and data integration (standards, policies) has been established by the Ministry of Communications and Information Technologies. This should help The Romanian Court of Accounts to promote online auditing projects to a greater extent.

  4. Conclusions

This paper presents a new form of online auditing, called auditing through a database. The main features of this online auditing are described, together with some considerations concerning its feasibility.

This is a natural evolution as long as the relational database technology is the cornerstone of modern enterprise information systems or of the county level or nation-wide databases (statistical, financial, population, etc.).

In a more general perspective, the online audit in our understanding means the transition from the insulated audit to auditing in a network environment.

As for the resources to support such a transition, the most important are the interoperability of the systems and the definition of the appropriate standards.


[1] Counsellor of Accounts

[2] IT Auditor