Journal of Forensic & Investigative Accounting Vol. 3, Issue 2, Special Issue, 2011

Using ACL Scripts to Teach Continuous Auditing/Monitoring: The Tremeg Case

Jill Joseph Daigle, Ronald J. Daigle, James C. Lampe*

This paper presents a two-part case to help students better understand how computer assisted audit tools (CAATs) can be used in either a continuous auditing (CA) or continuous monitoring (CM) context. If an instructor desires to emphasize CA, students can assume the role of an information technology (IT) auditor within the internal audit function of a fictitious company, Tremeg Corporation. If an instructor desires to emphasize CM, students can assume the role of a management accountant responsible for security monitoring. In either scenario, students are concerned with identifying and examining potential threats to IT security. The fictitious company is described as a growing electronic components manufacturer that has recently been awarded a large multi-year defense contract. High among the many concerns and goals of company executives is improving security over network access to data. This concern is one that IT audit guidance and frameworks strongly suggest organizations take seriously (Warren Gorman & Lamont 2010; ITGI 2007). Many companies in today’s business environment recognize the risk of faulty systems security (Ernst & Young 2009).

The first part of the case provides instructions and screenshots for guiding students through the step-by-step development of an Audit Control Language (ACL) script that can be run as often as desired, likely weekly or monthly in a practical situation, to detect employees who have been terminated but still have access to network resources.
Such accounts should have access immediately disabled because of the threat of fraud and sabotage by the terminated employee or by another individual who obtains password access. Automating the process by creating a script that can be run on a repetitive and recurring basis, with investigative follow-up on results, gives students practical insights into CA/CM. The scenario in this case is consistent with IT audit guidance, which strongly suggests that systems security be monitored on an ongoing basis (Warren Gorman & Lamont 2010).

The second part of the case gives students more experience with ACL and CA/CM through the creation of another script for detecting active employees who have dormant network accounts. Such employees may have been terminated but did not have their access status changed to “inactive” by the human resources and/or IT functions. Some employees having dormant accounts may still be active but should no longer have network access. In both situations, the accounts identified should have access immediately disabled because dormant accounts can be an opportunity for fraud and data breaches. Part two can be used as a second step-by-step tutorial, or as an assignment or take-home exam without the detailed instructions and screenshots. Treating part two as an assignment or take-home exam helps determine whether students are able to apply the knowledge and skills learned from part one. In each part, students are also required to respond to ethical questions raised by technology such as ACL, CA and CM, and to use critical thinking skills as professional auditors or accountants.

* The authors are, respectively, Internal Audit Supervisor at Zions Bancorporation – Amegy Bank of Texas, Associate Professor at Sam Houston State University, and Associate Professor at Missouri State University.
This two-part case has been successfully used in multiple graduate IT issues and audit courses at two universities, with students having no prior knowledge or experience with ACL. Exit survey results show that students perceived that the case objectives were met. Students also provided enthusiastic anecdotal feedback. Besides IT audit courses, we believe the case would also be useful in graduate AIS, audit and managerial accounting courses for exposing students to fraud investigation and CA/CM via the use of CAATs.

We strongly believe that accounting curricula need to continue a trend toward holism. Courses intended to teach primarily financial, managerial, tax, audit or systems topics need not only cases that include state-of-the-art technology and fresh techniques being adopted in audit and accounting practice, but also cases that allow students to develop the ethical reasoning and critical thinking required of auditing and accounting professionals. We believe the answer to the question of whether accounting ethics should be integrated into multiple existing technical classes in the curricula, rather than being taught exclusively in a stand-alone course, is YES. The Tremeg case allows students to exercise and expand skills in managerial control, auditing, fraud investigation, IT, written communication and ethics in one holistic case.

We further believe that the scenario provided in the Tremeg case may be useful for behavioral researchers interested in studying some particular aspect of CA/CM. The central concern, control of system security, is consistent with that highly expressed by business professionals (Ernst & Young 2009), as well as specifically cited as an area deserving attention within organizations (ITGI 2007), including on a continuous basis (Warren Gorman & Lamont 2010).
The need for behavioral research in CA and CM has been noted in the literature (for example, Hunton et al. 2004). The scenario in the case, or one similar to it, could also be used to design research experiments studying some particular aspect of CA/CM.

The next section discusses the importance of teaching IT skills in controls monitoring and auditing, including the performance of CA and CM for detecting and investigating potential fraud and errors. Later sections provide an overview of each part of the case, including example screenshots, discussion of how the second part of the case can be modified to be an assignment or take-home exam, and student feedback on the two-part case. Appendices provide tutorials (solutions), an example modification of the second part as a take-home exam, and teaching notes.

IMPORTANCE OF TEACHING IT AUDIT SKILLS

Whether for a career in industry or public practice, all accounting graduates entering the workforce are required to have substantial IT literacy. From a financial statement audit perspective, the issuance of Statement of Auditing Standard (SAS) #94 in 2001 recognizes that financial statement auditors must consider the impact of IT on internal control when gaining an understanding of, documenting and assessing internal control during audit planning. This, coupled with increasing IT complexity in business, has created recognition of and demand for IT audit specialists, both external and internal to organizations. As demand continues to rise, more students desire the education and training to help them become IT audit specialists.
The requirements for studying for and becoming a practicing Certified Fraud Examiner (CFE) involve knowledge and experience in four areas: 1) fraud prevention and deterrence; 2) financial transactions; 3) fraud investigation; and 4) legal elements of fraud.1 The requirements for becoming a Certified Information Systems Auditor (CISA) are also very comprehensive and include the need for knowledge and experience with CAATs.2 Knowledge and experience in using CAATs for performing CA and CM are helpful to all accounting students, but essential for students working towards specialization in IT audit and fraud investigation in today’s business environment.

IT knowledge, including its application to auditing and fraud investigation, is also important to management accountants. This is evidenced by the requirements for becoming a Certified Management Accountant (CMA). The CMA exam specifically tests for in-depth IT knowledge and application (IMA 2010):

• The Financial Planning, Performance and Control section includes a subsection on Internal Controls, which covers risk assessment; internal control environment, procedures, and standards; responsibility and authority for internal auditing; types of audits; and assessing the adequacy of the accounting information system.

Automated CAATs are being used in business as a means of repeatedly testing and reporting on subsets of data being processed by a complex IT system – i.e., CA and CM.

1 Go to www.acfe.com and link into “Membership & Certification” then “Become a CFE” for further detail.
2 Go to www.isaca.org and link into “Certification” for further detail.
CA is defined as (AICPA/CICA 1999): “A methodology that enables independent auditors to provide assurance on a subject matter…using a series of auditor reports issued virtually simultaneously with, or a short time period after, the occurrence of events underlying the subject matter.”

A similar, yet different, activity to CA is CM. CM is a recurring and repetitive management process for determining whether particular activities of interest are in compliance with policies and procedures implemented by management (ISACA Standards Board 2002). While both CA and CM incorporate similar techniques, CM is a management process (an internal control activity) while CA is an independent audit process (conducted by either an internal or an external auditor) (Daigle et al. 2008; Coderre 2005; ISACA Standards Board 2002). The automation of a CAAT allows auditors and accountants to very efficiently test 100% of new transactions or entries in subject matter areas of interest or particular controls, and to report results as often as desired with little marginal cost incurred.

Results of a 2006 survey of internal auditors report that 50% of the 392 respondents perform CA or CM within their companies, while another 31% plan to develop a CA or CM program (PwC 2006). Results of a 2009 survey of 305 organizations by the Institute of Internal Auditors note that 32% of respondents perform CA within their organization (McCann 2009). These survey results show that CA and CM should be an important topic of coverage for those seeking a career as an IT-oriented auditor, fraud investigator or management accountant.

One of the most commonly used CAATs is referred to as Generalized Audit Software (GAS). Two of the most commonly used GAS packages are ACL and IDEA. The Tremeg case uses ACL.
Due to the importance of the topics of IT auditing, CA and CM for detecting fraud and errors, ACL (or similar software such as IDEA) is receiving attention in several auditing and AIS textbooks. Many current textbooks are accompanied by ACL software and provide several short problems for students to solve using the software. ACL also produces an educational version with a site license that allows students to access a more extensive list of problems. At this time, it does not appear that any problems or short cases are available that provide students with experience in using GAS (such as ACL) to perform CA/CM. The two-part case presented here serves to complement the problems found in current textbooks and the educational version of ACL by providing students with insight into, and some practical experience with, using ACL to perform CA/CM for the purpose of identifying potential fraudulent threats in a fictitious setting. The case can be performed fully on most recent versions of ACL software (such as Versions 8 and 9, with minimal screenshot variations between the two versions), including the educational versions packaged with audit textbooks.3

The next two sections give an overview of each part of the case. The first part of the case is referred to as the “terminated user” case while the second part is referred to as the “dormant account” case.

3 An instructor teaching graduate IT auditing has used the basic structure and data of the two-part Tremeg case using IDEA, and reports to us anecdotal evidence of successful use and adaptation.

OVERVIEW OF TERMINATED USER CASE

The terminated user case has five objectives:

1) Help understand the concept and application of CA/CM.
2) Help learn how to perform basic ACL activities of:
   a) Importing data.
   b) Extracting data.
   c) Creating tables.
   d) Joining tables to create a new table.
   e) Filtering data in a table.
   f) Exporting data.
3) Help learn how to automate basic ACL activities through the creation of scripts.
4) Gain confidence in the future application of developing computer automation procedures for performing CA/CM after completing the first part of the case.
5) Help better recognize potential ethical issues with an organization’s ability to analyze employee network activity.

In the terminated user case, students act, at the discretion of the instructor, in the role of either an IT auditor or a management accountant of a fictitious company, Tremeg Corporation, and complete six technical activities with associated deliverables. Students are first guided through five ACL activities designed to identify terminated employees who may continue to have access to the company network. The sixth activity involves automating the first five activities by developing an ACL script. The script can then be run repetitively, likely weekly or monthly, to investigate whether any terminated users have access to the company network. The script provides an excellent example to students of performing CA/CM at a low marginal cost for testing controls and investigating threats of potential fraud and data breaches. Following successful completion of the technical aspects of using ACL, students are required to perform a seventh activity, which involves considering certain ethical ramifications regarding the analysis of employee network activity and writing a response in the form of a memo.

The task of identifying terminated users who continue to have access to network resources is purposely selected because it is likely a key general control commonly identified by IT management, as well as by internal and external auditors testing controls both for internal effectiveness and efficiency and for financial statement audits.
For publicly traded companies, the assessment of internal control over financial reporting is the direct responsibility of the CEO and CFO, aided by management accountants and compliance officers who provide the CEO and CFO the assurance needed to sign the required report on internal controls. As evidence of the importance of preventing terminated users from having continued network access, a survey of nearly 1,900 senior executives in more than 60 countries reports that 75% of respondents are concerned with IT security threats and data breaches by former employees (Ernst & Young 2009). One conclusion drawn from the survey results is that CA/CM should be implemented to reduce IT security threats and data breaches (Ernst & Young 2009).

The overall concern for access security is reflected in numerous parts of the COBIT 4.1 Framework (ITGI 2007). The Framework notes “access to programs and data” as one of the four IT general control categories. The Framework also notes “manage changes” and “ensure systems security” as two of the twelve control objectives. The Framework further states that “job change and termination” requires management to “ensure that appropriate and timely actions are taken regarding job changes and job terminations so that internal controls and security are not impaired.” Emphasis is added when it further states that “user account management” requires management to “establish procedures to ensure timely action relating to …suspending and closing user accounts” (ITGI 2007). Other IT audit guidance also emphasizes the importance of preventing security breaches when specifying that “system access security logs” deserve “ongoing monitoring” (Warren Gorman & Lamont 2010). The use of CA/CM to identify control deficiencies, fraud, waste and abuse is referred to as “continuous control assessment” (Coderre 2005).
IT security deficiencies could be judged by the external auditor to be significant or even material to the likelihood of the financial statements containing misstatements. The terminated user case therefore gives students experience with testing a very important general control that should exist and be tested in many current organizations, and with implementing a type of test being suggested by practice. Step-by-step instructions and screenshots allow students to see the incremental value of each task, culminating in the automation of all activities for repetitive use. Each activity involves a deliverable, typically a printed report that is straightforward to grade. Table 1 provides an overview of the seven activities in the terminated user case. The complete set of instructions and screenshots for the terminated user case is included in Appendix A. All Excel files referred to can be obtained directly from the authors (please see Table 1).

Description of Terminated User Case Activities

The first activity of the terminated user case involves using the Import command to create a table in ACL populated by the data from an Excel file of all Tremeg employees, whether active or terminated. This activity gives students experience with one of the most basic uses of ACL: importing data for subsequent testing and analysis.

The second activity involves using the Extract command to populate a new table with the data of terminated employees from the table created in the first activity. This second activity builds upon the first by giving students experience with specifying criteria (terminated employees) for extracting selected records from the larger table of all employees. The resulting distilled table is then available for further testing and analysis in later activities of the case.
The third activity involves using the Import command to create a third table populated by all data from a second Excel file of active directory users at Tremeg. This activity is similar to the first activity but uses different data. Both the table created in this activity and the table extracted in the second activity are subsequently used by students in the fourth activity to determine which terminated users continue to have network access.

The fourth activity involves using the Join command to create a fourth table of data for analysis, based on the data in the tables created in the second and third activities. A report of the data in HTML format is also generated. This activity is the test that identifies those terminated users who continue to have network access, as well as the most recent time of access. Both are important to identify and investigate, but the second item more so because it indicates potential misuse of network resources by terminated employees or by some other individual (such as a current employee) who has obtained access through the terminated employee’s account. Students are told in the tutorial that these terminated employees should be reported to the System Administrator immediately so that access is disabled to prevent any further unauthorized access and an examination is made of activity after the date of termination. The Join command is used to accomplish the two tasks of identifying terminated employees for whom network access has not yet been disabled and determining whether unauthorized access has occurred after the date of termination. The Join command matches employee numbers from the active directory users table with employee numbers in the terminated employees table. A second test is then performed to determine if the associated user account has
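The two tests of the fourth activity (join the terminated-employee and active directory tables on employee number, then compare last logon with the termination date) and the dormant-account test of part two, written here in Python as an added example rather than as the case's ACL script; the CSV rows standing in for the case's two Excel files are constructed, not the authors' data.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed rows standing in for the case's two Excel files (not the case data).
EMPLOYEES_CSV = """emp_no,name,status,term_date
1001,Alice Moore,Active,
1002,Bob Chen,Terminated,2011-03-15
1003,Cara Diaz,Terminated,2011-02-01
1004,Dan Ortiz,Active,
1005,Eve Hall,Active,
"""
AD_USERS_CSV = """username,emp_no,enabled,last_logon
amoore,1001,True,2011-04-20
bchen,1002,True,2011-03-28
cdiaz,1003,True,2011-01-30
dortiz,1004,True,2010-12-01
ehall,1005,True,
svc_backup,,True,2011-04-21
"""

def load_table(text):
    """Activities 1 and 3: 'import' a CSV export into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))

def parse_date(s):
    # Empty cells (never logged on, or not terminated) become None.
    return datetime.strptime(s, "%Y-%m-%d").date() if s else None

def extract_terminated(employees):
    """Activity 2: extract only the terminated employees."""
    return [e for e in employees if e["status"] == "Terminated"]

def join_on_emp_no(terminated, ad_users):
    """Activity 4: inner join on employee number; accounts with no emp_no never match."""
    by_emp = {e["emp_no"]: e for e in terminated}
    return [{**by_emp[u["emp_no"]], **u} for u in ad_users if u["emp_no"] in by_emp]

def terminated_with_access(joined):
    """Test 1: terminated staff whose account is still enabled (disable immediately)."""
    return sorted(r["username"] for r in joined if r["enabled"] == "True")

def access_after_termination(joined):
    """Test 2: last logon later than the termination date (examine that activity)."""
    pairs = ((r["username"], parse_date(r["last_logon"]), parse_date(r["term_date"])) for r in joined)
    return sorted(u for u, last, term in pairs if last and term and last > term)

def dormant_accounts(employees, ad_users, as_of, max_idle_days=90):
    """Part two: active employees with no logon within max_idle_days; never logged on counts as dormant."""
    active = {e["emp_no"] for e in employees if e["status"] == "Active"}
    cutoff = parse_date(as_of) - timedelta(days=max_idle_days)
    out = []
    for u in ad_users:
        last = parse_date(u["last_logon"])
        if u["emp_no"] in active and (last is None or last < cutoff):
            out.append(u["username"])
    return sorted(out)
```

Running the three checks on the constructed data flags bchen and cdiaz as terminated but still enabled, only bchen as having logged on after termination, and dortiz and ehall as dormant active-employee accounts.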