Auditing the Role of Databases

Auditing

The role of databases in the auditing function is to analyze a much larger volume of information more quickly and accurately than what has been done in the past (Cascarino, 2012). That role is important because manual systems were far less reliable than systems that utilize computers, and those old systems could cause auditors to easily make mistakes that they would not otherwise have made. Now, there are fewer mistakes because of the databases. Companies can get their auditing needs addressed more quickly, as well, and auditors are able to do more work in a shorter period of time (Cascarino, 2012). Both privacy and security are parts of the database role, as well (Cascarino, 2012). Manual systems were more prone to being examined by those who did not have business looking at them, and it was harder for the auditors and the company to protect privileged information. Databases can lock information down much tighter, reducing the chance that the information on the database will be seen by someone who should not be viewing it.

Declarative Definition Language is also used, and its role in the ability to describe security specifications is significant (Cascarino, 2012). Specifications are made more clear by using DDL, and that ensures that the environment is audited more easily (Cascarino, 2012). The controls that are part of the original application can be migrated over to the environment through DDL, thus not changing anything while still protecting all of it (Cascarino, 2012). In short, DDL and databases make things much safer and faster for the company or department that is being audited, and for the company or department doing the auditing. They reduce the chance that something will be misinterpreted or mishandled, and they also lower the chance that there will be any illegal or inappropriate activity on either end of the auditing equation (Cascarino, 2012). That protects all interested parties.

There are qualities and roles of an auditor that go beyond the skill set of normal corporate managers, including an understanding that control does not necessarily come from top management (Cascarino, 2012). Instead, auditors see that control in the business environment of today should focus the control ability on the people who are "owning" the process in which they are engaged (Cascarino, 2012). Management of the project at hand and the auditing environment are part of the roles and qualities of the auditor. It is not that other managers do not have control of their environments, but only that other managers are focused on the top-down approach that does not work well with auditing. Internal controls are vital to the success of an auditor and his or her department, so auditors must be able to control their environments more thoroughly than they would be able to if they were placed under stringent restrictions by upper management (Cascarino, 2012).

Designing and implementing controls are one of the things that auditors do best, because it is part of their jobs (Cascarino, 2012). Since they are so capable of the creation of controls and they understand how those controls should be implemented, their mindsets are different than what would be seen from a standard manager (Cascarino, 2012). Auditors, despite their relatively rigid jobs, are generally more flexible when it comes to management skill, because they know that their field is always changing and they must be able to adapt. Control, for the auditor, is something that comes from within and not something that has to be imposed upon him or her by a manager (Cascarino, 2012). The auditors also understand how to implement and monitor their controls, unlike upper management that often sets controls or rules and then simply allows them to continue being enforced without any regard as to whether they should be changed, amended, updated, or removed altogether (Cascarino, 2012). Auditors look at the world differently, which is part of what keeps them successful.

There are many risks involved in examining evidence in order to arrive at an audit conclusion, and it is important to incorporate the concepts of independence and objectivity (Cascarino, 2012). Auditors that are not objective end up doing a large disservice to their clients. They interject their personal opinion and thoughts into the auditing process, which can create too many concerns regarding what the company has already done, what it should be doing, and why there are differences of opinion on so many issues (Cascarino, 2012). Because auditors are focused on internal controls, it is easy for them to steer the evidence creation and collection a particular way. However, objectivity and independence are the most important traits they can possess. As long as auditing rules are properly followed and no rules of conduct are broken, the way that a particular company handles its business should not be affected by the opinions of the auditors (Cascarino, 2012).

The independence of any auditor is such a significant issue for a company. Auditors can take a long time to arrive at a decision, and if they get that decision wrong they can do serious damage to a company or its stakeholders, as well as tarnishing their own reputations (Cascarino, 2012). Because that is such an issue, auditors have to take care of their clients but also be mindful that they do not get too close to the clients on a personal or professional level. Getting too close to clients can cause a lack of independence and objectivity in an auditor (Cascarino, 2012). While many people who work in companies get close to one another and make friends both inside and outside of the office, auditors must be careful to maintain distance from those they actually audit. Not doing so can mean an auditor who is not objective and who does not maintain enough independence to audit a company properly. Overall, auditors are a different breed and they must remember that so they can do their jobs correctly and keep their work separate.

If auditors do not follow proper rules of conduct, they can have legal action taken against them. This has happened to auditors in the past that do not follow Sarbanes-Oxley and other rules of corporate governance (Cascarino, 2012). Each auditor has rules that he or she follows because they are required for the profession. Additionally, auditors may have opinions that they consider valid and from which they will not deviate. Some of these are their own "rules," and they live by them professionally. Others are rules and opinions that belong to others and which they have taken as their own. Regardless of those, however, the main rules of conduct that are followed by auditors are those which are required by law and that cannot be changed based on the opinion of the auditor (Cascarino, 2012). Auditors who are not willing to follow the rules of conduct end up in trouble, because breaking rules where company audits are concerned can be grounds for prosecution and criminal charges (Cascarino, 2012).

Financial issues are among some of the most significant problems that auditors face, since they have their own reputations on the line along with the reputations of the clients they audit (Cascarino, 2012). Accounting and auditing firms can cause national and international scandals, like the Enron debacle. When a company attempts to hide what it is doing and its misdeeds are discovered in an audit, that company can attempt to put the blame onto the auditor and make it appear that the auditor did not do his job correctly. Auditors who have been found not to follow the rules at any point in their careers will have a great deal of trouble being trusted when they do legitimately discover a problem in the financials of a company. The rules can occasionally change for auditors, however, just like the tax code and other financial requirements. Auditors need to make sure they keep up with the rules and requirements of their professions, in order to be as successful as possible and do the best job for their clients who are trusting in them (Cascarino, 2012).

There are several goals that have to be attended to within the control process. One of these is preventive controls, and they relate to the overall auditing process through an assurance that everything is working as expected from the beginning (Cascarino, 2012). When preventive controls are employed, there is less of a chance of needing other types of controls that would occur later, after a problem has already taken place and has to be corrected or accounted for in some way (Cascarino, 2012). Preventive controls cannot catch everything, of course, because they are not completely infallible. They can fall victim to misuse and abuse just like any other controls in the auditing profession. There are no infallible controls. However, preventive controls are better at catching more serious issues and stopping them from ever getting started (Cascarino, 2012). That can give auditors and their clients peace of mind, and also reduce the number of errors seen during the auditing process.

Preventive measures provide clients with an assurance that they will not have financial trouble later if they use a trusted auditor (Cascarino, 2012). In other words, if the financial difficulties they encounter are the fault of the auditing firm, they will have protection from any legal ramifications they may have encountered from faulty accounting or auditing measures. Preventive measures are also part of the internal controls of the auditing firm itself, so that each person who works with that firm knows the measures that are to be taken to make sure auditing is performed correctly (Cascarino, 2012). The more preventive measures a company has, the more likely that company will be to have good, strong audits that work out acceptably for everyone involved. That may not always be the case, because having preventive measures does not mean that nothing can go wrong. Still, preventive measures typically cost less money and take less time than working to correct a problem after it has already occurred (Cascarino, 2012). Problems can quickly spread, becoming very expensive.

Risk has a strong relationship to the auditing process. There is always some risk in financial transactions, no matter how successful the business actually is or how much it has to offer. The business takes a risk in trusting the auditor, of course, but the auditor also takes a risk in trusting the business to provide it with the correct information on which the audit can be conducted (Cascarino, 2012). Some businesses will go out of their way to have books (or computer programs) that provide information that is not factual. By doing that, they assume that they can turn that information over to be audited and get through the audit without being detected. While companies may have gotten away with that in the past, and some may still be able to do so, most of the issues that could be covered up and hidden by companies can no longer be easily disguised. The auditing company takes on risk when it decides to audit a company and determine that the company has handled its financial transactional appropriately (Cascarino, 2012). Once the audit comes back "clean," the company is assumed to be safe and financially sound.

That is good news for the company, but it may be a problem for stakeholders if the company really is not as sound as was assumed. Those who invest their money into the company can lose out based on a bad audit (Cascarino, 2012). Overall, there are many good auditors available. There are also some that are less well-prepared and some that can be guided to take the direction the company they are auditing wants them to take. Enron was not the only scandal that showed accounting and auditing in a bad light, as there have been plenty of others where financial information that was assumed correct has changed and been a serious problem for the investors and stakeholders of the company who were not expecting any difficulties with the investment they had chosen. Investments are always risks, but poor auditing can provide more risk than would otherwise be expected.

There are advantages and disadvantages to audit planning. These audit plans are difficult or nearly impossible to accurately follow, however, because there are so many concerns that surround them. Depending on the database used, the information provided by the company, and the work done by the particular auditor, the plan may seem to differ greatly from another plan for another company (Cascarino, 2012). By planning an audit, it is easy to have a "blueprint" of sorts for the way it will be carried out (Cascarino, 2012). The work gets done faster and more easily and conveniently, because the auditor has a specific plan to follow (Cascarino, 2012). Any time a person has a good plan for the work he or she must do, it is possible for that person to move forward with courage and conviction, and to focus more directly on the task at hand (Cascarino, 2012). That is good news for the auditor, but it is also good news for the client who would like to see the audit completed as easily as possible in order to ensure that it does not take up too much time (Cascarino, 2012).

The reporting of the audit and the allocation of the work will be better with a plan (Cascarino, 2012). However, plans can be a detriment in some ways, because they provide too much structure and rigidity (Cascarino, 2012). If an auditor is not willing to have any flexibility, or if a company is too strict about the way their auditors process information, it is possible that the plans the auditor has to follow will actually slow them down, because they will be required to perform steps that could easily be avoided otherwise (Cascarino, 2012). That does not mean that auditors should take shortcuts, but only that there are often several ways to do something - including auditing a company properly and ensuring that it is continuing to perform its financial duties correctly. Each company that struggles to keep its finances in order could find itself with a serious issue due to an audit, and audit planning must be flexible enough to be adjusted when necessary to catch these kinds of problems (Cascarino, 2012).

There is a strong relationship between audit management and audit quality assurance. Audit management is just what it sounds like - managing audits and ensuring that they are taking place correctly. Audits have to be managed by the auditors who are handling them in order to ensure that they have not been manipulated or that there is nothing deceitful taking place (Cascarino, 2012). Audit quality assurance is part of good audit management, since each auditor must ensure that he or she is performing duties correctly and following all rules that pertain to auditing companies (Cascarino, 2012). That does not mean that every auditor will do everything exactly the same, because there is room for flexibility. However, each auditor must work within the confines of the overall rules. Those auditors also have to work with the rules provided to them by each company (Cascarino, 2012). That is where audit management comes into play, because the company manages its auditors and the auditors must also manage themselves (Cascarino, 2012).

Internal control is very important to auditors, because they must have a high level of control over the processes in which they are engaged. They cannot be swayed by their clients, and they must be sure of the rules and regulations they are following (Cascarino, 2012). Performing quality control on an audit is similar to a management function and often falls under management, but is also considered to be more significant than that because quality control allows the company to see what its auditors are actually doing each time they perform an audit (Cascarino, 2012). The goal is to ensure that the auditors are consistently doing things correctly, and that they are clear about the regulations and the rules they must follow. If there are quality control problems, it is vital that they are caught quickly so that they can be corrected (Cascarino, 2012). Allowing a quality control problem to continue could be highly detrimental to the auditor and also the company being audited.

In the auditing evidence process there is certainty of risk. The risk can be reduced in other evidence processes by various methods. The use of simulations such as the Monte Carlo, game theory, and queuing theory allow for the determination or classification of risk. This is done through using specific methods to decide just how much risk is being undertaken by a certain aspect or a specific choice (Cascarino, 2012). Some companies are much more risk averse than others, and those companies often do not end up with great rewards because they do not take the kinds of risks that can result in bigger rewards (Cascarino, 2012). Great risk can equal great reward, but great risk can also backfire and end up causing many problems for a company. Those problems can extend to the stakeholders and investors for that company, as well (Cascarino, 2012). When an investor is considering a company, he or she will want to know how the audits have been done and what they have shown. Risk has to be measured, or it will not be possible to accurately audit the company and provide enough information to the potential investors and stakeholders (Cascarino, 2012).

Running simulations will allow an auditor to see what could, potentially take place in any given scenario. Once the auditor sees that, he or she will be able to better determine which scenarios have acceptable risk and reward, and which are too much and too dangerous for investors and stakeholders (Cascarino, 2012). Not all simulations are appropriate for all scenarios and all companies, of course, and it is also a good idea to try more than one simulation for a company, because the risk may come out much differently in one scenario than it may in another, just based on the model that was used (Cascarino, 2012). Some auditors also prefer a particular model over others, so it depends on the auditor and the company as to what model will be used (Cascarino, 2012). There is nothing wrong with using one model over the others, as they all work acceptably well.

Audit reporting is necessary in order to apprise management of the various results from the objectives of the audit. This feedback to management is sometimes the more difficult task of an audit process. When an audit is processed, there will be conclusions drawn and impressions made. That allows the auditors to make a final determination as to whether the audit provided all the necessary information on the company for stakeholders and investors (Cascarino, 2012). Providing the report takes time, because it is more than just sticking all of the audited information into a document (Cascarino, 2012). When an auditor prepares a report, that auditor is taking everything he or she learned during the audit and putting it together, along with addressing any concerns or issues that have come to light (Cascarino, 2012). Just placing figures into a spreadsheet or adding them to a "boilerplate" report is not the way an auditor handles issues with reporting (Cascarino, 2012). Audits have objectives, because not all audits are the same. Determining the objectives early on will help the auditor decide how to proceed (Cascarino, 2012).

Once an auditor is aware of how best to proceed, he or she can carefully consider all issues surrounding the audit and how best to provide an informational report that will offer the proper information to those who read it (Cascarino, 2012). Some audit reports are more complex and specialized than others, of course, and that is something that the auditor must address. Who the report is being prepared for and the purpose of the audit will affect what is studied and how the information is later presented to the requesting party (Cascarino, 2012). Internal audits are often less formal and complex than audits that are requested by governmental agencies, for example. While all audits must use the same facts and figures, more complex reports can sometimes make a company look better or worse than less complicated reports that are not as in-depth.

Audit management covers a wide area, such as projects, quality control, operations and production, performance and technical services. For someone at the management level, these areas would be qualified and efforts prioritized based on the need for information (Cascarino, 2012). In other words, what kind of information is required from the audit? The objectives and information that matter the most in the audit should be prioritized. For managers, though, projects are vital and the quality control for those projects means that management has something on which to focus. Operations and production, along with performance and technical services, all have to be managed. Managers must consider which is more important to them - the detailed and fine control of all the operations and production, or the less aggressive control of the overall performance (Cascarino, 2012). If the auditors are able to focus on what they do best without being deeply constrained by specific management rules that are too demanding, they will generally perform better (Cascarino, 2012).

In other words, managers must "pick their battles" and determine what they really want from their auditors. In general, managers who are not as aggressive with their control of the auditors who work for them will have better outcomes (Cascarino, 2012). They allow their auditors more of a free reign, and auditors who have that develop more of an internal control mechanism that they can then use in order to adjust their personal style to do the best job possible, quickly and efficiently (Cascarino, 2012). Quick and efficient auditors means that the firm for which they work is going to make more money and be able to care for more clients in a timely manner (Cascarino, 2012). Naturally, that is very important for the auditors and also for the clients they are attempting to help with their skills. Whether the audit was requested by the client or required by a governmental or other agency, it is in everyone's best interest to manage it correctly.

One of the systems used to analyze the workings of a company is the process-oriented system. This can be used to look at management, customers, operations, staff, and technical support, among other areas of the company (Cascarino, 2012). Being process oriented is very significant, because the processes in an auditing firm are so vital (Cascarino, 2012). Management has a process it follows, as does the overall operations of the company. The staff, technical support personnel, and even the customers have processes they follow. By analyzing those processes and determining how to make them efficient and effective for everyone, each person involved in the process can benefit (Cascarino, 2012). It is not always easy to create a process oriented system, but that does not mean attempting to do so should be avoided. Once the system has been created and adjusted to work properly, it needs only occasional, minor adjustment in order to remain effective (Cascarino, 2012).

Process oriented systems also make the people who are engaged in them feel as though they matter and that they have value (Cascarino, 2012). When a company is focused on the processes through which every system and every person must move, there is an efficiency that cannot be had with other types of systems - as those have a different orientation (Cascarino, 2012). That does not mean that a process oriented system is the only way to go, of course, but only that it is highly efficient and can work very well when it comes to ensuring that customers are happy and auditors are comfortable with the work they have been asked to do (Cascarino, 2012). No matter which process is set by a company that does auditing, that process can be streamlined in order to ensure that all of the people who come into contact with that system have the highest level of success and are able to get what they need from the interaction (Cascarino, 2012). Firms who provide streamlined systems not only get more done, but they also keep their customers happier (Cascarino, 2012).

Oracle can be used to manage areas such as configuration and change management, capacity management, and business continuity management (Cascarino, 2012). While Oracle does not work for everything in an auditing firm on all levels, there are so many areas of an auditing firm that are background systems and not specifically designed to be a part of the auditing function. Managing the business continuity and change management issues, for example, can be handled with Oracle. Business continuity is a vital part of any business or company. If something causes the main systems of the business to fail, such as a manmade or natural disaster, the business must be able to continue to provide for its customers (Cascarino, 2012). Without a good business continuity plan, that will simply not be the case. A business can fail very quickly if that happens, because each and every business needs to stay in the minds of its customers. When customers forget about a business, that business can easily disappear - and continuity plans can keep that from happening.

Change management is also highly significant from a business standpoint. Every business must be able to offer change as it is needed (Cascarino, 2012). That keeps customers coming back, because they know that they are going to get proper service and their concerns are going to be taken into account. To many customers, that is just as important as the actual product or service they receive from the company (Cascarino, 2012). If there are problems and complaints, and then nothing ever changes or improves, customers will eventually stop returning to the business. Change management has to take into account what works and what does not work, along with what customers and employees are saying they need in order to feel good about the business (Cascarino, 2012). While it is generally not possible to ensure that everything a customer wants is given to him or her, there is certainly a possibility for management to be open to change.