Chi-Chun Chou, Assistant Professor Department of Accounting Chung-Yuan Christian University

1. The Continuous Auditing Methodology for Web-Release – An ECAM Prototype Using Object-Oriented Technology Chi-Chun Chou, Assistant Professor Department of Accounting Chung-Yuan Christian University 22 Pu-Jen, Pu-chung Li, Chung Li, Taiwan, Republic of China PHONE: 011-886-3-4563171(ext.)5316 FAX: 011-886-3-34372092 E-mail: chichun@cycu.edu.tw

2. Continuous Auditing as the Solution to Web-Release Assurance • WE NEED WEB-RELEASE, BUT HOW TO CONTROL THE ASSURANCE PROBLEM? • Is Continuous Auditing the SOLUTION? • Our Preliminary Analysis Indicates: Ceteris paribus, given the appropriate technology, the total economic welfare under continuous auditing will never be less than the real-time auditing, and the real-time auditing will never be less than the traditional periodical auditing, regardless of their information environment type.

3. But, how to Conduct it ? • Thinking on the Basic Requirements • Analyzing the Conceptual Model • Identifying the Implementation Tools • Realizing the ECAM System

4. Basic Requirements • AUTOMATION is the KEY to Continuous Auditing! • To Make Data MACHINE-READABLE is the KEY to Automated Data Extraction! • The MACHINE-EXECUTABLE PROCEDURES to Read and Analyze Data is the KEY to Automated Data Analysis! • Detail Requirements: • OLCT: Propositions 3-1 to 3-5 • CSTM: Propositions 3-6 to 3-7

5. Machine-ReadableData • How to Read? • Requiring the knowledge of Data Schema Design • Wait and Wakeup Threads (Non-Semantic Daemons) • Requiring no knowledge of Data Schema Design • Semantic Intelligent Agents -> Mission Impossible! • PRE-ARRANGED Data: Standard Data Interface (ex: XML-Based Format) • Embedded Event-Triggering Methods (ex: OO-Based EAM Gateway) • What to Read? • Can we use INTERNAL CONTROL INFORMATION? • The “Hooked” Balance-Related Transaction Data • When to Read? • On_Updates of the INTERNAL CONTROL Configuration • On_Posted of each Transaction • Where to Read? • URI of INTERNAL CONTROL Configuration Data • URI of Transaction Data

6. Machine-ExecutableProcedures • How to Perform? • Event-Triggering Threads (ex: OO-Based Audit Patterns) • What to Perform? • Workflow-Based Control Testing Logic • Automated Transaction and Balance-Related Testing Procedures • Error-Detecting Procedures • Error-Correcting Procedures • When to Perform? • On_Retrieval of the updated INTERNAL CONTROL Configuration • On_Retrieval of each Transaction Data • Where to Perform? • Continuous Auditor’s Server

7. On-Line Control Testing • Idea: • Let Client’s System Setting Talks: • Obtaining Control Configuration Data Directly from the Client’s System Setting -> Workflow Control Data • Benefits: • More Direct Results: No more Testing Data Method • Easier to achieve Continuous Monitoring • Exact Tie-in to the Substantive Testing • Determinants of a Successful OLCT • The availability of control configuration data • The reliability of system application components • The reusability of OLCT mechanism

8. Analyzing Steps for OLCT • Identify the Testing Objectives of OLCT, restricted by: • High measurability of the control element • Low “pervasiveness” of the control element • High feasibility to facilitate control testing by computer • Identify the System Control Evaluating Model • Tie-in to the Substantive Testing Patterns • Considering the Influence of Client System on OLCT • Availability of Control Configuration Data • Maintenance of Control Data Availability • Reliability of System Application Components • Data Model Requirements for OLCT • Continuing Availability of Control Configuration Data • The Maintenance and Reusability of OLCT Mechanism

9. Continuous Substantive Testing Model • Idea: • Transaction Testing REPLACES Balance Testing • Obtaining and Analyzing the Transaction on Timely Basis • Automated Transaction Testing BASED on Control Testing • Benefits: • Easier to achieve Real-time Audit Reports • Automation Decreases the Operational Costs • Exact Substantive Testing according to the OLCT Patterns • Determinants of a Successful CSTM • The availability of transaction data • The comprehensiveness of CSTM mechanism • The reusability of CSTM components

10. Analyzing Steps for CSTM • Identify the Testing Objectives of CSTM • Identify the Continuous Substantive Testing Model • Considering the Influence of Client System on CSTM • Continuing Availability of Transaction Data • Data Model Requirements for OLCT • The Comprehensiveness of CSTM Mechanism • The Maintenance and Reusability of CSTM Components

11. Realizing ECAM • System Architecture of ECAM • OOAD is the Best Solution! • Implementation Tools: • Prototype Demonstration: • http://chichun.ac.cycu.edu.tw/research.htm • Concluding Remarks and Future Study

12. The Comparisons of Three Audit Approaches

13. Determinant Factors for an Efficient OLCT

14. DIST1 stands for the least deficient situation that we call “inconsistency”. Using ICDL words, DIST1 collects the inconsistent deficiencies describes as follows: “For each (nl, rk) in {PC} under auditing, it is found a corresponding pair (nl, rk)* in {PC*} and each nl in (nl, rk) will be identical to nl* in (nl, rk)*. However, there exists some rk is not equal to rk*.” DIST2 is the moderate case of deficiency that we call “incomprehensiveness” deficiency. Using ICDL terms, DIST2 is the case when each ni in {PC} has an identical node ni* in {PC*}, there exists some rk* in {PC*} but rk*not in {PC}. DIST3 has the worst situation is the “incompleteness”, represented by DIST3, which means there exists some nl*in {PC*} but nl* not in {PC}, as well as its related preconditions rk*. This deficiency might increase the possibility of fictitious transactions so that a serious further investigation on the existence assertion might be necessary. System Control Evaluating Model using ICDL

17. An ASP Framework for ECAM

18. ECAM Data Model Client System Data Model Class Diagram – an Illustration of ECAM Data Model

19. System Design Approach Client System ECAM Audit Risk Availability of Control Configuration Data[1] Maintenance of Control Data Retrieval Maintenance of OLCT and CSTM Mechanism Reusability of OLCT and CSTM Mechanism Continuing Retrieval of Transaction Data and Control Data Transaction Data Accessibility Reliability of System Components Pure Procedural Low Low Low Low High Low Low High Procedural System with DBMS High Low Low Low High High Low High Modular System High Medium Medium Low High High Low Medium – High Component-Based System High High High Medium High High Medium Medium Object-Oriented System High High High High High High High Low Audit Risk Induced by Various System Design Approaches

20. Illustration of the Transaction-Basis Testing Scheme

21. Illustration of CSTM Processes

23. Development Process Development Tools Internet Resources System Control Analysis ICDL, IDEF3 Bailey et al. (1985), http://www.idef.com/ OOAD UML, Rational Rose 2000 http://www.rational.com/rose/ Middle Ware for Audit Objects 1. IBM San Francisco Framework 1.40 2. IBM San Francisco Application Development with CBO Labs 3. IBM San Francisco Code Generator http://www.ibm.com/Java/Sanfrancisco/ Application Development Kits Java Development Kit 1.1.7, Borland Jbuilder 3.0 Professional http://java.sun.com/products/jdk/1.1/docs/ http://www.borland.com/jbuilder/ Web Client and Server Program HTML 4.0, JavaScript, Java Applets, Java Servlets and Java Server Pages http://java.sun.com/products/servlet/ http://java.sun.com/products/jsp/ http://java.sun.com/ Application Server IBM WebSphere Application Server 2.0 http://www-4.ibm.com/software/webservers/ Database Server IBM SF Posix Store http://www.ibm.com/Java/Sanfrancisco/ Web Server Microsoft Internet Information Server 4.0 http://www.microsoft.com/technet/iis/default.asp Operating Platform Microsoft NT 4.0 http://www.microsoft.com/technet/winnt/default.asp Summary of the Analysis, Design and Implementation Tools for ECAM Prototype