
Computer-assisted audit techniques (CAATs), also called computer-assisted audit tools and
techniques (CAATTs), are the practice of using computers to automate the IT audit process. They are
the fundamental tool auditors use to search a given set of data for irregularities. With this tool, the
auditors and accountants of a firm can provide more analytical results. CAATs are used across
business environments and industry sectors.
CAATs normally involve basic office productivity software such as spreadsheets, word
processors and text editors, as well as more advanced software packages such as statistical
analysis and business intelligence tools.
Uses of CAATs
A. Creation of Electronic Work Papers - Auditors have many financial statements and other
documents which they must keep safe and organized. Keeping electronic work papers in a
centralized audit file or database lets the auditor navigate current and archived working
documents with ease; this saves a lot of time and, in turn, money.
B. Fraud Detection - Most of the time there are unexpected or unidentified patterns in the data
which affect the audit. With the help of CAATs, auditors can identify these problems quickly,
which helps prevent fraud.
C. Analytical Tests - Computer software can create charts, graphs, ratios and trends by analyzing
and evaluating a set of data.
D. Curbstoning in Surveys - A common problem within companies: the person carrying out a
survey does not actually interview anyone but instead makes up a set of data. It is vital that
auditors detect this, because it can invalidate the survey results.
E. Continuous Monitoring - An ongoing process of acquiring, analyzing and reporting business
data to identify and respond to operational business risks.
SOFTWARE TOOLS:
1. SPREADSHEET - A file made of rows and columns that helps sort and arrange data easily and
calculate numerical data. What makes a spreadsheet program unique is its ability to calculate
values using mathematical formulas and the data in cells.
EXAMPLES:
• MS EXCEL - the most popular and widely used spreadsheet program, but there are also
many alternatives.
• GOOGLE SHEETS (online spreadsheet)
• LOTUS 1-2-3
• IWORK NUMBERS (on Mac)
2. DATABASE SOFTWARE - A database is a collection of information organized so that it can be
easily accessed, managed and updated. Data is organized into rows, columns and tables, and it is
indexed to make it easier to find relevant information.
EXAMPLES:
• MS ACCESS - used for both small and large database deployments. This is partly due to its
easy-to-use graphical interface, as well as its interoperability with other applications and
platforms such as Microsoft's own SQL Server database engine and Visual Basic for
Applications (VBA).
• MYSQL
• SAP SYBASE
• ORACLE
3. BUSINESS INTELLIGENCE - Comprises the strategies and technologies used by enterprises
for the data analysis of business information.
EXAMPLES:
• QLIKVIEW
• IBM COGNOS
BUSINESS ANALYTICS - gathers data statistically and quantitatively.
BUSINESS INTELLIGENCE - gathers data through questions and reports.
4. STATISTICAL ANALYSIS - Comprises the strategies and technologies used by enterprises for
the data analysis of business information. The SAS statistical software suite also provides the
SAS Fraud Framework, whose primary function is to monitor transactions across different
applications, networks and partners and use analytics to identify anomalies that are indicative of
fraud.
BENEFITS:
• Statistical analysis allows a company to make crucial decisions about projects.
• It identifies trends in the marketplace that help determine whether a project is worth
investing in.
• Business statistics also help with projecting future data or events that might occur.
• If you are considering the risk factors of a specific project that your company wants to roll
out, statistics are necessary.
EXAMPLES:
• IBM SPSS
• QLIK SENSE
• STATISTIX
5. GENERALIZED AUDIT SOFTWARE - Software designed to read, process and write data using
functions that perform specific audit routines, together with user-written macros. It is a tool for
applying computer-assisted auditing techniques. Its functions start with importing computerized
data; the data can then be browsed, sorted, summarized, stratified, analyzed and sampled, and
calculations, conversions and other operations can be performed on it.
EXAMPLES:
• ACL (Audit Command Language) - a data analysis program that helps auditors keep up with
changing technology. Its primary usefulness lies in its ability to perform analysis and audit
tests on 100% of the data available rather than merely sampling the data.
• IDEA (Interactive Data Extraction & Analysis) - a leading e-audit data-analytics software
package. IDEA provides audit, finance and compliance professionals in industry and practice
with an efficient and effective solution for high-performance audits. It is also used by tax
authorities throughout the world (including the Revenue Commissioners) to interrogate
taxpayer transaction and system data.

Audit specialized software may perform the following functions:
• Data queries - Data query languages (DQLs) are computer languages used to query databases
and information systems (e.g. SQL).
• Data stratification - the separation of data into smaller, more defined strata based on a
predetermined set of criteria.
• Sample extractions - selecting a subset of items for testing. Sampling risk is the possibility that
the items selected in a sample are not truly representative of the population being tested.
• Missing sequence identification
• Statistical analysis
• Calculations
• Duplicate transaction identification
• Pivot table creation - a way to summarize, analyze, explore and present data, created with
just a few clicks.
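As an added illustration of the fraud-detection use and of the audit-software functions listed above (not code from the original notes, and not ACL or IDEA script), the Python below runs a data query, a missing-sequence test, a duplicate-transaction test, a stratification and a fixed-interval sample over a constructed invoice ledger. The ledger, its column names and the strata bounds are assumptions.

```python
"""Added example: generalized-audit-software style tests over a constructed
invoice ledger. The ledger, column names and band bounds are assumptions."""
import sqlite3

# Constructed sample ledger: (invoice_no, customer, amount). A gap at 1004 and a
# repeated invoice 1006 are planted so the audit tests have something to find.
INVOICES = [
    (1001, "ACME", 250.00),
    (1002, "ACME", 1200.00),
    (1003, "Globex", 75.50),
    (1005, "Initech", 4999.99),
    (1006, "Globex", 310.00),
    (1006, "Globex", 310.00),
    (1007, "Initech", 18.25),
]

def load_ledger(rows):
    """Data query: load the ledger into sqlite so tests can use SQL, as ACL/IDEA would."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE invoice (no INTEGER, customer TEXT, amount REAL)")
    con.executemany("INSERT INTO invoice VALUES (?, ?, ?)", rows)
    return con

def missing_sequence(con):
    """Missing sequence identification: invoice numbers absent between min and max."""
    present = {r[0] for r in con.execute("SELECT no FROM invoice")}
    return sorted(set(range(min(present), max(present) + 1)) - present)

def duplicate_transactions(con):
    """Duplicate transaction identification: same (no, customer, amount) seen twice or more."""
    sql = ("SELECT no, customer, amount, COUNT(*) FROM invoice "
           "GROUP BY no, customer, amount HAVING COUNT(*) > 1")
    return list(con.execute(sql))

def stratify(con, bounds):
    """Data stratification: (count, total amount) of invoices per amount band [lo, hi)."""
    amounts = [r[0] for r in con.execute("SELECT amount FROM invoice")]
    strata = {}
    for lo, hi in zip(bounds, bounds[1:]):
        band = [a for a in amounts if lo <= a < hi]
        strata[(lo, hi)] = (len(band), round(sum(band), 2))
    return strata

def interval_sample(con, interval, start=0):
    """Sample extraction: fixed-interval selection of every n-th invoice in number order."""
    rows = con.execute("SELECT no, customer, amount FROM invoice ORDER BY no").fetchall()
    return rows[start::interval]
```

The gap and the duplicate are exactly the exceptions an auditor would follow up with supporting documents; the strata totals show where the money concentrates before a sample is drawn.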
AUDITING IN THE CIS ENVIRONMENT
o IT AUDIT - any audit that encompasses review and evaluation of automated information
processing systems, related non-automated processes and the interfaces among them.
o IT GOVERNANCE - a process that ensures the effectiveness and efficiency of IT in enabling an
organization to achieve its goals.
o IT GOVERNANCE FRAMEWORK - a framework that ensures the organization's IT
infrastructure supports and enables the achievement of its strategies and objectives.
• ITIL
• COBIT
• ISO7002
Work of an IT Auditor
• Responsibilities - Responsible for the internal controls and risks of a company's technology
network. Identifies weaknesses in systems and networks and creates action plans (solutions).
• Skills Required - IT auditors typically have a bachelor's degree in IT, information systems,
accounting or business administration. They must develop solid communication skills, not only to
understand technical jargon but to translate it into business-related decisions for management
and clients.
• Work Environment - IT auditors work at financial institutions (banks), accounting firms and IT
companies; some travel may be required depending on the work.
• Certification - People are happier working for an organization that invests in their professional
development and is committed to helping them take the next steps. Holding the highest
professional standards also gives clients greater confidence: they feel safer and more secure
knowing they are in certified hands.

Some of the certifications for IT Auditors
• American Institute of Certified Public Accountants (AICPA)
o The national professional organization of Certified Public Accountants (CPAs) in
the United States
o The AICPA's mission is to "Power the success of global business, CPAs, CGMAs and
specialty credentials by providing the most relevant knowledge, resources and advocacy,
and protecting the evolving public interest."
• Association of Certified Fraud Examiners (ACFE)
o Established in 1988
o A professional organization of fraud examiners
o The ACFE is the world's largest anti-fraud organization
• Institute of Internal Auditors (IIA)
o Established in 1941
o An international organization of internal auditing professionals
o The stated mission of The Institute of Internal Auditors is to provide "dynamic
leadership" for the global profession of internal auditing
• Information Systems Audit and Control Association (ISACA)
o Founded in 1969
o The largest professional organization of IT auditors
o ISACA is an independent, nonprofit, global association that engages in the development,
adoption and use of globally accepted information system (IS) knowledge and practices.

LEGAL AND ETHICAL ISSUES FOR IT AUDITORS
• Ethics, or moral philosophy, is a branch of philosophy that involves systematizing, defending
and recommending concepts of right and wrong conduct.
• Ethical codes are sets of rules adopted by organizations to assist members in understanding
the difference between right and wrong and in applying that understanding to their decisions.
• An irregular act reflects either an intentional violation of corporate policies or regulations or an
unintentional breach of law.
• An illegal act represents a willful violation of law.
IRREGULAR AND ILLEGAL ACTS: MANAGEMENT RESPONSIBILITIES
• Establish policies and procedures aimed at governing employee conduct.
• Responsible for the prevention and detection of irregular and illegal acts.
IRREGULAR AND ILLEGAL ACTS: IT AUDITOR RESPONSIBILITIES
• Plan the IT audit engagement based on an assessed level of risk that irregular and illegal
acts might occur and that such acts could be material to the subject matter of the IT
auditor's report.
• Design audit procedures that consider the assessed risk level for irregular and illegal acts.
• Review the results of audit procedures for indications of irregular and illegal acts.
• Report suspected irregular and illegal acts.
• Determine how the act slipped through the internal control system.
• Evaluate the results of audit procedures.
• Consult legal counsel and possibly corporate governance bodies to estimate the potential
impact of the irregular and illegal acts.
COMMON TYPES OF REGULATORY AND LEGAL ISSUES
1. LEGAL CONTRACT - an agreement between or among two or more persons or entities to do,
or to abstain from doing, something in return for an exchange of consideration.
ELEMENTS IN A CONTRACT
• OFFER - the nature or subject of the agreement.
• CONSIDERATION - states what the offeror expects in return from the offeree.
• ACCEPTANCE - clearly identifies the offeror and offeree; both must sign and date the contract.
TYPES OF LEGAL CONTRACT
• Employee Contracts - a special type of contract between employer and employee; it contains
the position title, performance criteria, compensation schemes, working hours, etc.
• Confidentiality Agreements - a legal contract that outlines confidential material, knowledge or
information that the parties wish to share with one another for certain purposes but wish to
keep from third parties.
• Trade Secret Agreements - a contract that protects secrets, such as a formula, pattern,
compilation, method, technique or process, that derive independent economic value.
• Discovery Agreements - an agreement between employer and employee which allows the
transfer of ownership of a discovery to the employer.
• Non-compete Agreements - also known as a covenant not to compete; an agreement by the
employee not to enter into or start a similar business in competition with the employer.
• Trading Partner Contracts - a written agreement between companies and their trading
partners, e.g. customers and suppliers.
2. COMPUTER CRIME - also known as cybercrime; the direct or indirect use of computer and
communication technologies to perpetrate a criminal act.
• Hacking - the practice of modifying or altering computer software and hardware to accomplish
a goal that differs from the original purpose of the system.
• Keylogger - a technology that tracks and records consecutive keystrokes on a keyboard.
Because sensitive information such as usernames and passwords is often entered on a
keyboard, a keylogger can be a very dangerous technology.
• Phishing - the fraudulent act of acquiring private and sensitive information, such as credit card
numbers, personal identification and account usernames and passwords.
• Spoofing - a technique used to gain unauthorized access to computers, whereby the intruder
sends messages to a computer with an IP address indicating that the message is coming from a
trusted host.
• Skimming - the illegal copying of information from the magnetic strips found on credit and
debit cards. Card skimming is considered a more direct version of a phishing scam.
3. INTELLECTUAL PROPERTY - refers to the valuable creations of the human mind.


INFORMATION TECHNOLOGY RISKS AND CONTROLS
Executives should know the right questions to ask and the right answers:
• Why should I understand IT risks and controls? Assurance and reliability.
• What is to be protected? Trust.
• When should IT risks and controls be assessed? Always.
• How much control is enough? Management must decide based on risk appetite and risk
tolerance.
IT Governance - Provides a framework to ensure that IT can support the organization's overall
business needs.
Key components:
• Leadership - evaluate the relationship between IT objectives and the organization's current
strategic needs.
• Organization structures - review how business and IT personnel are interacting and
communicating current and future needs through the existing organizational structure.
• IT Processes - evaluate IT process activities and the controls in place to manage the needs of the
business while providing necessary assurance.
• Risk Management - review the IT activity's processes to identify, assess, and monitor/mitigate
risks within the IT environment.
• Control activities - assess the key control activities IT has defined to manage its business and to
support the overall organization.
PERFORMING A RISK ANALYSIS
Basic questions associated with the risk assessment process include:
1. Which IT assets (both tangible and intangible, e.g. information, reputation) are at risk, and
what is the value of their confidentiality, integrity, and availability?
2. If a threat event happened, how bad would its impact be?
3. How often might the event be expected to occur?
4. What can be done to reduce the risk?
5. How much will it cost?
6. Is it cost efficient?

Risk mitigation strategies
1. Accept the risk
2. Eliminate the risk
3. Share the risk
4. Control/mitigate the risk

THE 5 MOST COMMON IT PROBLEMS
1. Network security/data security
2. Data back-up issues
3. Hardware and software issues
4. No IT plans
5. The cloud confusion

IT CONTROLS - Specific activities performed by persons or systems, designed to ensure that business
objectives are met.

Two categories of IT controls
1. IT General Controls - represent the foundation of the IT control structure. They help ensure the
reliability of data generated by IT systems.
Types of controls
• Control environment - controls designed to shape the corporate culture.
• Change management procedures - controls designed to ensure that changes meet business
requirements and are authorized.
• Source code/document version control - controls designed to protect the integrity of program
code.
• Software development life cycle - controls designed to ensure IT projects are effectively
managed.
• Logical access policies, standards and processes - controls designed to manage access based
on business need.
• Disaster recovery/backup and recovery procedures - enable continued processing despite
adverse conditions.
• Physical security - controls to ensure the physical security of IT from individuals and from
environmental risks.
2. IT Application Controls - fully automated controls (performed by systems) designed to ensure
the complete and accurate processing of data, from input through output.
Types of controls
• Completeness checks - controls that ensure all records were processed from initiation to
completion.
• Validity checks - controls that ensure only valid data is input or processed.
• Identification - controls that ensure all users are uniquely and irrefutably identified.
• Authentication - controls that provide an authentication mechanism in the application system.
• Authorization - controls that ensure only approved business users have access to the application
system.
• Input controls - controls that ensure the integrity of data fed from upstream sources into the
application system.
• Forensic controls - controls that ensure data is scientifically and mathematically correct based
on inputs and outputs.
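As an added example (not from the original notes), the Python below shows what a completeness check, a validity check, an input control and an authorization control look like when applied to one constructed batch of payment records: the batch is rejected whole if its record count or control total does not match the header, and otherwise each record is accepted or rejected with the reasons found. The field names, header layout and master-file contents are assumptions.

```python
"""Added example: application controls over a constructed payment batch.
Field names, the batch header layout and master data are assumptions."""

# Constructed batch: a header carrying the expected record count and a control
# total (sum of amounts), followed by the records themselves.
BATCH_HEADER = {"expected_count": 3, "control_total": 1525.00}
BATCH_RECORDS = [
    {"id": "P1", "payee": "C100", "amount": 500.00, "approver": "alice"},
    {"id": "P2", "payee": "C200", "amount": 1050.00, "approver": "mallory"},
    {"id": "P3", "payee": "C999", "amount": -25.00, "approver": "alice"},
]
CUSTOMER_MASTER = {"C100", "C200", "C300"}   # input control: known payees only
AUTHORIZED_APPROVERS = {"alice", "bob"}      # authorization control

def completeness_check(header, records):
    """Completeness: the batch arrived whole (record count and control total both match)."""
    total = round(sum(r["amount"] for r in records), 2)
    return len(records) == header["expected_count"] and total == header["control_total"]

def record_errors(record, master, approvers):
    """Validity, input and authorization checks on one record; returns the failures found."""
    errors = []
    if record["amount"] <= 0:
        errors.append("amount must be positive")          # validity check
    if record["payee"] not in master:
        errors.append("payee not in customer master")     # input control
    if record["approver"] not in approvers:
        errors.append("approver not authorized")          # authorization
    return errors

def process_batch(header, records, master, approvers):
    """Reject the whole batch if incomplete; otherwise accept or reject record by record."""
    if not completeness_check(header, records):
        return {"accepted": [], "rejected": {r["id"]: ["batch incomplete"] for r in records}}
    result = {"accepted": [], "rejected": {}}
    for r in records:
        errors = record_errors(r, master, approvers)
        if errors:
            result["rejected"][r["id"]] = errors
        else:
            result["accepted"].append(r["id"])
    return result
```

The rejected list with its reasons is the exception report an auditor would expect the application to retain, since it is the evidence that the controls operated.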
