Computer-Assisted Audit Tools Overview

Computer Assisted Audit Tools (CAATs) can be used to perform extensive testing of electronic transactions and entire populations of data. CAATs allow auditors to select samples, sort transactions, and test controls operating over millions of transactions. When selecting CAATs, auditors should determine the enterprise's audit objectives and priorities, the types and scope of audits needed, the technology environment, and the risks involved to select the appropriate tools.

Computer Assisted Audit Tools

ISA 330

A16. The use of computer-assisted audit techniques (CAATs) may enable more extensive testing of electronic transactions and account files, which may be useful when the auditor decides to modify the extent of testing, for example, in responding to the risks of material misstatement due to fraud. Such techniques can be used to select sample transactions from key electronic files, to sort transactions with specific characteristics, or to test an entire population instead of a sample.

A24. The nature of the particular control influences the type of procedure required to obtain audit evidence about whether the control was operating effectively. For example, if operating effectiveness is evidenced by documentation, the auditor may decide to inspect it to obtain audit evidence about operating effectiveness. For other controls, however, documentation may not be available or relevant. For example, documentation of operation may not exist for some factors in the control environment, such as assignment of authority and responsibility, or for some types of control activities, such as control activities performed by a computer. In such circumstances, audit evidence about operating effectiveness may be obtained through inquiry in combination with other audit procedures such as observation or the use of CAATs.

IT Influence on Business

• Electronic data interchange and payment transfer systems that electronically transmit (paperless) orders and payments from one computer system to another
• Systems that provide electronic services to customers. In these situations, the IT system automatically initiates bills for the services rendered and processes the billing transactions
• Automated reasoning systems (ARS) (e.g., artificial intelligence systems) that employ complex if/then rules to make decisions (for instance, a dynamic tariffing system that automatically changes the tariff based on time of day and level of congestion)
• Computer programs containing algorithms or formulas that make complex calculations, such as automatically computing commissions, allowance for doubtful accounts, reorder points, loan reserves and pension funding calculations

Implications

• Loss of visibility of records
• Possibility of systematic error
• Controls have changed in two ways:
  • Manual controls and unsophisticated computer-based controls being embedded
  • New control techniques dependent purely on computers

IT Influence on Audit Approach

• Controls that are operating over millions of transactions
• An increase in computerisation, which is wiping out the physical paper trail that auditors rely on
• Much greater regulatory focus on fraud and controls
• Huge pressure on costs and getting more out of current resources
• The need to manage increasing risk effectively
• Pressure on internal audit to justify and demonstrate the value they deliver to the organization
• Auditing standards that advocate or require the use of data analysis
• Traditional approaches to auditing no longer adequate

Today’s Environment

• Internal auditors are advising organizations on internal control attributes and ways to gain assurance from information.
• SOX compliance efforts have led companies to delve more deeply into their financial statement reporting elements and into the data that feeds and supports the financial data.
• Internal audit groups faced with growing workloads and heightened accountability
• Discovering that Computer Assisted Auditing Tools (CAATs) offer much needed help
• Audit technology tools facilitate more granular analysis of data and help to determine the accuracy of the information

What Are CAATs?

• All the techniques and aids which allow an auditor to access and view system data or the operation of software using the computer itself
• CAATs include continuous monitoring tools

CAATs - Review 100% of data

• Comprehensive approach of testing contrasts with traditional audit sampling methods (extracting small data sets and extrapolating conclusions about the population of transactions)
• Sampling techniques require audit judgment and confidence levels, whereas CAATs deliver more definitive results because the entire population of data can be tested
• Filtering large volumes of data is much more practical and effective
• Work with greater quantities of data
• Work with data that is more complex
• Ability to identify financial leakage, policy noncompliance, and mistakes or errors in data processing
  • For example: duplicate vendor payments, fraudulent transactions, circumvention of invoice approval limits

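An added example (not part of the original deck) of testing a whole population instead of a sample for two of the exceptions named above: duplicate vendor payments and circumvention of invoice approval limits. The payment records, the field layout, the 5,000 approval limit and the 3-day window are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample population: (payment id, vendor, invoice no., amount, date, approver).
PAYMENTS = [
    ("P001", "V100", "INV-501", 4200.00, date(2024, 3, 1), "alice"),
    ("P002", "V100", "INV-501", 4200.00, date(2024, 3, 9), "bob"),    # same invoice paid twice
    ("P003", "V200", "INV-777", 4900.00, date(2024, 3, 4), "carol"),
    ("P004", "V200", "INV-778", 4800.00, date(2024, 3, 5), "carol"),  # split just under the limit
    ("P005", "V300", "INV-050", 12000.00, date(2024, 3, 6), "dave"),
    ("P006", "V400", "INV-901", 950.00, date(2024, 3, 7), "alice"),
]

APPROVAL_LIMIT = 5000.00          # assumed single-approver limit
SPLIT_WINDOW = timedelta(days=3)  # assumed window for related invoices


def normalise_invoice(inv):
    """Strip punctuation/case so 'INV-501' and 'inv 501' compare equal."""
    return "".join(ch for ch in inv.upper() if ch.isalnum())


def duplicate_payments(payments):
    """Return groups of payment ids sharing vendor, invoice number and amount."""
    groups = defaultdict(list)
    for pid, vendor, inv, amount, _day, _who in payments:
        groups[(vendor, normalise_invoice(inv), round(amount, 2))].append(pid)
    return sorted(ids for ids in groups.values() if len(ids) > 1)


def split_invoices(payments, limit=APPROVAL_LIMIT, window=SPLIT_WINDOW):
    """Flag below-limit payments that together exceed the limit within the window."""
    by_key = defaultdict(list)
    for pid, vendor, _inv, amount, day, who in payments:
        if amount < limit:
            by_key[(vendor, who)].append((day, amount, pid))
    findings = []
    for (vendor, who), rows in sorted(by_key.items()):
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            run = [r for r in rows[i:] if r[0] - start <= window]
            total = sum(r[1] for r in run)
            if len(run) > 1 and total > limit:
                findings.append((vendor, who, [r[2] for r in run], total))
                break  # one finding per vendor/approver is enough
    return findings

if __name__ == "__main__":
    print(duplicate_payments(PAYMENTS), split_invoices(PAYMENTS))
```

Each hit is an exception to follow up, not a conclusion: a repeated invoice number may be a legitimate instalment, and grouped payments may have a documented approval.
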
CAATs Uses

CAATs may be used in performing various audit procedures including:
• Tests of details of transactions and balances
• Analytical review procedures
• Compliance tests of IS general controls
• Compliance tests of IS application controls
• Penetration testing

Why Apply CAATs?

• Perform audit tests over 100% of the population
• Save a significant amount of time
• Perform tests that are impossible to do manually
• Views of data that the client can’t produce
• Fraud and error detection

CAATs Functions (Basic) – Data Analysis

• Count
• Total
• Statistics
• Filters
• Extract
• Export
• Classify
• Stratify
• Age
• Summarize

Examples of CAATs Applications

• Recomputation of interest receivable/payable (Banks) – includes completeness tests
• Recomputation of billed calls (Fixed & Mobile Networks) – includes tests for completeness of billing
• Recomputation of bills (Utility)
• Reconciliation between subledgers and general ledger postings
• Verification of the accuracy of system-generated reports
• Tests of controls within debtors, creditors, inventory, payroll, fixed assets applications
• Data integrity tests
• Segregation of duties tests

CAATs

Interrogation Software (GAS):
• ACL
• IDEA
• SAS
• Cognos
• Excel

Utility Software:
• Sekchek
• Dumpacl
• Microsoft Baseline Analyser
• ACTT
• EQSmart

Test Data

Audit software

Audit software is used to interrogate a client's system. It can be either packaged, off-the-shelf software or it can be purpose written to work on a client's system. The main advantage of these programs is that they can be used to scrutinize large volumes of data, which it would be inefficient to do manually. The programs can then present the results so that they can be investigated further.

Specific procedures they can perform include:
• Extracting samples according to specified criteria, such as:
  • Random;
  • Over a certain amount;
  • Below a certain amount;
  • At certain dates.
• Calculating ratios and selecting indicators that fail to meet certain pre-defined criteria (i.e. benchmarking);
• Checking arithmetical accuracy (for example additions);
• Preparing reports (budget vs actual);
• Stratification of data (such as invoices by customer or age);
• Producing letters to send out to customers and suppliers; and
• Tracing transactions through the computerised system.

Test data

Test data involves the auditor submitting 'dummy' data into the client's system to ensure that the system correctly processes it and that it prevents or detects and corrects misstatements. The objective of this is to test the operation of application controls within the system.

To be successful, test data should include both data with errors built into it and data without errors. Examples of errors include:
• codes that do not exist, e.g. customer, supplier and employee;
• transactions above pre-determined limits, e.g. salaries above contracted amounts, credit above limits agreed with customer;
• invoices with arithmetical errors; and
• submitting data with incorrect batch control totals.

Data may be processed during a normal operational cycle ('live' test data) or during a special run at a point in time outside the normal operational cycle ('dead' test data). Both have their advantages and disadvantages:
• Live tests could interfere with the operation of the system or corrupt master files/standing data;
• Dead testing avoids this scenario but only gives assurance that the system works when not operating live. This may not be reflective of the strains the system is put under in normal conditions.

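An added example (not part of the original deck) of a test-data run as described above: one clean record plus one record for each error type listed, each with the outcome the auditor expects. `process_batch` is a hypothetical stand-in for the client application, and the customer codes, credit limit and record layout are constructed assumptions.

```python
# Hypothetical stand-in for the client application under test. The batch
# control total check is deliberately missing so the run has something to find.
KNOWN_CUSTOMERS = {"C001", "C002"}
CREDIT_LIMIT = 10_000.00


def process_batch(batch):
    """Return (accepted, reason) the way the application's edit checks would."""
    for line in batch["invoices"]:
        if line["customer"] not in KNOWN_CUSTOMERS:
            return False, "unknown customer code"
        if round(line["qty"] * line["unit_price"], 2) != line["total"]:
            return False, "arithmetic error"
        if line["total"] > CREDIT_LIMIT:
            return False, "over credit limit"
    return True, "posted"


def inv(customer, qty, unit_price, total):
    return {"customer": customer, "qty": qty, "unit_price": unit_price, "total": total}


# Constructed test data: (case name, batch submitted, should the system accept it?)
# One error-free record, then one record per error type listed above.
TEST_DECK = [
    ("valid invoice", {"control_total": 500.0, "invoices": [inv("C001", 5, 100.0, 500.0)]}, True),
    ("non-existent customer", {"control_total": 500.0, "invoices": [inv("C999", 5, 100.0, 500.0)]}, False),
    ("above credit limit", {"control_total": 12000.0, "invoices": [inv("C002", 12, 1000.0, 12000.0)]}, False),
    ("arithmetic error", {"control_total": 550.0, "invoices": [inv("C001", 5, 100.0, 550.0)]}, False),
    ("wrong batch control total", {"control_total": 900.0, "invoices": [inv("C001", 5, 100.0, 500.0)]}, False),
]


def run_test_deck(system, deck):
    """Submit every case and return those where actual != expected outcome."""
    exceptions = []
    for name, batch, expect_accept in deck:
        accepted, reason = system(batch)
        if accepted != expect_accept:
            exceptions.append((name, expect_accept, accepted, reason))
    return exceptions


if __name__ == "__main__":
    for name, expected, actual, reason in run_test_deck(process_batch, TEST_DECK):
        print(f"CONTROL FAILURE: {name}: expected accept={expected}, got {actual} ({reason})")
```
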
Tool selection

• The challenge
  • Make sure you are looking at the right tools to deliver the benefits your company needs
  • It is the user’s responsibility to become familiar with the tools available in order to pick the right one
  • Have a solid knowledge of your business, your data, and the accounting practices in your industry

The IIA conducted an audit software analysis and reported several key recommendations for internal auditors to consider in the selection of CAATs:
1. Determine the enterprise’s audit mission, objectives and priorities
2. Determine the types and scope of audits
3. Consider the enterprise’s technology environment
4. Be aware of the risks

1. Determine the enterprise’s audit mission, objectives and priorities

• Auditors must consult with management regarding what audit functions are of the highest priority and where computer audit tools may be applied to help meet those priorities.

2. Determine the types and scope of audits

• What is the stated objective of the audits?
• What kinds of questions will auditors be asking and what will be the boundaries?
• Arriving at answers to these questions will be critical in making an appropriate software decision.

3. Consider the enterprise’s technology environment

• Any audit tools selected will have to mesh with the other software, hardware and network systems already in place.
• In some cases, the existing IT infrastructure may incorporate tools that auditors can use in concert with automated software tools for improved effect.

4. Be aware of the risks

• Applying software to any mission-critical function carries some risks, and auditing software is no different.
• Automated software tools can prompt auditors to jump to faulty conclusions or make assumptions that run counter to enterprise operations.

Tool Selection

• Consider:
  • How many data sources you have
  • Volume of transactions
• Characteristics to look for in CAATs:
  • Ease of use
  • Ease of data extraction
  • Ability to access a wide variety of data files from different platforms
  • Ability to integrate data with different formats
  • Ability to define fields and select from standard formats
  • Menu-driven functionality for processing analysis commands
  • Simplified query building and adjustments
  • Logging features

Audit data analysis techniques

• Execute tests for virtually all industries and almost all types of data:
  • Accounts Receivable
  • Payroll
  • Cash Disbursements
  • Purchasing
  • Sales
  • General Ledger
  • Work in Progress
  • Loss Prevention
  • Asset Management
• Limiting factors:
  • Access to data
  • Understanding of the data fields
  • Creativity of the auditor

Using Test Data

• The auditor processes transactions on either the live system or a testing platform to test the functionality of the application
• Where a testing platform is used, the auditor should check that the system configuration is the same as on the live platform

The auditor should be aware that:
• test data only points out the potential for erroneous processing; this technique does not evaluate actual production data.
• test data analysis can be extremely complex and time consuming, depending on the number of transactions processed, the number of programs tested, and the complexity of the programs/system.
• Before using test data on the live platform, the auditor should verify that the test data will not permanently affect the live system

Demystifying CAATs

• You do not need to be a computer specialist to run most CAATs applications
• Tests performed using CAATs are subject to the ISACA and IIA planning and documentation standards
• Knowledge of the business processes is important
• Personal initiative and drive are key

Additional Keys to Success

• Identify a champion: a person with the ability to motivate, supervise, and generally make sure the technology is employed and becomes successful
• General training: for the users of the software (www.acl.com)
• Identify power users: they are given more specific training and become leaders of implementing the chosen software, assist other auditors, and conduct in-house training.

Audit data analysis techniques

CAATs are especially valuable in environments that have:
• High volumes of transactions
• Complex processes
• Distributed operations
• Unrelated applications and systems

Advantage of CAATs

• Organizations gain assurance about the accuracy of transactional data, and the extent to which business transactions adhere to controls and comply with policies
• With consistent use of automated transaction analysis and continuous monitoring, CAATs enable real-time independent testing and validation of critical enterprise data.

Advantage to Management

• Management can use such information to proactively identify exceptions to controls and compliance policies and take immediate action.
• Implementing these programs can lead to increased confidence in the corporate data underlying financial reporting.

The End

References:
• Selection and application of computer assisted audit tools; Mark M. Stephenson
• Generalized Audit Software: Effective and Efficient Tool for Today's IT Audits; Tommie Singleton
• ISA 330
• Deloitte “The use of CAATS in Auditing Application Controls”
