Guidance Note On Computer Assisted Audit Techniques
significance contained in an entity’s information systems. CAATs may consist of package
programs, purpose-written programs, utility programs or system management programs.
Regardless of the origin of the programs, the auditor substantiates their appropriateness and
validity for audit purposes before using them. A brief description of the programs commonly
used is given below.
• Package Programs are generalized computer programs designed to perform data processing
functions, such as reading data, selecting and analyzing information, performing calculations,
creating data files and reporting in a format specified by the auditor.
• Purpose-Written Programs perform audit tasks in specific circumstances. These programs
may be developed by the auditor, the entity being audited or an outside programmer hired by
the auditor. In some cases, the auditor may use an entity's existing programs in their original
or modified state because it may be more efficient than developing independent programs.
• Utility Programs are used by an entity to perform common data processing functions, such as
sorting, creating and printing files. These programs are generally not designed for audit
purposes, and therefore may not contain features such as automatic record counts or control
totals.
• System Management Programs are enhanced productivity tools that are typically part of a
sophisticated operating systems environment, for example, data retrieval software or code
comparison software. As with utility programs these tools are not specifically designed for
auditing use and their use requires additional care.
Details of some of the techniques used are mentioned in the Appendix.
conduct an audit in a CIS environment. It provides guidance when an auditor delegates work to
assistants with CIS skills or when the auditor uses work performed by other auditors or experts
with such skills. Specifically, the audit team should have sufficient knowledge to plan, execute
and use the results of the particular CAAT adopted. The level of knowledge required depends on
“availability of CAATs” and “suitable computer facilities”.
• analyzing and selecting samples from a large volume of transactions;
• applying analytical procedures; and
• performing substantive procedures.
11. Matters relating to efficiency that an auditor might consider include:
• the time taken to plan, design, execute and evaluate CAAT;
• technical review and assistance hours;
• designing and printing of forms (for example, confirmations); and
• availability of computer resources.
12. In evaluating the effectiveness and efficiency of CAAT, the auditor considers the
continuing use of CAAT application. The initial planning, design and development of CAAT will
usually benefit audits in subsequent periods.
Time Constraints
13. Certain data, such as transaction details, are often kept for a short time and may not be
available in machine-readable form by the time the auditor wants them. Thus, the auditor will need
to make arrangements for the retention of data required, or may need to alter the timing of the
work that requires such data.
14. Where the time available to perform an audit is limited, the auditor may plan to use
CAAT because its use will meet the auditor’s time requirement better than other possible
procedures.
Using CAATs
15. The major steps to be undertaken by the auditor in the application of CAAT are to:
(a) set the objective of CAAT application;
(b) determine the content and accessibility of the entity’s files;
(c) identify the specific files or databases to be examined;
(d) understand the relationship between the data tables where a database is to be examined;
(e) define the specific tests or procedures and related transactions and balances affected;
(f) define the output requirements;
(g) arrange with the user and IT departments, if appropriate, for copies of the relevant files or
database tables to be made at the appropriate cut off date and time;
(h) identify the personnel who may participate in the design and application of CAAT;
(i) refine the estimates of costs and benefits;
(j) ensure that the use of CAAT is properly controlled;
(k) arrange the administrative activities, including the necessary skills and computer facilities;
(l) reconcile data to be used for CAAT with the accounting and other records;
(m) execute CAAT application;
(n) evaluate the results;
(o) document CAATs to be used including objectives, high level flowcharts and run instructions;
and
(p) assess the effect of changes to the programs/system on the use of CAAT.
Testing CAAT
16. The auditor should obtain reasonable assurance of the integrity, reliability, usefulness,
and security of CAAT through appropriate planning, design, testing, processing and review of
documentation. This should be done before reliance is placed upon CAAT. The nature, timing
and extent of testing is dependent on the commercial availability and stability of CAAT.
(g) establishing appropriate security measures to safeguard the integrity and confidentiality
of the data.
When the auditor intends to perform audit procedures concurrently with online processing, the
auditor reviews those procedures with appropriate client personnel and obtains approval before
conducting the tests to help avoid the inadvertent corruption of client records.
19. To ensure appropriate control procedures, the presence of the auditor is not necessarily
required at the computer facility during the running of CAAT. It may, however, provide practical
advantages, such as being able to control distribution of the output and ensuring the timely
correction of errors, for example, if the wrong input file were to be used.
20. Audit procedures to control test data applications may include:
• controlling the sequence of submissions of test data where it spans several processing cycles;
• performing test runs containing small amounts of test data before submitting the main audit
test data;
• predicting the results of the test data and comparing it with the actual test data output, for the
individual transactions and in total;
• confirming that the current version of the programs was used to process the test data; and
• testing whether the programs used to process the test data were the programs the entity used
throughout the applicable audit period.
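
The comparison described in paragraph 20, predicted results against actual test data output for individual transactions and in total, can be scripted as follows. This is an added illustration in Python, not part of the guidance note; the transaction IDs, amounts and the function name compare_test_run are constructed for the example, and the sample is built so that two offsetting errors leave the totals in agreement.

```python
from decimal import Decimal

# Constructed test deck: the auditor's predicted result per test transaction.
PREDICTED = {
    "T001": Decimal("118.00"),
    "T002": Decimal("236.00"),
    "T003": Decimal("0.00"),   # invalid input, expected to be rejected
    "T004": Decimal("59.00"),
}

# Constructed output of the program under test for the same deck.
ACTUAL = {
    "T001": Decimal("118.00"),
    "T002": Decimal("230.00"),  # 6.00 below the prediction
    "T003": Decimal("0.00"),
    "T004": Decimal("65.00"),   # 6.00 above the prediction
}


def compare_test_run(predicted, actual):
    """Compare actual output with predictions per transaction and in total."""
    exceptions = []
    for txn_id in sorted(predicted.keys() | actual.keys()):
        want, got = predicted.get(txn_id), actual.get(txn_id)
        if want is None:
            exceptions.append((txn_id, "unexpected output record", want, got))
        elif got is None:
            exceptions.append((txn_id, "missing from output", want, got))
        elif want != got:
            exceptions.append((txn_id, "amount differs", want, got))
    totals = {
        "predicted_count": len(predicted),
        "actual_count": len(actual),
        "predicted_total": sum(predicted.values(), Decimal("0")),
        "actual_total": sum(actual.values(), Decimal("0")),
    }
    # Record count and control total can agree while individual items differ.
    totals["totals_agree"] = (
        totals["predicted_count"] == totals["actual_count"]
        and totals["predicted_total"] == totals["actual_total"]
    )
    return exceptions, totals


if __name__ == "__main__":
    found, summary = compare_test_run(PREDICTED, ACTUAL)
    for row in found:
        print(row)
    print(summary)
```

On the sample data the control totals agree while two transactions differ, which is why the comparison is made at both levels.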
21. When using CAAT, the auditor may require the cooperation of entity staff with extensive
knowledge of the computer installation. In such circumstances, the auditor considers whether the
staff improperly influenced the results of CAAT.
22. Audit procedures to control the use of audit-enabling software may include:
• verifying the completeness, accuracy and availability of the relevant data, for example,
historical data may be required to build a financial model;
• reviewing the reasonableness of assumptions used in the application of the tool set,
particularly, when using modeling software;
• verifying availability of resources skilled in the use and control of the selected tools; and
• confirming the appropriateness of the tool set to the audit objective, for example, the use of
industry specific systems may be necessary for the design of audit programs for unique
business cycles.
Documentation
23. The various stages of application of CAATs should be sufficiently documented to provide
adequate audit evidence.
24. The audit working papers should contain sufficient documentation to describe CAAT
application, including the details set out in the sections below.
(a) Planning
• CAAT objectives;
• CAAT to be used;
• Controls to be exercised; and
• Staffing, timing and cost.
(b) Execution
• CAAT preparation and testing procedures and controls;
• Details of the tests performed by CAAT;
• Details of inputs (e.g., data used, file layouts), processing (e.g., CAATs high-level flowcharts,
logic) and outputs (e.g., log files, reports);
• Listing of relevant parameters or source code; and
• Relevant technical information about the entity's accounting system, such as file layouts.
(d) Other
• Recommendations to the entity management; and
In addition, it may be useful to document suggestions for using CAAT in future years.
(a) The level of general controls may be such that the auditor will place less reliance on the
system of internal control. This will result in greater emphasis on tests of details of
transactions and balances and analytical review procedures, which may increase the
effectiveness of certain CAATs, particularly, audit software.
(b) Where smaller volumes of data are processed, manual methods may be more cost effective.
(c) A small entity may not be able to provide adequate technical assistance to the auditor,
making the use of CAATs impracticable.
(d) Certain audit package programs may not operate on small computers, thus restricting the
auditor’s choice of CAATs. The entity’s data files may, however, be copied and processed on
another suitable computer.
Appendix
Embedded Code
Description: Software used by the auditor to examine transactions passing through the system by placing his own program in the suite of programs used for processing.
Advantages:
• Performs a wide variety of audit tasks
• Examines each transaction as it passes through the system
• Operates continuously
• Capable of identifying unusual transactions passing through the system
Disadvantages:
• There is a processing overhead involved because of the extra programs
• Definition of what constitutes an unusual transaction needs to be very precise
• Precautions need to be taken over the output from the programs to ensure its security
• Precautions need to be taken to ensure that the program cannot be suppressed or tampered with
• Requires some degree of skill to use and to interpret the results

Log Analysers
Description: Software used by the auditor to read and analyse records of machine activity.
Advantages:
• Provides detailed information on machine usage
• Long term economics
• Effective when testing integrity controls
Disadvantages:
• Requires a high degree of skill to use and to interpret the results
• Limited availability as regards machine types
• High volume of records restricts extent of test

Mapping
Description: Software used by the auditor to list unused program instructions.
Advantages:
• Identifies program code which may be there for fraudulent reasons
Disadvantages:
• Very specific objective
• Requires a high degree of skill to use and to interpret the results
• Adaptation needed from machine to machine

Modelling
Description: A variety of software, usually associated with a microcomputer, enabling the auditor to carry out analytical reviews of client's results, to alter conditions so as to identify amounts for provisions or claims, or to project results and compare actual results with those expected.
Advantages:
• Can be a very powerful analytical tool
• Can enable the auditor to examine provisions on a number of different bases
• Very flexible in use
• Can provide the auditor with useful information on trends and patterns
Disadvantages:
• A high volume of data may need to be entered initially
• Results require careful interpretation

On-line Testing
Description: Techniques whereby the auditor arranges or manipulates data either real or fictitious, in order to see that a specific program or screen edit test is doing its work.
Advantages:
• Very widely applicable
• Easy to use
• Can be targeted for specific functions carried out by programs
Disadvantages:
• Each use satisfies only one particular objective
• Care must be taken to ensure that "live" data does not impact actual results

Program Code Analysis
Description: An examination by the auditor of the source code of a particular program with a view to following the logic of the program so as to satisfy himself that it will perform according to his understanding.
Advantages:
• Gives a reasonable degree of comfort about the program logic
• The auditor can examine every function of the program code
Disadvantages:
• The auditor must understand the program language
• The auditor needs to check that the source code represents the version in the source library, and that this version equates to the executable version

Program Library Analysers
Description: Software used by the auditor to examine dates of changes made to the executable library and the use of utilities to amend programs.
Advantages:
• Provides the auditor with useful information concerning the program library
• Identifies abnormal changes to the library
• Useful when testing program security
Disadvantages:
• Requires a high degree of skill to use and to interpret the results
• Availability restricted to certain machine types
• Only relevant when testing integrity controls

Snapshots
Description: Software used by the auditor to take a "picture" of a file of data or a transaction passing through the system at a particular point in time.
Advantages:
• Permits the auditor to examine processing at a specific point in time to carry out tests, or to confirm the way a particular aspect of the system operates
Disadvantages:
• Can be expensive to set up

Source Comparison
Description: Software used by the auditor to compare the source version of a program with a secure master copy.
Advantages:
• Compares source code line by line and identifies all differences
• Useful when testing integrity controls or particularly important program procedures
Disadvantages:
• Other procedures are necessary to ensure that the executable version reflects the source code examined
• Requires some degree of skill to use and to interpret the results
• Availability restricted to certain machine types

Test Data - "Live", "Dead", Integrated Test Facility or Base Case System Evaluation
Description: Fictitious data applied against the client's programs either whilst they are running or in an entirely separate operation. The results of processing the fictitious data are compared with the expected results based on the auditor's understanding of the programs involved.
Advantages:
• Performs a wide variety of tasks
• Gives considerable comfort about the operation of programs
• Can be precisely targeted for specific procedures within programs
• Long term economies
Disadvantages:
• "Dead" test data requires additional work for the auditor to satisfy himself the right programs were used
• Care must be taken to ensure that "live" data does not impact actual results
• Technique can be expensive to set up and cumbersome to use
• Adequate for detection of major error but less likely to detect deep-seated fraud

Tracing
Description: Software used by the auditor to identify which instructions were used in a program and in what order.
Advantages:
• Helps to analyse the way in which a program operates
Disadvantages:
• There may be less costly ways to achieve the same objectives, although not in the same detail
• Requires a high degree of skill to use and to interpret the results
• Adaptation needed from machine to machine
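
The Source Comparison technique listed in the Appendix, comparing a program's source with a secure master copy line by line, is sketched below. This is an added illustration in Python, not part of the guidance note; both source texts, the function names, and the assumption that a digest was recorded when the master copy was secured are constructed for the example.

```python
import difflib
import hashlib

# Constructed sample: secure master copy held by the auditor (invented code).
MASTER_SOURCE = """\
APPROVAL_LIMIT = 10000

def needs_approval(amount):
    return amount > APPROVAL_LIMIT
"""

# Constructed sample: source found in the entity's library at audit time.
LIBRARY_SOURCE = """\
APPROVAL_LIMIT = 50000

def needs_approval(amount, vendor=None):
    if vendor == "V-0417":
        return False
    return amount > APPROVAL_LIMIT
"""


def sha256_text(text):
    """Digest used to show the master copy is the one originally secured."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def compare_with_master(master, candidate, recorded_digest):
    """Check the master against its recorded digest, then list every difference."""
    a, b = master.splitlines(), candidate.splitlines()
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    changes = [
        {"op": tag, "master_line": i1 + 1, "master": a[i1:i2], "library": b[j1:j2]}
        for tag, i1, i2, j1, j2 in matcher.get_opcodes()
        if tag != "equal"
    ]
    return {"master_intact": sha256_text(master) == recorded_digest, "changes": changes}


if __name__ == "__main__":
    # Assumption: this digest was recorded when the master copy was secured.
    recorded = sha256_text(MASTER_SOURCE)
    report = compare_with_master(MASTER_SOURCE, LIBRARY_SOURCE, recorded)
    print("master intact:", report["master_intact"])
    for change in report["changes"]:
        print(change)
```

A clean result here covers the source only; as the Appendix notes, other procedures are still needed to show that the executable version reflects the source examined.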