SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES

OVERVIEW
Objective
To explain the use of computer-assisted audit techniques (CAATs) in the context of an
audit.

AUDIT
APPROACH

CAATs

“Black box”
“Systems-based”
Small installations

Possible use
Considerations
Advantages
Difficulties

TEST DATA

AUDIT SOFTWARE

Description
Uses
Precautions

Description
Uses

Precautions

2101


SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES

1

AUDIT APPROACHES

1.1

Around (“black-box”
approach)

v

Examine preparation
and control of source
documents.

1.2

INPUT

Compare with a sample
of (expected) outputs.
Ignore except for
tracing input through

control/batch details
and compare to
(expected) output.

COMPUTER

Through
Normal procedures on
authorisation and collection of
input documents and relevant
external (general) controls.

Examine controls over
development, organisation and
security.
Test input, processing and output
controls as a whole.
Use the computer to interrogate
files and test system.

Substantive testing
alone will often provide
sufficient assurance on
the basis that the
computer is effectively
an electronic
bookkeeping system.

1.3


Small installations

1.3.1

Features

Lower level of general (IT)
controls

OUTPUT

1.3.2

Substantive procedures on output
alone (output may not be
automatically generated) will
provide insuffient assurance.
Control effectiveness is essential to
provide sufficient assurance.

Consequences

⇒

Less reliance on system of internal control

⇒

Greater emphasis on tests of details of transactions
and balances and analytical procedures


⇒

Increase effectiveness of audit software

Smaller volumes of data

⇒

Manual methods may be more cost effective

Lack of technical assistance
in entity

⇒

Use of CAATs may be impracticable

Certain package programs
may not operate

⇒

Restricted choice of CAATs

⇒

Entity’s data files may be copied and processed on
another suitable computer


2102


SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES

2

COMPUTER-ASSISTED AUDIT TECHNIQUES

CAATs are computer programs and data (e.g. transactions data) used as part of the auditor’s
procedures to process data of audit significance contained in an entity’s information
systems. CAATs may consist of package programs, purpose-written programs, utility
programs or system management programs.

2.1

Possible use
Controls
IT

Manual
e.g. safe custody of
back-up

Application

Programmed
e.g. password to
system


Programmed
e.g. check digits,
sequence check

Manual
e.g. authorisation,
batch control totals

CAATs may be used

2.2

Considerations affecting use

2.2.1

Matters

2.2.2

Consequences

Computer knowledge,
expertise and experience of
auditor

⇒

Must be sufficient to plan, execute and use
results of CAAT adopted.


Availability of CAATs and
suitable computer facilities

⇒

Use of CAATs may be uneconomical or
impractical (e.g. if auditor’s package program
and entity’s computer are incompatible).

⇒

Auditor may use own laptop.

⇒

Entity personnel may be required to co-operate
with and assist. Internal audit may use 24/7
facilities

Impracticability of manual
tests when no visible
evidence is available

⇒

See Example 1 below

Effectiveness and efficiency


⇒

Execution (e.g. selecting a sample, analytical
procedure) is quicker than manual equivalent.

⇒

Design and printing of forms (e.g. for
confirmations), mail merge facilities, etc.

⇒

Certain transaction data may need to be retained
for audit purposes or the CAAT used in the short
time when such data is available. 24/7 may be
available.

Timing

2103


SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES

Example 1
Suggest an example of lack of visible evidence concerning each of the
following.

Solution
Input/initiation


−
−

Processing

−
−

Output

−
−

2.3

Advantages
Enable the auditor to test program controls – if CAATs were not used then those
controls would not be testable.
Enable the auditor to test a greater number of items (eg 100%) quickly and accurately.
This will also increase the overall confidence for the audit opinion.
Allow the auditor to test the actual accounting system and records rather than printouts
which are only a copy of those records and could be incorrect.
Are cost effective after they have been setup as long as the company does not change its
systems.
Allow the results from using CAATs to be compared with “traditional” testing – if the
two sources of evidence agree then this will increase overall audit confidence.

2.4


Difficulties
Substantial setup costs in developing the CAAT programs and testing them. However,
once established, providing the client’s system does not change, they can be used as
many times as necessary with only the parameters being changed.
Standard audit software may not be available for the specific systems setup by the
client, especially if those systems are bespoke. The cost of writing audit software to test
those systems may be difficult to justify against the possible benefits on the audit.

2104


SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES
However, in most cases specific bespoke interrogation programmes will have been
written as part of the system. This will certainly be the case where an internal audit
function is operating and may well have been designed for the specific use of
internal audit. The external auditor will need to access the usefulness of such
systems for their own use.
In addition provided the data held within the system can be exported, eg into Excel,
Access or ASCII format, it can be interrogated by the auditor on their own laptops
(for example).
The software may produce too much output either due to poor design or using
inappropriate parameters on a test. The auditor may waste considerable time checking
what appear to be transactions with errors in them when the fault is actually in the
audit software.
Checking the client’s files in a live situation. There is the danger that the client’s systems
are disrupted by the audit program. The data files can be used offline, but this will
mean ensuring that the files are true copies of the live files.

3


TEST DATA

3.1

Description

Data generated by the auditor which is then processed using the client’s systems. The
objective of test data is to ensure that the controls within the system are operating properly.
If this is the case, then erroneous items should be rejected. Consequently, test data should
contain data of both a valid and an invalid nature.

Test data

Test of programmed
controls

“Live”

“Dead”

Audit test data consists of data submitted by the auditor for processing by the
enterprise’s CIS. It may be:
selected from previously processed transactions; or
created specifically by the auditor.
It may be processed during
a normal production run (“live” test data) or
a special run at a point in time outside the normal cycle (“dead” test data).

2105



SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES
An integrated test facility requires the establishment of a “dummy” unit (e.g.
department or employee) against which the auditor’s test data transactions are
processed during the normal production cycle.

3.2

Process
A full understanding of how the system operates and the programmed control
environment is required by the auditor.

3.2.1

Use of accurate data

Initially, the auditor must test that the system processes data as intended. Data entered
into the system correctly flows through the system, updating controls and balances.
Using a sales system as an example, procedure may be:
Establish a dummy customer profile (eg name, address, discounts, credit limit,
current balance) on the system or select a live client for testing. Ensure that the
system being used is the actual client system and not a copy.
Identify the current control balances, eg receivables control, sales, VAT, customer
ledger balance.
Prepare test data (eg place an order through the entity’s website) and establish the
expected impact on the process (eg changes in receivables control, sales, VAT,
ledger balance).
Enter the test data and compare the results with what was expected. If agreed, the
system is operating as expected. If not agreed, the reason(s) why must be
established.

Review reports that are necessarily produced by the system to ensure the test data
is reflected within them.
Remove test data from the system including the dummy customer and details.
This test could be incorporated into the auditor’s walk through procedure in order to
understand the system (plus the design of and implementation of controls – see next).

3.2.2

Use of false data

If correct data is input and processed by the system, many of the application controls
that are designed to prevent errors will not have been tested.
In understanding the system, the auditor must establish what application controls
should be in operation and what they are designed to do. Each control must be tested
for “error trapping”, ie input false data such that the control will identify incorrect data
and reject it. Examples of such data would include:
Data outside of a specified accepted range (eg age, units ordered, delivery date).
Incorrect customer codes, product codes (incorrect format and non-existent) etc.
Incorrect dates (eg 31 February)
Negative numbers

2106


SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES
Incorrect payment details (e.g. VISA code when payment is required on-line before
delivery)
Invalid user names and passwords
All of the above examples should result in error messages plus error reports. The
system should not be able to “go to the nearest” and complete the process, eg the

nearest product code or a default substitute.
Again, as the auditor must assess the design of the controls and that they have been
implemented, using CAAT test data is an effective (and usually the only) way of doing
so.

3.3

Precautions
Test data should be run “live” if possible. If not possible it is necessary to ensure that
programs used are identical to or are the actual programs used by the client.
Any fictitious items included as test data must be retrieved/eliminated from files before
the client uses those files in normal processing.
If test data is to be run “dead”, there must be adequate computer time available and the
special run required must not prove unduly expensive.
Since controls are being tested, all discrepancies between predicted and actual results
must be fully resolved and documented, irrespective of financial amounts involved.

4

AUDIT SOFTWARE

4.1

Description

Software specially designed for audit purposes. It is used to process the client’s data in
order to check that the figures themselves are correct. Typically, audit software is used for
reperformance tests and re–analysis of information.
Can be an off the shelf package program designed to:
read computer files

select information
perform calculations
create data files
print reports in a format specified by the auditor; or
Purpose-written bespoke program designed to perform audit tasks in specific
circumstances on specific systems; or

2107


SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES
Embedded audit routines built into an entity’s computer system to provide data for
later use by the auditor:
Snapshots – i.e. taking a picture of a transaction as it flows through the computer
systems. Routines are embedded at different points in the processing logic to
capture images of the transaction as it goes through the various stages of the
processing. The technique allows the auditor to track data and evaluate the
computer processes applied to it.
System control audit review file – provides continuous monitoring of the system’s
transactions using audit software modules embedded within an application system.
Information is collected into a special computer file for the auditor to examine.
Note that:
Utility programs are used by the entity to perform common functions (e.g. sorting,
creating and printing files). They are not specifically designed for audit purposes;
and
System management programs are typically part of a sophisticated operating
systems environment (e.g. data retrieval software or code comparison software).
As with utility programs, they are not specifically designed for auditing use.

4.2


Uses (not exhaustive)
Basically:
what you can do with data within a database management system (eg Access) you
can do with audit software;
everything you do within a manual audit in selecting, analysing and sorting data,
can be done using audit software.
Examples include:
Selecting a sample of records from a file (e.g. random selection of goods despatched
notes or selection of all inventory items valued over a certain amount).
Printing out transactions or balances over a specified amount (e.g. of invoices,
inventory items or accounts receivable) for investigation.
Checking computations and calculations by reperformance e.g.:

−
−
−

verifying the accuracy of an aged receivables listing or stratification of an
inventory file;
recalculating depreciation charges;
recalculating interest charges.

Confirming application controls (e.g. when testing input controls over
completeness, a computer audit program can identify any missing items from a
sequence).
Reorganising data into a form for audit use (e.g. sorting a file of purchases grouped
by product into a file grouped by supplier and product for a year-end “cutoff” test).

2108



SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES
Comparing two or more different files (e.g. comparing sales invoices with the sales
ledger to ensure that all invoices have been posted, or comparing inventory held at
two different dates).
Recalculating closing balances, extracting balances (eg receivables listing).
Re-performing allocation of invoices, payments, journals etc.
Identifying duplicate suppliers and/or employees (and/or duplicate addresses)
which may be a source of possible error or fraud.
Selecting exceptions (e.g. invoices approved on a national holiday, credit limits
exceeded, excess overtime, payments above a set limit).
Identifying fields missing data (e.g. references not obtained for new customers
and/or employees).
Conducting analytical review

4.3

Precautions
Client’s files must not be corrupted or damaged.
Files used for testing must be complete and accurate and identical to, if not the same as,
files currently used by the client.
Computer audit programs must be amended to account for developments in the client’s
applications.

FOCUS
You should now be able to:
explain the use of computer-assisted audit techniques in the context of an audit;
discuss and provide relevant examples of the use of test data.


2109


SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES

EXAMPLE SOLUTION
Solution 1 — No visible evidence
Input/initiation

sales orders entered on-line or voice
activated input
discounts and interest calculations
generated by computer program

Processing

delivery notes and suppliers’ invoices
matched by computer program
checking customer credit limits

Output

output reports not produced
printed report only contains summary
totals

2110