Computer Assisted Audit Techniques (CAATs)
Computer assisted audit techniques are ways in which
the computer may be used by the auditor in a computerized
information system to gather, or assist in gathering, audit
evidence.
Different CAATs may be used for different purposes. (See The CPA Journal article entitled Traditional and Emerging Methods of Electronic Assurance.) For
example:
- commercial software, such as
Microsoft Excel, Word, etc., may be used by the auditor for
analyzing data imported from client files, writing audit programs,
etc. Many firms now employ electronic working papers, using either software developed in-house or commercial forms of e-working papers. See the three Journal of Accountancy articles on using Excel entitled (a) The Power of Arrays, (b) A Risk-Based Approach to Journal Entry Testing and (c) Add Muscle to Excel.
- generalized audit software comes in
a variety of forms. It may either be commercial software or developed by an auditing firm. The purpose of the audit software is to interrogate, extract and sometimes analyse information from management's computer information system. Expert audit systems are another example of such software. Generalized audit software may be used to gather evidence in relation to both the
effectiveness of operation of a programmed control procedure and
the extent of misstatements in account balances and underlying
classes of transactions. In other words, this audit software may be used
as either a test of control or as a substantive procedure.
- embedded audit module is a CAAT in
which code prepared by the auditor is embedded in the client's
software. The code may be designed, for example, to replicate a
specific aspect of a control procedure, or to record details of
certain transactions in a file accessible only to the auditor.
Thus, this audit software may be used as either a test of
control or a substantive procedure. (This CAAT is particularly
applicable to continuous auditing.)
- integrated test facility is a
facility forming part of the client's software that enables the auditor's test data to be integrated and processed with the client's live input data. The facility ensures that the test data
updates special dummy files, rather than actual operating files.
The dummy files are examined to ensure that the test data has been
processed in the manner expected. This procedure provides evidence
of the effectiveness of design of programmed control procedures as
well as aspects of the effectiveness of operation.
- parallel simulation, in which actual
client data is processed using a copy of the client's software that
has undergone program code analysis by the auditor (see below) and
is under the control of the auditor. The data processed on the
auditor's copy of the software is compared to the data previously
processed by the client to ensure that the processing is identical.
This procedure provides evidence as to the effectiveness of design
of programmed control procedures as well as aspects of the
effectiveness of operation.
- program code analysis is the
analysis of the client's program code to ensure that the
instructions given to the computer are the same instructions that
the auditor has previously identified when reviewing the systems
documentation. The analysis may be performed using specialized
audit software (see below) owned by the auditor. This audit software
provides evidence as to the effectiveness of the design of
programmed control procedures.
- test data is a CAAT in which test data
prepared by the auditor is processed on the current production
version of the client's software, but separately from the client's
normal input data. The test data that is processed updates the
auditor's copies of the client's data files. The updated files are
examined to ensure that the transactions were processed in the
manner expected. This procedure is typically used to gather
evidence as to the effectiveness of design of programmed control
procedures, as well as aspects of the effectiveness of
operation.
- specialized audit software is
audit software designed to perform specific tasks in specific
circumstances, such as comparison of source and object code, the
analysis of unexecuted code and the generation of test data. It is
used to gather evidence as to the design effectiveness of the client's
software.
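
The parallel simulation item above, sketched as an added example that is not part of the original page: the auditor reprocesses the client's actual input on an auditor-controlled copy of the program and compares the results with what the client previously posted. The discount rule, record layout, function names and sample data are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample data: client input transactions.
CLIENT_INPUT = [
    {"id": "T001", "qty": 10, "unit_price": "19.99"},
    {"id": "T002", "qty": 150, "unit_price": "4.50"},
    {"id": "T003", "qty": 100, "unit_price": "12.00"},
    {"id": "T004", "qty": 3, "unit_price": "250.00"},
]

# Constructed sample data: totals the client's production run previously posted.
CLIENT_OUTPUT = {
    "T001": "199.90",
    "T002": "607.50",
    "T003": "1200.00",  # discount not applied at the threshold
    "T005": "75.00",    # posted with no matching input transaction
}

def auditor_copy_process(txn):
    """Stand-in for the auditor-controlled copy of the program.
    Hypothetical rule: 10% discount when quantity is 100 or more."""
    gross = Decimal(txn["qty"]) * Decimal(txn["unit_price"])
    if txn["qty"] >= 100:
        gross *= Decimal("0.90")
    return gross.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def parallel_simulation(client_input, client_output):
    """Reprocess every input and list each difference from the client's output."""
    exceptions, seen = [], set()
    for txn in client_input:
        seen.add(txn["id"])
        expected = auditor_copy_process(txn)
        posted = client_output.get(txn["id"])
        if posted is None:
            exceptions.append((txn["id"], "missing from client output", expected, None))
        elif Decimal(posted) != expected:
            exceptions.append((txn["id"], "amount differs", expected, Decimal(posted)))
    # Output records with no input behind them are exceptions as well.
    for txn_id in sorted(set(client_output) - seen):
        exceptions.append((txn_id, "no matching input", None, Decimal(client_output[txn_id])))
    return exceptions

if __name__ == "__main__":
    for txn_id, reason, expected, posted in parallel_simulation(CLIENT_INPUT, CLIENT_OUTPUT):
        print(f"{txn_id}: {reason} (auditor={expected}, client={posted})")
```

An empty exception list is what supports the conclusion that processing is identical; each listed item is followed up with the client.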
Refer to ISACA's Information Systems Auditing Guideline Use of Computer Assisted Audit Techniques (CAATs).
Copyright, Australian Educational Research
Pty Ltd. Any person accessing this site agrees to the
Terms of Use.