
USING CAATTS

LBYMODT
OVERVIEW
Introduction to CAATTs
Audit Productivity Software
Generalized Audit Software
Computer Assisted IT Audit Techniques
Continuous Auditing Techniques
DEFINITION
CAATTS (Computer Assisted Auditing Tools and
Techniques)
Software used to increase an auditor's personal productivity and
software used to perform data extraction and analysis
CAATS (Computer Assisted Auditing Techniques)
Techniques to increase the efficiency and effectiveness of the audit
function
Tools (Productivity tools)
E-workpapers
Groupware
Time and Billing Software
Reference Libraries
Document management
DEFINITION
Tools
Generalized audit software tools
ACL (Audit Command Language)
Audit Command Language (ACL) is one of the most popular Computer
Aided Audit Tools (CAATs) among auditors.
It enables auditors to identify trends, highlight exceptions, locate errors and
potential fraud, analyse financial and time-sensitive transactions, and cleanse
and normalize data to ensure consistency and accuracy.
Audit Expert Systems
Expert systems are computer programs that are built to mimic human
behavior and knowledge
Utility Software
system software designed to help analyze, configure, optimize or maintain
a computer
Statistical Software
specialized computer programs for statistical analysis and econometric
analysis.
DEFINITION
Techniques
CAATS to verify data integrity
CAATs for Data Extraction and Analysis
CAATs to Detect Fraud
Continuous Auditing Techniques
CAATs to Validate Application Integrity
Test Decks
Integrated Test Facility
Parallel Simulation
TOOLS: Types of CAATTs
Audit Productivity Software
Any software that facilitates the auditor's personal
productivity
Electronic Working papers (ex. GAMx, MS office)
Import client's raw data from legacy systems
Automatically generate working papers and their references
Export to Excel and other file formats
Drill down and see underlying transactions from financial
statements
Enter adjusting journal entries
Breakdown accounts into subcomponents
Create consolidated FS
Map accounts from lead to detailed schedules to the
client's GL
Populate report templates
Calculate predefined ratios
Compare versions of a document and highlight changes
Generate risk analysis and business cycle analysis
Conduct file interrogation
Share files among other members of engagement
Generate audit programs from predetermined audit
objectives
Generate internal control questionnaires
TOOLS: Types of CAATTs
Groupware (ex. LN, Sametime, Groove): multi-user
calendaring, scheduling and file sharing
Time and billing software
Reference libraries (ex. GAIIT-PE)
Document manager (ex. RMS record keeping
systems)
TOOLS: Types of CAATTs
Generalized Audit Software (GAS) Tools (ex.
ACL and IDEA)
Data Extraction and Analysis
Statistical Analysis
Audit Expert Systems
if-then production rules
inference engine runs the commands and returns an
answer
TOOLS: Types of CAATTs
Audit Expert Systems
Advantages:
unbiased decision making
incorporation of expertise of multiple experts
constant availability

Disadvantages:
Difficulty in eliciting the decision-making process and criteria from the
experts
Difficulty in updating the knowledge base and rules contained therein
Time required to develop and test the system
Expense to develop and maintain the system
Difficulty in modeling uncertainty in decisions
Mechanical adherence to the process, with no room for intuition or human
reasoning
COMPUTER ASSISTED IT AUDIT
TECHNIQUES
Professional Standards and Guidelines
1. Planning
2. Performance of Audit Work
3. Documentation
4. Reporting
PLANNING
In determining whether to use CAATs, the following
should be considered:
Computer knowledge, expertise, and experience
Availability of suitable CAATs and IS facilities
Efficiency and effectiveness of using CAATs over
manual techniques
Time constraints
Integrity of information system and IT environment
Level of audit risk
PLANNING
Steps in preparing for application of CAATs:
Set the audit objective of the CAATs
Determine the accessibility and availability of the
organization's IS facilities, system and data
Define the procedures to be undertaken
Define output requirements
Determine resource requirements
Obtain access to the organization's IS facilities
Document CAATs to be used
Performance of Audit Work
CAATs should be controlled by:
Performing a reconciliation of control totals
Review output for reasonableness
Perform a review of logic, parameters, or other
characteristics of the CAATs
Review the organization's general IS controls
Documentation
The step-by-step CAATs process should be sufficiently
documented
Planning
CAATs objectives, CAATs to be used, controls to be
exercised, staffing and timing
Execution and Audit Evidence
CAATs preparation and testing procedures and
controls
Details of the tests performed by the CAATs
Details of inputs, processing and outputs
Listing of relevant parameters or source codes
Reporting
The objectives, scope and methodology
section should contain a clear description of
the CAATs used.
The description of the CAATs used should be in
the report, where the specific finding relating
to the use of the CAATs is discussed.
10 Steps to Using CAATs
1. Set key audit objectives during audit planning
based on risk assessment
2. Identify which CAATs will help achieve key audit
objectives
3. Identify which data files are needed from the
client
4. Determine in which format you prefer to receive
the data
5. Request data files from client in the preferred
format
6. Import the data into ACL
7. Use CAATs to verify the integrity of the data
import process
8. Perform specific CAATs as planned to meet
key audit objectives
9. Investigate and reconcile exceptions
10. Document results in the audit working
papers
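Step 7 above and the reconciliation of control totals listed under Performance of Audit Work, shown as an added example that is not part of the original slides. The file layout, field names and figures are constructed for illustration.

```python
import csv
import io
from decimal import Decimal

# Constructed control figures the client reports for the extract it sent.
CLIENT_CONTROL = {
    "record_count": 4,
    "amount_total": Decimal("1850.75"),
    "hash_total": 4010,  # sum of invoice numbers; meaningless except as a check
}

# Constructed file as received by the auditor (invoice 1003 is missing).
RECEIVED_CSV = """invoice_no,vendor_id,amount
1001,V01,500.00
1002,V02,250.25
1004,V01,1000.50
"""

def compute_totals(csv_text):
    """Record count, financial control total and hash total of the imported data."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return {
        "record_count": len(rows),
        "amount_total": sum((Decimal(r["amount"]) for r in rows), Decimal("0")),
        "hash_total": sum(int(r["invoice_no"]) for r in rows),
    }

def reconcile(expected, actual):
    """Return {control: (expected, actual)} for every control figure that differs."""
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}

if __name__ == "__main__":
    for name, (exp, act) in reconcile(CLIENT_CONTROL, compute_totals(RECEIVED_CSV)).items():
        print(f"{name}: client={exp} imported={act} difference={exp - act}")
```

When exactly one record is lost, the hash-total difference equals the missing invoice number, which tells the auditor which record to request again.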
TESTING COMPUTER APPLICATION
CONTROLS
Black-box approach
Understand the functional characteristics of the
application by analyzing flowcharts and interviewing
knowledgeable personnel in the client's organization

[Figure: Input → application under review (with master files) → Output. The auditor reconciles input transactions with the output produced by the application.]
TESTING COMPUTER APPLICATION
CONTROLS
Advantages of the Black-box approach
The application need not be removed from service
and tested directly.
This approach is feasible for testing applications
that are relatively simple.
However, complex applications require a more
focused testing approach to provide the auditor
with evidence of application integrity.
TESTING COMPUTER APPLICATION
CONTROLS
White-box approach
Relies on an in-depth understanding of the internal logic
of the application being tested.
Authenticity tests (IDs, passwords, valid vendor codes, and
authority tables)
Accuracy tests (range tests, field tests, and limit tests)
Completeness tests (field tests, record sequence tests, hash
totals, and control totals)
Redundancy tests (reconciliation of batch totals, record
counts, hash totals, and financial control totals)
Access tests (passwords, authority tables, user defined
procedures, data encryption, and inference controls)
Audit trail tests (transaction logs, transaction listings,
exception reports)
Rounding error tests
CAATTS
FOR TESTING CONTROLS
Test data
Integrated Test Facility (ITF)
Parallel simulation
TEST DATA METHOD
Used to establish application integrity by processing specially
prepared sets of input data through production applications
that are under review.
Creating Test Data
auditors must prepare a complete set of both valid and
invalid transactions
test every possible input error, logical process, and
irregularity
Base Case System Evaluation
conducted with a set of test transactions containing all
possible transaction types
Tracing
performs an electronic walkthrough of the application's
internal logic
TEST DATA METHOD
Advantages of Test Data Techniques
Provides the auditor with explicit evidence concerning
application functions.
Test data runs can be employed with only minimal disruption
to the organization's operations.
Require only minimal computer expertise on the part of
auditors.

Disadvantages of Test Data Techniques


auditors must rely on computer services personnel to obtain a
copy of the application for test purposes
provide a static picture of application integrity at a single point
in time
relatively high cost of implementation
INTEGRATED TEST FACILITY (ITF)
An automated technique that enables the
auditor to test an application's logic and
controls during its normal operation
INTEGRATED TEST FACILITY (ITF)
Advantages of Integrated Test Facility (ITF)
Supports on-going monitoring of controls as required
by SAS 78
Applications with ITF can be economically tested
without disrupting the users' operations and without
intervention of computer services personnel.
Improves efficiency of the audit and increases
reliability of the audit evidence gathered.
Disadvantages of Integrated Test Facility (ITF)
Potential for corrupting the data files of the
organization with test data
PARALLEL SIMULATION
Requires the auditor to
write a program that
simulates key features
of processes of the
application under
review.
The simulated application
is then used to
reprocess transactions
that were previously
processed by the
production application.
PARALLEL SIMULATION
Creating a Simulation Program:
1. Gain thorough understanding of the application
2. Identify those processes and controls in the application that
are critical to the audit
3. Create simulation using a 4GL or generalized audit software
(GAS)
4. Run simulation program using selected production
transactions and master files to produce set of results
5. Evaluate and reconcile the test results with the production
results produced in a previous run
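Steps 3 to 5 above as an added example, not part of the original slides: a small simulation program that reprocesses production payroll transactions against the master file and reconciles its results with the production output. The overtime rule (1.5x above 40 hours), the record layout and all figures are assumptions made for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed master file: employee id -> authorized hourly rate.
MASTER = {"E1": Decimal("20.00"), "E2": Decimal("31.50"), "E3": Decimal("18.25")}

# Constructed production transactions with the gross pay production computed.
PRODUCTION_RUN = [
    {"emp": "E1", "hours": Decimal("40"), "gross": Decimal("800.00")},
    {"emp": "E2", "hours": Decimal("45"), "gross": Decimal("1496.25")},
    {"emp": "E3", "hours": Decimal("42"), "gross": Decimal("839.50")},
    {"emp": "E9", "hours": Decimal("40"), "gross": Decimal("1000.00")},
]

def simulate_gross(rate, hours):
    """Auditor's independent calculation (assumed rule: 1.5x pay above 40 hours)."""
    regular = min(hours, Decimal("40")) * rate
    overtime = max(hours - Decimal("40"), Decimal("0")) * rate * Decimal("1.5")
    return (regular + overtime).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def parallel_simulation(production_run, master):
    """Reprocess each transaction and list the results that do not reconcile."""
    exceptions = []
    for txn in production_run:
        rate = master.get(txn["emp"])
        if rate is None:
            # Paid in production but absent from the master file.
            exceptions.append((txn["emp"], "no master record", txn["gross"], None))
            continue
        simulated = simulate_gross(rate, txn["hours"])
        if simulated != txn["gross"]:
            exceptions.append((txn["emp"], "amount differs", txn["gross"], simulated))
    return exceptions

if __name__ == "__main__":
    for emp, reason, prod, sim in parallel_simulation(PRODUCTION_RUN, MASTER):
        print(f"{emp}: {reason} (production={prod}, simulated={sim})")
```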
CAATs to Verify Data Integrity
CAATs to Extract and Analyze Data
Importing the Data into ACL
Counting
Verifying
Statistics
Stratify
Age
Gaps and duplicates
ACL
CAATs to Detect Fraud
Digital Analysis
Data query models
CAATS BY FUNCTIONAL AREA TO
DETECT FRAUD
Payroll
Expenditures / Payables
Revenue / Receivables
PAYROLL
Ghost Employees
No taxes or benefits
Invalid SSS no.
More than one employee with same address and
phone but with different surnames
PO box, Drop box address
Unusual work location, no work phone
No annual or sick leave used over a reasonable time
No evaluations, raises or promotion
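Several of the ghost-employee indicators above expressed as data queries over a payroll master file, as an added example that is not part of the original slides. The records and field names are constructed; a flagged record is a lead for follow-up, not proof of fraud.

```python
import re
from collections import defaultdict

# Constructed sample payroll master records (not real data).
EMPLOYEES = [
    {"id": "E1", "surname": "Cruz", "address": "12 Mabini St., Manila",
     "phone": "555-0101", "tax_withheld": 1200.0, "leave_days_used": 6},
    {"id": "E2", "surname": "Reyes", "address": "12 Mabini St, Manila",
     "phone": "555-0101", "tax_withheld": 0.0, "leave_days_used": 0},
    {"id": "E3", "surname": "Santos", "address": "P.O. Box 44, Quezon City",
     "phone": "555-0133", "tax_withheld": 900.0, "leave_days_used": 3},
    {"id": "E4", "surname": "Lim", "address": "8 Rizal Ave, Cebu",
     "phone": "555-0177", "tax_withheld": 1500.0, "leave_days_used": 9},
]

def norm_address(addr):
    """Upper-case and strip punctuation so trivially different spellings match."""
    return " ".join(re.sub(r"[^A-Z0-9]+", " ", addr.upper()).split())

def ghost_indicators(employees):
    """Map employee id -> list of ghost-employee indicators that fired."""
    flags = defaultdict(list)
    shared = defaultdict(list)
    for e in employees:
        addr = norm_address(e["address"])
        shared[(addr, e["phone"])].append(e)
        if re.search(r"\bP ?O BOX\b", addr):
            flags[e["id"]].append("PO box address")
        if e["tax_withheld"] == 0:
            flags[e["id"]].append("no taxes withheld")
        if e["leave_days_used"] == 0:
            flags[e["id"]].append("no leave used")
    # Same address and phone shared by employees with different surnames.
    for group in shared.values():
        if len({e["surname"] for e in group}) > 1:
            for e in group:
                flags[e["id"]].append("shared address/phone, different surname")
    return dict(flags)

if __name__ == "__main__":
    for emp_id, hits in sorted(ghost_indicators(EMPLOYEES).items()):
        print(emp_id, "->", "; ".join(hits))
```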
PAYROLL
Excessive Pay Rates
Non-market pay rates or pay rates in excess of authorized
More than one pay increase without position change
Employees with the same address in the same unit (preferential
hiring)
Excess pay rates or comparison of pay rates by unit/location
Excess overtime or continual pattern of overtime
Commissions or bonuses are excessive or don't agree to
performance factors

Nepotism
Same department, same address
EXPENDITURES / PAYABLES
Duplicate Claims
Conflict of Interest
Fraudulent Vendor
Vendor Kickbacks / Bid Rigging
Theft of Services
REVENUE/RECEIVABLES
Skimming
The process by which cash is removed from the
entity before it enters the accounting system.
Lapping Receivables
the recording of payment on a customer's account
sometime after the payment has been received
Borrowing
Writing Off Debts Collected
Kickbacks/Conflict of Interest