COMPUTER-

ASSISTED AUDIT
TOOLS AND
TECHNIQUES
APPLICATION
RAGUIN, GELYN L.

CABILES, ERICKA O.

ARGUELLES, AILEEN L.

JIMENEZ, GLORY ANDREA MEI F.

GALLEGO, PETER A.

GIMENO RIALBERT
 CONTENTS

1. Background
2. Traditional Audit Vs. CAATTs
3. Objectives
4. Advantages
5. Disadvantages
6. Discussion of Each CAATTs
7. Advantages and Disadvantages of Each CAATTs
8. Test Data Method Application
9. References
 BACKGROUND

Nowadays, as many businesses at present use IT to process their transactions, the auditing
profession is faced with a need to give increased guidance for audits conducted in an IT
environment. Various authoritative bodies, such as the American Institute of Certified Public
Accountants (AICPA), the International Federation of Accountants (IFAC), and the Information
Systems Audit and Control Association (ISACA) have issued standards in this area. Today’s
reality requires organizations to engage in the process of adopting technology to perform
better in line with the challenges of globalization. The use of Computer-Assisted Audit Tools and
Techniques (CAATTs) has been introduced to aid auditors in this regard.

Definition of CAATTs

Today’s auditors must become more highly trained, with new skills and areas of expertise in
order to be more useful and productive. Increasingly, auditors will be required to use
computer-assisted techniques to audit electronic transactions and application controls. Laws
like the U.S. Sarbanes-Oxley Act of 2002 are pushing audit departments to find new ways to link
specialty tools into the complex business systems. By harnessing the power of the computer,
auditors can improve their ability to critically review data and information and manage their
own activities more rationally. Due to the critical shortage of these skills and talents, they will
become even more valuable and marketable.
CAATTs are defined as computer-based tools and techniques that permit auditors to increase
their personal productivity as well as that of the audit function. CAATTs can significantly
improve audit effectiveness and efficiency during the planning, conduct, reporting, and follow-
up phases of the audit, as well as improving the overall management of the audit function. In
many cases, the use of the computer can enable auditors to perform tasks that would be
impossible or extremely time-consuming to perform manually. The computer is the ideal tool
for sorting, searching, matching, and performing various types of tests and mathematical
calculations on data. Automated tools can also remove the restrictions of following rigid
manual audit programs as a series of steps that must be performed. CAATTs allow auditors to
probe data and information interactively and to react immediately to the findings by modifying
and enhancing the initial audit approach.
CAATTs is the fundamental tool which is used by auditors. This tool facilitates them to make
search from the irregularities from the given data. With the help of this tool the auditor and
accountant of any firm will be able to provide more analytical result. These tools are used
through-out every business environment and also in the industry sector too. With the help of
Computer-Assisted Audit Tools and Techniques, more forensic accounting with more analysis
can be done. It’s really a helpful tool that helps the firm auditor to work in an efficient and
productive manner.

Evolution of CAATTs

Today’s microcomputer-based audit tools and techniques have their roots in mainframe
Computer Assisted Audit Tools and Techniques (CAATTs), which in turn are surprisingly rooted
in manual audit tools and techniques. These mainframe based tools were primarily used to
verify whether or not the controls for an application or computer system were working as
intended. In the 1970s, a second type of CAATTs evolved, which sought to improve the
functionality and efficiency of the individual auditor. These CAATTs provided auditors with the
capability to extract and analyze data in order to conduct audits of organizational entities rather
than simply review the controls of an application. A third type of CAATTs, and a more recent
use of automated audit tools, focuses on the audit function and consists of tools and
techniques aimed at improving the effectiveness of the audit organization as a whole.

Books written on computer controls and audit in the 1970s did not include sections on end user
computing or, at best, mentioned audit software only in passing. In fact, for the most part,
auditors avoided dealing with the computer and treated it as the black box. Audit
methodologies discussed the input and output controls, but largely ignored the processing
controls of the system. The methodology employed was one of auditing around the computer.
The main audit tools included questionnaires, control flowcharts, and application control
matrices. Audit software was specifically written in general-purpose programming languages,
was used primarily to verify controls, and parallel simulation was only beginning to gain ground.
Audit software packages were considered as specialized programming languages to meet the
needs of the auditor and required a great deal of programming expertise. The packages were
mainframe-family dependent and consequently were limited in data access flexibility and
completely batch-oriented.
By the 1980s, some of the more commonly used tools to verify an application system were test
decks, Integrated Test Facilities (ITF), System Control Audit Review File (SCARF), and Sample
Audit Review File (SARF) (Mair, Wood, and Davis [1978]). Other techniques included parallel
simulations, reasonableness tests and exception reports, and systematic transaction samples.
Some organizations were still achieving very effective results with these types of audit tools in
the 1990s.

Audit Tools and Techniques (Computer Systems Audit)

1970s 1980s 1990s 2000s

Programming 3rd Generation 4th Generation Web- enabled

language Programming Programming Software (XBRL)
Applications Language Language
Applications Applications

1st Generation 2nd -Generation 3rd - Generation Continuous

Audit Software Audit Software Audit Software Auditing
(Batch) (PC – based
(Interactive and
interactive and
Batch)
batch)

Simple Parallel Extensive Parallel Comprehensive Digital Analysis

Simulations Simulations Date Analysis
and Testing

Test Decks / Test Decks / ITF

Integrated Test
Facilities (ITF)

Input / Output SCARF/SARF Audit Software

Testing

Internal Control Automated ICR Integrated ICR Control Self-

Review (ICR) Questionnaires Questionnaires Assessment
 Questionnaire Program Flow Process Flows Visualization
Controls Flow Charting Emphasis on Software
Charts Data Auditing

1st Computer More Developed Diverse Sampling Less Emphasis

based Monetary Dollar – Unit Options including on Sampling
Unit Sampling Sampling Stratified

Control Matrices Improved Control Expert Systems Neutral Networks

and Artificial
Intelligence
Matrices

TRADITIONAL AUDIT vs. CAATTs

Computer auditing is one aspect of internal auditing that enables internal auditors to extract
data from information systems and identify exceptions. Computer auditing differs from
traditional auditing. The traditional auditing method employs sample and manual to execute
audit work. Traditional audits require considerable human resources and time to execute.
Furthermore, because traditional audits do not retain the audit trail in an information system,
auditors cannot obtain sufficient and appropriate evidence to conduct comprehensive audit
activities and maintain audit quality.

Traditional auditing Computer auditing/ CAATTs

 Uses sampling to conduct  Obtains all available data to

audits conduct audits

 Adopts manual methods to  Automatically performs

perform audits audits

 Requires substantial time  Timely executes audits and

submits the audit analysis
results

 Incurs significant costs  Reduces internal audit costs

 Cannot retain audit trails in  Saves audit trails in

the Information system information system

 Repeat audit work must be  Audit programs can

conducted manually automatically repeat audit
work

Among computer auditing techniques, CAATTs are commonly employed to audit application
controls. CAATTs can integrate various system or database formats, and facilitate analysis to
achieve the audit objective. CAATTs can be applied to the accounts payable, accounts
receivable, anti-money laundering efforts, banking compliance, SOD, order-to-cash (OTC)
processes, etc. These applications include a number of general controls and all application
controls. CAATTs can also be used to write script for automated periodic audits and achieving
continuous auditing and continuous monitoring according to management objectives. The
analytic capabilities of CAATTs are data analysis, applied analytics, managed analytics,
continuous auditing, and continuous monitoring.

OBJECTIVES

1. To obtain sufficient knowledge about Computer-Assisted Audit Tools and Techniques

2. To identify the major primary Computer-Assisted Audit Tools and Techniques(CAATTs) types
and their usage

3. To identify the benefits and limitations of different types of CAATTs

4. To have knowledge of the Test Data Method Application in Auditing

Advantages of CAATTs

CAATs allow the auditor to:

 Independently access the data stored on a computer system without dependence on

the client;
 Test the reliability of client software, i.e. the IT application controls (the results of which
can then be used to assess control risk and design further audit procedures);
 Increase the accuracy of audit tests; and
  Perform audit tests more efficiently, which in the long-term will result in a more cost
effective audit.
 Examination of data is more rapid.
 It is the only practical method of examining large amount of data.
 Provides information to system staff on meeting of objectives.

Disadvantages of CAATTs

 CAATTs can be expensive and time consuming to set up, the software must either be
purchased or designed (in which case specialist IT staff will be needed);
 Client permission and cooperation may be difficult to obtain;
 Potential incompatibility with the client's computer system;
 The audit team may not have sufficient IT skills and knowledge to create the complex
data extracts and programming required;
 The audit team may not have the knowledge or training needed to understand the
results of the CAATTs; and
 Data may be corrupted or lost during the application of CAATTs

TYPES OF CAATTs

A. Test Data Method

The test data method is used to establish application integrity by processing specially prepared
sets of input data through production applications that are under review. The results of each
test are compared to predetermined expectations to obtain an objective assessment of
application logic and control effectiveness. To perform the test data technique, the auditor
must obtain a copy of the production version of the application. In addition, test transaction
files and test master files must be created. In addition, the auditor must review the updated
master files to determine that account balances have been correctly updated. The test results
are then compared with the auditor’s expected results to determine if the application is
functioning properly. This comparison may be performed manually or through special computer
software.
B. Base Case System Evaluation

Base case system evaluation (BCSE) is a variant of the test data approach. BCSE tests are
conducted with a set of test transactions containing all possible transaction types. These are
processed through repeated iterations during systems development testing until consistent and
valid results are obtained. These results are the base case. When subsequent changes to the
application occur during maintenance, their effects are evaluated by comparing current results
with base case results.

C. Tracing

Tracing performs an electronic walk-through of the application’s internal logic. The tracing
procedure involves three steps:

1. The application under review must undergo a special compilation to activate the trace
option.

2. Specific transactions or types of transactions are created as test data.

3. The test data transactions are traced through all processing stages of the program, and a
listing is produced of all programmed instructions that were executed during the test.

D. Integrated Test Facility

The integrated test facility (ITF) approach is an automated technique that enables the auditor
to test an application’s logic and controls during its normal operation. The ITF involves one or
more audit modules designed into the application during the systems development process. In
addition, ITF databases contain dummy or test master file records integrated among legitimate
records. Some firms create a dummy company to which test transactions are posted. During
normal operations, test transactions are merged into the input stream of regular (production)
transactions and are processed against the files of the dummy company.

E. Parallel simulation
Parallel Simulation involves creating a program that simulates key features or processes of the
application under review. The simulated application is then used to reprocess transactions that
the production application previously processed. The results obtained from the simulation are
reconciled with the results of the original production run to determine if application processes
and controls are functioning correctly. Parallel Simulation involves the auditor writing a
computer program that replicates some part of a client's application system, processes actual
client data through an auditor's generalized audit software program and compares the output
obtained with output obtained from the client .The method verifies processing of actual
transactions and allows the auditor to verify actual client results.

F. Embedded Audit Module

Embedded audit module (EAM) techniques use one or more programmed modules embedded
in a host application to select, for subsequent analysis, transactions that meet predetermined
conditions. As the host application processes the selected transaction, a copy of it is stored on
an audit file for subsequent review. The EAM approach allows material transactions to be
captured throughout the audit period. The auditor retrieves captured transactions at period-
end or at any time during the period, thus significantly reducing the amount of work the auditor
must do to identify significant transactions for substantive testing. To begin data capturing, the
auditor specifies to the EAM the parameters and materiality thresholdof the transactions set to
be captured. Although primarily a substantive testing technique, EAMs may also be used to
monitor application controls on an ongoing basis.

G. Generalized Audit Software

Generalized audit software (GAS) refers to software designed to use particular audit routines
and self-made functions to read, process and write data with the aid of functions. It is an
instrument for the application of computer aided auditing techniques. Generalized audit
software functions include the import of computerized data; other functions can be added
thereafter: data can be browsed, sorted, summarized, stratified, evaluated, sampled,
measured, transformed and other operations with, and made. GAS is the most widely used
CAATT for IT auditing. GAS allows auditors to access electronically coded data files and perform
various operations on their contents.

ADVANTAGES AND DISADVANTAGES OF EACH CAATTs

Types of CAAT’s Advantages Disadvantages

A. Test Data Method  They employ  Auditors rely on

through-the- the client’s IT
computer testing, personnel to
thus providing the obtain a copy of
auditor with the production
explicit evidence application
concerning under test. The
application audit risk here
functions. is that the IT
 If properly personnel may
planned, test data intentionally or
runs can be accidentally
employed with provide the
only minimal auditor with the
disruption to the wrong version of
organization’s
 operations. the application.
 They require only  Test Data
minimal computer Method produce
expertise on the a static picture
part of auditors. of application
integrity at a
single point in
time. They do
not provide a
convenient
means for
gathering
evidence of
ongoing
application
functionality.

 High cost of
implementation

B. Generalize Audit  Relatively easy to  The high cost of

Software learn and use. their
 Improved development.
efficiencies by  It provides a
automating limited ability to
manual verify
procedures programming
 Reduce risk by logic because its
testing entire application is
 populations usually directed
reducing reliance to testing client
on sampling. files or
 GAS can be applied databases
to wide variety of  It involves
clients with auditing after
minimal the client has
customization. processed the
This is a single data rather than
program that can while the data is
be applied to a being processes.
wide range of task
without having to
incur the cost or
inconvenience of
developing
individualized
programs.
 Provides
documentation of
each test
performed in the
software that can
be used as
documentation in
auditor's work
papers.
 Independent of the
system being
audited and needs
 a ready-only copy
of the file.

C. Integrated Test  Support  The potential of

Facility continuous corrupting data
monitoring of files with test
controls. data that may
 Economically end up in the
tested without financial
disrupting the reporting
user's operations process.
and without the
intervention of
computer services
personnel.
 Testing can be
unscheduled and
unknown to other
staff.
 It provides prima
facie evidence of
correct program
functions.

D. Parallel Simulation  The auditor can verify  Time consuming

the transactions.  Incompatibility

 The size of the sample between auditor and

can be greatly expanded client software

at relatively little  significant cost of

additional cost. audit programming if

 The auditor can written uniquely for

independently run the one client

 test
 To emphasize exception
helps auditor to focus
on items where there
are differences
 Enables the valuation of
effects of nonexistent
control procedures

E. Embedded Audit  Information about  the auditor

Module control violations experiences
and dollar errors extra overhead
is captured on a in using extra
continuous, real programs to
time basis. install into the
 Using EAMs the company's
audit organization software.
is not confined to  The auditor
sampling must note when
processes at the an unusual
traditional interim transaction
or year-end happens, which
periods. Since may be difficult
properly designed if not
EAMs should understanding
capture all the normal
transaction errors, types of
substantive business
testing at year end transactions.
should be virtually  The auditor also
eliminated when runs the risk of
compared to security issues if
 traditional unauthorized
sampling- users access the
approaches. software
 EAMs provide a program.
superior method
of ensuring that
material errors or
control violations
are trapped. Even
if EAMs are
operative only
intermittently,
sampling risk is
reduced, since the
auditor has
knowledge of all
errors in the
periods sampled.
 Since the audit
organization can
capture control
violations and
dollar errors at
will, this approach
would seemingly
reduce the extent
of compliance
testing compared
to approaches
where EAMs are
 not used.
 Where EAMs are
to be used only
intermittently,
their use provides
a “surprise” test
capability, since
the application
personnel should
not be aware that
the auditor has
activated the
EAMs.

F. Base Case System  It develops test  Time consuming

Evaluation data that purports
to test every
possible condition  Expensive to
that an auditor develop
expects a client's
software will
confront.
 Provides auditor
with much more
assurance that
test data alone.

G. Tracing  Usually fairly simple to  Confined to test of

operate control only
 Helps the auditor learn  It only confirms the
how the system operation of the
operates program at the time
 that it is tested

TEST DATA METHOD: AUDIT THROUGH THE COMPUTER

BRIEF DESCRIPTION

In auditing through a computer, the test data method is used by auditors to test the procedures
contained within the program (also referred to as programmed controls). It is a method used to
establish application integrity by processing specially prepared sets of input data through
production applications that are under review. Test data is created by auditors to run through
the client's system testing audit procedures therein.

Test Data involves the auditor submitting, "dummy" data into the client's system to ensure that
the system correctly processes it and it prevents or detects and corrects mistatements. The
objective of test data method is to test the operation of application controls within the system.

NOTES:
1. Best test data is not the client's data, but data created by the auditor and procedures run on
test data do not reflect the accuracy or validity of the client's data.

2. Test Data are inputs containing both valid and invalid data.

QUESTIONS ASKED IN TEST DATA:

1. Are control procedures functioning?

2. Is the computer application processing transactions correctly?

Illustration of Test Data Approach

 EXAMPLE OF TEST DATA METHOD

Scenario: An auditor will examine the Sales Order Processing Application of one of the
leading Musical Instrument Manufacturing Company in the Philippines.

Steps of Test Data Approach

1. The Auditor has a pre-determined expectation or already set an expected output before
testing the operation of application controls within the system. The system is expected to
accept valid transactions and reject those that are invalid like the sales over credit limit.

2. To perform the test data technique, the auditor must first obtain a copy of the client's
production version of the Sales Order Processing Application.
3. The Auditor must create test transaction files and test master files. The test data created
by the Auditor contains both valid and invalid data. The Auditor use the Account Receivable
Master File.

Test Transaction File

REC CUST CUSTOMER PART DESCRIPTION QNTY UNIT TOTAL

NUM NUM NAME NUM PRICE PRICE

1 175961 Cruz, Angela L- 165 Acoustic Guitar 1 3,500 3,500

2 175961 Courtney, J-209 Violin 1 2,100 2,100

Spencer

3 186810 Cabigas, Carl EA-456 Piano 1 3,900 3,900

4 187912 Santiago, FE-174 Ukulele 2 1,500 3,000

Dimple

5 188613 Reyes, Louise EN-201 Guitar Capo 10 130 1,295

6 191012 Villa, Y-443 Violin Bow 5 300 1,500

Beatrice

7 193124 Flores, Lucas U-143 Ukulele Bag 12 150 1,795

8 160148 Lucio, AK-378 Piano Lamps 3 250 750

Antonio

9 198657 De Guzman, M-123 Guitar Pick 15 30 450

Unica

10 201659 Victor, O-621 Flute 1 800 800

Tracey
 ORIGINAL TEST ACCOUNT RECEIVABLE MASTER FILE

CUST CUSTOMER CUSTOMER CREDIT LIMIT CURRENT

ADDRESS BALANCE
NUM NAME

175961 Cruz, Angela Block 123, San 10,000 5,000

Isidro,
Parañaque City

186810 Cabigas, Carl 103 Manggahan 11,000 2,100

St., Quezon City

191012 Villa, Beatrice Purok 12 12,000 3,000

Masagana,
Alabang,
Muntinlupa City

198657 De Guzman, Block 265, 13,000 7,000

Unica Camella Homes,
Muntinlupa City

201659 Victor, Tracey 573 St., San Jose 15,000 14,300

Village, Alabang,
Muntinlupa City

3. Test transactions may enter the system from magnetic tape, disk, or via an input terminal.

4. The auditor must review the updated master files to determine that account balances have
been correctly updated. The following tables show the listing of the updated accounts
receivable master file.
 ORIGINAL TEST ACCOUNT RECEIVABLE MASTER FILE

CUST CUSTOMER CUSTOMER CREDIT LIMIT CURRENT

ADDRESS BALANCE
NUM NAME

175961 Cruz, Angela Block 123, San 10,000 5,000

Isidro,
Parañaque City

186810 Cabigas, Carl 103 Manggahan 11,000 2,100

St., Quezon City

191012 Villa, Beatrice Purok 12 12,000 3,000

Masagana,
Alabang,
Muntinlupa City

198657 De Guzman, Block 265, 13,000 7,000

Unica Camella Homes,
Muntinlupa City

201659 Victor, Tracey 573 St., San Jose 15,000 14,300

Village, Alabang,
Muntinlupa City

UPDATED TEST ACCOUNT RECEIVABLE MASTER FILE

CUST CUSTOMER CUSTOMER CREDIT LIMIT CURRENT

ADDRESS BALANCE
NUM NAME

175961 Cruz, Angela Block 123, San 10,000 8,500

Isidro,
 Parañaque City

186810 Cabigas, Carl 103 Manggahan 11,000 6,000

St., Quezon City

191012 Villa, Beatrice Purok 12 12,000 4,500

Masagana,
Alabang,
Muntinlupa City

198657 De Guzman, Block 265, 13,000 7,450

Unica Camella Homes,
Muntinlupa City

201659 Victor, Tracey 573 St., San Jose 15,000 14,300

Village, Alabang,
Muntinlupa City

5. Results from the test run will be in the form of routine output reports, transaction listings,
and error reports. The table shows an error report of rejected transactions.

ERROR REPORT

REC CUST CUSTOMER PART DESCRIPTION QNTY UNIT TOTAL EXPLANATION

OF ERROR
NUM NUM NAME NUM PRICE PRICE

2 175961 Courtney, J-209 Violin 1 2,100 2,100 Customer Name

Spencer does not
correspond to
X customer #
175961

4 187912 Santiago, FE-174 Ukulele 2 1,500 3,000 Check digit error

Dimple in CUST # Field
X
 5 188613 Reyes, Louise EN- Guitar Capo 10 130 1,295 Price Extension
201 Error
X

7 193124 Flores, Lucas U-143 Ukulele Bag 12 150 1,795 Price Extension
Error
X

8 160148 Lucio, AK- Piano Lamps 3 250 750 Record out of

Antonio 378 Sequence
X

10 201659 Victor, Tracey O-621 Flute 1 800 800 Credit Limit

Error
X X

6. The test results are then compared with the auditor’s expected results to determine if the
application is functioning properly and to assess the effectiveness of the application
program's automated controls. This comparison may be performed manually or through
special computer software.

7. Any deviations between the actual results and those the auditor expects may indicate a
logic or control problem.

REFERENCES

https://kfknowledgebank.kaplan.co.uk/audit-and-assurance/audit-evidence/computer-
assisted-audit-technique

https://www.accaglobal.com/in/en/student/exam-support-resources/fundamentals-exams-
study-resources/f8/technical-articles/auditing-computer-environment.html

https://www.slideshare.net/mobile/kzoe1996/test-data-approach
https://www.ispartnersllc.com/blog/five-types-testing-methods-used-audits/

https://youtube.com/watch?v=dYCW9UKBCs8&feature=share

https:// /mobile/kzoe1996/parallel-simulation

https://www.slideshare.net/kzoe1996/integrated-test-facility

http://www.ef.uns.ac.rs/mis/archive-pdf/2009%20-%20No1/MIS2009_1_2.pdf

https://www.hkicpa.org.hk/professionaltechnical/pronouncements/handbook/volume3b/pn
1009.htm

https://www.google.com/url?
sa=t&source=web&rct=j&url=http://droidcode11.blogspot.com/2013/03/traditional-
auditing-vs-caats-computer.html%3Fm%3D1&ved=2ahUKEwjdr-
CZosHuAhV0KqYKHSQKARMQFjACegQIDhAB&usg=AOvVaw06Pmpmw9SAfv9y7kLIMWlw&cs
hid=1611927643774

https://www.google.com/url?
sa=t&source=web&rct=j&url=https://nscpolteksby.ac.id/ebook/files/Ebook/Accounting/Inter
nal%2520Audit%2520(2009)/4.%2520Chapter%25201%2520-%2520CAATTs
%2520History.pdf&ved=2ahUKEwjf3YGDosHuAhUUhZQKHYwJDEUQFjAAegQIARAB&usg=AO
vVaw3TvNBbGyqG7oVLw_mHSOSB

Resource: Chan and Vasarhelji (2011)

https://www.accountingtools.com/articles/2017/5/6/embedded-audit-module

https://en.m.wikipedia.org/wiki/Integrated_test_facility