S. Anantha Sayana, CISA, CIA
Volume 1, 2003

CAAT refers to computer-assisted audit technique. This implies that an auditor's use of a computer-assisted audit technique is something special; normally the techniques used by an auditor are not computer assisted. Today, in most large and medium-sized enterprises, there are few business processes that are not driven by computers. The business does not refer to them as computer-assisted business processing. The use of computers and information technology for doing business is taken for granted, so why should auditors talk about something special called CAAT?
Performing audits without using information technology is hardly an option. When all the information needed for doing an audit is on computer systems, how can one carry out an audit without using the computer? While the audit world will likely grow out of using this terminology, for the purpose of this article, the term CAAT refers to the use of certain software that can be used by the auditor to perform audits and to achieve the goals of auditing. CAATs can be classified into four broad categories:
▪ Data analysis software
▪ Network security evaluation software/utilities
▪ OS and DBMS security evaluation software/utilities
▪ Software and code testing tools
Data Analysis Software
Data analysis software is the most popular of the four and is loosely referred to as audit software. The generic products available under this segment are termed general purpose audit software, also known in some parts as GAS or generalized audit software. This software has the ability to extract data from commonly used file formats and the tables of most database systems. Thus, these systems can be used during the audits of almost any application on any technology platform. The audit software can perform a variety of queries and other analyses on the data. Some of the features are: data queries, data stratification, sample extractions, missing sequence identification, statistical analysis and calculations. This software also can perform operations after combining and joining files and tables. The list of features grows with each version of this software, and a recently added feature is Benford analysis.
Need for Audit Software
Going back to the very basics, the IS audit methodology starts with risk analysis, which translates into, "What can go wrong?" The next step is to evaluate controls associated with the situation to mitigate risks, or, "What controls it?" The evaluation of controls goes into not only the design of the controls, but also their actual operation and compliance. Most observations, interviews, scrutiny and compliance testing are to determine whether controls exist, are designed well, are understood, operate effectively and are being complied with by the operating personnel. At the end of this phase the IS auditor could have observations about some controls that exist and are operating satisfactorily or some controls that are nonexistent, badly designed or not in compliance.
The following is an example of an IS auditor performing a payroll review. While doing an application review, the IS auditor observed that many of the required validations relating to the salary ranges and admissible allowances and perks were not built into the application software and concluded that it was possible to process values that did not meet the rules. When performing compliance testing, the auditor also observed that the modification logs and exception reports were not being checked regularly by the payroll officer. The application was in use at the organization for more than two years. While the observations were noted and corrective action was immediately taken on modifications to the software to include the validations, management's concerns were, "Have any errors or fraud really taken place? Have we lost any money? Have we erred in any payroll-related tax compliances?"
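The kind of test that audit software runs over the historical payroll data to answer those questions can be sketched as follows. This is an added example, not code from the article or from any audit product; the salary bands, allowance rules, field names and records are all constructed assumptions. It re-applies the validations the application lacked and also shows two of the features listed earlier, missing sequence identification and data stratification.

```python
# Constructed rules and records; field names and values are assumptions, not from the article.
SALARY_BANDS = {"G1": (2000, 3500), "G2": (3000, 5000)}  # grade -> (min, max) basic pay
ADMISSIBLE = {"G1": {"transport"}, "G2": {"transport", "housing"}}  # grade -> allowed allowances
PAYROLL = [
    {"voucher": 1001, "grade": "G1", "basic": 2500, "allowances": {"transport": 100}},
    {"voucher": 1002, "grade": "G2", "basic": 5600, "allowances": {"housing": 400}},
    {"voucher": 1003, "grade": "G1", "basic": 3000, "allowances": {"housing": 400}},
    {"voucher": 1005, "grade": "G3", "basic": 4000, "allowances": {}},
    {"voucher": 1006, "grade": "G1", "basic": 2500, "allowances": {"transport": 100}},
]

def rule_exceptions(records):
    """Re-apply the missing validations; return (voucher, reason) pairs."""
    found = []
    for r in records:
        band = SALARY_BANDS.get(r["grade"])
        if band is None:  # grade not in the rule table: cannot be validated, so report it
            found.append((r["voucher"], "unknown grade " + r["grade"]))
            continue
        low, high = band
        if not low <= r["basic"] <= high:
            found.append((r["voucher"], f"basic {r['basic']} outside {low}-{high}"))
        for name in sorted(set(r["allowances"]) - ADMISSIBLE[r["grade"]]):
            found.append((r["voucher"], f"inadmissible allowance {name}"))
    return found

def missing_vouchers(records):
    """Missing sequence identification: voucher numbers absent from the run."""
    seen = {r["voucher"] for r in records}
    if not seen:
        return []
    return sorted(set(range(min(seen), max(seen) + 1)) - seen)

def stratify(records, width=1000):
    """Data stratification: band start -> (record count, total basic pay)."""
    strata = {}
    for r in records:
        start = r["basic"] // width * width
        count, total = strata.get(start, (0, 0))
        strata[start] = (count + 1, total + r["basic"])
    return dict(sorted(strata.items()))

if __name__ == "__main__":
    for voucher, reason in rule_exceptions(PAYROLL):
        print(f"exception voucher {voucher}: {reason}")
    print("missing vouchers:", missing_vouchers(PAYROLL))
    print("strata:", stratify(PAYROLL))
```

Each exception is a lead for follow-up against source documents rather than proof of error or fraud; the voucher gap in particular needs an explanation from the payroll records.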
The IS auditor's job is...