IT Audit Basics
Using CAATs to Support IS Audit
S. Anantha Sayana, CISA, CIA
S. Anantha Sayana, CISA, CIA, is deputy general manager of corporate IT with Larsen & Toubro Limited, Mumbai, India. Anantha has more than 13 years of experience in IS audit and internal audit in banking, manufacturing and service industries spanning a wide variety of applications and technical platforms. He is a past president of the ISACA Mumbai Chapter. He can be contacted by e-mail at email@example.com.

CAAT refers to computer-assisted audit technique. The term implies that an auditor's use of a computer-assisted technique is something special, as if the techniques an auditor normally uses were not computer assisted. Today, in most large and medium-sized enterprises, there are few business processes that are not driven by computers. The business does not refer to them as computer-assisted business processing. The use of computers and information technology for doing business is taken for granted, so why should auditors talk about something special called CAAT? Performing audits without using information technology is hardly an option. When all the information needed for an audit is on computer systems, how can one carry out an audit without using the computer? While the audit world will likely grow out of using this terminology, for the purpose of this article the term CAAT refers to software the auditor uses to perform audits and to achieve the goals of auditing.

CAATs can be classified into four broad categories:
• Data analysis software
• Network security evaluation software/utilities
• OS and DBMS security evaluation software/utilities
• Software and code testing tools

Need for Audit Software
Going back to the very basics, the IS audit methodology starts with risk analysis, which translates into, "What can go wrong?" The next step is to evaluate the controls associated with the situation that mitigate those risks, or, "What controls it?" The evaluation of controls covers not only the design of the controls, but also their actual operation and compliance. Most observations, interviews, scrutiny and compliance testing are performed to determine whether controls exist, are designed well, are understood, operate effectively and are being complied with by the operating personnel. At the end of this phase the IS auditor could have observations that some controls exist and are operating satisfactorily and that some controls are nonexistent, badly designed or not in compliance.

The following is an example of an IS auditor performing a payroll review. While doing an application review, the IS auditor observed that many of the required validations relating to salary ranges and admissible allowances and perks were not built into the application software and concluded that it was possible to process values that did not meet the rules. When performing compliance testing, the auditor also observed that the modification logs and exception reports were not being checked regularly by the payroll officer. The application had been in use at the organization for more than two years. While the observations were noted and corrective action was immediately taken to modify the software to include the validations, management's concerns were, "Have any errors or fraud really taken place? Have we lost any money? Have we erred in any payroll-related tax compliances?" The IS auditor's job is not really complete until these questions are answered. The IS auditor's job is not only to raise concerns and alarms but also to recommend corrective action and provide concrete assurances and

Data Analysis Software
...cal analysis and calculations. This software also can perform operations after combining and joining files and tables. The list of features grows with each version of this software, and a recently added feature is Benford analysis.
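The payroll case above is the typical use of the first category, data analysis software: join the payroll run to the employee master, re-perform the validations the application never enforced, put a figure on what slipped through, and run a Benford first-digit test over the amounts. The following Python script is an added example written for this page; it is not code from the article or from any of the audit tools it names. The grade rules, employee master and payroll lines are constructed sample data, and the function names are the example's own.

```python
"""Data-analysis CAAT for the payroll case: re-perform the missing
validations over the payroll data and quantify the exceptions.

All data below is constructed for the example; the grade rules are a
hypothetical policy, not figures from the article.
"""
import math
from collections import Counter

# Hypothetical policy: admissible basic-salary range and maximum allowance
# per grade (assumed values).
GRADE_RULES = {
    "G1": {"min": 10000, "max": 20000, "max_allowance": 2000},
    "G2": {"min": 20000, "max": 40000, "max_allowance": 5000},
    "G3": {"min": 40000, "max": 80000, "max_allowance": 12000},
}

# Constructed employee master: employee id -> grade.
EMPLOYEE_MASTER = {
    "E001": "G1", "E002": "G1", "E003": "G2", "E004": "G2", "E005": "G3",
}

# Constructed payroll run: (employee id, basic salary, allowance).
PAYROLL_RUN = [
    ("E001", 15000, 1500),
    ("E002", 25000, 1800),   # basic above the G1 maximum
    ("E003", 30000, 7000),   # allowance above the G2 maximum
    ("E004", 35000, 4000),
    ("E005", 60000, 10000),
    ("E999", 50000, 3000),   # no record in the employee master
]


def join_payroll_to_master(payroll, master):
    """Left-join payroll lines to the master. Unmatched lines are kept,
    with grade None, so payments to ids that are not on the master are
    surfaced rather than silently dropped."""
    return [
        {"emp_id": emp_id, "grade": master.get(emp_id),
         "basic": basic, "allowance": allowance}
        for emp_id, basic, allowance in payroll
    ]


def find_exceptions(payroll, master, rules):
    """Re-perform the validations the application should have enforced.

    Returns a list of (emp_id, reason, amount) where amount is the sum
    paid above the admissible limit, or the whole payment when the id
    is not on the master.
    """
    exceptions = []
    for row in join_payroll_to_master(payroll, master):
        rule = rules.get(row["grade"])
        if rule is None:
            exceptions.append((row["emp_id"], "not in employee master",
                               row["basic"] + row["allowance"]))
            continue
        if row["basic"] < rule["min"] or row["basic"] > rule["max"]:
            excess = max(row["basic"] - rule["max"], 0)
            exceptions.append((row["emp_id"],
                               f"basic {row['basic']} outside {row['grade']} range",
                               excess))
        if row["allowance"] > rule["max_allowance"]:
            exceptions.append((row["emp_id"],
                               f"allowance {row['allowance']} exceeds {row['grade']} maximum",
                               row["allowance"] - rule["max_allowance"]))
    return exceptions


def total_at_risk(exceptions):
    """Answer management's 'Have we lost any money?' with a figure."""
    return sum(amount for _, _, amount in exceptions)


def benford_first_digit(values):
    """Observed vs. expected first-digit counts under Benford's law.

    Returns {digit: (observed, expected)}. Meaningful only on large
    populations (thousands of amounts); the six-line sample here just
    exercises the computation.
    """
    digits = [int(str(abs(v)).lstrip("0.")[0]) for v in values if v]
    counts = Counter(digits)
    n = len(digits)
    return {d: (counts.get(d, 0), n * math.log10(1 + 1 / d))
            for d in range(1, 10)}


if __name__ == "__main__":
    excs = find_exceptions(PAYROLL_RUN, EMPLOYEE_MASTER, GRADE_RULES)
    for emp_id, reason, amount in excs:
        print(f"{emp_id}: {reason} (amount {amount})")
    print("total at risk:", total_at_risk(excs))
    for d, (obs, exp) in benford_first_digit([b for _, b, _ in PAYROLL_RUN]).items():
        print(f"digit {d}: observed {obs}, expected {exp:.2f}")
```

In practice the payroll run and the master would be extracted from the application's tables for the whole two-year period rather than typed in, and the exception list and total would go straight into the audit working papers as the substantive evidence behind the answer to management. The Benford test is only a pointer to populations worth a closer look; it says nothing about an individual line.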