Computer Assisted Audit Techniques Readers' rating: 4 out of 5 By John Yu, CDP, FCGA As I previously reported, in March 2000, the International Audit Practice Committee (IAPC) of IFAC released an exposure draft on four topics which form a supplement to ISA (International Standard on Auditing) 401 "Auditing in a Computer Information Systems Environment (CIS)." The four topics are: CIS Environments – Stand-Alone Microcomputers CIS Environments – On-Line Computer Systems CIS Environments – Database Systems Computer Assisted Audit Techniques Author’s note: Although this set of exposure drafts was published in March with comments due by July 31, 2000, a final version of these practice statements has not yet appeared on the IFAC Web site as of early November 2000. To review the first three articles on the exposure draft, see "Auditing Standalone Microcomputers", "Auditing Online Computer Systems", and "Auditing Database Systems." In this article, you’ll learn about the last topic, CAATs. According to the exposure draft, the purpose of the statement on CAATs "…is to provide guidance in the use of Computer Assisted Audit Techniques (CAATs), which are techniques that use the computer as an audit tool." The exposure draft "applies to all uses of CAATs involving a computer of any type or size." As with the other three topics, this segment of the exposure draft reads like a tutorial on CAATs, devoting a substantial amount of space describing the basics. Description of CAATs Paragraph 5 provides examples of where CAATs may be applied when performing various auditing procedures. These include the traditional data analysis procedures, as well as the use of any computer means in any aspect of an audit. To illustrate, one of the examples cited is the "creation of electronic working papers by downloading the general ledger for audit testing." The "use of expert systems in the design of audit programs and in audit planning and risk assessment" is also considered a form of CAAT. However, in light of the importance of e-commerce in this day and age, at least one e-commerce example should have been included in the list. Paragraph 6 lists various CAAT tools, but these two paragraphs (this one and the preceding one) are poorly organized. The list in Paragraph 6 consists of various types of computer programs that can be used in CAATs (package programs, purpose-written programs, utility programs, and systems management programs). The rest of the list consists of descriptions of various test data techniques. This disjointed presentation is confusing. It is better to organize the material on test data techniques into its own paragraph. Paragraph 7 describes "evolving techniques that emanate from using the power and sophistication of microcomputers, particularly laptop computers…," then goes onto provide examples that do not specifically apply to microcomputers and laptop computers. One of the techniques attributed to the power and sophistication of microcomputers is "expert systems, which can design specific tests for use by the auditor." You might well question the validity of this statement. In any case, the narrow distinction made between "microcomputers" and "laptop computers" in this paragraph is an obsolete view of the computing world. In the client-server model and the Application Service Provider (ASP) model, there is no need to make the distinction between the workstation and the server, both forming an integral computing unit to the user. Manual tests Paragraph 12 focuses on the impracticality of manual tests where there is lack of hard copy evidence. This paragraph takes a negative approach and describes conditions under which manual tests cannot be carried out, implying that there is no other choice but to use CAATs. This reflects old school thinking, in which examining hard copy audit evidence is still considered the primary auditing method. Increasingly, as organizations embrace the Internet as a means of conducting their business externally and internally, there will be no hard copies. CAATs should be used by all auditors as a standard approach to auditing. Using CAATs Paragraphs 18 to 26 describe various steps required to use CAATs in a mainframe environment despite earlier statements in the exposure draft describing CAATs as the use of any computing means in carrying out an audit. Therefore, this narrow focus on mainframe environments where CAAT programs are run against the auditee’s data files is inadequate when providing a full and accurate description of how CAATs should be used. Several references are made to the need for the cooperation of the auditee’s IT staff, stating the obvious. But the exposure draft provides no guidance on how to proceed if cooperation is not forthcoming. Paragraph 21 states that the "presence of the auditor is not necessarily required at the computer facility during the running of a CAAT to ensure appropriate control procedures." This statement is puzzling. If the auditor relies on the auditee’s staff to run CAAT procedures, what is there to prevent manipulation or distortion of the results? Using CAATs in small business computer environments Paragraph 27 deals with the use of CAATs in a small computer environment. This paragraph, as it currently stands, provides little guidance on what constitutes a "small computer environment." Another example of incomplete guidance is "in cases where smaller volumes of data are processed, manual methods may be more cost-effective." There is no direction on what constitutes "smaller volumes of data" such that manual methods may be better. Furthermore, the points raised in this paragraph again reveal antiquated thinking. To illustrate, one of the points raised states "certain audit package programs may not operate on small computers, thus restricting the auditor’s choice of CAATs." There are a number of powerful CAAT tools that can work with virtually any type of data files from computers of any size. ACL is an example of such a tool. Using CAATs in e-commerce environments The exposure draft is silent on this very important area. More guidance should be provided. Some of the audit techniques developed in the AICPA WebTrust program could be incorporated. Dated approach Of the four topics in the IAPC exposure draft on the supplement to ISA (International Standard on Auditing) 401 "Auditing in a Computer Information Systems Environment (CIS)," the material on CAATs is the most dated and requires a more innovative approach.