Computer Assisted Audit Techniques

advertisement
Computer Assisted Audit Techniques
Readers' rating: 4 out of 5
By John Yu, CDP, FCGA
As I previously reported, in March 2000, the International Audit Practice Committee
(IAPC) of IFAC released an exposure draft on four topics which form a supplement to
ISA (International Standard on Auditing) 401 "Auditing in a Computer Information
Systems Environment (CIS)." The four topics are:




CIS Environments – Stand-Alone Microcomputers
CIS Environments – On-Line Computer Systems
CIS Environments – Database Systems
Computer Assisted Audit Techniques
Author’s note: Although this set of exposure drafts was published in March with comments due by July
31, 2000, a final version of these practice statements has not yet appeared on the IFAC Web site as of
early November 2000.
To review the first three articles on the exposure draft, see "Auditing Standalone Microcomputers",
"Auditing Online Computer Systems", and "Auditing Database Systems." In this article, you’ll learn about
the last topic, CAATs.
According to the exposure draft, the purpose of the statement on CAATs "…is to provide guidance in the
use of Computer Assisted Audit Techniques (CAATs), which are techniques that use the computer as an
audit tool." The exposure draft "applies to all uses of CAATs involving a computer of any type or size."
As with the other three topics, this segment of the exposure draft reads like a tutorial on CAATs, devoting
a substantial amount of space describing the basics.
Description of CAATs
Paragraph 5 provides examples of where CAATs may be applied when performing various auditing
procedures. These include the traditional data analysis procedures, as well as the use of any computer
means in any aspect of an audit. To illustrate, one of the examples cited is the "creation of electronic
working papers by downloading the general ledger for audit testing." The "use of expert systems in the
design of audit programs and in audit planning and risk assessment" is also considered a form of CAAT.
However, in light of the importance of e-commerce in this day and age, at least one e-commerce example
should have been included in the list.
Paragraph 6 lists various CAAT tools, but these two paragraphs (this one and the preceding one) are
poorly organized. The list in Paragraph 6 consists of various types of computer programs that can be
used in CAATs (package programs, purpose-written programs, utility programs, and systems
management programs). The rest of the list consists of descriptions of various test data techniques. This
disjointed presentation is confusing. It is better to organize the material on test data techniques into its
own paragraph.
Paragraph 7 describes "evolving techniques that emanate from using the power and sophistication of
microcomputers, particularly laptop computers…," then goes onto provide examples that do not
specifically apply to microcomputers and laptop computers. One of the techniques attributed to the power
and sophistication of microcomputers is "expert systems, which can design specific tests for use by the
auditor." You might well question the validity of this statement. In any case, the narrow distinction made
between "microcomputers" and "laptop computers" in this paragraph is an obsolete view of the computing
world. In the client-server model and the Application Service Provider (ASP) model, there is no need to
make the distinction between the workstation and the server, both forming an integral computing unit to
the user.
Manual tests
Paragraph 12 focuses on the impracticality of manual tests where there is lack of hard copy evidence.
This paragraph takes a negative approach and describes conditions under which manual tests cannot be
carried out, implying that there is no other choice but to use CAATs. This reflects old school thinking, in
which examining hard copy audit evidence is still considered the primary auditing method. Increasingly,
as organizations embrace the Internet as a means of conducting their business externally and internally,
there will be no hard copies. CAATs should be used by all auditors as a standard approach to auditing.
Using CAATs
Paragraphs 18 to 26 describe various steps required to use CAATs in a mainframe environment despite
earlier statements in the exposure draft describing CAATs as the use of any computing means in carrying
out an audit. Therefore, this narrow focus on mainframe environments where CAAT programs are run
against the auditee’s data files is inadequate when providing a full and accurate description of how
CAATs should be used.
Several references are made to the need for the cooperation of the auditee’s IT staff, stating the obvious.
But the exposure draft provides no guidance on how to proceed if cooperation is not forthcoming.
Paragraph 21 states that the "presence of the auditor is not necessarily required at the computer facility
during the running of a CAAT to ensure appropriate control procedures." This statement is puzzling. If the
auditor relies on the auditee’s staff to run CAAT procedures, what is there to prevent manipulation or
distortion of the results?
Using CAATs in small business computer environments
Paragraph 27 deals with the use of CAATs in a small computer environment. This paragraph, as it
currently stands, provides little guidance on what constitutes a "small computer environment." Another
example of incomplete guidance is "in cases where smaller volumes of data are processed, manual
methods may be more cost-effective." There is no direction on what constitutes "smaller volumes of data"
such that manual methods may be better.
Furthermore, the points raised in this paragraph again reveal antiquated thinking. To illustrate, one of the
points raised states "certain audit package programs may not operate on small computers, thus restricting
the auditor’s choice of CAATs." There are a number of powerful CAAT tools that can work with virtually
any type of data files from computers of any size. ACL is an example of such a tool.
Using CAATs in e-commerce environments
The exposure draft is silent on this very important area. More guidance should be provided. Some of the
audit techniques developed in the AICPA WebTrust program could be incorporated.
Dated approach
Of the four topics in the IAPC exposure draft on the supplement to ISA (International Standard on
Auditing) 401 "Auditing in a Computer Information Systems Environment (CIS)," the material on CAATs is
the most dated and requires a more innovative approach.
Download