CAATTs for Data Extraction and Analysis Chapter 7 CAATTs • See CAATT from Wikipedia in relevant links • Auditors make extensive use of CAATTs in gathering accounting data for testing application controls and in performing substantive tests. • This chapter discusses data extraction tools that are used to analyze the data processed by an application rather than the application itself. • By analyzing data retrieved from computer files, the auditor can make inferences about the presence and functionality of controls in the application that processed the data. Data Extraction Software • An important use of such software is in performing substantive tests. • Most audit testing occurs in the substantive-testing phase of the audit. • These procedures are called substantive tests because they are used to substantiate dollar amounts in account balances. Substantive tests • Include, but are not limited to, the following: – Determining the correct value of inventory – Determining the accuracy of prepayments and accruals – Confirming accounts receivable with customers – Searching for unrecorded liabilities Substantive tests (Cont) • In an IT environment, the records needed to perform such tests are stored in computer files and databases. • Before substantive tests can be performed, the data need to be extracted from the host system and presented to the auditor in a usable format. Data Extraction Software • Two types: – embedded audit modules (EAM) – general audit software (GAS) Embedded Audit Module • The objective of EAM is to identify important transactions while they are being processed and extract copies of them in real-time. • An EAM is a specially programmed module embedded in a host application to capture predetermined transaction types for subsequent analysis. See Figure 7-20. Embedded Audit Module (Cont) • As the selected transaction is being processed by the host application, a copy of the transaction is stored in an audit file for subsequent review. • The EAM approach allows selected transactions to be captured throughout the audit period, or at any time during the period, thus significantly reducing the amount of work the auditor must do to identify significant transactions for substantive testing. Embedded Audit Module (Cont) • To begin data capturing, the auditor specifies to the EAM the parameters and materiality threshold of the transactions set to be captured. • For example, let’s assume that the auditor establishes a $50,000 materiality threshold for transactions processed by a sales order processing system. • Transactions equal to or greater than $50,000 will be copied to the audit file. • From this set of transactions, the auditor may select a subset to be used for substantive tests. Risks in using EAM • Operational efficiency: EAM may decrease operational performance because executing EAM incurs extra system overhead. • Verifying EAM integrity: When application logic is modified, corresponding EAM logic may also need to be changed. Generalized Audit Software (GAS) • Most widely used CAATT for IS auditing. • GAS allows auditors to access electronic coded data files and perform various operations on their contents. • Some of the more common uses for GAS are shown in page 274…. GAS is popular • GAS languages are easy to use and require little computer background on the part of the auditor. • Many GAS products can be used on both mainframe and PC. • Auditors can perform their tests independent of the computer service’s staff. • GAS can be used to audit the data stored in most file structures and formats. Using GAS to access complex structures • See Figures 7-22, 7-23, 7-24 ACL software • Designed as a meta-language for auditors to access most data stored by electronic means and test them comprehensively • Many of the problems associated with accessing complex data structures have been solved by ACL’s Open Data Base Connectivity (ODBC) interface. • Definition of ODBC ODBC Illustration ODBC-compliant DBMS MS SQL Application Program Driver SQL commands Driver Oracle Driver DB 2