How do auditors use computers in performing audit?

CHAPTER 13

COMPUTER ASSISTED AUDIT TECHNIQUES (CAATS)

Topic list

1. Effects of Client’s Computerised Accounting Systems
2. Effects of computers on audit work
3. Internal controls in computerised environment
4. Computer Assisted Audit Techniques (CAATs)

Learning outcomes

By the end of this chapter, you should be able to:

• Describe the effects of using computers in accounting
• State how computers can be used in audit
• Distinguish between ‘auditing around the computer’ and ‘auditing through the computer’
• Design and carry out appropriate tests in clients’ computerized systems, including use of computer assisted audit techniques (CAATs)  Explain the advantages and disadvantages of CAATs

Introduction

Most audit clients would be using computers to process accounting transactions, and for financial reports production.  In this chapter we look at how the client’s computerized systems impacts their operations.  These computerized systems present unique controls as compared to manual accounting system; hence we later look at controls in a computerized accounting environment.

When a client uses computers to process accounting transactions it is an opportunity for auditors to know how these computers can be used in the audit of a set of historical financial statements.  Advancement in technology has enabled the development of computer assisted audit techniques (CAATs), which auditors are using now for example in testing controls e to audit are also covered in this chapter.  Concepts like ‘auditing in the computer’ and ‘auditing around the computer’ are highlighted while advantages and disadvantages of CAATs are provided.

1        Effects of computerization of the client entity’s systems and processes;

• Computers are able to process large volumes of work at much faster speed than manual systems.
• They are also likely to have less processing errors or more accurate, except errors that occur in input data
• Large volumes of information are stored in the computer memory, greatly reducing office paperwork, except where printouts are necessary. However reduced paperwork leads to easy loss of audit trail.  An audit trail is a step by step detail of the various stages of processing transactions go through, between their initiations to their final recording or backward from the final records back to their initiation.

Features of computerised accounting systems

A computerised accounting system has unique features as compared to manual accounting system.

• There is concentration of controls in the computer department.
• There is generally lack of primary records.
• Encoded data exists.
• There is loss of audit trail.
• Data needed for audit purposes may be overwritten.
• Program controls may be important to ensure the completeness and accuracy of accounts records.
• They require specialist expertise.
• Availability of computer time. Use of CAATs involves the use of the client’s computer facilities.

2             Effect of computers on the work of auditor

The client may use a computer to produce all or part of the financial accounting data.  The auditor may be able to use a computer to assist in his audit, particularly, when the client has a computer system.  When the auditors note that the client system on which they are to audit are computerized the auditors should:

• Consider whether they are generally competent to complete the assignment successfully as required by the competence, due skill and care ethical requirement. If not they should consider withdrawal.
• Assign proficient and experienced staff in auditing computerized environment.

2.1          Uses of computers in managing an audit engagement

Computers affect the work of the auditor in two ways.  The client may use a computer to produce all or part of the financial accounting data.  Secondly the auditor may be able to use a computer to assist in his audit, particularly, when the client has a computer system.

Auditors can use computers in the following ways

(a) Flowcharting client’s systems.

• Evaluation of audit risk – a computer can record assessments of audit risk in a word processing package and may give guidance to the level of testing required via an expert systems shell.
• Preparation of audit programmes.
• Analytical procedure.
• Preparation of audit working paper. All this can be done using commercially available packages or specialist programs written in-house.
• As automated working papers
• Auditors can use software packages to perform audit functions such as analytical procedures, or drawing statistical samples on which to perform their audit tests
• Computers can also be used by auditors as a decision support system, for example, through automation of checklists, materiality estimations etc.
• Computer Assisted Audit Techniques (CAATs)

Auditors should also properly plan and determine the best or suitable approach to their computerized clients by considering ‘auditing around the computer’ and ‘auditing through the computer’.

2.1.1     Audit around the Computer 

This audit approach assumes that auditors could fulfill their function without having any detailed knowledge of what is happening inside computers. Audit tests concentrate on inputs and their corresponding outputs, ignoring the processing procedures within computer programs.   This can be a suitable approach where there is less risk of misstatements or where auditors have limited knowledge of programs and are satisfied that they can still obtain sufficient and reliable evidence from these sources only.

2.1.2     Audit through the Computer

This involves an examination of the detailed processing routines of the computers to determine whether they are adequate and reliable in processing of date. Typically, auditors use computer assisted audit techniques (CAATs), discussed below, to achieve this task.

• Internal controls in computerised accounting system

There are two classifications general controls and application controls.

3.1        General controls

These controls cover the general environment within which application controls operate.  Such controls can be expected to be relevant to all applications.

The objective of such controls is to ensure the integrity of application development and implementation and to ensure that computer operations are properly administered to protect hardware, programs and data files.

208 

The Auditing Guideline envisages controls in the following areas and the control objectives for each area:

(a)        Controls over systems development (application development)

To ensure developments are fully authorised.

To ensure proper standards are followed during development.

To ensure changes are properly tested and documented.

• Controls to prevent/detect errors during program execution
• To ensure any errors arising are noted and resolved.
• Controls to prevent/detect changes to data files
• To ensure changes are authorised.

To ensure changes are made accurately.

(d)       Controls to ensure continuity of operations

• To ensure the system can continue to function in the event of disaster or breakdown.

3.1.1    Control techniques for general controls

• Back up procedures

Prior authorisation

• Standby arrangements

Password protection

• Testing back up

Back up files                          procedures

Record of amendments  Protecting against fire for subsequent checking and

theft

Physical protection of

files                                         Maintenance agreements

• Insurance

Several Copies

Application controls

They cover the transaction and master files which are specific to an individual application. they consist of both manually – performed and computer-performed controls.

Their objective is to ensure the completeness and accuracy of all processing and the validity of the accounting entries made.

They fall under the following six main headings and the control objectives for each are:

(1)        Completeness of input

• To ensure that a document is raised for every transaction.
• To ensure that each document is input in timely fashion.

(2)        Accuracy of input

To identify the accuracy of data fields on input transactions.

(3)        Authorisation of input

• To ensure that each transaction is authorised.
• To ensure that the individual who authorised the transaction was empowered to do so.

(4)          Controls over processing (updating)

• To ensure that all input date is processed.
• To ensure that the correct version of master files and standing data files are used.
• To ensure that the processing of each transaction is accurate to produce accurately updated master files.

(5)          Control over output

• To ensure that output is checked for completeness and accuracy.
• To ensure that output is properly distributed and actioned.

(6)          Controls over master files

• To ensure that all data held on master files is accurate and up-to-date.
• To ensure that any amendment to standing data is properly authorised.

The control techniques for application controls under six headings are shown below.

3.2.1    Control techniques for application controls

It should be noted that techniques which control the accuracy of input and processing will help to control master file data.  As master file standing data items are used many times over in processing they take on a greater importance than transaction data and more costly controls such as one-for-one checks may be justified.

3.3         Some controls explained

• Physical controls

Designed to limit accesses to computer room, for example.

• Back up files

The creation and updating of an identical back-up disk for every disk in the system.

• Data filing

The need for a filing system, each disk should be labelled clearly following a certain pattern.

• Proofing

This is manual checking to control data on disk.  It is normally carried out after data has been keyed onto the disk for the first time.

Mistakes identified during proofing should be corrected and corrections proofed.

• Passwords

When a disk contains information that should not be widely available   (eg; data concerning salaries) it is possible to hide it, using a password.

• Date/Time Stamps

Most computers have their own internal controls and calendars and will automatically fill in a program’s requests concerning time and date.

• Prompts

Controls designed to ask the user if he/she is sure that the deletion command was intentional for example.

• Check digits

A means of control in that they ascertain whether or not a number is valid.  The computer will detect if the number is ever input incorrectly eg; through transposition.

(i)          Batch totals

A batch (or control) total is the sum of one of the numerical fields on the documents in the batch eg; total of the sales invoice values. The computer calculates the batch total and this is compared with the manually calculated total.

• Hash total

Works in a similar manner as batch total.  Unlike the batch total the value of the hash total is  meaningless but it is still useful for control purposes to detect errors on input or omissions (eg; a total of customer account numbers).

• Reasonableness checks

The program will check to ensure that the data input is reasonable given the type of input it is eg; hours recorded for a week should fall between 30 and 50.

• Existence checks

The computers will check to ensure that the data input is valid by checking that the entity already exists in the system.

• Dependency checks

Data input fields can be compared with other fields for reasonableness eg; check that tax is a sensible amount as compared with the net amount.

3.4        The relationship between application and general controls 

It may be appropriate for the auditor to concentrate upon application controls before deciding how far to proceed with examining general controls.  The reasons for this are as follows:

• Application controls can be more easily related to a specific control objective, and therefore a specific audit objective, than can general controls.
• Application controls can be more easily tested by using specific transactions to act as a medium for the test which is then performed either clerically or by using computer-assisted audit techniques.
• As a result of (a) and (b) the testing of application controls may be effective than general controls.

There are, however, certain reasons for still considering general controls may be highly relevant to the auditor:

• If application controls become concentrated in the computer department, the environment within which the application controls function will be fundamental.
• If certain application controls are lacking the auditor may attempt to limit his substantive testing by placing more reliance on general controls.

Auditing guideline sets out these basic rules relating to audit testing of controls:

• The auditor can test and rely on general controls alone without having to test application controls.
• The auditor can test and rely on manual application controls alone without having to test general controls.
• In order to rely on programmed application controls the auditor must first be satisfied with general controls. This is because if the controls covering the whole

computer environment are poor, then the programmed application controls within it will be worthless.

4           Use of Computer Assisted Audit Techniques (CAATs)

These are audit techniques that use computer applications as the primary tool. Uses generally include sampling, statistical analyses and exception reporting. The internal audit department uses specialized software for this purpose.

4.1        Audit software

Audit software comprises computer programs used by the auditor to examine an enterprise’s computer file.  It may consist of generalized package programs, specially written programs or the client’s own programs.

These are programs already written either by the auditor or a specialist software company which are designed to be used on different types of machines.  They need to be tailored to each specific case by defining the format of the files to be interrogated and by specifying the parameters of output data required and the form of that output.  In some cases supplementary program coding is required.

In some cases it is not possible to adapt program due to the type of machine, processing or file organisation used.  In such cases a purpose-written program is required.  It could be written by the auditor himself, by a software specialist or by the client acting on the instructions of the auditor.  In all cases it should be fully tested before being  used ‘live’.

These can often be useful to the auditor.  For example, when using a terminal it is necessary to use the existing enquiry programs to refer to data held on files, or to obtain a print-out of parts of a file.  In many cases, however, the client’s own programs will not provide all the facilities needed by the auditor.  It is likely that the team responsible for writing the enquiry programs produced the rest of the system and there is therefore a danger that the defects apply to all such programs in the system.

Uses of audit software

Audit software may be used during many audit testing procedures.  Its use is particularly appropriate during substantive testing of transactions and balances, as it may scrutinise large volumes of data and extract information leaving skilled manual resources to concentrate upon the investigation of the results.

Typical uses of such programs include:

• Calculation checks

Here the program adds the value of open items on a file to ensure that they agree with control records which are maintained.

• Detecting violation of systems rules

The program checks all accounts on the sales ledger to ensure that no customer has a balance above a specified credit limit.

• Detecting unreasonable items

This is a check that no customer is allowed trade discount of more than 50%, or that no sales ledger balance is more than total sales made to that customer.

• Conducting new calculation and analyses

This involves obtaining a statistical analysis of stock movements to identify slow-moving items.

• Selection of items for audit testing

This involves obtaining a stratified sample of sales ledger balances to be used as a basis for a debtors circularisation.

• Completeness checks

This does checking continuity of sales invoices to ensure they are all accounted for.

Difficulties in using computer audit programs

• Costs

There will be substantial set-up costs even in using a generalised package.  This is because the client’s procedures and files need to be investigated thoroughly prior to identifying audit tests.  The use of specially written programs will be even more expensive.

• Changes to client’s systems

These can mean costly alterations to the programs or at least require the programs to be run regularly during the year to test the system at different dates.

• Small installations

There may be no suitable audit software package for use on mini-computer or microcomputer installations.  Software documentation may be incomplete so that it is very difficult to identify all procedures.  It may be impossible to justify and hence recover the cost of specially written audit software.

• Over-elaboration

There may be a tendency to produce over-elaborate enquiry programs which are expensive to develop, take up considerable computer running time and extensive reviewing time.  The auditor should be able to justify the costs of using the program to the benefit in audit terms of its use.

• Quantities of output

An enquiry program may produce huge quantities of output.  This may be because the system is wrong or the enquiry program was badly designed.  To avoid this problem some packages can be set to terminate after a given number of items have been included in the count. The auditor must distinguish between cases when he has merely misjudged the parameters and obtained too large a sample and cases where the print-out is long because lots of items are wrong.  In the latter case he must follow the audit work through and consider the implications of the problems encountered.

• Version of files used in the test

The audit software only tests the files against which it is run.  It is therefore preferable to use the software on the actual files of the client.  The permission of the client is needed and the software must be carefully tested prior to its use on ‘live’ data.

An alternative approach is to run the programs against copies of the data file.  To be valid there must be adequate general controls to ensure that the client uses the same file.  Provided this is so the use of copy files enables the auditor to be more flexible in deciding when to test and to retain the copy files for further testing.

4.2          Test data

Audit test data consists of data submitted by the auditor for processing by the client’s computer-based accounting system.  It may be processed during a normal production run (running test data ‘live’) or during a special run  at a point in time outside the normal cycle (running the test data ‘dead’.)

Test data could be held in the form of a batch of documents put through the system to test both manual and computer controls.  It is more often meant to refer to  data recorded on magnetic tape or disk used to test programmed controls.  Its primary use is in the testing of application controls.

Note that the use of test data is not confined to the external auditor.  It is a method used by programmers, analysts and internal auditors as part of systems development and monitoring  procedures.  There may be scope for co-operation between internal and external auditor in creating such test data.

Use of test data

There are three major approaches:

• Using live data

At its simplest level the auditor could use real data that has been processed which involves the controls he wants to test.  The auditor should then predetermine the results which he would expect from the processing of the data.  Later checks are done to confirm that the actual processing has been carried out in the expected way and investigate any differences.

This method is not usually feasible.  The auditor will usually want to use a collection of normal, exceptional and even absurd data to test controls.  He is unlikely to find all these conditions in a batch of data.  The vast bulk of day-to-day items will contain few exceptions and no absurd data.  It would take the auditor a long time to find a suitable range of data items to use.

• Dummy data in a normal production run

The auditor constructs a series of dummy transaction which contain the required condition.  These are processed along with normal data.  Actual results are then compared with predetermined results.

This method has the advantage of producing a realistic test environment.  The client’s actual programs and data files are being used in the test.

The dangers of this method are, however, considerable.  Computer-generated documentation may have to be intercepted before it is released.  There may be a need to reverse the transactions after testing to eliminate the effects of test data.  This may be time-consuming and require program amendments.  It may distort management information by swelling the number of cancelled orders and credit notes.  It would indeed be ironic if a client’s accounting records were corrupted by the auditor’s own test data.  Therefore great care is needed in planning and  controlling the test.

• Dummy data in a special run

In this method the auditor creates special data and uses it against copies of the client’s data files.  The dangers associated with ‘live’ testing are therefore largely eliminated although the interaction of one file with another must still be carefully considered.

It is still essential to obtain the client’s permission which reduces the independence of the test.  It is also necessary to obtain assurance that the program being used in the test is identical to that used by the client for production runs and not a special program kept aside for the auditor’s use!

Difficulties in using audit test data

• Costs

There may be considerable costs involved in ascertaining the relevant controls and in constructing test data from scratch.  It may be very difficult to identify all relevant conditions.  The need to predetermine the results manually may be both time-consuming and tedious.  These costs, however, are normally substantially less than for audit software.

• Objectives of the test

Test data is likely to be confined to tests of control and therefore may be less valuable in audit terms than using audit software.

• Dangers of live testing

Careful planning and control is needed to expurgate the test data from the records.

iv  Dangers from testing during a special run

If special test runs are used, an artificial testing environment is created.  Assurance is needed that the normal programs and files have been used.

• Recording

The use of test data does not necessarily provide visible evidence of the audit work performed.  Working papers should therefore include details of the controls to be tested, an explanation of how they are to be tested, details of the transactions and files used, details of the predicted results, the  actual results and evidence of the predicted and actual results having being compared.

 4.3         Other techniques

There are other more sophisticated techniques do exist and they could be tested perhaps in part of a question. Try to grasp the main principles and don’t spend too much time on this section.  In many cases the techniques were first developed for internal purposes e.g. during program development. They often require considerable IT expertise to be used accurately.

4.3.1       Integrated test facilities (ITF)

This is an extension of the test data technique. The system is designed at the output stage to handle audit test data without unwanted side effects. The auditor uses test data, input as part of a normal run, and applied to ‘dummy’ test records held on master files.  The weakness of this is that there is a danger of test data being subject to special procedures which are not applied to normal transactions.

ITF allows test data to be left in the system to see what happens eg; a dummy sale record eventually creates an overdue sales ledger balance.  The auditor can use ITF to carry out regular testing of the system without using a special test run and indeed without being present during processing.

ITF is used largely to test application controls.

4.3.2       Embedded audit facilities

A wide variety of terms is used to describe this technique, including ‘intergrated audit monitors’, ‘resident audit software’ and ‘intergrated audit modules’.  It consists of a module of a computer program written by the auditor which is incorporated into the client’s computer system either temporarily or permanently.

This technique allows tests to be made at the time the data is being processed.  It is ‘real time auditing’.  it is useful where the audit trail is deficient so that historical audit work is difficult, or where files are constantly being updated eg; in a real time or database system.  The facilities may allow results to be printed immediately or to be written onto tape or disk for later evaluation by the auditor.

This technique may achieve the following objectives:

• To store information as it is processed for subsequent audit review.
• To check the integrity of files which are being processed.
• To spot and record items which are of some special audit interest, as previously defined by the auditor.

4.4        Considerations affecting use

The main issues the auditor needs to consider whether to use CAATs are.

• Computer knowledge, expertise and experience of the audit team
• Cost/benefit analysis
• Availability of CAATS and suitable computer facilities.
• Impracticability of manual tests if no visible evidence is available.
• Time available

4.5       Advantages and disadvantages of Computer Assisted Audit Techniques Using CAATs can benefit the auditor in a number of ways as noted below.

4.5.1 Advantages of Computer Assisted Audit Techniques

(i) In a computer-based system the large volume of transactions is likely to force the auditor to rely upon programmed controls.  CAATs are likely to be the only effective way of testing programmed controls.

• The use of CAATs will enable the auditor to test a much larger number of items quickly and accurately and therefore increase the confidence he has in his opinion.
• CAATs enable the auditor to test the accounting system and its records (ie, the tapes and disk files) rather than relying upon testing printouts of what he believes to be a copy of those records.
• Once set up CAATs are likely to be a cost effective way of obtaining audit evidence provided that the enterprise does not regularly change its systems.

(v)         Careful planning by the auditor should enable the results of his work using

4.5.2 Disadvantages of Computer Assisted Audit Techniques

However, using CAATs has its challenges, which are listed below.

• CAATs can be expensive and time consuming to set up, the software must either be purchased or designed (in which case specialist IT staff will be needed);
• Client permission and cooperation may be difficult to obtain;
• Potential incompatibility with the client’s computer system;
• The audit team may not have sufficient IT skills and knowledge to create the complex data extracts and programming required;
• The audit team may not have the knowledge or training needed to understand the results of the CAATs; and
• Data may be corrupted or lost during the application of CAATs.

(Visited 782 times, 1 visits today)