USING COMPUTER
ASSISTED AUDIT
TOOLS AND
TECHNIQUES
(CAATT’S)
Computer Assisted Audit Tools and Techniques
• Has two subcomponents:
1. Software used to increase an auditor’s
personal productivity and software used
to perform data extraction and analysis,
2. Techniques to increase the efficiency
and effectiveness of the audit function.
Input Controls
• Designed to ensure that the
transactions that bring data into
the system are valid, accurate, and
complete
 Data input procedures can be
either:
 Source document-triggered (batch)
 Direct input (real-time)
 Source document input requires
human involvement and is prone to
clerical errors.
 Direct input employs real-time
editing techniques to identify and
correct errors immediately
Classes of Input Controls
1) Source document controls
2) Data coding controls
3) Batch controls
4) Validation controls
5) Input error correction
6) Generalized data input systems
Source Document Controls


Controls in systems using physical source
documents



To control for exposure, control
procedures are needed over source
documents to account for each one




Use pre-numbered source documents
Use source documents in sequence
Periodically audit source documents
Data Coding Controls




Checks on data integrity during processing

Transcription errors
 Addition errors
 Truncation errors
 Substitution errors

Transposition errors
 Single transposition
 Multiple transposition
Control = Check digits

Added to code when created (suffix, prefix,
embedded)
 Sum of digits (ones): transcription errors only
 Modulus 11: different weights per column:
transposition and transcription errors

Introduces storage and processing inefficiencies
Batch Controls


Method for handling high volumes of
transaction data – esp. paper-fed IS



Controls of batch continues thru all phases
of system and all processes (i.e., not JUST an
input control)
1) All records in the batch are processed together
2) No records are processed more than once
3) An audit trail is maintained from input to output



Requires grouping of similar input
transactions
Batch Controls
 Requires controlling batch throughout


Batch transmittal sheet (batch control record)







Unique batch number (serial #)
A batch date
A transaction code
Number of records in the batch
Total dollar value of financial field
Sum of unique non-financial field

• Hash total
• E.g., customer number


Batch control log



Hash totals
Validation Controls


Intended to detect errors in data
before processing



Most effective if performed close to
the source of the transaction



Some require referencing a master
file
 Field Interrogation
 Missing data checks
 Numeric-alphabetic data checks
 Zero-value checks
 Limit checks
 Range checks
 Validity checks
 Check digit
 Record Interrogation
 Reasonableness checks
 Sign checks
 Sequence checks
 File Interrogation
 Internal label checks (tape)
 Version checks
 Expiration date check
Input Error Connection


Batch – correct and resubmit



Controls to make sure errors dealt
with completely and accurately

1) Immediate Correction
2) Create an Error File
 Reverse the effects of partially

processed, resubmit corrected
records
 Reinsert corrected records in
processing stage where error was
detected
3) Reject the Entire Batch
Generalized Data Input Systems (GDIS)


Centralized procedures to manage data
input for all transaction processing systems



Eliminates need to create redundant
routines for each new application



Advantages:




Improves control by having one
common system perform all data
validation
Ensures each AIS application applies a
consistent standard of data validation
Improves systems development
efficiency
 Major components:

1) Generalized Validation
Module
2) Validated Data File
3) Error File
4) Error Reports
5) Transaction Log
Process Controls
1) Run-to-Run Controls
2) Operator Intervention Controls
3) Audit Trail Controls
Run-to-Run (Batch)

 Use batch figures to
monitor the batch as it
moves from one process
to another
1) Recalculate Control

Totals
2) Check Transaction Codes
3) Sequence Checks
Operator Intervention
 When operator manually enters
controls into the system
 Preference is to derive by logic or
provided by system
Audit Trail Controls
 Every transaction becomes
traceable from input to output
 Each processing step is documented
 Preservation is key to auditability of
AIS






Transaction logs
Log of automatic transactions
Listing of automatic transactions
Unique transaction identifiers [s/n]
Error listing
Output Controls
 Ensure system output:
1)
2)
3)
4)

Not misplaced
Not misdirected
Not corrupted
Privacy policy not violated

 Batch systems more susceptible to exposure,
require greater controls


Controlling Batch Systems Output






Many steps from printer to end user
Data control clerk check point
Unacceptable printing should be shredded
Cost/benefit basis for controls
Sensitivity of data drives levels of controls
 Output spooling – risks:
 Access the output file and change
critical data values
 Access the file and change the
number of copies to be printed
 Make a copy of the output file so
illegal output can be generated
 Destroy the output file before
printing take place
 Print Programs
 Operator Intervention:
1) Pausing the print program to load output paper
2) Entering parameters needed by the print run
3) Restarting the print run at a prescribed checkpoint after
a printer malfunction
4) Removing printer output from the printer for review and
distribution

 Print Program Controls


Production of unauthorized copies
 Employ output document controls similar to source
document controls

 Unauthorized browsing of sensitive data by
employees
 Special multi-part paper that blocks certain fields
 Bursting
 Supervision

 Waste
 Proper disposal of aborted
copies and carbon copies

 Data control
 Data control group – verify
and log

 Report distribution
 Supervision
 End user controls


End user detection

 Report retention:





Statutory requirements (gov’t)
Number of copies in existence
Existence of softcopies (backups)
Destroyed in a manner consistent
with the sensitivity of its
contents
 Controlling real-time systems
output


Eliminates intermediaries



Threats:







Interception
Disruption
Destruction
Corruption

Exposures:
 Equipment failure
 Subversive acts



Systems performance controls



Chain of custody controls
TESTING COMPUTER
APPLICATION CONTROLS
1) Black box (around)
2) White box (through)
Black Box Testing



Ignore internal logic of application
Use functional characteristics





Advantages:




Flowcharts
Interview key personnel
Do not have to remove application from
operations to test it

Appropriately applied:



Simple applications
Relative low level of risk
White Box Testing





Relies on in-depth understanding of
the internal logic of the application
Uses small volume of carefully
crafted, custom test transactions to
verify specific aspects of logic and
controls
Allows auditors to conduct precise
test with known outcomes, which
can be compared objectively to
actual results
White Box Tests Methods
1) Authenticity tests:




Individuals / users
Programmed procedure
Messages to access system (e.g., logons)
 All-American University, student lab:

logon, reboot, logon *

2) Accuracy tests:


System only processes data values that
conform to specified tolerances

3) Completeness tests:


Identify missing data (field, records,
files)
4) Redundancy tests:


Process each record exactly once

5) Audit trail tests:


Ensure application and/or system
creates an adequate audit trail
 Transactions listing
 Error files or reports for all exceptions

6) Rounding error tests:



“Salami slicing”
Monitor activities – excessive ones are
serious exceptions; e.g, rounding and
thousands of entries into a single
account for $1 or 1¢
Computer Aided Audit Tools and
Controls (CAATTs)
1)
2)
3)
4)
5)
6)

Test data method
Base case system evaluation
Tracing
Integrated Test Facility [ITF]
Parallel simulation
GAS
Test Data Method


Used to establish the application
processing integrity



Uses a “test deck”




Valid data
Purposefully selected invalid data
Every possible:
 Input error
 Logical processes
 Irregularity



Procedures:
1) Predetermined results and expectations
2) Run test deck
3) Compare
Base Case System Evaluation


Variant of Test Data method



Comprehensive test data



Repetitive testing throughout SDLC



When application is modified,
subsequent test (new) results can
be compared with previous results
(base)
Tracing


Test data technique that takes stepby-step walk through application
1) The trace option must be enabled for

the application
2) Specific data or types of transactions are

created as test data
3) Test data is “traced” through all

processing steps of the application, and
a listing is produced of all lines of code
as executed (variables, results, etc.)



Excellent means of debugging a
faculty program
Test Data: Pro’s and Cons
Pro’s
– They employ white

box approach, thus
providing explicit
evidence
– Can be employed

with minimal
disruption to
operations
– They require

minimal computer
expertise on the
part of the auditors

Cons
– Auditors must rely

on IS personnel to
obtain a copy of the
application for
testing
– Audit evidence is not
entirely independent
– Provides static
picture of
application integrity
– Relatively high cost
to implement,
auditing inefficiency
Integrated Test Facility


ITF is an automated technique that
allows auditors to test logic and
controls during normal operations



Set up a dummy entity within the
application system
1) Set up a dummy entity within the

application system
2) System able to discriminate between ITF
audit module transactions and routine
transactions
3) Auditor analyzes ITF results against
expected results
Parallel Simulation


Auditor writes or obtains a copy of
the program that simulates key
features or processes to be
reviewed / tested
1) Auditor gains a thorough

2)
3)

4)
5)

understanding of the application under
review
Auditor identifies those processes and
controls critical to the application
Auditor creates the simulation using
program or Generalized Audit Software
(GAS)
Auditor runs the simulated program
using selected data and files
Auditor evaluates results and reconciles
differences

Caa ts

  • 1.
    USING COMPUTER ASSISTED AUDIT TOOLSAND TECHNIQUES (CAATT’S)
  • 2.
    Computer Assisted AuditTools and Techniques • Has two subcomponents: 1. Software used to increase an auditor’s personal productivity and software used to perform data extraction and analysis, 2. Techniques to increase the efficiency and effectiveness of the audit function.
  • 3.
    Input Controls • Designedto ensure that the transactions that bring data into the system are valid, accurate, and complete  Data input procedures can be either:  Source document-triggered (batch)  Direct input (real-time)
  • 4.
     Source documentinput requires human involvement and is prone to clerical errors.  Direct input employs real-time editing techniques to identify and correct errors immediately
  • 5.
    Classes of InputControls 1) Source document controls 2) Data coding controls 3) Batch controls 4) Validation controls 5) Input error correction 6) Generalized data input systems
  • 6.
    Source Document Controls  Controlsin systems using physical source documents  To control for exposure, control procedures are needed over source documents to account for each one    Use pre-numbered source documents Use source documents in sequence Periodically audit source documents
  • 7.
    Data Coding Controls   Checkson data integrity during processing  Transcription errors  Addition errors  Truncation errors  Substitution errors  Transposition errors  Single transposition  Multiple transposition Control = Check digits  Added to code when created (suffix, prefix, embedded)  Sum of digits (ones): transcription errors only  Modulus 11: different weights per column: transposition and transcription errors  Introduces storage and processing inefficiencies
  • 8.
    Batch Controls  Method forhandling high volumes of transaction data – esp. paper-fed IS  Controls of batch continues thru all phases of system and all processes (i.e., not JUST an input control) 1) All records in the batch are processed together 2) No records are processed more than once 3) An audit trail is maintained from input to output  Requires grouping of similar input transactions
  • 9.
    Batch Controls  Requirescontrolling batch throughout  Batch transmittal sheet (batch control record)       Unique batch number (serial #) A batch date A transaction code Number of records in the batch Total dollar value of financial field Sum of unique non-financial field • Hash total • E.g., customer number  Batch control log  Hash totals
  • 10.
    Validation Controls  Intended todetect errors in data before processing  Most effective if performed close to the source of the transaction  Some require referencing a master file
  • 11.
     Field Interrogation Missing data checks  Numeric-alphabetic data checks  Zero-value checks  Limit checks  Range checks  Validity checks  Check digit  Record Interrogation  Reasonableness checks  Sign checks  Sequence checks
  • 12.
     File Interrogation Internal label checks (tape)  Version checks  Expiration date check
  • 13.
    Input Error Connection  Batch– correct and resubmit  Controls to make sure errors dealt with completely and accurately 1) Immediate Correction 2) Create an Error File  Reverse the effects of partially processed, resubmit corrected records  Reinsert corrected records in processing stage where error was detected 3) Reject the Entire Batch
  • 14.
    Generalized Data InputSystems (GDIS)  Centralized procedures to manage data input for all transaction processing systems  Eliminates need to create redundant routines for each new application  Advantages:    Improves control by having one common system perform all data validation Ensures each AIS application applies a consistent standard of data validation Improves systems development efficiency
  • 15.
     Major components: 1)Generalized Validation Module 2) Validated Data File 3) Error File 4) Error Reports 5) Transaction Log
  • 16.
    Process Controls 1) Run-to-RunControls 2) Operator Intervention Controls 3) Audit Trail Controls
  • 17.
    Run-to-Run (Batch)  Usebatch figures to monitor the batch as it moves from one process to another 1) Recalculate Control Totals 2) Check Transaction Codes 3) Sequence Checks
  • 18.
    Operator Intervention  Whenoperator manually enters controls into the system  Preference is to derive by logic or provided by system
  • 19.
    Audit Trail Controls Every transaction becomes traceable from input to output  Each processing step is documented  Preservation is key to auditability of AIS      Transaction logs Log of automatic transactions Listing of automatic transactions Unique transaction identifiers [s/n] Error listing
  • 20.
    Output Controls  Ensuresystem output: 1) 2) 3) 4) Not misplaced Not misdirected Not corrupted Privacy policy not violated  Batch systems more susceptible to exposure, require greater controls  Controlling Batch Systems Output      Many steps from printer to end user Data control clerk check point Unacceptable printing should be shredded Cost/benefit basis for controls Sensitivity of data drives levels of controls
  • 21.
     Output spooling– risks:  Access the output file and change critical data values  Access the file and change the number of copies to be printed  Make a copy of the output file so illegal output can be generated  Destroy the output file before printing take place
  • 22.
     Print Programs Operator Intervention: 1) Pausing the print program to load output paper 2) Entering parameters needed by the print run 3) Restarting the print run at a prescribed checkpoint after a printer malfunction 4) Removing printer output from the printer for review and distribution  Print Program Controls  Production of unauthorized copies  Employ output document controls similar to source document controls  Unauthorized browsing of sensitive data by employees  Special multi-part paper that blocks certain fields
  • 23.
     Bursting  Supervision Waste  Proper disposal of aborted copies and carbon copies  Data control  Data control group – verify and log  Report distribution  Supervision
  • 24.
     End usercontrols  End user detection  Report retention:     Statutory requirements (gov’t) Number of copies in existence Existence of softcopies (backups) Destroyed in a manner consistent with the sensitivity of its contents
  • 25.
     Controlling real-timesystems output  Eliminates intermediaries  Threats:      Interception Disruption Destruction Corruption Exposures:  Equipment failure  Subversive acts  Systems performance controls  Chain of custody controls
  • 26.
  • 27.
    1) Black box(around) 2) White box (through)
  • 28.
    Black Box Testing   Ignoreinternal logic of application Use functional characteristics    Advantages:   Flowcharts Interview key personnel Do not have to remove application from operations to test it Appropriately applied:   Simple applications Relative low level of risk
  • 29.
    White Box Testing    Relieson in-depth understanding of the internal logic of the application Uses small volume of carefully crafted, custom test transactions to verify specific aspects of logic and controls Allows auditors to conduct precise test with known outcomes, which can be compared objectively to actual results
  • 30.
    White Box TestsMethods 1) Authenticity tests:    Individuals / users Programmed procedure Messages to access system (e.g., logons)  All-American University, student lab: logon, reboot, logon * 2) Accuracy tests:  System only processes data values that conform to specified tolerances 3) Completeness tests:  Identify missing data (field, records, files)
  • 31.
    4) Redundancy tests:  Processeach record exactly once 5) Audit trail tests:  Ensure application and/or system creates an adequate audit trail  Transactions listing  Error files or reports for all exceptions 6) Rounding error tests:   “Salami slicing” Monitor activities – excessive ones are serious exceptions; e.g, rounding and thousands of entries into a single account for $1 or 1¢
  • 32.
    Computer Aided AuditTools and Controls (CAATTs) 1) 2) 3) 4) 5) 6) Test data method Base case system evaluation Tracing Integrated Test Facility [ITF] Parallel simulation GAS
  • 33.
    Test Data Method  Usedto establish the application processing integrity  Uses a “test deck”    Valid data Purposefully selected invalid data Every possible:  Input error  Logical processes  Irregularity  Procedures: 1) Predetermined results and expectations 2) Run test deck 3) Compare
  • 34.
    Base Case SystemEvaluation  Variant of Test Data method  Comprehensive test data  Repetitive testing throughout SDLC  When application is modified, subsequent test (new) results can be compared with previous results (base)
  • 35.
    Tracing  Test data techniquethat takes stepby-step walk through application 1) The trace option must be enabled for the application 2) Specific data or types of transactions are created as test data 3) Test data is “traced” through all processing steps of the application, and a listing is produced of all lines of code as executed (variables, results, etc.)  Excellent means of debugging a faculty program
  • 36.
    Test Data: Pro’sand Cons Pro’s – They employ white box approach, thus providing explicit evidence – Can be employed with minimal disruption to operations – They require minimal computer expertise on the part of the auditors Cons – Auditors must rely on IS personnel to obtain a copy of the application for testing – Audit evidence is not entirely independent – Provides static picture of application integrity – Relatively high cost to implement, auditing inefficiency
  • 37.
    Integrated Test Facility  ITFis an automated technique that allows auditors to test logic and controls during normal operations  Set up a dummy entity within the application system 1) Set up a dummy entity within the application system 2) System able to discriminate between ITF audit module transactions and routine transactions 3) Auditor analyzes ITF results against expected results
  • 38.
    Parallel Simulation  Auditor writesor obtains a copy of the program that simulates key features or processes to be reviewed / tested 1) Auditor gains a thorough 2) 3) 4) 5) understanding of the application under review Auditor identifies those processes and controls critical to the application Auditor creates the simulation using program or Generalized Audit Software (GAS) Auditor runs the simulated program using selected data and files Auditor evaluates results and reconciles differences