SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES OVERVIEW Objective To explain the use of computer-assisted audit techniques (CAATs) in the context of an audit AUDIT APPROACH CAATs “Black box” “Systems-based” Small installations Possible use Considerations Advantages Difficulties TEST DATA AUDIT SOFTWARE Description Uses Precautions Description Uses Precautions 2101 SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES AUDIT APPROACHES 1.1 Around (“black-box” approach) v Examine preparation and control of source documents 1.2 INPUT Compare with a sample of (expected) outputs Ignore except for tracing input through control/batch details and compare to (expected) output COMPUTER Through Normal procedures on authorisation and collection of input documents and relevant external (general) controls Examine controls over development, organisation and security Test input, processing and output controls as a whole Use the computer to interrogate files and test system Substantive testing alone will often provide sufficient assurance on the basis that the computer is effectively an electronic bookkeeping system 1.3 Small installations 1.3.1 Features Lower level of general (IT) controls OUTPUT 1.3.2 Substantive procedures on output alone (output may not be automatically generated) will provide insuffient assurance Control effectiveness is essential to provide sufficient assurance Consequences ⇒ Less reliance on system of internal control ⇒ Greater emphasis on tests of details of transactions and balances and analytical procedures ⇒ Increase effectiveness of audit software Smaller volumes of data ⇒ Manual methods may be more cost effective Lack of technical assistance in entity ⇒ Use of CAATs may be impracticable Certain package programs may not operate ⇒ Restricted choice of CAATs ⇒ Entity’s data files may be copied and processed on another suitable computer 2102 SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES COMPUTER-ASSISTED AUDIT TECHNIQUES CAATs are computer programs and data (e.g transactions data) used as part of the auditor’s procedures to process data of audit significance contained in an entity’s information systems CAATs may consist of package programs, purpose-written programs, utility programs or system management programs 2.1 Possible use Controls IT Manual e.g safe custody of back-up Application Programmed e.g password to system Programmed e.g check digits, sequence check Manual e.g authorisation, batch control totals CAATs may be used 2.2 Considerations affecting use 2.2.1 Matters 2.2.2 Consequences Computer knowledge, expertise and experience of auditor ⇒ Must be sufficient to plan, execute and use results of CAAT adopted Availability of CAATs and suitable computer facilities ⇒ Use of CAATs may be uneconomical or impractical (e.g if auditor’s package program and entity’s computer are incompatible) ⇒ Auditor may use own laptop ⇒ Entity personnel may be required to co-operate with and assist Internal audit may use 24/7 facilities Impracticability of manual tests when no visible evidence is available ⇒ See Example below Effectiveness and efficiency ⇒ Execution (e.g selecting a sample, analytical procedure) is quicker than manual equivalent ⇒ Design and printing of forms (e.g for confirmations), mail merge facilities, etc ⇒ Certain transaction data may need to be retained for audit purposes or the CAAT used in the short time when such data is available 24/7 may be available Timing 2103 SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES Example Suggest an example of lack of visible evidence concerning each of the following Solution Input/initiation − − Processing − − Output − − 2.3 Advantages Enable the auditor to test program controls – if CAATs were not used then those controls would not be testable Enable the auditor to test a greater number of items (eg 100%) quickly and accurately This will also increase the overall confidence for the audit opinion Allow the auditor to test the actual accounting system and records rather than printouts which are only a copy of those records and could be incorrect Are cost effective after they have been setup as long as the company does not change its systems Allow the results from using CAATs to be compared with “traditional” testing – if the two sources of evidence agree then this will increase overall audit confidence 2.4 Difficulties Substantial setup costs in developing the CAAT programs and testing them However, once established, providing the client’s system does not change, they can be used as many times as necessary with only the parameters being changed Standard audit software may not be available for the specific systems setup by the client, especially if those systems are bespoke The cost of writing audit software to test those systems may be difficult to justify against the possible benefits on the audit 2104 SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES However, in most cases specific bespoke interrogation programmes will have been written as part of the system This will certainly be the case where an internal audit function is operating and may well have been designed for the specific use of internal audit The external auditor will need to access the usefulness of such systems for their own use In addition provided the data held within the system can be exported, eg into Excel, Access or ASCII format, it can be interrogated by the auditor on their own laptops (for example) The software may produce too much output either due to poor design or using inappropriate parameters on a test The auditor may waste considerable time checking what appear to be transactions with errors in them when the fault is actually in the audit software Checking the client’s files in a live situation There is the danger that the client’s systems are disrupted by the audit program The data files can be used offline, but this will mean ensuring that the files are true copies of the live files TEST DATA 3.1 Description Data generated by the auditor which is then processed using the client’s systems The objective of test data is to ensure that the controls within the system are operating properly If this is the case, then erroneous items should be rejected Consequently, test data should contain data of both a valid and an invalid nature Test data Test of programmed controls “Live” “Dead” Audit test data consists of data submitted by the auditor for processing by the enterprise’s CIS It may be: selected from previously processed transactions; or created specifically by the auditor It may be processed during a normal production run (“live” test data) or a special run at a point in time outside the normal cycle (“dead” test data) 2105 SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES An integrated test facility requires the establishment of a “dummy” unit (e.g department or employee) against which the auditor’s test data transactions are processed during the normal production cycle 3.2 Process A full understanding of how the system operates and the programmed control environment is required by the auditor 3.2.1 Use of accurate data Initially, the auditor must test that the system processes data as intended Data entered into the system correctly flows through the system, updating controls and balances Using a sales system as an example, procedure may be: Establish a dummy customer profile (eg name, address, discounts, credit limit, current balance) on the system or select a live client for testing Ensure that the system being used is the actual client system and not a copy Identify the current control balances, eg receivables control, sales, VAT, customer ledger balance Prepare test data (eg place an order through the entity’s website) and establish the expected impact on the process (eg changes in receivables control, sales, VAT, ledger balance) Enter the test data and compare the results with what was expected If agreed, the system is operating as expected If not agreed, the reason(s) why must be established Review reports that are necessarily produced by the system to ensure the test data is reflected within them Remove test data from the system including the dummy customer and details This test could be incorporated into the auditor’s walk through procedure in order to understand the system (plus the design of and implementation of controls – see next) 3.2.2 Use of false data If correct data is input and processed by the system, many of the application controls that are designed to prevent errors will not have been tested In understanding the system, the auditor must establish what application controls should be in operation and what they are designed to Each control must be tested for “error trapping”, ie input false data such that the control will identify incorrect data and reject it Examples of such data would include: Data outside of a specified accepted range (eg age, units ordered, delivery date) Incorrect customer codes, product codes (incorrect format and non-existent) etc Incorrect dates (eg 31 February) Negative numbers 2106 SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES Incorrect payment details (e.g VISA code when payment is required on-line before delivery) Invalid user names and passwords All of the above examples should result in error messages plus error reports The system should not be able to “go to the nearest” and complete the process, eg the nearest product code or a default substitute Again, as the auditor must assess the design of the controls and that they have been implemented, using CAAT test data is an effective (and usually the only) way of doing so 3.3 Precautions Test data should be run “live” if possible If not possible it is necessary to ensure that programs used are identical to or are the actual programs used by the client Any fictitious items included as test data must be retrieved/eliminated from files before the client uses those files in normal processing If test data is to be run “dead”, there must be adequate computer time available and the special run required must not prove unduly expensive Since controls are being tested, all discrepancies between predicted and actual results must be fully resolved and documented, irrespective of financial amounts involved AUDIT SOFTWARE 4.1 Description Software specially designed for audit purposes It is used to process the client’s data in order to check that the figures themselves are correct Typically, audit software is used for reperformance tests and re–analysis of information Can be an off the shelf package program designed to: read computer files select information perform calculations create data files print reports in a format specified by the auditor; or Purpose-written bespoke program designed to perform audit tasks in specific circumstances on specific systems; or 2107 SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES Embedded audit routines built into an entity’s computer system to provide data for later use by the auditor: Snapshots – i.e taking a picture of a transaction as it flows through the computer systems Routines are embedded at different points in the processing logic to capture images of the transaction as it goes through the various stages of the processing The technique allows the auditor to track data and evaluate the computer processes applied to it System control audit review file – provides continuous monitoring of the system’s transactions using audit software modules embedded within an application system Information is collected into a special computer file for the auditor to examine Note that: Utility programs are used by the entity to perform common functions (e.g sorting, creating and printing files) They are not specifically designed for audit purposes; and System management programs are typically part of a sophisticated operating systems environment (e.g data retrieval software or code comparison software) As with utility programs, they are not specifically designed for auditing use 4.2 Uses (not exhaustive) Basically: what you can with data within a database management system (eg Access) you can with audit software; everything you within a manual audit in selecting, analysing and sorting data, can be done using audit software Examples include: Selecting a sample of records from a file (e.g random selection of goods despatched notes or selection of all inventory items valued over a certain amount) Printing out transactions or balances over a specified amount (e.g of invoices, inventory items or accounts receivable) for investigation Checking computations and calculations by reperformance e.g.: − − − verifying the accuracy of an aged receivables listing or stratification of an inventory file; recalculating depreciation charges; recalculating interest charges Confirming application controls (e.g when testing input controls over completeness, a computer audit program can identify any missing items from a sequence) Reorganising data into a form for audit use (e.g sorting a file of purchases grouped by product into a file grouped by supplier and product for a year-end “cutoff” test) 2108 SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES Comparing two or more different files (e.g comparing sales invoices with the sales ledger to ensure that all invoices have been posted, or comparing inventory held at two different dates) Recalculating closing balances, extracting balances (eg receivables listing) Re-performing allocation of invoices, payments, journals etc Identifying duplicate suppliers and/or employees (and/or duplicate addresses) which may be a source of possible error or fraud Selecting exceptions (e.g invoices approved on a national holiday, credit limits exceeded, excess overtime, payments above a set limit) Identifying fields missing data (e.g references not obtained for new customers and/or employees) Conducting analytical review 4.3 Precautions Client’s files must not be corrupted or damaged Files used for testing must be complete and accurate and identical to, if not the same as, files currently used by the client Computer audit programs must be amended to account for developments in the client’s applications FOCUS You should now be able to: explain the use of computer-assisted audit techniques in the context of an audit; discuss and provide relevant examples of the use of test data 2109 SESSION 21 – COMPUTER-ASSISTED AUDIT TECHNIQUES EXAMPLE SOLUTION Solution — No visible evidence Input/initiation sales orders entered on-line or voice activated input discounts and interest calculations generated by computer program Processing delivery notes and suppliers’ invoices matched by computer program checking customer credit limits Output output reports not produced printed report only contains summary totals 2110 ... equivalent ⇒ Design and printing of forms (e.g for confirmations), mail merge facilities, etc ⇒ Certain transaction data may need to be retained for audit purposes or the CAAT used in the short time when... re–analysis of information Can be an off the shelf package program designed to: read computer files select information perform calculations create data files print reports in a format specified... Reorganising data into a form for audit use (e.g sorting a file of purchases grouped by product into a file grouped by supplier and product for a year-end “cutoff” test) 2108 SESSION 21 – COMPUTER-ASSISTED