
2.3. The Implications of Auditing Electronic Systems

2.3.2. Internal controls

2.3.2.3. Techniques for Testing the Effectiveness of Internal Controls of Electronic Systems

2.3.2.3.1. Computer Assisted Audit Techniques (CAATs)

A CAAT can be defined as any computer program or application that has been used to enhance the efficiency and effectiveness of an audit process through the automation of previously manual procedures, expansion of the scope of the audit coverage, or the creation of new audit procedures (Champlain, 2003). CAATs can be used to perform tests of general controls, tests of application controls and data extraction (Hall & Singleton, 2005). Internal and external auditors of many organisations and firms have developed and implemented CAATs that have greatly increased the efficiency and effectiveness of their audits (Curtis & Payne, 2008; Debreceny et al., 2005a). Through the use of CAATs the productivity and value of their audits and consulting services to their clients have also increased (Champlain, 2003). CAATs are often an efficient means of testing a large number of transactions or controls over a large population by analysing and selecting samples from a large volume of transactions, applying analytical procedures, and performing substantive procedures (ASOSAI, 2003; Porter et al., 2008).

CAATs can be used in performing various auditing procedures such as (ASOSAI, 2003: 67, 68):

• Tests of details of transactions and balances, for example, the use of audit software for recalculating interest or the extraction of invoices over a certain value from computer records.

• Analytical review procedures, for example, to identify inconsistencies or significant fluctuations.

• Use of expert systems, for example, in the design of audit programs and in audit planning and risk assessment.

• Tests of general controls, for example, to test the set-up or configuration of the operating system or access procedures to the program libraries.

• Sampling programs to extract data for audit testing.

• Tests of application controls, for example, to test the functioning of a programmed control.

• Creation of electronic working papers, for example, by downloading the general ledger for audit testing.

• Reperforming calculations performed by the entity’s accounting systems.

The most commonly used CAATs in testing the effectiveness of internal control structure among others are (Rezaee et al., 2001):

Test data: this technique helps determine whether the electronic system is correctly processing valid transactions and verifies the correctness and completeness of processing. In this technique, auditors prepare dummy transactions and process them through the client’s software at a time when the client is not processing the program. Then the auditors compare the output from processing the dummy data with their expected output to determine whether the controls are operating effectively. Any departure from the expected results could be an indicator of a logic or control problem (Braun & Davis, 2003; Cosserat, 2000; Porter et al., 2008; Rezaee et al., 2001).

Parallel simulation: in this type of CAAT the auditor develops software that is designed to replicate the results of the client’s application using the client’s real data. The results from the auditor’s software and the client’s system are compared. If the real system (the client’s system) and the auditor’s software yield the same output, then the auditor would have confidence that the client’s system is accurate (Braun & Davis, 2003; Cosserat, 2000; Rezaee et al., 2001).

Generalized audit software (GAS): the most frequently used of all of the CAATs, as it enables auditors to access live account data stored in various file formats that are machine-readable only (Debreceny et al., 2005a; Shaikh, 2005). GAS also can disclose useful information on client master files that are not included in reports produced by the client.

The key reason for the widespread use of GAS is its simplicity compared to other CAATs, as a result of which auditors require only a little specialised information system knowledge. Moreover, GAS is capable of handling a wide variety of different systems and different users. Although auditors often have some degree of difficulty in preparing the data for first use, the design of effective audit procedures after this initial set-up facilitates the achievement of greater coverage than would be possible with traditional types of procedures. This coverage is achieved through queries that allow the auditor to analyse data and extract information from the client database (Braun & Davis, 2003).

Integrated test facility (ITF): this technique provides an in-built testing facility through the creation of a dummy department or branch within the normal accounting system. This means that the dummy or simulated data are being processed with the client’s actual system instead of running dummy data on a static basis with the client system, as in the test data approach. Once established, test data can be placed in the normal transaction stream and the results can allow the auditor to evaluate application controls during normal operations (Braun & Davis, 2003).
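The parallel simulation technique described above can be illustrated with a short sketch. This is an added example, not part of the original text: the auditor's program independently recalculates loan interest from the client's own records and reports every account where the client's posted figure differs. The record layout, the actual/365 interest terms and all sample values are assumptions constructed for the illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed extract of the client's loan file, including the interest the
# client's system posted for the period. All values are hypothetical.
CLIENT_RECORDS = [
    {"account": "L-1001", "principal": "12000.00", "annual_rate": "0.0600",
     "days": 30, "posted_interest": "59.18"},
    {"account": "L-1002", "principal": "250000.00", "annual_rate": "0.0450",
     "days": 30, "posted_interest": "924.66"},
    {"account": "L-1003", "principal": "8000.00", "annual_rate": "0.0725",
     "days": 30, "posted_interest": "48.33"},   # client used a 360-day year
    {"account": "L-1004", "principal": "40000.00", "annual_rate": "0.0500",
     "days": 31, "posted_interest": ""},        # nothing posted at all
]


def simulate_interest(rec, day_basis=365):
    """Auditor's own calculation: simple interest, actual/365 (assumed terms)."""
    raw = (Decimal(rec["principal"]) * Decimal(rec["annual_rate"])
           * rec["days"] / day_basis)
    return raw.quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(records, tolerance=CENT):
    """Compare the auditor's output with the client's; return the exceptions."""
    exceptions = []
    for rec in records:
        expected = simulate_interest(rec)
        posted = rec["posted_interest"].strip()
        if not posted:
            exceptions.append((rec["account"], "no interest posted", expected, None))
        elif abs(Decimal(posted) - expected) > tolerance:
            exceptions.append((rec["account"], "mismatch", expected, Decimal(posted)))
    return exceptions


if __name__ == "__main__":
    for account, issue, expected, posted in parallel_simulation(CLIENT_RECORDS):
        print(f"{account}: {issue} (auditor={expected}, client={posted})")
```

A mismatch such as the one on L-1003 is exactly the kind of logic difference the comparison is meant to surface; whether it is an error depends on the contractual day-count basis.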

2.3.2.3.2. Continuous Auditing

Another technique auditors can use when auditing in an electronic environment is adopting the continuous auditing approach. Auditors may consider applying continuous auditing when most of the accounting information is recorded and stored in electronic form (Helms & Mancino, 1998; Kogan et al., 1999; Rezaee et al., 2002).

Continuous auditing has been defined differently in academic literature, in professional literature and in official reports issued by standard-setting bodies. For example, Rezaee et al. (2001: 151) define continuous auditing as “a systematic process of gathering electronic audit evidence as a reasonable basis to render an opinion on fair presentation of financial statements prepared under paperless, real-time accounting system”. Helms & Mancino (1999: 61) state that “continuous auditing historically meant using software to detect auditor-specified exceptions from among all transactions that are processed either in a real-time or near real-time environment. These exceptions could be investigated immediately or written to an auditor’s log for subsequent work”.

The joint study of the North American accounting bodies (CICA & AICPA) defines continuous auditing as “a methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors’ reports issued simultaneously with, or a short period of time after, the occurrence of events underlying in the subject matter” (Study Group, 1999: 5). The Global Technology Audit Guide No. 3 issued by the Institute of Internal Auditors (IIA) defines continuous auditing as “a method used to automatically perform control and risk assessments on a more frequent basis, technology is the key to enabling such an approach. Continuous auditing changes the audit paradigm from periodic reviews of a sample of transactions to ongoing audit testing of 100 percent of transactions” (GTAG, 2005: 3).

From the definitions, it can be seen that applying the continuous auditing technique can help auditors to reduce the cost of the basic audit assignment by enabling them to test a larger sample (up to 100%) of clients’ transactions and examine data faster and more efficiently than the manual testing required when auditing around the computer.

Moreover, it helps the auditors to specify transaction selection criteria to choose transactions and perform both tests of controls and substantive tests throughout the year on an ongoing basis. It also enables auditors to assess risk, evaluate internal controls and electronically perform a variety of audit procedures, including extracting data, downloading information for analytical review, selecting samples for tests of controls and substantive tests, identifying exceptions and unusual transactions and performing confirmations (GTAG, 2005; Kogan et al., 1999; Rezaee et al., 2002; Study Group, 1999).

The main difference between continuous auditing and other CAATs is that continuous auditing needs to be implemented on an online computer system; an online system refers to a system that is permanently connected through computer networking between the auditors and the clients, or the auditees. This can be applied by including an embedded audit module in the client’s shipping software (Debreceny et al., 2003; Debreceny et al., 2005b; Helms & Lilly, 2000; Higson, 2003). The auditors set a number of pre-defined attributes that monitor and analyse the client’s real-time accounting system. If a problem arises, alarm systems warn the auditors to investigate it (Kogan et al., 1999; Rezaee et al., 2000). This means that the continuous auditing technique functions more as a preventive and detective procedure against the misstatements of financial statements than as a corrective method (Rezaee et al., 2000).
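The embedded audit module and its pre-defined attributes can be sketched as follows. This is an added example, not part of the original text: every transaction is checked against auditor-specified rules as it is processed, and each exception is written to an auditor's log. The four rules, the thresholds, the field names and the transaction stream are all hypothetical and constructed for the illustration.

```python
from datetime import datetime


class EmbeddedAuditModule:
    """Applies auditor-defined rules to each transaction as it is processed."""

    def __init__(self, approval_limit=10_000, business_hours=(7, 19)):
        self.approval_limit = approval_limit      # hypothetical threshold
        self.business_hours = business_hours      # hypothetical 07:00-19:00
        self.seen_invoices = set()
        self.audit_log = []                       # the auditor's exception log

    def check(self, txn):
        findings = []
        approver = txn.get("approved_by")
        if txn["amount"] > self.approval_limit and not approver:
            findings.append("over limit without approval")
        if approver and approver == txn["entered_by"]:
            findings.append("entered and approved by same user")
        key = (txn["vendor"], txn["invoice_no"])
        if key in self.seen_invoices:
            findings.append("duplicate vendor invoice")
        self.seen_invoices.add(key)
        hour = datetime.fromisoformat(txn["posted_at"]).hour
        if not self.business_hours[0] <= hour < self.business_hours[1]:
            findings.append("posted outside business hours")
        self.audit_log += [{"txn": txn["id"], "rule": f} for f in findings]
        return findings


# Constructed transaction stream (all identifiers and values are made up).
STREAM = [
    {"id": "T1", "vendor": "V10", "invoice_no": "5001", "amount": 1200,
     "entered_by": "alice", "approved_by": "bob", "posted_at": "2024-03-04T10:15:00"},
    {"id": "T2", "vendor": "V10", "invoice_no": "5002", "amount": 18500,
     "entered_by": "alice", "approved_by": None, "posted_at": "2024-03-04T11:02:00"},
    {"id": "T3", "vendor": "V22", "invoice_no": "771", "amount": 9400,
     "entered_by": "carol", "approved_by": "carol", "posted_at": "2024-03-04T14:40:00"},
    {"id": "T4", "vendor": "V10", "invoice_no": "5001", "amount": 1200,
     "entered_by": "dave", "approved_by": "bob", "posted_at": "2024-03-05T02:13:00"},
]


def run_stream(stream):
    """Feed the stream through the module and return the exception log."""
    module = EmbeddedAuditModule()
    for txn in stream:
        module.check(txn)
    return module.audit_log
```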

Although there are many benefits to be gained from applying a continuous auditing approach, in practice its application may face some challenges: the great variety of software systems used by clients makes it very difficult for auditors to develop integrated online auditing systems, at least for the time being (Kogan et al., 1999). Moreover, it needs skilled auditors who are able to deal with such an approach.