Additional notes

Computer-assisted audit techniques (CAATs) are applications of auditing procedures

using the computer as an audit tool.

The overall objectives and scope of an audit do not change when an audit is conducted in a computerised
environment. However, the application of auditing procedures may require auditors to consider techniques
that use the computer as an audit tool. These uses of the computer for audit work are known as CAATs.

CAATs may be used in performing various auditing procedures, including the following.

 Tests of details of transactions and balances

 Analytical review procedures
Tests of computer information system controls
The advantages of using CAATs are:
Auditors can test program controls as well as general internal controls associated with computers.
Auditors can test a greater number of items more quickly and accurately than would
be the case otherwise.
Auditors can test transactions rather than paper records of transactions that could be incorrect.
CAATs are cost effective in the long term if the client does not change its systems.
Results from CAATs can be compared with results from traditional testing – if the
results correlate, overall confidence is increased.

The disadvantages associated with using CAATs include:

 Setting up the software needed for CAATs can be time consuming and expensive.
Audit staff will need to be trained so they have a sufficient level of IT knowledge to apply CAATs.

 Not all client systems will be compatible with the software used with CAATs.
There is a risk that live client data is corrupted and lost during the use of CAATs.

The major steps to be undertaken by the auditors in the application of a CAAT are as follows.
Set the objective of the CAAT application

Determine the content and accessibility of the entity's files

Define the transaction types to be tested

Define the procedures to be performed on the data

Define the output requirements

 Identify the audit and computer personnel who may participate in the design and application of the
CAAT

Refine the estimates of costs and benefits

Ensure that the use of the CAAT is properly controlled and documented

Arrange the administrative activities, including the necessary skills and computer facilities

Execute the CAAT application

Evaluate the results

1
There are two particularly common types of CAAT, audit software and test data.

Audit software
Audit software consists of computer programs used by the auditors, as part of their auditing procedures,
to process data of audit significance from the entity's accounting system. It may consist of generalised
audit software or custom audit software. Audit software is used for substantive procedures.

Generalised audit software allows auditors to perform tests on computer files and databases, such as
reading and extracting data from a client's systems for further testing, selecting data that meets certain
criteria, performing arithmetic calculations on data, facilitating audit sampling and producing documents
and reports. Examples of generalised audit software are ACT and IDEA.
Custom audit software is written by auditors for specific tasks when generalised audit software cannot be
used.
The following table provides some examples of the use of audit software in the course of an audit.

Audit software: examples of use

 Perform calculations and comparisons in analytical procedures

Sampling programs to extract data for audit testing, eg select a sample
 of receivables for confirmation
Scan a file to ensure that all documents in a series have been accounted for
 or to search for large and unusual items
Compare data elements in different files for agreement (eg prices on sales
invoices to authorised prices in master file)
dit software: exales of use
Audit software – Exampes of use
Reperform
 calculations eg totalling sales ledger
Prepare documents and reports eg produce receivables' confirmation letters and monthly statements

Benefits of using audit software

Audit software can perform calculations and comparisons more quickly than those done
manually.
Audit software makes it possible to test more transactions than when
simply manually scanning printouts. For example, audit software may
facilitate searches for exceptions, such as negative or very high quantities
when auditing inventory listings. The additional information will give the
auditor increased comfort that the figure being audited is reasonably
stated.
Audit software may allow the actual computer files (the source files) to be
tested from the originating program, rather than printouts from spool or
previewed files which are dependent on other software (and therefore could
contain errors or could have been tampered with following export).

2
Using audit software is likely to be cost-effective in the long term if the
client does not change its systems.
Difficulties of using audit software
The costs of designing tests using audit software can be substantial, as
a great deal of planning time will be needed in order to gain an in-depth
understanding of the client's systems so that appropriate software can be
produced.
The audit costs in general may increase because experienced and specially trained staff will be
required to design the software, perform the testing and review the results of the testing.

If errors are made in the design of the audit software, audit time, and therefore costs,
can be wasted in investigating anomalies that have arisen because of flaws in how the
software was put together rather than by errors in the client's processing.
If audit software has been designed to carry out procedures during live running of the client's
system, there is a risk that this disrupts the client's systems. If the procedures are to be run when
the system is not live, extra costs will be incurred by carrying out procedures to verify that the
version of the system being tested is identical to that used by the client in live situations.

Test data

Examples include:
Test data used to test specific controls in computer programs, such as online password
and data access controls.
Test transactions selected from previously processed transactions or created by the auditors to
test specific processing characteristics of an entity's computer system. Such transactions are
generally processed separately from the entity's normal processing.

Test data can for example be used to check the controls that prevent the processing of invalid
data by entering data with, say, a non-existent customer code or worth an unreasonable
amount, or a transaction which may if processed break customer credit limits.

Test transactions used in an integrated test facility. This is where a 'dummy' unit (eg a department or
employee) is established, and to which test transactions are posted during the normal processing cycle.

Benefits of using test data techniques are:

Test data provides evidence that the software or computer system used by the client are working
effectively by testing the program controls and in some cases there may be no other way to test some
program controls.
Once the basic test data have been designed, the level of ongoing time needed and costs incurred is
likely to be relatively low until the client's systems change.

However, there are some problems with using test data.

3
A significant problem with test data is that any resulting corruption of data files has to be
corrected. This is difficult with modern real-time systems, which often have built-in (and highly
desirable) controls to ensure that data entered cannot be easily removed without leaving a mark.
Test data only tests the operation of the system at a single point of time and therefore the results do not
prove that the program was in use throughout the period under review.
Initial computer time and costs can be high and the client may change its programs in
subsequent years.

Using the work of an expert

An auditor's expert is an individual or organisation possessing expertise in a field other than auditing or
accounting, whose work in that field is used by the auditor to assist the auditor in obtaining sufficient
appropriate audit evidence. An auditor's expert may be either an auditor's internal expert (who is a partner
or staff, including temporary staff, of the auditor's firm or a network firm) or an auditor's external expert.
Management's expert is an individual or organisation possessing expertise in a field other than
accounting or auditing, whose work in that field is used by the entity to assist the entity in preparing the
financial statements.

Professional audit staff are highly trained and educated, but their experience and training is limited to
accountancy and audit matters. In certain situations it will therefore be necessary to employ an uditor's
expert.
Examples of areas in which an auditor's expert may be needed to help gain audit evidence include:
Valuations of land and buildings
Valuation of inventory or work in progress, including the determination of the physical condition of
inventory
Legal opinions, including expert opinions on the possible outcomes of litigation or disputes

Guidance on this area is provided by ISA 620 Using the work of an auditor's expert.
An auditor's expert could be employed by the auditor to assist in:
Obtaining an understanding of the entity and its environment, including its internal control

Identifying and assessing the risks of material misstatement

Determining and implementing overall responses to assessed risks at the financial statement level

Designing and performing further audit procedures to respond to assessed risks at the
assertion level

Evaluating the sufficiency and appropriateness of audit evidence obtained in forming an
opinion on the financial statements

Competence, capabilities and objectivity of the auditor's expert

ISA 620 requires the auditor to evaluate whether the auditor's expert has the necessary
competence, capabilities and objectivity. Where the auditor's expert is external, the evaluation
of objectivity will include enquiry of interests and relationships that could create a threat to
objectivity.
Information on these areas may come from the following sources:

4
Personal experience with previous work done by the expert

Discussions with the expert

Discussions with other people who are familiar with the expert's work

Knowledge of the expert's qualifications, membership of a professional body or
industry association, licence to practise etc

Published papers or books by the expert

The auditor's firm's quality control policies and procedures

Obtaining an understanding of the field of expertise

The auditor shall obtain a sufficient understanding of the auditor's expert's field of expertise
to allow the auditor to determine the nature, scope and objectives of the work and to
evaluate the adequacy of the work done.

Agreement
ISA 620 requires the auditor to agree in writing the following with the auditor's expert.
Nature, scope and objectives of the work

Respective roles and responsibilities of the auditor and the auditor's expert

Nature, timing and extent of communication between the auditor and the
auditor's expert, including the form of any report

Confidentiality requirements
The agreement between the auditor and the auditor's expert is often in the form of an engagement letter.
The Appendix to ISA 620 lists matters to consider for inclusion in the engagement letter.

Evaluating the work of the auditor's expert

The auditor shall evaluate the adequacy of the auditor's expert's work, which will include the following:
The relevance and reasonableness of the expert's work and consistency with other audit evidence
The relevance and reasonableness of any assumptions and methods used
The relevance, completeness and accuracy of any source data used
If the auditor's evaluation results in a conclusion that the expert's work is not adequate,
the auditor must agree on the nature and extent of further work to be done by the expert,
and perform additional audit procedures that may be necessary in the circumstances.

Reference to the auditor's expert in the auditor's report

The auditor must not refer to the work of an auditor's expert in the auditor's report containing an
unmodified opinion (unless required by law or regulation). If the auditor makes reference to the work of an
auditor's expert in the auditor's report because it is relevant to understanding a modification to the
opinion, the auditor must state in the auditor's report that this reference does not reduce the auditor's
responsibility for the opinion.