
The Institute of Chartered Accountants of Bangladesh (ICAB)

Course Name: IT Application Session: March-May, 2012


Professional Stage (Application Level) Lecture Synopsis-4
Course Teacher: Abdulla-Al-Mahmud FCA, FCMA, FCS, MBA, LL.B

Chapter: Designing, implementation and evaluating information systems:

System:
A system is a set of components that interact to achieve a common goal.

Information system:
An information system is a collection of hardware, software, data, people, communications and
procedures that work together to produce quality information.

System development:
System development is the activity of creating a new business system or modifying an existing
business system.

System development life cycle (SDLC):


The system development life cycle (SDLC) is based on the systems approach, which divides
problem solving into a set of interrelated activities. The system development life cycle (SDLC) is
one of the oldest and most traditional development methodologies. The development of an
information system follows a life cycle from the conception of the system to the delivery of that
system, hence the term system development life cycle.

Participants of system development:


Effective system development requires a team effort. For each system development project, the
organization usually establishes a project team to work on the project from beginning to end. The
team usually consists of:
• Stakeholders;
• Users;
• Managers;
• System development specialists;
• Various support personnel.
The development team is responsible for determining the objectives of the information system and
objectives of the organization.

Project management:
Project management is the application of knowledge, skills, tools, and techniques to project
activities in order to meet or exceed stakeholder needs and expectation from a project.

Activities of project management:


Project management includes the application of knowledge, skills, tools and techniques to achieve
specific targets within specified budget and time constraints. Project management activities
include:
• Planning the work;
• Assessing risk;
• Estimating resources required to accomplish the work;
• Organizing the work;
• Acquiring human and material resources, assigning tasks etc.;
• Directing activities;
• Controlling project execution;
• Reporting progress; analyzing the result.

Variables of project management:


Project management for information systems deals with five major variables:
• Scope;
• Time;
• Cost;
• Quality; and
• Risk.

Components of a project:
The following are the basic components of a project that must be considered by the project leader:
• The goal, objectives and expectations of the project, collectively called the scope of the
project;
• Required activities;
• Time estimates for each activity;
• Cost estimates for each activity;
• The order in which activities must occur;
• Activities that may be performed concurrently.

Phases of SDLC:
The activities of the SDLC can be grouped into five major phases:
1. System planning
   • Problem definition;
   • Planning.
2. System analysis
   • Understanding the problem;
   • Feasibility study;
   • Requirements specification.
3. System design
4. System implementation
   • Development;
   • Testing;
   • Implementation.
5. System operation and maintenance
   • Maintenance;
   • Review.
The systems life-cycle is a framework of the processes (stages) which need to occur in the
development of a computer system. In general terms, there are the following stages:

System planning:

Problem definition:
This stage is concerned with identifying the initial problem or idea, assessing the justification for
further action against the business objectives and setting the initial strategy and objectives of the
project.

Planning:
Planning for a project begins when the steering committee, a decision-making body for an
organization, receives a project request. During planning, four major
activities are performed:
• Reviewing and approving the project requests;
• Prioritizing the project requests;
• Allocating resources such as money, people and equipment to approved projects; and
• Forming a project development team for each approved project.
In the field of information systems, planning refers to the process of translating strategic and
organizational goals into system development plans and initiatives. The process of information
system planning is as follows:

Organization's business strategic plan
↓
Information systems planning
↓
Information systems plan
↓
System development initiative

Overall objectives of information systems are usually distilled from the relevant aspects of the
organization's business strategic plan. The importance of planning to the quality of the finished
system can be summarized in the following
points:
• Proper systems planning ensures that specific system development objectives support
organizational goals;
• It provides a long-range view of information technology use in the organization;
• It provides guidance on how the system infrastructure of the organization should be
developed over time;
• It serves as a roadmap indicating the direction and rationale of systems development;
• It ensures better use of systems resources, including funds, systems personnel and time
for scheduling specific projects.

The steps of information system planning are given below:

Strategic plan

Develop overall objectives

Identify information system projects

Set priorities and select projects

Develop information systems plan

Analyze resource requirements

Set schedules and deadlines

Develop information system planning document

In case of information systems development, planning includes:

• The key management decisions concerning hardware acquisition;
• Structure of authority, data and hardware;
• Required organizational change.

Organizational changes are usually described, including:

• Management and employee training requirement;
• Recruiting efforts, changes in business processes;
• Changes in authority, structure or management practice.

Importance of planning:
• Consistency;
• Efficiency;
• Cutting edge;
• Lower costs;
• Adaptability.

Importance of control:
Control consists of four major activities:
• Conducting a post-implementation system review;
• Correcting errors;
• Identifying enhancements; and
• Monitoring system performance.

An internal control system must ensure the following:

• Laws and enterprise policies are properly implemented;
• Accounting records are accurate;
• Enterprise assets are used effectively;
• Steps are taken to reduce chances of losing assets or incurring liabilities from fraudulent
or similar activities, such as the carelessness or dishonesty of employees, customers or
suppliers.

Major activities of control:

• Conducting a post-implementation system review;
• Correcting errors;
• Identifying enhancements;
• Monitoring system performance.

System analysis:
System analysis is the process of developing a detailed analysis of the problem so that developers
can better understand the nature, scope, feasibility and requirements of the new system. There are
three main activities in this phase: gaining a thorough understanding of the problem, conducting a
feasibility study and establishing system requirements.

Understanding the problem:


Developers and users should fully understand the existing problems and the strengths and
weaknesses of the existing system. In some cases, the problem may be that there is no system, in
others the problem may be that the existing system is outdated or incapable of meeting user
needs. Other activities in this step include identifying the overall implications and benefits of the
new system for the entire organization, taking an inventory of existing hardware and software and
identifying the information needs of existing and potential users.

Feasibility analysis:
The system analysis phase also involves a feasibility study, which determines whether the system
is feasible within the socio-technical framework of the organization. It is a high-level overview
analysis of the problem area to identify the boundary of the area for investigation and the outline of
requirements. The feasibility study carefully examines technical, economic, operational,
scheduling, legal and strategic factors.
Technical feasibility analysis determines whether the proposed system can be developed and
implemented using existing technologies or whether new technologies are required. Hardware,
software and network requirements for the new system are also determined in this step.
Economic feasibility analysis evaluates the financial aspects of the project by performing a cost-
benefit analysis and assessing both the tangible and the intangible benefits of the system.
Establishing economic feasibility is such a difficult task and is often so badly done that poor project
estimates are cited as one of the top reasons for system failures.
Operational feasibility analysis determines whether there will be any problems in implementing
the system in its operational environment, looks at issues such as integrating the new system with
existing systems in the organization and assesses how the system fits with the strategic business
plan and the strategic information plan of the organization.

Schedule feasibility studies address the time it will take to complete the project. In this step,
decision makers must take into account available resources, such as manpower, time, money and
equipment. It also helps to identify any additional resources that may be required to complete the
project on time. Although this may sound like a simple task, determining project completion time is
often very difficult. This is one of the primary reasons why so many software projects are behind
schedule.
Legal feasibility studies take into account factors such as copyrights, patents and other
regulations, if any. As the number of lawsuits in the computer industry increases, organizations are
being more cautious about the legal implications of system development. In the case of life-
threatening systems, legal feasibility can become a deciding factor.
Finally, strategic feasibility analysis looks into factors such as the ability of the system to
increase market share, give the organization a competitive edge in the marketplace, enhance the
productivity of knowledge workers and achieve other strategic goals of the organization.

Role of accountant in feasibility analysis:


The accountant's first activity is the preparation of feasibility reports that assist management in
assessing the viability/profitability or otherwise of proposed capital expenditure, cash budget or
cash flow projection etc. The accountant should then investigate the performance/operations of
competing business organizations to assist management in policy formulation.

Requirements specification:
This is an in-depth analysis to establish the environment and the exact business requirement. It
will also produce a definition of what the business requirements mean in terms of a new system, and
a detailed description of the requirements in a form in which they can be interpreted by the
technical designer who will eventually develop the new system. The accountant must have
knowledge of the following technical information and system requirements to develop new
accounting information systems:
• Hardware requirements;
• Software requirements;
• Required interfaces;
• Functional capabilities;
• Performance levels;
• Reliability;
• Security/privacy;
• Quality;
• Constraints and limitations;
• System modules;
• System architecture.

Hardware and software specification:

Hardware specifications:
Performance:
What are its speed, capacity and throughput?
Reliability:
What is the risk of malfunction and what are its maintenance requirements?
What are its error control and diagnostic features?
Compatibility:
Is it compatible with existing hardware and software? Is it compatible with hardware and software
provided by competing suppliers?
Technology:
In what year of its product life cycle is it? Does it use a new untested technology or does it run the
risk of obsolescence?
Ergonomics:
Has it been "human factor engineered" with the user in mind? Is it user-friendly, designed to be
safe, comfortable and easy to use?
Connectivity:
Can it be easily connected to wide area and local area networks that use different types of network
technologies and bandwidth alternatives?
Scalability:
Can it handle the processing demands of a wide range of end users, transactions, queries and
other information processing requirements?
Software:
Is system and application software available that can best use this hardware?
Support:
Are the services required to support and maintain it available?

Software specifications:
Quality:
Is it bug-free or does it have many errors in its program code?
Efficiency:
Is the software a well developed system of program code that does not use much CPU time,
memory capacity or disk space?
Flexibility:
Can it handle our e-business processes easily without major modification?
Connectivity:
Is it web-enabled so it can easily access the Internet, intranets and extranets on its own or by
working with Web browsers or other network software?
Language:
Is it written in a programming language that is familiar to our own software developers?
Documentation:
Is the software well documented? Does it include help screens and helpful software agents?
Hardware:
Does existing hardware have the features required to best use this software?
Other Factors:
What are its performance, cost, reliability, availability, compatibility, modularity, technology,
ergonomics, scalability and support characteristics?

System design:
System design is the creation of a roadmap that shows system developers how to convert system
requirements into a workable, operational system by exploring different designs and identifying the
best design for the project. A number of technical, organizational and managerial considerations,
along with user preferences and resource constraints should be taken into account before
designing a system. This stage produces the detailed technical plan for the new system.
System design involves carefully scrutinizing each system requirement and converting it into a
sequence of detailed procedural steps and system specifications. For example, an architect looks
at the blueprint of a house and identifies the specifications (the amount of concrete, wood, wiring
and so on) that are required to convert the blueprint into a reality. Similarly, the system developer
must analyze each requirement and determine how to make the system meet it.
There are two types of design: logical and physical design. Logical design identifies the records
and relationships to be handled by the system. It focuses on the logic or the reasoning, behind the
system by breaking down the system into sub-systems and each sub-system into smaller sub-
systems, until the process cannot be repeated any further. The logical design establishes the
relationships among the various sub-systems, the records and variables in the sub-systems, and
the interrelationships among variables and sub-systems. The logical design defines the database
as seen by end-users and programmers.
Physical design, on the other hand, addresses the physical aspects of the system, input and
output devices, hardware, configurations for the network, memory and storage, physical security
and so on. The physical design also defines data structures, access methods, file organization,
indexes, blocking, pointers and other attributes of the system. In particular, system design involves
three main activities:
1. Identify the technology required to implement the system:
System designers and developers must identify the hardware, software and network
requirements of the new system. In some cases, the required technologies may already be
present; in others, new technologies may have to be acquired;
2. Ensure that the design is rigorous and reliable:
System design is not an isolated activity, but is interwoven with other activities in the
development cycle. Hence, activities in the design phase must be coordinated with other
phases in the development life cycle. A key factor in ensuring a robust and reliable design is
to involve users from the early stages of system development. Although the role of the user
appears to be obvious, many organizations fail to involve users; this failure leads not only to
resentment and frustration, but also to system abandonment.
3. Provide detailed specifications and a one-to-one mapping of the specifications and system
objectives: The system designer should map system specifications against system objectives
so that all people involved in the project clearly understand their contributions to the overall
system. By linking each specification to a specific system objective, developers can better
understand how the specification will contribute to overall system goals.

Initial system design: The initial system design is a working version of an information system or
part of the system, but it is meant to be only a preliminary model.

System analysis → Evaluate design alternatives → Prepare design specification → Prepare conceptual system design report

Figure: System design in operation

The major activities of initial systems design are:

• User interface design, data manipulation and output analysis;
• Process design, output design and output analysis;
• User interface design, data design and process design;
• Data design, input validation and processing.

System design is divided between accountants and IT professionals as follows:

• The accounting function is responsible for conceptual systems;
• The IT function is responsible for physical systems.

"Designing is considered the most important stage in SDLC." Do you agree with this
statement?
System design is a road map that shows system developers how to convert system requirements
into system features. The design of an information system is the overall plan or model for the system.
Like the blueprint of a building or house, it consists of all the specifications, form and structure of
the system. Here the responsibility of the designer is especially important because this stage produces
the detailed technical plan for the new system. So, system design is the most important stage.
It can be considered the focal point of the SDLC.

System implementation:
The system implementation phase consists of two primary parts, construction and delivery, which
are carried out in three sub-stages, namely development, testing and implementation.

Development:
Programming is only one phase in the system development life cycle. Programming is a very time-
consuming and labor intensive task. In some projects, programming alone may take many years.
Large to medium-sized systems usually involve a team of programmers. This stage contains the
coding of the processes of the new system, if a computer system has been specified.

Testing:
It involves thoroughly probing the system to ensure that its performance matches system
requirements and meets the expectations of end-users. Testing is one of the most difficult tasks in
system development. It requires creativity, persistence and a thorough understanding of the
system and the principles of computer science. Good testers find creative ways to make the
system fail, because this will arduously test the boundaries of the system and make it less likely to
fail in the future.

Organizations find it extremely difficult to estimate the resources required for testing, simply
because it is difficult to estimate how many "bugs" (problems) will be found in the system. Some
software manufacturers are reluctant to commit resources to testing because they are eager to get
the product "out the door" as quickly as possible. This is one reason why many programs already on
sale are riddled with errors and why software companies often bring out several versions of a
given program before major errors are eliminated.
There are four types of testing: unit testing, system testing, integration testing and acceptance
testing. If a system is viewed as a collection of programs (units), in unit testing, each program is
individually tested. However, this does not guarantee that the system is free of errors. The second
type of testing is system testing, in which the system is tested in its entirety to ensure that its
component units will function effectively when brought together as a system. System testing also
involves other system-related issues, such as performance time, memory requirements, back-up
functions and security controls. Integration testing verifies that the information system works well
with other systems. Finally, in acceptance testing, developers and actual users test whether the system is
ready for its operational environment and whether its performance is acceptable to users.

Implementation:
This stage involves the conversion of the business procedures from current working practices to
new ones and of data from current forms of storage to new formats. During this stage user
manuals have to be produced, training given and a strategy for change-over to the system has to
be finalized and executed.
After testing is completed, the next step is to implement the system in its operational environment.
Systems should be implemented without disrupting the daily operations of the organization; this
requires careful planning and coordination. If the system is new and not a replacement system,
implementation is fairly straightforward. If the system is replacing an existing one,
implementation becomes critical.

Different conversion strategies for conversion from a manual to a computerized system:


The initial operation of a new business system can be a difficult task. This typically requires a
conversion process from the use of a present system to the operation of a new or improved
application. Conversion methods can soften the impact of introducing new information technologies
into an organization. Following acceptance testing, a planned conversion to the new system is
performed. The implementation measures have to be completed during this stage. The four
common conversion strategies are as follows:
Parallel strategy: This is the safest method. The old and new systems run simultaneously until
sufficient confidence is gained in the new system. Parallel basis of conversion strategy is the best
method of conversion because it has some major advantages. Here both the old and new systems
are operating until the project development team and end user management agree to switch
completely over to the new system. It is during this time that the operations and results of both
systems are compared and evaluated. Errors can be identified and corrected, and the operating
problems can be solved before the old system is abandoned. The disadvantage of this approach,
however, is that it is expensive for two systems to be run in parallel.
Direct cutover strategy: This is the most risky method. At a certain point, the old system is
completely replaced by the new one. The advantage of this strategy is that it requires no
transaction costs and is a quick implementation technique. The disadvantage is that it is extremely
risky and can disrupt operations seriously if the new system does not work correctly, since there is
no other system to fall back on.
Phased strategy: The new system is introduced at incremental stages. Each function or
organizational unit is converted separately at different times using either a direct cutover or parallel
conversion. The strategy is often used with larger systems that are split into individual sites.
Pilot strategy: This method relies on introducing a part of the system into one carefully
designated organizational area, learning from this experience and then introducing the complete
system.

System operation and maintenance:


Minor modifications to the system to optimize performance, improve its usability or accommodate
small changes in the environment will have to be made from time to time while the system is
operational, and major modification or replacement is also needed if the existing system
cannot fulfill the requirements of the business. This phase is also divided into two sub-stages:

System maintenance:
Since businesses operate in a dynamic environment, the needs of system users are also dynamic,
so good systems must continuously evolve. System maintenance is one way of ensuring that the
system continues to meet the growing and changing needs of users through system additions,
deletions and enhancements. Clearly, as the system ages, the extent and criticality of system
maintenance increase.
The IEEE defines maintenance as “modification of a software product after delivery to correct
faults, to improve performance or other attributes or to adapt the product to changed environment.”
System maintenance begins after the system becomes operational and should last as long as the
system is in use. Although it lacks the glamour of development, maintenance is the key to
continuing to derive the maximum benefits from a system. User requests for new features or for
enhancement of existing features, a changing business climate, new technologies or new
information needs within the organization can accelerate system maintenance. Maintenance costs
usually increase with time and at some point it becomes more expensive to maintain the system
than it is to develop a new one. At that point, the organization may make the decision to abandon
the existing system and build a new one.

Review:
When changes in the business environment mean that major modifications are needed to retain business
effectiveness, a full review is required. This may result in major re-working or even complete
replacement of the system.

Reasons to fail to achieve the success of system development objectives:


Information system development is vital to an organization. The success of the system
helps management in decision making. The reasons why organizations fail to achieve
their system development objectives are:
• Lack of proper documentation of their system goal and system operational activities;
• Lack of expertise;
• Lack of knowledge management;
• Poorly built infrastructure in terms of computer backbone and computer hardware;
• Failure to monitor from time to time;
• Upgrading and modification of software is not carried out properly.

Accounting information systems (AIS):


Accounting information systems (AIS) combines the field of accounting with the much newer field of
information systems: systems that include people, processes, procedures and information
technology in a flexible resource used to handle data. Specifically, accounting information systems
are a subset of management information systems, systems designed to support and supplement
the decision-making process at all levels of management. The field of AIS includes the use, design
and implementation of such systems and their adherence to traditional accounting methods and
contemporary standards in accounting practices.

AIS technology:
AIS technology can be separated into three basic categories, namely:
• Input;
• Process; and
• Output.

Steps of a system development:


The development of accounting information systems follows five basic phases:
• System analysis;
• Prepare design specifications;
• Physical design;
• Implementation and conversion;
• Operation and maintenance.

System development can be broadly divided into the following stages:
• Establishing and recording user requirements;
• Investigation and feasibility;
• Project management;
• Developing a solution to fulfill requirement;
• Initial system design;
• Technical information and systems requirement;
• Specification of hardware and software;
• Implementing security requirements;
• Installing/implementation;
• Testing;
• System conversion and start-up;
• Post implementation review.

Computer-assisted audit techniques (CAATs):


The overall objectives and scope of an audit do not change when an audit is conducted in a
computer information technology (IT) environment. The application of auditing procedures may,
however, require the auditor to consider techniques known as Computer Assisted Audit
Techniques (CAATs) that use the computer as an audit tool.
CAATs may improve the effectiveness and efficiency of auditing procedures. They may also
provide effective tests of control and substantive procedures where there are no input documents
or a visible audit trail or where population and sample size are very large.

Uses of CAAT:
CAAT tools have a significant advantage over manual data testing techniques. They are audit tools
that the auditor uses to audit an automated system, and they enhance the productivity of auditors. The major
uses of CAAT are as follows:
• Recalculating and verifying balances;
• Testing compliance with standards;
• Aging analysis of receivables and payables;
• Identifying control issues;
• Testing duplicates within data;
• Testing gap in invoice number etc.
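
The duplicate, gap, aging and recalculation tests listed above, sketched as an added Python example (not part of the original synopsis). The ledger rows, the column names, the reported balance and the function names are constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import date
from decimal import Decimal

# Constructed receivables export (illustrative only, not real data).
LEDGER_CSV = """invoice_no,customer,invoice_date,amount
1001,ACME,2012-01-05,1500.00
1002,BETA,2012-01-20,250.50
1003,ACME,2012-02-11,980.00
1003,ACME,2012-02-11,980.00
1005,GAMMA,2012-03-02,4300.00
1006,BETA,2012-03-28,250.50
1009,DELTA,2012-04-15,75.25
"""
# Constructed figure: the receivables balance the entity reports.
REPORTED_BALANCE = Decimal("7356.25")


def load_ledger(text):
    """Parse the export into typed rows; Decimal avoids float rounding on money."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "invoice_no": int(rec["invoice_no"]),
            "customer": rec["customer"],
            "invoice_date": date.fromisoformat(rec["invoice_date"]),
            "amount": Decimal(rec["amount"]),
        })
    return rows


def duplicate_invoices(rows):
    """Testing duplicates: invoice numbers that occur more than once."""
    counts = Counter(r["invoice_no"] for r in rows)
    return sorted(n for n, c in counts.items() if c > 1)


def sequence_gaps(rows):
    """Testing gaps: numbers missing between the lowest and highest invoice."""
    seen = {r["invoice_no"] for r in rows}
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def aging_analysis(rows, as_of):
    """Aging analysis: total outstanding amount per days-outstanding bucket."""
    buckets = {k: Decimal("0") for k in ("0-30", "31-60", "61-90", "over 90")}
    for r in rows:
        days = (as_of - r["invoice_date"]).days
        if days <= 30:
            key = "0-30"
        elif days <= 60:
            key = "31-60"
        elif days <= 90:
            key = "61-90"
        else:
            key = "over 90"
        buckets[key] += r["amount"]
    return buckets


def recalculation_difference(rows, reported):
    """Recalculating balances: recomputed total minus the reported balance."""
    return sum((r["amount"] for r in rows), Decimal("0")) - reported


if __name__ == "__main__":
    ledger = load_ledger(LEDGER_CSV)
    print("Duplicate invoice numbers:", duplicate_invoices(ledger))
    print("Missing invoice numbers:  ", sequence_gaps(ledger))
    for bucket, total in aging_analysis(ledger, date(2012, 4, 30)).items():
        print(f"Outstanding {bucket:>7} days: {total}")
    print("Recalculated minus reported:",
          recalculation_difference(ledger, REPORTED_BALANCE))
```

In this constructed data the recalculation difference equals the amount of the duplicated invoice, which is the kind of cross-check between tests that points the auditor at a specific record.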

Description of computer assisted audit techniques (CAATs):


Computer-assisted audit techniques include computer tools, collectively referred to as CAATs.
CAATs may be used in performing various auditing procedures, including the following:
• Tests of details of transactions and balances, for example, the use of audit software for
recalculating interest or the extraction of invoices over a certain value from computer
records;
• Analytical procedures, for example, identifying inconsistencies or significant fluctuations;
• Tests of general controls, for example, testing the set-up or configuration of the operating
system or access procedures to the program libraries or by using code comparison
software to check that the version of the program in use is the version approved by the
management;
• Sampling programs to extract data for audit testing;
• Tests of application controls, for example, testing the functioning of a programmed control;
• Re-performing calculations performed by the entity's accounting systems.
CAATs are computer programs and data the auditor uses as part of the audit procedures to
process data of audit significance contained in an entity's information systems. The data may be
transaction data, on which the auditor wishes to perform tests of controls or substantive
procedures or they may be other types of data. For example, details of the application of some
general controls may be kept in the form of text or other files by applications that are not part of the
accounting system. The auditor can use CAATs to review those files to gain evidence of the
written programs, utility programs or system management programs. Regardless of the origin of
the programs, the auditor substantiates their appropriateness and validity for audit purposes before
using them.

10
 Package programs are generalized computer programs designed to perform data
processing functions, such as reading data, selecting and analyzing information,
performing calculations, creating data and files and reporting in a format specified by the
auditor;
 Purpose-written programs perform audit tasks in specific circumstances. These
programs may be developed by the auditor, the entity being audited or an outside
programmer hired by the auditor. In some cases the auditor may use an entity's existing
programs in their original or modified state because it may be more efficient than
developing independent programs.
 Utility programs are used by an entity to perform common data processing functions,
such as sorting, creating and printing files. These programs are generally not designed for
audit purposes and therefore may not contain features such as automatic record counts or
control totals.
 System management programs are enhanced productivity tools that are typically part of
a sophisticated operating systems environment, for example, data retrieval software or
code comparison software. As with utility programs, these tools are not specifically
designed for auditing use and their use requires additional care.
 Embedded audit routines are sometimes built into an entity's computer system to provide data for later use
by the auditor. These include the following:
o Snapshots: This technique involves taking a picture of a transaction as it flows
through the computer systems. Audit software routines are embedded at different
points in the processing logic to capture images of the transaction as it progresses
through the various stages of the processing. Such a technique permits an auditor to
track data and evaluate the computer processes applied to the data.
o System Control Audit Review File: This involves embedding an audit software module
within an application system to provide continuous monitoring of the system’s
transactions. The information is collected into a special computer file that the auditor
can examine.
 Test data techniques are sometimes used during an audit by entering data (for example,
a sample of transactions) into an entity's computer system and comparing the results
obtained with predetermined results. An auditor might use test data to:
o Test specific controls in computer programs, such as on-line password and data
access controls;
o Test transactions selected from previously processed transactions or created by
the auditor to test specific processing characteristics of an entity's information
systems. Such transactions are generally processed separately from the entity's
normal processing; and
o Test transactions used in an integrated test facility where a
"dummy" unit (for example, a fictitious department or employee) is established and to
which test transactions are posted during the normal processing cycle.
When test data are processed with the entity's normal processing, the auditor ensures that the test
transactions are subsequently eliminated from the entity's accounting records.
The increasing power and sophistication of PCs, particularly laptops, has resulted in other tools for
the auditor to use. In some cases, the laptops will be linked to the auditor's main computer
systems. Examples of such techniques include:
 Expert systems, for example, in the design of audit programs and in audit
planning and risk assessment;
 Tools to evaluate a client's risk management procedures;
 Electronic working papers, which provide for the direct extraction of data
from the client's computer records, for example, by downloading the general ledger for
audit testing; and
 Corporate and financial modeling programs for use as predictive audit
tests.
These techniques are more commonly referred to as "audit automation".

Considerations in the use of CAATs:


When planning an audit, the auditor may consider an appropriate combination of manual and
computer assisted audit techniques. In determining whether to use CAATs, the factors to consider
include:
 The IT knowledge, expertise and experience of the audit team;
 The availability of CAATs and suitable computer facilities and data;
 The impracticability of manual tests;
 Effectiveness and efficiency; and
 Timing.
Before using CAATs, the auditor considers the controls incorporated in the design of the entity's
computer systems to which the CAATs would be applied in order to determine whether and, if so,
how CAATs should be employed.
IT knowledge, expertise and experience of the audit team:
The audit team should have sufficient knowledge to plan, execute and use the results of the
particular CAAT adopted. The level of knowledge required depends on the complexity and nature
of the CAAT and of the entity's information system.
Availability of CAATs and suitable computer facilities:
The auditor considers the availability of CAATs, suitable computer facilities and the necessary
computer-based information systems and data. The auditor may plan to use other computer
facilities when the use of CAATs on an entity's computer is uneconomical or impractical, for
example, because of an incompatibility between the auditor's package program and the entity's
computer. Additionally, the auditor may elect to use their own facilities, such as PCs or laptops.
The cooperation of the entity's personnel may be required to provide processing facilities at a
convenient time to assist with activities such as loading and running of the CAATs on the entity's
system and to provide copies of data files in the format required by the auditor.
Impracticability of manual tests:
Some audit procedures may not be possible to perform manually because they rely on complex
processing (for example, advanced statistical analysis) or involve amounts of data that would
overwhelm any manual procedure. In addition, many computer information systems perform tasks
for which no hard copy evidence is available and therefore, it may be impracticable for the auditor
to perform tests manually. The lack of hard copy evidence may occur at different stages in the
business cycle.
 Source information may be initiated electronically, such as by voice activation, electronic
data imaging or point of sale electronic funds transfer. In addition, some transactions, such
as discounts and interest calculations, may be generated directly by computer programs
with no specific authorization of individual transactions.
 A system may not produce a visible audit trail providing assurance as to the completeness
and accuracy of transactions processed. For example, a computer program might match
delivery notes and suppliers' invoices. In addition, programmed control procedures, such
as checking customer credit limits, may provide hard copy evidence only on an exception
basis.
 A system may not produce hard copy reports. In addition, a printed report may contain
only summary totals while computer files retain the supporting details.
Effectiveness and efficiency:
The effectiveness and efficiency of auditing procedures may be improved by using CAATs to
obtain and evaluate audit evidence. CAATs are often an efficient means of testing a large number
of transactions or controls over large populations by:
 Analyzing and selecting samples from a large volume of transactions;
 Applying analytical procedures; and
 Performing substantive procedures.
Matters relating to efficiency that an auditor might consider include:
 The time taken to plan, design, execute and evaluate a CAAT;
 Technical review and assistance hours;
 Designing and printing of forms (for example, confirmations); and
 Availability of computer resources.
In evaluating the effectiveness and efficiency of a CAAT, the auditor considers the continuing use
of the CAAT application. The initial planning, design and development of a CAAT will usually
benefit audits in subsequent periods.
Timing:
Certain data, such as transaction details, are often kept for only a short time and may not be
available in machine-readable form by the time the auditor wants them. Thus, the auditor will need
to make arrangements for the retention of data required or may need to alter the timing of the work
that requires such data.
Where the time available to perform an audit is limited, the auditor may plan to use a CAAT
because its use will meet the auditor's time requirement better than other possible procedures.

Steps of using CAATs:
The major steps to be undertaken by the auditor in the application of a CAAT are to:
a) Set the objective of the CAAT application;
b) Determine the content and accessibility of the entity's files;
c) Identify the specific files or databases to be examined;
d) Understand the relationship between the data tables where a database is to be examined;
e) Define the specific tests or procedures and related transactions and balances affected;
f) Define the output requirements;
g) Arrange with the user and IT departments, if appropriate, for copies of the relevant files or
database tables to be made at the appropriate cut off date and time;
h) Identify the personnel who may participate in the design and application of the CAAT;
i) Refine the estimates of costs and benefits;
j) Ensure that the use of the CAAT is properly controlled and documented;
k) Arrange the administrative activities, including the necessary skills and computer facilities;
l) Reconcile data to be used for the CAAT with the accounting records;
m) Execute the CAAT application; and
n) Evaluate the results.

Controlling the CAAT application:


The specific procedures necessary to control the use of a CAAT depend on the particular
application. In establishing control, the auditor considers the need to:
a) Approve specifications and conduct a review of the work to be performed by the CAAT;
b) Review the entity's general controls that may contribute to the integrity of the CAAT, for
example, control over program changes and access to computer files. When such controls
cannot be relied on to ensure the integrity of the CAAT, the auditor may consider
processing the CAAT application at another suitable computer facility; and
c) Ensure appropriate integration of the output by the auditor into the audit process.

Procedures carried out by the auditor to control CAAT applications may include:
a) Participating in the design and testing of the CAAT;
b) Checking, if applicable, the coding of the program to ensure that it conforms with the
detailed program specifications;
c) Asking the entity's computer staff to review the operating system instructions to ensure
that the software will run in the entity's computer installation;
d) Running the audit software on small test files before running it on the main data files;
e) Checking whether the correct files were used, for example, by checking external evidence,
such as control totals maintained by the user and that those files were complete;
f) Obtaining evidence that the audit software functioned as planned, for example, by
reviewing output and control information; and
g) Establishing appropriate security measures to safeguard the integrity and confidentiality of
the data.
When the auditor intends to perform audit procedures concurrently with online processing, the
auditor reviews those procedures with appropriate client personnel and obtains approval before
conducting the tests to help avoid the inadvertent corruption of client records.
To ensure appropriate control procedures, the presence of the auditor is not necessarily required
at the computer facility during the running of a CAAT. It may, however, provide practical
advantages, such as being able to control distribution of the output and ensuring the timely
correction of errors, for example, if the wrong input file were to be used.
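The reconciliation in step (l) and the check in procedure (e) that the correct, complete files were used can be made a precondition of the CAAT itself. The following is an added example, not part of the original lecture notes; the column names, control total fields and all sample values are constructed assumptions.

```python
import csv
import io
from decimal import Decimal

# Constructed extract of an invoice file supplied by the entity (not real data).
EXTRACT = """invoice_no,customer,amount
1001,C-17,1250.00
1002,C-04,98000.50
1003,C-17,310.25
1004,C-22,152000.00
"""

# Constructed control totals maintained independently by the user department.
CONTROL = {"record_count": 4, "amount_total": Decimal("251560.75"), "hash_total": 4010}


def reconcile(rows, control):
    """Return the differences between the extract and the control totals."""
    actual = {
        "record_count": len(rows),
        "amount_total": sum((Decimal(r["amount"]) for r in rows), Decimal("0")),
        # Hash total: sum of a non-financial field, detects dropped or swapped records.
        "hash_total": sum(int(r["invoice_no"]) for r in rows),
    }
    return [(k, control[k], actual[k]) for k in control if control[k] != actual[k]]


def invoices_over(rows, threshold):
    """Substantive extraction: invoices above a value chosen by the auditor."""
    return [r["invoice_no"] for r in rows if Decimal(r["amount"]) > threshold]


def run_caat(extract_text, control, threshold):
    """Run the extraction only on a file that agrees with the control totals."""
    rows = list(csv.DictReader(io.StringIO(extract_text)))
    differences = reconcile(rows, control)
    if differences:
        # Do not test an unreconciled file: the population may be incomplete.
        raise ValueError(f"extract does not agree with control totals: {differences}")
    return invoices_over(rows, threshold)


if __name__ == "__main__":
    print(run_caat(EXTRACT, CONTROL, Decimal("50000")))
```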

Audit procedures to control test data applications may include:


 Controlling the sequence of submissions of test data where it spans several processing
cycles;
 Performing test runs containing small amounts of test data before submitting the main
audit test data;
 Predicting the results of the test data and comparing it with the actual test data output for
the individual transactions and in total;
 Confirming that the current version of the programs was used to process the test data; and
 Testing whether the programs used to process the test data were the programs the entity
used throughout the applicable audit period.
When using a CAAT, the auditor may require the cooperation of entity staff with extensive
knowledge of the computer installation. In such circumstances, the auditor considers whether the
staff improperly influenced the results of the CAAT.
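Comparing predicted with actual test data output, per transaction and in total, and confirming that integrated test facility entries were eliminated afterwards, can be sketched as follows. This is an added example, not part of the original lecture notes; the dummy unit name, transaction identifiers and all amounts are constructed assumptions.

```python
from decimal import Decimal

DUMMY_UNIT = "DEPT-999"  # hypothetical fictitious department used for the ITF

# Constructed results predicted by the auditor for each test transaction.
PREDICTED = {"T1": Decimal("300.00"), "T2": Decimal("730.00"), "T3": Decimal("120.00")}

# Constructed output of the entity's program for the same test run.
ACTUAL = {"T1": Decimal("300.00"), "T2": Decimal("740.14"), "T4": Decimal("50.00")}

# Constructed ledger after clean-up: only T1 was reversed on the dummy unit.
LEDGER = [("DEPT-100", "500.00"), ("DEPT-999", "300.00"),
          ("DEPT-999", "-300.00"), ("DEPT-999", "740.14")]


def compare_results(predicted, actual):
    """Compare test data output per transaction and in total."""
    exceptions = []
    for tid in sorted(predicted.keys() | actual.keys()):
        if tid not in actual:
            exceptions.append((tid, "not processed"))
        elif tid not in predicted:
            exceptions.append((tid, "unexpected output"))
        elif predicted[tid] != actual[tid]:
            exceptions.append((tid, f"expected {predicted[tid]}, got {actual[tid]}"))
    total_diff = (sum(actual.values(), Decimal("0"))
                  - sum(predicted.values(), Decimal("0")))
    return exceptions, total_diff


def residual_test_entries(ledger):
    """Net balance left on the dummy unit; zero once test data is eliminated."""
    return sum((Decimal(amt) for unit, amt in ledger if unit == DUMMY_UNIT),
               Decimal("0"))


if __name__ == "__main__":
    print(compare_results(PREDICTED, ACTUAL))
    print(residual_test_entries(LEDGER))
```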

Audit procedures to control the use of audit-enabling software may include:


 Verifying the completeness, accuracy and availability of the relevant data, for example,
historical data may be required to build a financial model;
 Reviewing the reasonableness of assumptions used in the application of the tool set,
particularly when using modeling software;
 Verifying availability of resources skilled in the use and control of the selected tools; and
 Confirming the appropriateness of the tool set to the audit objective, for example, the use
of industry specific systems may be necessary for the design of audit programs for unique
business cycles.

Documentation:
The standard of working paper documentation and retention procedures for a CAAT is consistent
with that for the audit as a whole.
The working papers need to contain sufficient documentation to describe the CAAT application,
such as:
(a) Planning:
 CAAT objectives;
 Consideration of the specific CAAT to be used;
 Controls to be exercised;
 Staffing, timing and cost.
(b) Execution:
 CAAT preparation and testing procedures and controls;
 Details of the tests performed by the CAAT;
 Details of input, processing and output;
 Relevant technical information about the entity’s accounting system, such as file
layouts.
(c) Audit evidence:
 Output provided;
 Description of the audit work performed on the output;
 Audit conclusions.
(d) Other:
 Recommendations to entity management;
 In addition it may be useful to document suggestions for using the CAAT in future
years.

The end
