
Chapter 5

This chapter discusses the importance of Computer-Assisted Audit Tools and Techniques (CAATTs) in modern auditing, emphasizing the need for auditors to effectively utilize computerized tools due to the increasing reliance on electronic documents. It outlines various software tools that enhance audit productivity, facilitate communication, and improve data management, while also highlighting the role of CAATTs in evaluating application controls and ensuring data integrity. Additionally, the chapter introduces the growing field of computer forensics and the application of web analysis tools in auditing processes.

Uploaded by

011loveyourself

Chapter 5

Auditing IT Using Computer-Assisted Audit Tools and Techniques

Today's auditors work constantly with computerized records. It is likely that many audit clients either have eliminated or will eliminate a substantial portion of their paper documents and replace them with electronic documents filed only in computerized form. An auditor who is unable to use computerized audit tools effectively will be at a tremendous disadvantage. Therefore, today's auditor must be equipped with an understanding of alternative tools and approaches to test the operations of computerized systems and gather and analyze data contained in computerized files.

Computer technology has become an integral part of most organizational functions. Experts are forecasting continued improvement in the power and flexibility of computers and communication devices while costs are expected to decrease. Competitive factors have made it necessary for both auditors and clients to utilize new technological developments.

The computer is an important tool for many occupations. The auditing profession is particularly dependent on computers to perform most of the functions of the job. All types of audits and all types of auditors can take advantage of software tools and techniques to be more efficient and effective. This chapter describes software tools and techniques used in IT audits.

Audit productivity tools are software that helps auditors reduce the amount of time spent on administrative tasks by automating the audit function and integrating information gathered as part of the audit process.

Computer-assisted audit tools (CAATs) are software that helps auditors evaluate application controls, and select and analyze computerized data for substantive audit tests.

Computer-assisted audit tools and techniques (CAATTs) are software and/or the methodology (such as data flow diagram or using SARF) applied to test or document selected IT processes and their integration within the IT environment.


This chapter examines the multitude of support tools available to the IT auditor, which assist him in auditing IT. As this chapter suggests, the auditor's toolkit is a critical component in conducting audits in today's complex environment. The chapter will provide examples of uses of CAATTs as a way of generating and documenting audit evidence (SAS 106 Audit Evidence). The chapter also introduces a fast-growing area of CAATTs, called computer forensics, supporting law enforcement, security, and audit professionals in computer forensics investigations. Also discussed is the use and application of Web analysis tools as audit tools for reviewing Web design, development, and usability.

Auditor Productivity Tools

The core of the audit process is analyzing controls to determine if they are adequate or need improvement. Many of the tasks associated with performing an audit, such as planning, developing, and documenting, although necessary, take time away from doing the actual analysis work. Thus, the need for automating the auditing functions. In addition, computer systems are highly complex and testing through the computer provides greater evidence of the functioning of controls.

Mainframe, client/server, and all forms of personal computers are an integral part of the audit processes. Technology is used as part of the audit process for the following activities:
■ Planning and tracking the annual audit schedule using spreadsheets, database, and project management software
■ Documentation and presentations using word processing, flowcharting, and graphics and video software
■ Communication and data transfer using electronic connectivity and a centralized server or distributed resources
■ Resource management using online work papers review and e-mail
■ Data management using database, groupware, and intranet software
■ Reports and correspondence using word processing, video software, conferencing software, collaborative writing, file sharing, and notation techniques

Audit Planning and Tracking

Risk assessment (such as those identified in SAS 106 (Audit Evidence) and SAS 107 (Audit Risk and Materiality in Conducting an Audit)), audit schedule preparation and tracking, and budget preparations are necessary tasks in audit planning. Spreadsheets or database software can be used to record risk values such as those values required in SAS 107, develop an "audit universe," and prepare a budget. Project management software can be used to schedule audits and track the current status. Each of these solutions is a standalone. Their integration may not even be possible. Because planning tasks are interdependent, an integrated application would provide quicker update and ensure that all phases of planning are kept in sync. For example, the budget should provide sufficient costs to accomplish the audit schedule, or the audit schedule should not exceed the resources available.

Documentation and Presentations

The use of packages such as Microsoft Office suite provides "cut and paste" and linking functionality. These features facilitate the creation of consistent, accurate documents. For example, spreadsheet data containing functional testing results can be incorporated into a report document with a few clicks of a mouse. This same data can then just as easily be copied to a presentation slide and also be "linked," so that changes to the source documents will be reflected in any of the related documents. Software suite functionality saves time and ensures consistency and accuracy. Other support tools are the use of conferencing software to provide presentations to collaborators worldwide and the use of video capture capability to document audit evidence.

Communication

Because the auditor operates as part of a team, the need to share data as well as communicate with other members of the group is important. Providing immediate access to current data, electronic messaging, and online review capabilities allows staff to quickly communicate and gather research information for audits and special projects. In addition, auditors may occasionally need to operate from a host computer terminal, yet still have all the capability of a dedicated desktop processor. Therefore, it is necessary to have the required computer hardware, media hardware, protocol handlers, desired terminal software emulators, high-speed modems, and wireless connectivity at the audit site.

Electronic connectivity not only allows auditors to communicate but also provides access for audit clients to exchange information. For example, a member of senior management can be given access to the auditing risk universe database. This allows them to browse the database and suggest additions or changes to risk areas. Again, video conferencing capability allows meetings to be conducted and members to participate worldwide. They can see a spreadsheet, a graph, a video clip, receive live data feeds, and see responses from parties involved.

Data Management

Establishing electronic connectivity provides audit personnel with the capability to access and input data into a central data repository or knowledge base. The central data repository can archive historical risk, audit schedule, and budget data that can be accessed electronically by all authorized users throughout the audit group, regardless of physical location. Database applications can be developed to automatically consolidate data input electronically from all audit functions.

Through the use of databases, audit management can centrally monitor and have immediate access to critical activity such as audit schedule status, field audit status, fraud or shortage activity, and training and development progress. Database applications can automatically consolidate function-wide data and generate local and consolidated status and trending reports. Auditors can produce more effective products by leveraging off the knowledge of other auditors by having access to function-wide data. The database can contain information such as risk areas, audit programs, findings, corrective action, industry standards, best practices, and lessons learned. This information could be available for research whenever needed. Online storage of information will allow auditors to do text and word searches to find specific information in voluminous documents (e.g., insurance code).

A central repository provides immediate access to historical data (e.g., prior audit programs) so that time will not be wasted "reinventing the wheel." It helps auditors to research an audit area to determine prior risk areas and functional testing approaches, identify related or interrelated areas, and review local or organization-wide corrective action. In addition to historical data, a repository provides a platform for interactive activities such as electronic bulletin boards. Audit personnel (and others, if authorized) can post new information or update old information. Building a central knowledge base facilitates applying lessons learned and increases the level of understanding about the business environment throughout the entire organization.

Resource Management

Another challenge for audit managers is to manage a remote workforce. Whether an auditor is working on a local audit or out in the field, managers need to be able to provide guidance and review work in progress. Managers need to provide feedback while the auditor is on location in case follow-up action is necessary.

A distributed workforce requires a very informed and responsive management team that can gather and disseminate information quickly. Important information can be rapidly gathered and disseminated function-wide through e-mail and internal electronic b-boards. Supervisors can provide immediate feedback and direction on audit projects through online review of electronic work papers.

Groupware

Groupware is a specialized tool or assembly of compatible tools that enables business teams to work faster, share more information, communicate more effectively, and do a better job of completing tasks. Groupware systems create a collaborative work environment. Today, we are seeing desktop conferencing, videoconferencing, coauthoring features and applications, e-mail and b-boards, meeting support systems, paging and voice applications, workflow systems, and group and subgroup calendars as examples of groupware products and support systems. A popular early groupware application is Lotus Notes. Lotus Notes is a client/server application development platform. It is designed to enhance group productivity by allowing users to share information, while also allowing individuals to customize private views of the information. Notes differs from traditional relational database software through its use of document-oriented databases. In Notes, a document is defined as an object containing text, graphics, video, and audio objects or any other kind of rich-text data. The ongoing work on Web 2.0 hopes to bring the next generation of groupware into use and practice.

Groupware is "a natural" for automating the audit function. These products use database features and workflow processing that can be used to store and integrate information gathered and used in the audit process. For example, risk assessment information feeds audit planning, and audit results feed audit reporting and update the risk assessment model. There are several products on the market that use groupware products such as Lotus Notes or Microsoft Office to automate the audit process.

Using Computer-Assisted Audit Tools in the Audit Process

As mentioned in Chapter 3, the American Institute of Certified Public Accountants (AICPA) issued the Statement on Audit Standard (SAS) 94, "The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit." This SAS does not change the requirement to perform substantive tests on significant amounts but states, "It is not practical or possible to restrict detection risk to an acceptable level by performing only substantive tests." When assessing the effectiveness and integrity of the design and operation of controls, it is necessary for the auditor to test and evaluate these controls. The decision to test and evaluate is not related to the size of the firm but the complexity of the IT environment. Therefore, CAATTs play a very important role in the performance of audit work.

Of the more recent SASs, SAS 104 through SAS 111 require the auditor and the organization to carefully assess the risks of material misstatement (RMM) of the financial statements and what actions the organization is taking to reduce their risks. The AICPA's Information Technology membership sections developed their guide, "IT Considerations in Risk-Based Auditing: A Strategic Overview" to help auditors implement these standards. These standards can help clients to identify control weaknesses and reduce the amount of substantive procedures required due to a greater reliance on controls and the use of CAATTs. Of these SASs (104-111), there is greater emphasis related to the impact of IT on five of them: 106, 107, 108, 109, and 110.

CAATTs can be used in a variety of ways to evaluate the integrity of an application, determine compliance with procedures, and continuously monitor processing results. Information systems auditors review application systems to gain an understanding of the controls in place to ensure the accuracy and completeness of the data. When adequate application controls are identified, the auditor performs tests to verify their effectiveness. When controls are not adequate, auditors must perform more extensive testing to verify the integrity of the data. To perform tests of applications and data, the auditor may use CAATTs. Many tools and techniques have been developed that offer significantly improved management control and reduced costs if properly applied. Automated techniques have proven to be better than manual techniques when confronted with large volumes of information. The auditor, by using automated techniques, can evaluate greater volumes of data and quickly perform analysis on data to gather a broader view of a process. Four software packages are ACL, CA-Easytrieve (T), SAS, and IDEA. These tools can be used to select a sample, analyze the characteristics of a data file, identify trends in data, and evaluate data integrity. In addition to auditing software, other software products can be used for analyzing data. For example, Access can be used to analyze data, create reports, and query data files. Excel can also be used to analyze data, generate samples, create graphs, and perform regression or trend analysis.

Also, as mentioned earlier, there may be situations where the auditor may be required to conduct tests and evaluate IT controls and perform substantive tests to obtain sufficient information and evidence regarding financial statement assertions. If the auditor is using SAS 107 (Audit Risk and Materiality in Conducting an Audit), the auditor will look at audit risk and materiality as the basis for the audit approach to be used. Examples of some of these situations can be
■ Applications or systems involving electronic data interchange (EDI) and financial transactions
■ Electronic payment systems that transmit electronic transactions from one company network to another
■ Decision support systems that involve automatic reasoning or artificial intelligence or heuristic scenarios where they support decision making within the organization processes and have financial implications
■ Applications that use technology such as neural network to assess financial conditions using ratio application in calculation of credit worthiness
■ In systems where enterprise resource architecture is used to integrate the enterprise resource planning systems, blending legacy data with newer support systems
■ In systems that provide electronic services of all types to customers, especially where the IT system initiates bills for services rendered and processes the billing transaction
■ Computer programs that perform complex calculations involving money or resulting in a financial decision, present or future, such as reorder points, commissions, retirement or pension funds, and collection of accounts

A large part of the professional skills required to use computer-assisted auditing techniques lies in planning, understanding, and supervision (e.g., SAS 108-Planning and Supervision) in applying the appropriate audit tools/techniques and conducting the appropriate audit functions and tests. The computer has a broad range of capabilities. By way of illustration, four broad categories of computer auditing functions can be identified:
■ Items of audit interest
■ Audit mathematics
■ Data analysis
■ System validation

Items of Audit Interest

The auditor can use the computer to select material items, unusual items, or statistical samples of items from a computer-maintained file. The auditor has alternatives for the application of the computer to select items of audit interest. For example, the auditor can
■ Stipulate specific criteria for selection of sample items
■ State relative criteria and let the computer do the selection

An example of selection by specific criteria might be a specification that the computer identifies all transactions of $100,000 or more and prepares a report for audit review. However, the auditor could take a relative approach and instruct the computer to select the largest transactions that make up 20% of the total dollar volume for a given application.

This approach abridges manual audit procedures because the auditor can rely on the computer's selection of items of interest. If the computer were not used, the auditor would have to validate the selection process. Under traditional approaches, for example, it would be common for an auditor to ask client personnel to list all transactions of $100,000 or more. With the computer, the auditor can be satisfied that the selection program has looked at the total universe of accounts payable items. The validation of the selection process is inherent in the auditor's developing and accepting the computer-auditing application program.

Audit Mathematics

Performing extensions or footing can be a cost-effective payoff area for the application of computers in auditing, particularly if the calculations can be performed as a by-product of another audit function. For example, suppose the computer is being used to select significant items from an accounts receivable file. In the process of looking at this file, the computer can be programmed to extend and foot all invoicing transactions. Because of the speed of the computer, these calculations can be performed on 100% of the items in a file with no significant addition of time or cost for this processing.

By contrast, extensions and footings are both tedious and costly under conventional manual examination techniques. Typically, the auditor must limit examination of any given application to extension and footing of a judgmental sample covering a few short intervals of the period under examination. Clearly, reliance can be far higher when these verification calculations are performed on complete files.

Remember, however, that the computer has limitations in this area. Although it can be programmed to make many logical comparisons and tests, the computer cannot supplant human judgment in examining items to be tested.
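
The selection and calculation steps described under Items of Audit Interest and Audit Mathematics, as an added example that is not part of the original chapter: one read of a constructed invoice file selects items by the specific criterion ($100,000 or more) and by the relative criterion (largest items making up 20% of total dollar volume), and extends and foots every record as a by-product. The record layout, the function name audit_pass, and the sample data are assumptions made for the illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample of an accounts receivable invoice file (not real data):
# (invoice number, quantity, unit price, extended amount as recorded in the file)
SAMPLE_FILE = [
    ("INV-001", 40, "2500.00", "100000.00"),
    ("INV-002", 3, "1200.50", "3601.50"),
    ("INV-003", 500, "310.00", "155000.00"),
    ("INV-004", 12, "75.25", "930.00"),  # recorded amount is not 12 x 75.25
    ("INV-005", 1000, "42.00", "42000.00"),
    ("INV-006", 7, "9800.00", "68600.00"),
    ("INV-007", 250, "18.40", "4600.00"),
    ("INV-008", 60, "450.00", "27000.00"),
    ("INV-009", 800, "120.00", "96000.00"),
    ("INV-010", 150, "600.00", "90000.00"),
    ("INV-011", 2000, "55.00", "110000.00"),
    ("INV-012", 85, "1000.00", "85000.00"),
]

CENT = Decimal("0.01")


def audit_pass(records, threshold=Decimal("100000"), share=Decimal("0.20")):
    """Read the whole file once: select items of audit interest and, as a
    by-product, extend (quantity x price) and foot (total) every record."""
    specific, extension_errors, rejected, amounts = [], [], [], []
    recorded_foot = recomputed_foot = Decimal("0")

    for inv_no, qty, price, recorded in records:
        try:
            recorded = Decimal(recorded)
            extended = (Decimal(qty) * Decimal(price)).quantize(CENT)
        except (InvalidOperation, TypeError, ValueError):
            # Unreadable records are reported, never silently skipped, so the
            # auditor knows the program looked at the total universe.
            rejected.append(inv_no)
            continue
        recorded_foot += recorded
        recomputed_foot += extended
        if extended != recorded:
            extension_errors.append((inv_no, recorded, extended))
        if recorded >= threshold:          # specific criterion
            specific.append(inv_no)
        amounts.append((inv_no, recorded))

    # Relative criterion: take the largest items until together they make up
    # `share` of the total dollar volume of the file.
    target = recorded_foot * share
    relative, running = [], Decimal("0")
    for inv_no, amount in sorted(amounts, key=lambda r: r[1], reverse=True):
        if running >= target:
            break
        relative.append(inv_no)
        running += amount

    return {
        "records_read": len(records),
        "rejected": rejected,
        "specific": specific,
        "relative": relative,
        "extension_errors": extension_errors,
        "recorded_foot": recorded_foot,
        "recomputed_foot": recomputed_foot,
    }


if __name__ == "__main__":
    report = audit_pass(SAMPLE_FILE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The difference between the recorded and recomputed footings equals the sum of the extension errors, which gives the reviewer a quick consistency check on the report itself.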

Data Analysis

Using the computer for analysis of data represents a major opportunity for innovation by the auditor. The computer can compare and summarize data and can represent data in graphic form. Data analysis programs use techniques such as
■ Histograms
■ Modeling
■ Comparative analysis

"Histograms" are bar charts showing graphic relationships among strata of data. In computer-assisted auditing, histograms typically are graphic representations of frequency distributions of records within data files. By picturing these relationships in graphic form, histograms give the auditor an improved perspective on the analysis of financial statements. The histogram is, in effect, a snapshot showing the substance, makeup, and distribution of data within an organization's accounting system.

With a histogram, auditors can apply their judgment in identifying and selecting appropriate testing techniques. By comparison, given a large collection of data about which such distribution data are not known, the auditor performs testing on a relatively blind basis. In such cases, the auditor cannot be sure of the significance of data until after testing is well along. With a histogram, items of significance for testing can be identified in advance because their relationship to the accounting universe is emphasized graphically.

"Modeling" is a technique by which the auditor can compare current data with a trend or pattern as a basis for evaluating reasonableness. For example, the auditor can develop a model based on several years of financial statements. Then the current year's total revenue can be put into the model. The computer can generate a pro forma financial statement based on past revenue or cost relationships. The pro forma statement is compared with the actual financial statements as a test of reasonableness.

Both techniques, histograms and modeling, add new content and dimensions of information to the audit process through the use of the computer. With these methods, the auditor is no longer restricted simply to validating data provided by applications personnel. With these automated techniques, the auditor generates figures or snapshots of financial data to test the reasonableness of representations under examination.

"Comparative analysis" is a proven, cost-effective application of computers within audit examination that involves the comparison of sets of data to determine relationships that may be of audit interest. For example, the computer may be used to compare the inventory files of the previous and current years. Wide variations in year-end balances could lead to reviews for possible obsolescence. A failure to match part numbers from the previous and current years might trigger testing procedures to determine whether old items have been dropped or new ones added.
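
The histogram and comparative analysis techniques described above, as an added example that is not part of the original chapter: it stratifies a constructed inventory file into a frequency distribution and compares the previous and current years' files for unmatched part numbers and wide variations in year-end balances. The file layout, the strata boundaries, the 50% variation cutoff, and the function names are assumptions made for the illustration.

```python
from bisect import bisect_right
from decimal import Decimal

# Constructed year-end inventory files (part number -> balance); not real data.
PRIOR_YEAR = {k: Decimal(v) for k, v in {
    "P-1001": "12500.00", "P-1002": "800.00", "P-1003": "45000.00",
    "P-1004": "300.00", "P-1005": "9800.00", "P-1006": "150.00",
}.items()}
CURRENT_YEAR = {k: Decimal(v) for k, v in {
    "P-1001": "12900.00", "P-1002": "2400.00", "P-1003": "44100.00",
    "P-1005": "3100.00", "P-1006": "160.00", "P-1007": "7600.00",
    "P-1008": "95.00",
}.items()}
STRATA_BOUNDS = [Decimal("100"), Decimal("1000"), Decimal("10000")]  # assumed


def stratify(balances, bounds):
    """Frequency distribution: (label, record count, total value) per stratum.
    A balance equal to a boundary falls into the higher stratum."""
    labels = [f"under {bounds[0]}"]
    labels += [f"{lo} to under {hi}" for lo, hi in zip(bounds, bounds[1:])]
    labels.append(f"{bounds[-1]} and over")
    counts = [0] * len(labels)
    totals = [Decimal("0")] * len(labels)
    for value in balances.values():
        i = bisect_right(bounds, value)
        counts[i] += 1
        totals[i] += value
    return list(zip(labels, counts, totals))


def histogram(strata):
    """Render the strata as a text bar chart, one bar per stratum."""
    width = max(len(label) for label, _, _ in strata)
    return "\n".join(
        f"{label:<{width}} | {'#' * count} ({count} records, total {total})"
        for label, count, total in strata
    )


def compare_years(prior, current, variation=Decimal("0.50")):
    """Match the two files on part number and report what may be of audit
    interest: unmatched parts and balances that moved by more than `variation`."""
    dropped = sorted(set(prior) - set(current))   # in prior year only
    added = sorted(set(current) - set(prior))     # in current year only
    wide = []
    for part in sorted(set(prior) & set(current)):
        old, new = prior[part], current[part]
        if old == 0:
            # No base for a percentage; any new balance is worth a look.
            if new != 0:
                wide.append((part, old, new, None))
            continue
        change = (new - old) / old
        if abs(change) > variation:
            wide.append((part, old, new, change.quantize(Decimal("0.001"))))
    return {"dropped": dropped, "added": added, "variations": wide}


if __name__ == "__main__":
    print(histogram(stratify(CURRENT_YEAR, STRATA_BOUNDS)))
    for key, value in compare_years(PRIOR_YEAR, CURRENT_YEAR).items():
        print(f"{key}: {value}")
```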

Flowcharting Techniques

Emphasis on developing an understanding of client accounting systems is particularly appropriate during the application analysis phase of an audit engagement. It is important for the auditor to understand the relationship of each application to the conduct of the client company's business. Even where a computer plays a critical role, the auditor should avoid having audit activities become too technical and detailed too soon.

Another practice to be avoided is the tendency to treat manual and computerized elements of accounting systems as separate, distinct entities. Companies process data manually and on computers in a planned continuum. Manual and mechanized procedures usually are interdependent. The auditor should treat them accordingly. Thus, in walking through applications or subsystems, the auditor should include the entire manual and mechanized procedures that go into the preparation and presentation of information in client financial statements.

Where individual applications are concerned, the auditor concentrates on two primary functions:

1. Gathering samples of source documents, input forms, and output documents or reports. Documents should include both manually and computer-produced forms and reports.
2. Flowcharting each application in continuity. The relationship between manual and automated procedures and identification of control points, where applicable, should be included.

Auditors prepare application flowcharts using standard symbols and techniques. Flowcharts developed during the application analysis phase of an audit engagement are most useful if they distinguish processing according to department, function, or company area. There are some very good application support packages for flowchart development as well as the power of the word processor to build diagrams and illustrations of the process as illustrated in Exhibit 5.1.

Flowcharting as an Analysis Tool

As illustrated in Exhibit 5.2, for a computer auditor, flowcharts represent a method for identifying and evaluating control strengths and weaknesses within a system under examination. It can be time consuming to build an understanding of strengths and weaknesses within a system to be audited. However, identification of strengths and weaknesses often is crucial because the entire direction of the remainder of an audit is toward substantiating and determining the effect of identified control weaknesses.

For example, SAS 109 requires the auditor gain an understanding of the entity and its environment and determine those controls relevant to the audit. The auditor must have an understanding of the nature and complexity of the systems that are part of the control environment being audited. One way of gaining that understanding is through any existing documentation which may provide a visual illustration of the system under review and any interaction with other systems. Any existing documentation (flowcharts, systems charts, flow diagrams, etc.) provides a benchmark for the auditor's review.

As a step toward building the needed understanding of control weaknesses, the audit staff should develop a flow diagram of all information processed. The flow diagrams, or audit data flow diagrams, as depicted in Exhibits 5.1 and 5.2, should encompass all information processed, from source documents to final outputs. Either automated or manual techniques can be used in preparing these audit data flow diagrams. With either approach, the process leads to the evaluation of a number of elements of a system, including the following:

■ Quality of system documentation
■ Adequacy of manual or automated controls over documents
■ Effectiveness of processing by computer programs (i.e., whether the processing is necessary or redundant and whether the processing sequence is proper)
■ Usefulness of outputs, including reports and stored files

[Exhibit 5.1 is a flowchart whose columns are Purchasing (submitted by any authorized buyer), Account payable (central), General accounting (central), Shipping, and Receiving (the last two each apply to each of the 10 warehouses).]

Exhibit 5.1 Database computer accounting system implementation under distributed processing concept.

Steps followed in the development of flowcharts and their use as audit evaluation tools include

■ Understanding how data are processed by computers
■ Identifying documents and their flow through the system
■ Defining critical data
■ Developing audit data flow diagrams
■ Evaluating the quality of system documentation
■ Assessing controls over documents
■ Determining the effectiveness of processing under computer programs
■ Evaluating the usefulness of reports
[Exhibit 5.2 is a flowchart of the payroll process; the numbers in the figure refer to the notes below.]

Notes

1. No transmittal document
2. Transmittal document, but no control exhibited
3. No record counts or control totals or transmittal documents
4. No run-to-run totals
5. Programmer submits all jobs for processing, enters all data, and transmits all reports produced by the system
6. No reports go beyond Division Pay Clerk
7. Redundant processing

Exhibit 5.2 The payroll process from an auditor's control-oriented view.

Understanding How Computers Process Data
The auditor should build an understanding of how the system under examination generates its data. This understanding should encompass the entire scope of the system from preparation of source documents through to final distribution and use of outputs. While learning how the system works, the auditor should identify potential areas for testing, using familiar audit techniques such as

■ Reviewing corporate documentation, including system documentation files, input preparation instructions, and users' manuals
■ Interviewing organization personnel, including users, systems analysts, and programmers
■ Inspecting, comparing, and analyzing corporate records

Identifying Documents and Their Flow through the System
To understand document flow, certain background information must be obtained through discussions with corporate officials, from previous audits or evaluations, or from system documentation files. Because this information may not be current or complete, it should be verified with the responsible programmer or analyst. The auditor will have to obtain

■ Name (title) of the computer product
■ Purpose of the product
■ System name and identification number
■ Date the system was implemented
■ Type of computer used (manufacturer's model) and location
■ Frequency of processing and type of processing (batch, online)
■ Person(s) responsible for the computer application and database that generates the computer product

A user or member of the computer center staff may already have a document flow diagram that shows the origin of data and how it flows to and from the computer. (This diagram should not be confused with either a system flowchart that shows detailed computer processing of data or a program flowchart that describes a computer program.)
More often than not, the auditor will have to develop document flow diagrams in a format that is workable in a given situation, whether it is a narrative description, a block diagram using simple symbols, a flowchart using standard symbols, or some combination. The document flow diagram or narrative description should include

■ Each source document, by title and identification number, with copies of the forms attached
■ Point of origin for each source document
■ Each operating unit or office through which data are processed
■ Destination of each copy of the source document and the action applied to each copy (filed, audited, entered into a computer, etc.)
■ Actions taken by each unit or office in which the data are processed (recorded in books of account, unit prices or extensions added, control numbers recorded and checked, etc.)
■ Controls over the transfer of source documents between units or offices to assure that no documents are lost, added, or changed (controls include record counts, control totals, arithmetic totals of important data, etc.)
■ Recipients of computer outputs

Document flow descriptions should not encompass actual computer processing that takes place within a portion of the system treated as a "black box." Processing details are beyond the scope of reliability assessment. If computer output is the product of more than one input, this condition should be noted clearly in the document flow description.

Defining Critical Data
The auditor must build a clear understanding of the data being recorded within the system under study. Therefore, the individual elements of data must be defined. Titles can be deceptive. For example, is a cost derived from the current period or is it cumulative? Is the cost accrued or incurred? What are the components of a cost? Has the composition of cost changed during the fiscal periods under review?

The organization's data element dictionary is a good source for such definitions. If a data dictionary is not available, a record layout may contain the needed definitions. In many instances, there is no one-to-one relationship between data elements and the data in a computer-processed report or file.

Developing Audit Data Flow Diagrams
Inputs from which data flow diagrams are prepared should include copies of the following:

■ Narrative descriptions of all major application programs
■ All manually prepared source documents that affect application processing as well as corresponding coding sheets and instructions for data transcription
■ Record layouts for all major computer input and output records, computer master files, and work files (such as update or file maintenance tapes and computation tapes)
■ All major outputs produced by the automated system
■ Lists of standard codes, constants, and tables used by the system

These documents, along with the information developed in the previous tasks, should enable the audit staff to prepare an audit data flow diagram identifying

■ Point of origin (title or individual) for all source documents
■ All transfers of source documents from one person or office to another (make sure that all control points are identified)
■ Transcriptions of source documents into a machine-readable format
■ Computer processing of application data
■ All major outputs created from the source documents
■ Recipients of all essential outputs

Evaluating the Quality of System Documentation
On the basis of user and IT staff inputs, as well as on the degree of difficulty experienced in constructing an audit data flow diagram, the auditor should be able to comment on the quality of system documentation. There are two basic questions to answer: Is the documentation accurate? Is the documentation complete?
To illustrate, if a federal auditor were examining IT internal control issues at a U.S. Navy computer facility, he or she might use the Federal Information Systems Controls Audit Manual (FISCAM) recently updated by the (U.S.) Government Accountability Office (GAO). This publication would provide a basis for assessing information system controls compliance to federal guidelines.


Assessing Controls over Documents
Control points identified during the preparation of the audit data flow diagram, along with information on controls developed in the background segment, should enable the auditor to identify system controls. With a diagram of this type, the auditor can determine whether the following controls are used:

■ Turnaround documents (These documents [manual or automated] should be returned to the originator to make sure that all documents were received and none were added during transmittal.)
■ Record counts (They [manual or system generated] should be maintained for all documents to make sure that none are added or lost.)
■ Predetermined control totals (For payroll, predetermined control totals should be developed for important data items, such as hours worked, leave taken, hourly rates, gross pay, and deductions. The purpose is to make sure that records are not altered.)
■ Run-to-run totals (These totals should be maintained to assure that no records are added or lost during steps in the computer processing sequence.)
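
The record counts, predetermined control totals and run-to-run totals listed above can be checked mechanically. The following Python example is added here and is not part of the original chapter; the batch layout, field names, step names and payroll records are constructed assumptions.

```python
from decimal import Decimal

# Data items that carry a predetermined control total (subset of the payroll
# items named in the text; the field names are assumptions).
CONTROL_FIELDS = ("hours_worked", "gross_pay", "deductions")


def batch_totals(records):
    """Record count plus an arithmetic total for each control field."""
    totals = {"record_count": len(records)}
    for field in CONTROL_FIELDS:
        totals[field] = sum((Decimal(r[field]) for r in records), Decimal("0"))
    return totals


def check_transmittal(transmittal, received_records):
    """Compare the originator's totals with the records that actually arrived.

    Returns one finding (batch id, item, expected, actual) per disagreement.
    """
    actual = batch_totals(received_records)
    return [
        (transmittal["batch_id"], key, expected, actual[key])
        for key, expected in transmittal["totals"].items()
        if actual[key] != expected
    ]


def check_run_to_run(step_reports):
    """Reconcile totals inside each processing step and between steps."""
    findings = []
    previous = None
    for report in step_reports:
        for key in ("record_count", "gross_pay"):
            # Within a step: everything read is either written or rejected.
            if report["in"][key] != report["out"][key] + report["rejected"][key]:
                findings.append((report["step"], key, "input != output + rejected"))
            # Between steps: what one step wrote is what the next one reads.
            if previous is not None and previous["out"][key] != report["in"][key]:
                findings.append(
                    (report["step"], key, "input != output of " + previous["step"])
                )
        previous = report
    return findings


def step(name, n_in, pay_in, n_out, pay_out, n_rej=0, pay_rej="0"):
    """Build one step report from its control figures."""
    def figures(count, pay):
        return {"record_count": count, "gross_pay": Decimal(pay)}
    return {"step": name, "in": figures(n_in, pay_in),
            "out": figures(n_out, pay_out), "rejected": figures(n_rej, pay_rej)}


# Constructed sample: three pay records as sent by the originating office.
SENT = [
    {"employee": "E100", "hours_worked": "40.0", "gross_pay": "1000.00", "deductions": "210.00"},
    {"employee": "E101", "hours_worked": "38.5", "gross_pay": "924.00", "deductions": "180.50"},
    {"employee": "E102", "hours_worked": "42.0", "gross_pay": "1134.00", "deductions": "240.25"},
]
TRANSMITTAL = {"batch_id": "DIV-A-0001", "totals": batch_totals(SENT)}

# Same batch as received: one gross pay figure altered. The record count and
# the hours total still agree, so only the gross pay control total exposes it.
RECEIVED = [dict(r) for r in SENT]
RECEIVED[1]["gross_pay"] = "1924.00"

# Constructed step reports: a record appears between the sort and the update.
STEP_REPORTS = [
    step("edit", 3, "3058.00", 2, "2134.00", 1, "924.00"),
    step("sort", 2, "2134.00", 2, "2134.00"),
    step("update", 3, "3134.00", 3, "3134.00"),
]

if __name__ == "__main__":
    for finding in check_transmittal(TRANSMITTAL, RECEIVED):
        print("transmittal:", finding)
    for finding in check_run_to_run(STEP_REPORTS):
        print("run-to-run:", finding)
```

A record count alone passes the altered batch; the gross pay control total is what flags it, which is the reason the text asks for totals on each important data item.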

Determining the Effectiveness of Processing under Computer Programs
The audit staff should identify any problem areas in the processing cycle including but not limited to

■ Redundant processing of data or other forms of duplication
■ Bottlenecks that delay processing
■ Points in the operating cycle at which clerks do not have enough time to review output reports and make corrections

Evaluating the Usefulness of Reports
The audit staff should review the key or major outputs (such as edit listings, error listings, and control of hours listings) of the application system and determine if the outputs are
■ Accurate
■ Useful as intended
The auditor should confirm findings by interviewing the users of the output reports. One appropriate technique might be the completion of a questionnaire or survey, perhaps conducted by e-mail, on user satisfaction with output reports.

Appropriateness of Flowcharting Techniques
A distinction should be noted between the use of systems flowcharts in computer auditing and in the broader field of systems analysis. In recent years, systems analysts have begun to favor other methods of modeling and documentation. Data flow diagrams, for example, are often preferred over systems flowcharts for purposes of analysis. The rationale is that data flow diagrams are process-oriented and emphasize logical flows and transformations of data. By contrast, systems flowcharts emphasize physical processing steps and controls. It is just this type of control-oriented view, however, that is the auditor's primary focus. Thus, although the use of systems flowcharting may be declining for systems development purposes, this modeling tool remains important for computer auditors.

Systems flowcharting is not necessarily always the most practical approach for the auditor. Existing documentation, including data flow diagrams, narratives written in structured English, or descriptions of programs in pseudocode, may be used as points of departure. Based on a review of existing documentation, the auditor can decide what additional modeling is needed to gain an adequate understanding of the systems under examination.
The auditor should also be aware of the increasing use of automated tools in preparing charts. Software packages are available, many of which run on mainframes and microcomputers, that accept program source code as input and generate finished flowcharts. Also, microcomputer-based software packages now available can aid in documentation or verification of spreadsheets or database applications.

The technique for departmental segregation of processing in the preparation of flowcharts is important. For example, separate vertical columns on the flowchart can show processing by function or department. This representation is useful because one of the important controls the auditor evaluates is the segregation of duties within the accounting system. Structuring flowcharts in this way helps to discipline the auditor's thinking and identify any incompatible functions that may exist within accounting applications. Using this technique, you are documenting the role of IT in the initiation, authorization, recording, processing, and reporting of transactions handled by the application or within the system of applications.

During the preliminary review and application analysis phases, the auditor should be accumulating notes to be considered for later inclusion as comments within a letter of recommendations to client management.

At the conclusion of the preliminary review and application analysis phases of the engagement, the audit team briefs audit firm partners and client managers associated with the audit. All responsible parties should have a clear understanding of the sources and procedures for the development of information reflected in the financial statements on which the audit firm will render an opinion.
On completing its preliminary review and application analyses, the audit team should have built an understanding that includes
■ Establishing of sources for all financially significant accounting information
■ Identifying processing steps, particularly of points within applications at which major changes in accounting information take place
■ Determining and understanding processing results
■ Analyzing the nature and progress of audit trails to the extent that they exist and can be followed within individual applications

Sampling
Some audit tools assist in defining sample size and selecting the sample. For example, ACL, an audit analysis tool, will automatically calculate the sample size and select a sample from the population, and spreadsheet applications will generate random numbers for selecting a sample. There are two types of sampling techniques:

■ Judgmental sampling: The sample selected and the results evaluated are based on the auditor's experience. The judgment may be to select a specific block of time, geographic region, or function.
■ Statistical sampling: The sample is randomly selected and evaluated through the application of the probability theory.

Both methods allow the auditor to project to the population. However, only statistical sampling allows the auditor to quantify the risk that the sample is not representative of the population. The specific method selected for a sample will depend on the audit objectives and the characteristics of the population. Some of the techniques mentioned earlier in Exhibit 5.2 can be integrated with sampling techniques. For example, the sample audit review file (SARF) technique can apply a number of different sampling methodologies mentioned later in Exhibit 5.3. The appropriateness of the methodology selected should be reviewed for validity purposes by statistical or actuarial staff that has expertise in this area. Also, the applied technique should be revisited and reassessed over time to see if there is any change to the characteristics or attributes of the population under review.

| Sampling Method | Description |
| --- | --- |
| Random number sampling | Items are randomly selected from a population so that each item has an equal chance of being selected. |
| Systematic sampling (interval sampling) | A method of random sampling that begins the sample by selecting a random starting point in a population and then selecting the remaining items at fixed intervals. This method should not be used for selection from a population that has a fixed pattern. |
| Stratified sampling | A method of random sampling that separates the population into homogeneous groups before selecting a random sample. This method should be used for selection from a population with wide variances in value. |
| Cluster sampling (block sampling) | A method of random sampling that separates the population into similar groups and then selects a random sample from the group. |
| Stop-or-go sampling (sequential sampling) | Minimizes the sample size by assuming a low error rate. It estimates the error rate of the population within a specified interval (e.g., plus or minus number). |
| Discovery sampling | Tests for a significant error or irregularity. It should not be used where there are known deviant conditions. |
| Dollar-unit sampling (probability proportional to size) | This method uses the dollar as a sampling unit, which increases the probability that larger dollar values will be selected. It primarily detects overpayments. |
| Mean per unit | The mean value of a sample is calculated and multiplied by the units in the population to estimate the total value of the population. |
| Difference estimation | The average difference between the audit value and book value for a sample unit is calculated. This difference is then multiplied by the population to estimate the total value. |
| Ratio estimation | The sample ratio to book value is multiplied by the population book value to estimate the total value. |

Exhibit 5.3 Statistical sampling techniques.

Random Attribute Sampling
Random attribute sampling is a statistical technique that tests for specific, predefined attributes of transactions selected on a random basis from a file. Attributes for which such testing is done could include signatures, account distribution, documentation, and compliance with policies and procedures. To perform attribute sampling, the auditor must specify three parameters that determine sample size:

1. Estimate the "expected error rate," or estimated percentage of exception transactions, in the total population
2. Specify the required "precision," or degree of accuracy desired, of the sample conclusion to be made
3. Establish an acceptable "confidence level" that the conclusion drawn from the sample will be representative of the population

The size of the sample will be determined by the combination of the precision, confidence level, and expected error rate parameters.

Variable Sampling Techniques
Variable sampling estimates the dollar value of a population or some other quantifiable characteristic. To determine the sample size, the auditor must specify four parameters:

1. Acceptable "confidence level" that the conclusion drawn from the sample will be representative of the population
2. Absolute value of the "population" for the field being sampled
3. "Materiality" or maximum amount of error allowable in the population without detection
4. "Expected error rate" or estimated percentage of exception transactions in the total population

The size of the sample will be determined by the combination of confidence level, population value, materiality, and expected error rate.
Exhibit 5.3 lists various statistical sampling techniques. Again, the auditor must watch for changes and updates to guidance in the use of sampling to perform audit work within his profession. A good example is SAS 111 (Amendment to the Statement on Auditing Standard No. 39, Audit Sampling). SAS 111 addresses the concepts of establishing "tolerable deviation rates" when sampling tests of controls such as matching and authorization. It also defines the appropriate use of dual-purpose sampling.
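
The three attribute-sampling parameters and two of the selection methods in Exhibit 5.3 (systematic and dollar-unit sampling) can be worked through in code. This Python example is added here and is not from the original chapter; the chapter gives no sample-size formula, so the normal-approximation formula with finite-population correction is an assumption, as are the function names and the constructed invoice ledger.

```python
import math
import random
from statistics import NormalDist


def attribute_sample_size(expected_error_rate, precision, confidence_level,
                          population_size=None):
    """Sample size for attribute testing.

    Assumed formula (normal approximation): n0 = z^2 * p * (1 - p) / e^2,
    where p is the expected error rate, e the precision (half-width) and z
    the two-sided normal quantile for the confidence level. If the population
    size N is given, apply the correction n = n0 / (1 + (n0 - 1) / N).
    """
    z = NormalDist().inv_cdf((1 + confidence_level) / 2)
    p, e = expected_error_rate, precision
    n = z * z * p * (1 - p) / (e * e)
    if population_size is not None:
        n = n / (1 + (n - 1) / population_size)
    return math.ceil(n)


def systematic_sample(items, n, rng):
    """Interval sampling: random start, then every k-th item."""
    interval = len(items) // n
    start = rng.randrange(interval)
    return [items[start + k * interval] for k in range(n)]


def dollar_unit_sample(items, n, rng):
    """Dollar-unit (probability proportional to size) selection.

    items is a list of (invoice_no, amount_in_cents) with positive amounts.
    Every interval-th cent is a sampling unit; an invoice is selected when it
    contains one, so invoices larger than the interval are always selected.
    """
    total = sum(amount for _, amount in items)
    interval = total // n
    start = rng.randrange(interval)
    hits = [start + k * interval for k in range(n)]
    selected, cumulative, next_hit = [], 0, 0
    for invoice_no, amount in items:
        cumulative += amount
        picked = False
        while next_hit < len(hits) and hits[next_hit] < cumulative:
            picked = True          # several hits may fall inside one invoice
            next_hit += 1
        if picked:
            selected.append(invoice_no)
    return selected


# Constructed ledger: 200 small invoices (amounts in cents) and one large one.
LEDGER = [(i, 1000 + (i * 37) % 500) for i in range(200)]
LEDGER[57] = (57, 500_000)


def demo(seed):
    """Draw both kinds of sample from the constructed ledger."""
    rng = random.Random(seed)
    return {
        "systematic": [inv for inv, _ in systematic_sample(LEDGER, 20, rng)],
        "dollar_unit": dollar_unit_sample(LEDGER, 20, rng),
    }


if __name__ == "__main__":
    # 2% expected error rate, +/-2% precision, 95% confidence
    print(attribute_sample_size(0.02, 0.02, 0.95))
    print(attribute_sample_size(0.02, 0.02, 0.95, population_size=5000))
    print(demo(seed=7))
```

Invoice 57 is selected by dollar-unit sampling whatever the random start, because it is larger than the sampling interval; systematic sampling picks it only when the start happens to line up with its position.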

System Validation
System validation is a method for testing the reliability of programs through simulation with either the test data or the actual data. With parallel simulation techniques, the auditor may be able to satisfy both compliance and substantive testing needs in one process.

Computer-Assisted Audit Tools and Techniques for
Auditing applications require specific and general knowledge about hardware and software. In addition, familiarity with system utilities helps in conducting control and substantive tests. For auditing applications and data integrity, there is a variety of auditing tools that are useful. There are tools that analyze spreadsheet logic and calculations for accuracy. There are tools that analyze a database application and produce a logical flowchart. Finally, generalized audit software can be used to analyze data produced from most applications. Again, all of the information generated by the use of CAATTs must be evaluated.

Generalized Audit Software
Use of generalized audit software makes it possible to perform required functions directly on application files. Audit software can be used to

■ Analyze and compare files
■ Select specific records for examination
■ Conduct random samples
■ Validate calculations
■ Prepare confirmation letters
■ Analyze aging of transaction files

IT auditors can also use the same software tools as the programming staff or additional tools used by auditors. There are a variety of query and analysis tools, as shown in Exhibit 5.4.

Application Testing
Once controls have been identified, the next step in an audit is to verify the control's effectiveness. This can be accomplished by
■ Submitting a set of test data that will produce known results if the application functions properly
■ Developing independent programs to reperform the logic of the application
■ Evaluating the results of the application

In any case, the auditor will need to understand the processing logic of the application to simulate the application or evaluate the application's results.

Designing Tests of Controls
Reproducing an application can be very time consuming if the application being reviewed is fairly complex. The simulated application will need to be coded and tested before being able to rely on the results. Consider only partially duplicating the application logic to test key functions.
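
The option of developing an independent program to reperform the application's logic, limited to one key function, looks like this in practice. The Python example below is added here and is not from the original chapter; the overtime rule, field layout, employee numbers and the "production" figures are all constructed assumptions standing in for a real payroll application's input and output files.

```python
from decimal import Decimal, ROUND_HALF_UP

# Business rule as the auditor understands it from the documentation
# (assumed for this example): hours over 40 are paid at 1.5 times the rate.
OVERTIME_THRESHOLD = Decimal("40")
OVERTIME_MULTIPLIER = Decimal("1.5")


def simulate_gross_pay(hours, rate):
    """Auditor's independent reperformance of one key function: gross pay."""
    hours, rate = Decimal(hours), Decimal(rate)
    regular = min(hours, OVERTIME_THRESHOLD)
    overtime = max(hours - OVERTIME_THRESHOLD, Decimal("0"))
    gross = regular * rate + overtime * rate * OVERTIME_MULTIPLIER
    return gross.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def parallel_simulation(inputs, production_output):
    """Run the same inputs through the auditor's logic and compare results.

    inputs:            {employee: (hours, rate)} as submitted for processing
    production_output: {employee: gross pay} as reported by the application
    Returns a list of exceptions (employee, reason, simulated, production).
    """
    exceptions = []
    for employee in sorted(set(inputs) | set(production_output)):
        if employee not in inputs:
            exceptions.append((employee, "paid without an input transaction",
                               None, Decimal(production_output[employee])))
        elif employee not in production_output:
            exceptions.append((employee, "input not processed",
                               simulate_gross_pay(*inputs[employee]), None))
        else:
            simulated = simulate_gross_pay(*inputs[employee])
            produced = Decimal(production_output[employee])
            if simulated != produced:
                exceptions.append((employee, "gross pay differs",
                                   simulated, produced))
    return exceptions


# Constructed input transactions for one pay period.
INPUTS = {
    "E100": ("40", "25.00"),
    "E101": ("45", "20.00"),     # five hours of overtime
    "E102": ("38.5", "24.00"),
    "E103": ("40", "22.00"),
}

# Constructed application output for the same period.
PRODUCTION = {
    "E100": "1000.00",
    "E101": "900.00",            # overtime paid at straight time
    "E102": "924.00",
    "E999": "880.00",            # no matching input transaction
}

if __name__ == "__main__":
    for exception in parallel_simulation(INPUTS, PRODUCTION):
        print(exception)
```

Only gross pay is reperformed here; deductions and net pay are left to the application, which is the partial duplication the section suggests when the full logic would take too long to code and test.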

Data Analysis
Organizations develop a wealth of information from their transaction processing systems. Auditors can use this information to gain an overall understanding of an area to identify general trends and

auditing-around-the-computer approach is that it does not verify or validate whether the program logic is correct. Also, this method does not evaluate how the application and their embedded controls respond to various types of transactions (anomalies) that can contain errors. Therefore, the issuance of SAS 106 through 110 by the AICPA helps support the importance of CAATTs and its role in performing audit procedures in response to assessed risks and evaluating
Certainly, when audits involve the use of advanced technologies or complex applications, the IT auditor must draw upon techniques combined with tools to successfully test and evaluate the application. The techniques most commonly used are shown in Exhibit 5.5. Again, many of these techniques should be embedded into the application for use by auditors and security personnel. These techniques provide continuous audit and evaluation of the application or systems and provide management and the audit or security personnel assurances that controls are working as planned, designed, and implemented.

| Technique | Description |
| --- | --- |
| Integrated test facility | Integrated test facilities are built-in test environments within a system. This approach is used primarily with large-scale, online systems serving multiple locations within the company or organization. The test facility is composed of a fictitious company or branch, set up in the application and file structure to accept or process test transactions as though it was an actual operating entity. Throughout the financial period, auditors can submit transactions to test the system. |
| Test data | This technique involves methods of providing test transactions to a system for processing by existing applications. Test data provide a full spectrum of transactions to test the processes within the application and system. Both valid and invalid transactions should be included in the test data as the objective is to test how the system processes both correct and erroneous transaction input. For a consumer credit card service, such transactions may be invalid account numbers, accounts that have been suspended or deleted, and others. If reliance is placed on program, application, or system testing, some form of intermittent testing is essential. Test data generators are very good tools to support this technique but should not be relied on entirely for extreme condition testing. |
| Parallel simulation | Parallel simulation involves the separate maintenance of two presumably identical sets of programs. The original set of programs is the production copy used in the application under examination. The second set could be a copy secured by auditors at the same time that the original version was placed into production. As changes or modifications are made to the production programs, the auditors make the same updates to their copies. If no unauthorized alteration has taken place, using the same inputs, comparing the results from each set of programs should yield the same results. Another way is for the auditor to develop pseudocode using higher-level languages (Vbasic, SQL, JAVA, etc.) from the base documentation following the process logic and requirements. For audit purposes, both software applications (test versus actual) would utilize same inputs and generate independent results that can be compared to validate the internal processing steps. |
| Continuous monitoring or continuous assurance | These techniques require planning, design, development, implementation, and continuous monitoring and assurance if they are to be used and applied successfully. The application of statistical sampling, regression, and advanced analytics to identify anomalies (unusual events or situations). These anomalies can be extracted in real time through embedded audit modules or audit hooks designed into the application. |
| SARF | SARF selects transactions and processes through sampling techniques and places these into log files for evaluation by auditor and security personnel. |
| Systems control audit review file | Systems Control Audit Review File (SCARF) is another real-time technique that can collect specific transactions or processes that violate certain predetermined conditions or patterns. This may be enhanced by decision support software that alerts designated personnel (audit, security, etc.) of unusual activity or items out of the ordinary. Computer forensic specialists can collect data to log files for further review and examination. |
| Transaction tagging | This is the ability to follow a selected transaction through the entire application from input, transmission, processing, and storage to output to verify the integrity, validity, and reliability of the application under review. Some applications have a trace or debug function, which can allow one to follow the transaction through the application. This may be a way to ensure that the process for handling unusual transactions is followed within the application modules and code. |
| Snapshot | The ability to look at a selected execution of application code and variables used to validate the values going into the process and the values being generated by the process to ensure that they meet requirement. |

Exhibit 5.5 Computer-assisted audit techniques for computer programs.

The techniques and the tools provide the auditor the mechanisms to
perform their audit. Using technology to audit technology has long
been a practice applied by the authors. They have used these tools
and techniques to support the audit functions.

Computer-Assisted Audit Tools and Techniques for Operational Reviews
Earlier, we covered a number of tools and techniques used for performing tasks to support the audit of applications. Most of these tools can be used to support operational reviews as well as collect information about the effectiveness of general controls over IT operations. Exhibit 5.6 lists a sample of tools that can be used for different areas of review and support.
However, the use of tools need not be limited to specialized packages. Computer languages can be useful in performing operational tests and collecting information about the effectiveness of general controls. Even basic tools such as Access in MS Office can be used to take an imported data file of operational data (e.g., users' account information and file accesses, rights to number of file accesses), perform analysis on the file (histograms, frequencies, summaries), and then move data into MS Excel and visually portray information for management or even forecast trends with regard to workload, growth, and other IT operational areas.

[Exhibit 5.6 is a table marking each tool against areas of review (Client/Server, Computer-Assisted Audit Tools, Contingency Planning, E-Commerce, Data Warehousing). The marks for individual cells are not recoverable. Tools listed:]

■ Control Compliance Suite, Electronic Discovery & Audit by Symantec, Inc., Cupertino, CA
■ SQLSecure by Idera
■ ACL by ACL Services Ltd., Vancouver, BC, Canada
■ IDEA by Audimation Services, Inc., Houston, TX
■ Number-Audit Sampling by Linton Shafer Computer Services, Inc., Frederick, MD
■ ADM Plus by Joseph Pleier & Associates, Mission Viejo, CA
■ WizWhy and WizRule™ by Wizsoft Inc., Syosset, NY
■ RecoveryPAC, RecoveryPAC Web, and RiskPac by HaXer LLC, the Netherlands
■ Software Asset Management (SAM) by Software One, New Berlin, WI
■ Disaster Recovery System (DRS) by TAMP Computer Systems Inc., Merrick, NY
■ Informatica Identity Resolution by Informatica, Redwood City, CA
■ COD 32, Double Check, and Achieve by IPS of Boston, Middleboro, MA

Exhibit 5.6 List of selected operational audit tools and techniques.

Should the IT auditor have the technical capability to "design, develop, and implement" host routines to support audit function and activities, most fourth-generation languages offer full support. Exhibit 5.7 outlines the capability of the support available.

[Exhibit 5.7 is a matrix marking each product against a list of capabilities. The marks for individual cells are not recoverable.]

Products: MS Office, SQL, Perl, SAP, QBE, QMF, ACL, IDEA, Oracle, Webmetrics 3.0, SAS C++, VS-Basic, DMS, SPSS, Application Factory Asset, JAVA

Column groups: Environment, Application-Generation Function, Human Factoring, Database Support

Columns: IBM Environment, Server Environment, Tool Available on PC, Micro-to-Mainframe Link, Full PC Implementation, Query Language, Report Generator, Screen Painter/Data Entry, Graphics Generator, Decision-Support Tools, Subset for End Users, IT Professionals, Procedural Language, Interface-to-Action Diagrams, Well-Structured Code, Provable Specifications, Heavy-Duty Computing, Full COBOL Replacement, Recommended for Information Centers, Help Facility, Computer-Aided Instruction, Computer-Aided Thinking, Support Database Management, Standard DBMS Package, Data Dictionary, Data-Modeling Tool

Exhibit 5.7 List of selected operational audit tools and techniques.

The methods or techniques in use for performing the reviews in the areas of systems maintenance, operating systems, client/server applications, and ISO 9001 will be discussed in Chapter 11. It should be kept in mind that the ability to perform these tasks (the techniques) is supported by tools to gather information that may help determine if controls are working.

Web
Analysis
Tools
obtaining
or

On reviewing an organization's Website, IT auditors can measure download time, transaction time, and availability of the Website. In addition, IT auditors have to be aware of errors such as failed connection attempts, missing pages, missing page components, and broken links, which have to be tabulated. The IT auditor should evaluate the overall performance of the organization's Website by preparing comparative Web performance statistics for several months. These statistics should be examined for significant issues and used in the assessment of the overall performance of the Website. Moreover, IT auditors should review the Web information to ensure that all posted data are current.

It is impossible for IT auditors to manually perform a Website audit. Manually checking that all posted data are current will be time consuming. Discovering broken links, missing pages, and page components manually is almost impossible. Thus, IT auditors need CAATs to assist them in performing this kind of audit. Web analysis software is appropriate to be one of the CAATs because it gives IT auditors the following advantages on audits of Websites:

■ Reduces the time to complete audit analysis, test, and reports
■ Increases audit coverage by reducing the amount of time spent on manual processes
■ Provides quality audit services by having a standard set of audit tools and procedures
■ Leverages the knowledge gathered as a result of audit projects to provide immediate metric/data quality feedback to management
Using Web analysis software as CAATs not only benefits the IT auditors but also the organizations. By having a good and effective Website, an organization will gain the following benefits:

■ Reduced advertising costs
■ Equal access to new markets
■ Increased sales
■ More opportunity for niche marketing
■ Reduced delivery cost for goods that can be delivered electronically

Finally, IT auditors have to be aware that Web analysis software used as CAATs has its strengths and weaknesses. It cannot be operated on all computer systems and platforms. Moreover, IT auditors should also consider a proper combination of manual techniques and Web analysis software while performing an audit of a Website.
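
As an added illustration (not from the original text or from any product it names), the tabulation and month-over-month comparison described in this section can be scripted over Web server access logs. The log lines are constructed, and the trailing response-time field, the host name www.example.org, and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample: combined log format plus a trailing response time in ms (assumed field).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "UA" 180
203.0.113.5 - - [03/Jan/2024:10:00:02 +0000] "GET /css/site.css HTTP/1.1" 404 210 "https://www.example.org/index.html" "UA" 12
203.0.113.9 - - [15/Jan/2024:11:30:00 +0000] "GET /old-report.html HTTP/1.1" 404 210 "https://www.example.org/index.html" "UA" 15
198.51.100.7 - - [02/Feb/2024:09:15:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "UA" 420
198.51.100.7 - - [02/Feb/2024:09:15:04 +0000] "POST /order HTTP/1.1" 503 0 "https://www.example.org/cart.html" "UA" 3000
198.51.100.8 - - [20/Feb/2024:14:00:00 +0000] "GET /promo.html HTTP/1.1" 404 210 "https://other.example.net/" "UA" 10
198.51.100.8 - - [20/Feb/2024:14:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "UA" 570
"""

LINE = re.compile(r'\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                  r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "[^"]*" (?P<ms>\d+)')
COMPONENT = re.compile(r'\.(css|js|png|jpe?g|gif|svg|ico|woff2?)$', re.I)

def tabulate(log_text, site_host="www.example.org"):
    """Return {month: counters} for the error classes the auditor tabulates."""
    stats = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at them
        month = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").strftime("%Y-%m")
        row, status = stats[month], int(m["status"])
        row["requests"] += 1
        row["total_ms"] += int(m["ms"])
        if status == 404:
            kind = "missing_components" if COMPONENT.search(m["path"].split("?")[0]) else "missing_pages"
            row[kind] += 1
            if urlparse(m["ref"]).hostname == site_host:  # 404 reached from the site's own page
                row["broken_internal_links"] += 1
        elif status >= 500:
            row["failed_requests"] += 1
    return {month: dict(row) for month, row in stats.items()}

def monthly_report(log_text):
    """Comparative rows: (month, requests, error rate in %, mean response time in ms)."""
    out = []
    for month, r in sorted(tabulate(log_text).items()):
        errors = sum(r.get(k, 0) for k in ("missing_pages", "missing_components", "failed_requests"))
        out.append((month, r["requests"], round(100 * errors / r["requests"], 1),
                    round(r["total_ms"] / r["requests"])))
    return out

print(*monthly_report(SAMPLE_LOG), sep="\n")
```

Connection attempts that fail before reaching the server never appear in its own log, so the 5xx count here covers only failed requests the server saw; measuring true connection failures and availability needs an external probe.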

Web Analysis Software as an Audit Tool
There are many Web analysis software tools and services for assessing
the usability of a Website. One of the earliest of these Web analysis tools is
"Webmetrics" (version 3.0) from NIST. Webmetrics is not sold in the market;
it is still in development. However, NIST has made it available for use.

Webmetrics can be downloaded free from the NIST Web Metrics Testbed site at http://zing.ncsl.nist.gov/WebTools/.

ITL of NIST released the first Webmetrics 1.0 Tool Suite in August 1998. In January 2009 they released their latest version. Webmetrics is one of the research projects of ITL's Information Access Division (IAD). For more information about current and past research, products and tools, or other information about IAD, visit IAD's Website.

The objective of developing Webmetrics is to provide industries with the current state-of-the-art technology that will allow improved usability of Websites. Improved usability can dramatically increase the effectiveness and accessibility of a Website, and this is critical if the U.S. industry is to remain competitive in the global marketplace. Some of the earlier IT audit uses of this type of tool were looking at Web usability and compliance with Web development and testing standards.
Today, a number of products and companies offer services that could be used for audit support purposes, providing Web analysis and security alert capability. Some examples are Clicktracks, SAS Web Analytics, Google Analytics, Site Catalyst by Omniture, and Nedstat. Clicktracks provides products and hosted services in the field of Website traffic analysis. SAS Web Analytics applies SAS Customer Intelligence software to online channels so that every customer interaction is captured and analyzed with a profile view of the customer. Google Analytics offers free Web analytic services with integrated analysis of AdWords. This product is based on Urchin, which Google acquired in 2005. Site Catalyst by Omniture is a hosted application that offers a complete view of activity on a company's Website that includes historical (data warehouse) and real-time analysis and reporting. Nedstat is a provider of software solutions and services for monitoring Websites and reporting on Website visits.

Computer Forensics
Computer forensics is the examination, analysis, testing, and evaluation of
computer-based material conducted to provide relevant and valid
information to a court of law. Computer forensics tools are increasingly
used to support law enforcement, computer security, and computer audit
investigations.
A good source for evaluating computer forensics tools is the Computer
Forensics Tool Testing (CFTT) Project Website at
http://www.cftt.nist.gov/. CFTT is a joint project of the NIST, the U.S.
Department of Justice's National Institute of Justice (NIJ), the Federal
Bureau of Investigation (FBI), the Defense Computer Forensics Laboratory
(DCFL), the U.S. Customs Service, and others to develop programs for
testing computer forensics tools used in the investigation of crimes
involving computers.
One tool recently reviewed by CFTT was EnCase Forensics by Guidance Software, Inc.
EnCase enables "noninvasive" computer forensic investigations, allowing
examiners to view relevant files including "deleted" files, file slack, and
unallocated space. Other valuable resources for experience in the use of
computer forensics tools and techniques would be those professional
associations or organizations that support this area. Some of those would be The
International High Technology Crime Investigators Association, Association of
Certified Fraud Examiners, the Institute of Internal Auditors, Federal Government's
Electronic Crimes Task Force, FBI Regional Computer Forensics Laboratory, and
Colloquium for Information Systems Security Education. Note that when
applying computer forensics techniques, one must be aware of the
investigative methodology, processes, and procedures that must be
followed to the letter to
