Auditing in A Computerised System

The document discusses the differences between computerized information systems (CIS) and manual systems, highlighting the need for robust internal controls due to unique features of CIS that can lead to risks such as unauthorized access and loss of audit trails. It outlines various internal controls, including general controls like systems development and access controls, as well as application controls that ensure the accuracy and completeness of accounting records. The document emphasizes the importance of proper segregation of duties, documentation, and disaster recovery plans to mitigate risks associated with CIS.

Uploaded by robinsonmwambegu

TOPIC 15: AUDITING IN A COMPUTERISED SYSTEM

Differences between computerised and manual systems


Computer information systems have unique features when compared to manual systems. These
features require that adequate controls are built into these systems to ensure that the
accounting system can be relied upon for complete and accurate accounting records. These
features include:
i. Consistency
If properly programmed, computers will process transactions consistently and accurately;
likewise, if there is a programming error, it will affect all transactions processed. The
auditor must test the system to ensure that it is processing transactions correctly.

ii. Concentration of functions and controls

Due to the use of computers, few people are involved in the processing of financial
information. This results in weak internal controls and in particular poor segregation of
duties. Certain data processing personnel may be in a position to alter programs or data
while stored or during processing. Many control procedures that would be performed by
separate individuals in a manual system may be concentrated under one person in a CIS.

iii. Programs and data are held together increasing the potential for unauthorized access
and alteration.

iv. Computer information systems are designed to limit paperwork. This results in less
visible evidence. Data may be entered directly into the computer system without
supporting documents, e.g. in some online systems a sales transaction may be initiated
through the computer without a sales order being raised; the amount is then directly
charged to the customer's account without a physical invoice being raised.
v. Lack of visible transaction trail / loss of audit trail
An audit trail refers to the ability to trace transactions through the system by examining
source documents, books of accounts and the financial statements. This is possible in a
manual system where the various stages of a transaction are evidenced by physical
documents. In a computerized information system, data and information are maintained in
magnetic files, which are overwritten over time. This results in loss of the visible audit trail.
vi. Lack of visible output
In some CIS systems the results of transaction processing are not printed out, only the
summary data may be printed. This data can only be accessed through the computer.
vii. Ease of access to data and computer programs
Where there are no proper controls over access to computers at remote terminals there is an
increased danger of unauthorized access to and alteration of data and programs. This
could result in fraud or manipulation of accounting records.
viii. Programmed controls
In a CIS environment controls are programmed together with data processing instructions,
e.g. protection of data against unauthorized access may be by way of passwords or
computer programs containing limit checks.

1|Page

DAN OWINO
ix. A single input to the accounting system may automatically update all records associated
with the transaction, e.g. when a credit sale is made online the system will credit the sales
account, reduce the stock levels and debit the debtors account simultaneously. Thus an
erroneous entry in a system creates errors in the various affected ledgers.
x. Data and programs are usually stored on portable magnetic disks and tapes, which are
vulnerable to theft, loss, and intentional and accidental destruction.
xi. System-generated transactions: Many systems are capable of generating transactions
automatically without manual intervention, e.g. calculation of interest on customers'
accounts may be done and charged to income automatically. This lack of authorization
and documentation can result in significant misstatements or errors in financial
statements if appropriate controls are not in place.

Internal controls in a CIS Environment

To mitigate the risks occasioned by the features of a CIS discussed above, management will
design controls over these systems. These controls include both manual procedures and
procedures built into the computer programs. These controls are divided into:
a) General controls
b) Application controls

1. General controls
These are controls which relate to the environment within which computer-based accounting
systems are developed, maintained and operated, aimed at providing reasonable assurance that
the overall objectives of internal controls are achieved. These controls could be either manual or
programmed. The objectives of general controls are to ensure proper development and
implementation of applications and the integrity of program and data files and of computer
operations. General controls can be classified into:
a) Systems development controls
b) The plan of organization and operation of the computer activity
c) Access controls
d) Backup and recovery procedures and other controls

a) Systems development controls

This relates to the controls that must be exercised by the client when developing new systems
or modifying existing systems.

Effective systems development requires participation by top management. This can be
achieved by setting up a steering committee composed of senior management and high-level
representatives of system users. The steering committee will then approve or recommend
projects and review their progress.

Controls that should be exercised during system development can be divided into the
following categories:
• Review, testing and approval of new systems;
• Controls over program changes;
• Parallel running of the new and old system;
• Documentation procedures.

i. Review, testing and approval of new systems

The basic principles of these controls are:
• The team carrying out the systems design should include representatives of the user
department, accounting department and internal audit. This is to ensure that user
needs are identified and proper consideration is given to the need for adequate
internal controls. It might be important to carry out a feasibility study on the new
system to be developed.
• Each proposed system should have written specifications that are approved by
management and the user department. Such specifications will outline the user
needs identified and how the new system aims to meet these needs. Such
specifications should also provide guidelines on the control considerations.
• Systems testing should involve both user and computer department personnel.
Testing of the new system is as important as the actual development of the
system. The hardware and application programs need to be adequately tested.
This will provide assurance that the new system is reliable. The steering
committee should review and approve the testing to ensure that adequate testing was carried out.
• The computer manager, the user department, the database administrator and the
appropriate level of management should give final approval to the new system
before it is placed in operation and after reviewing the completeness of
documentation and the results of testing.
ii. Controls over program changes
Program changes refer to modifications made to the existing application programs.

Changes in the computer system should be subject to strict controls. For example, a
written request for an application program change should be made by a user
department and authorized by a designated manager or committee. Once the program
has been redesigned the documentation must be revised. The changes in the program
should be tested by the user and a systems employee who was not involved in
designing the change. Approval of the documented change and the results of testing
should be given by a Systems Manager.

Proposed program changes should be tested with incorrect or incomplete data as well
as actual data to determine if controls have been properly implemented in the
program.

iii. Documentation procedures

Documentation is the collection of information that supports and explains computer
applications, including systems development. The Microsoft Excel user manual is a good
example of documentation that assists the users in understanding the functions of the
software and how one can use it.

Documentation is helpful to operators and other users, control personnel, new
employees, auditors, programmers and analysts.

For management, documentation provides a basis for:
• Reviewing the system prior to authorization;
• Implementing smooth personnel changes and avoiding the problem that key
employees might take with them all the knowledge on how the system works
when they leave the organization;
• Reviewing existing systems and programs.
For the auditor, documentation is necessary for the preliminary evaluation of the
system and its controls.
Documentation should be secured in a library with controlled access.
Types of documentation

• Systems documentation includes narrative descriptions, flowcharts, the system
definition used for development, detailed file and record layouts, change requests,
operator instructions and controls.
• Program documentation contains descriptions, program flowcharts and
decision tables, program listings of source code, test data, detailed file and record
layouts, change requests, operator instructions and controls.
• Procedural documentation includes the systems master plan and operations to
be performed, documentation standards, procedures for labeling and handling
files, standards for systems analysis, programming, operations security and data
definition.
iv. Parallel running
Before switching to the new system, the whole system should be tested by running it in
parallel with the existing system. Parallel running refers to running the new and old
systems alongside each other for a specified period of time, say a month. This is important
because:
• It provides the users with the opportunity to familiarize themselves with the new
system while still having the old system available to compare;
• It provides an opportunity for the programmers to sort out any problems with the
new system;
• It ensures that by the time the new system is put into full use the users are
confident that the new system is reliable and that all the data was correctly
transferred to the new system.

b) The plan of organization and operation of the computer activity

The organization should have proper segregation of functions and policies and procedures
relating to control functions within which the computerized system is operated.

Segregation of Functions
There should be proper segregation of duties in the operation of a computerized information
system.

Those who process the data should have no responsibility for initiating or altering the data.
The following functions should be segregated:
• The computer department manager should report to an executive who is not regularly
involved in authorizing transactions for computer processing. This will ensure
independence of the function.
• IT staff should not correct errors in input data. These should be referred to the department
where the data originated for correction and resubmitted to the IT department for
processing.
• Computer staff should not initiate transactions or have custody of the resulting assets.
• Within the computer department there should be segregation of duties.

Policies and procedures relating to control functions

Appropriate control policies and procedures should be developed. In particular:

• Programmers and systems analysts should not be allowed to operate the computer except
for testing purposes.
• Operators' duties should be rotated so that the same operator is not responsible for the
same procedure.
• The computer's operating system should be set up to keep a record of the programs and files
operated on. This record should be checked regularly by the computer department
manager and internal audit. There should also be procedures ensuring the
completeness and validity of all input and output. In a centralized system, a data control
group may be established for this function.

c) Access controls
Computer systems are often dependent on the accuracy and validity of data held on file. Access
controls over the computer hardware, software and data files are therefore vital.

Access controls provide assurance that only authorized individuals use the system and that
usage is for authorized purposes only. Access may be restricted to specific persons, files,
functions or devices.

Access controls are both physical and programmed. Physical controls apply to both hardware
and data files stored in the form of magnetic disks or diskettes. Examples of access controls:
• Only authorized personnel should be permitted access to the computer facilities, which
should be in a secure room.
• Control over computers located in the user department should be improved by making
sure that vital data or programs are not left running when the computer is left unattended.
• Passwords should be issued to all staff for access to the computer facilities. This is
supported by the requirement that each user can only log into the computer by keying in their
password; the computer then knows the identity of the user and is programmed so as
to accept instructions only from authorized users. A system of passwords makes it
possible for each user to have limited access to files, and that access may further be
designated as Read Only or Read and Write. In this way employees are given access only to
the information they need in the files. Computers should also be programmed to record the
names of all those accessing the computer for the purpose of adding, altering or deleting data.
• Passwords should be changed regularly and access to password data held in the computer
should be subject to stringent controls.
• The computer has no way of knowing whether the user is the authorized holder of a
particular password. Hence users should be issued with machine-readable evidence, e.g.
magnetic striped cards. For access the user will then have to use both the card and the
password.
• Programs and data files which need not be online should be stored in a secure location
with a computer department librarian. Systems programs and documentation should be
locked away with limited access.
• A systems access log to record all attempts to use the system should be maintained. This
will record the date, time, codes used, mode of access and data involved. Logs of
computer and programmer usage should be maintained and periodically reviewed.
• Logs of operator overrides of programmed controls should be kept. These will show instances where
users have overridden systems controls.
• Encrypting the data before transmission over communication lines makes it more difficult
for someone with access to the transmission to understand or modify the contents.
• Automatic log-off, i.e. disconnection of inactive data terminals, may prevent the viewing
of sensitive data on an unattended data terminal.
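As an added example (not from these notes), the following Python routine performs the periodic review of a systems access log of the kind described above, flagging repeated rejected attempts, operator overrides, out-of-hours updates and successful use of a mode the user code is not entitled to. The log layout, the user codes, the privilege register and the office-hours window are all assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed log: date, time, user code, mode of access, data involved, result.
# The layout and the user codes are assumptions for this example.
ACCESS_LOG = """\
2023-03-06 08:55:12 CLK01 READ     DEBTORS     OK
2023-03-06 09:02:40 CLK01 WRITE    DEBTORS     OK
2023-03-06 09:10:03 OPR02 WRITE    PAYROLL     OK
2023-03-06 09:11:15 TMP09 WRITE    PAYROLL     DENIED
2023-03-06 09:11:22 TMP09 WRITE    PAYROLL     DENIED
2023-03-06 09:11:31 TMP09 WRITE    PAYROLL     DENIED
2023-03-06 22:41:07 OPR02 WRITE    STANDING    OK
2023-03-06 22:42:50 OPR02 OVERRIDE LIMIT-CHECK OK
2023-03-07 10:15:00 PRG03 WRITE    LIVE-PROGS  OK
"""

# Assumed register of the modes each user code is authorized to use
# (Read Only versus Read and Write, as the notes describe).
PRIVILEGES = {
    "CLK01": {"READ", "WRITE"},
    "OPR02": {"READ", "WRITE"},
    "PRG03": {"READ"},            # programmers: no writes to live files
    "TMP09": {"READ"},
}
OFFICE_HOURS = (8, 18)            # assumed normal processing window, 08:00-18:00
FAILED_ATTEMPT_THRESHOLD = 3      # assumed: three rejections trigger a finding


def parse_log(text):
    """Turn the fixed-layout log into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, mode, data, result = line.split()
        records.append({"when": datetime.fromisoformat(f"{date} {time}"),
                        "user": user, "mode": mode, "data": data,
                        "result": result})
    return records


def review_access_log(text, privileges=PRIVILEGES):
    """Return (finding, user code, data) tuples for the control group to follow up."""
    findings = []
    failures = Counter()
    for r in parse_log(text):
        in_hours = OFFICE_HOURS[0] <= r["when"].hour < OFFICE_HOURS[1]
        allowed = privileges.get(r["user"], set())   # unknown code: nothing allowed
        # 1. A successful access in a mode the user code is not authorized for.
        if r["result"] == "OK" and r["mode"] in ("READ", "WRITE") \
                and r["mode"] not in allowed:
            findings.append(("unauthorized mode", r["user"], r["data"]))
        # 2. Repeated rejections: someone without authority keeps trying.
        if r["result"] == "DENIED":
            failures[r["user"]] += 1
            if failures[r["user"]] == FAILED_ATTEMPT_THRESHOLD:
                findings.append(("repeated failed attempts", r["user"], r["data"]))
        # 3. Every operator override of a programmed control is reportable.
        if r["mode"] == "OVERRIDE":
            findings.append(("control override", r["user"], r["data"]))
        # 4. Updates outside the normal processing window.
        if r["result"] == "OK" and r["mode"] in ("WRITE", "OVERRIDE") and not in_hours:
            findings.append(("out-of-hours update", r["user"], r["data"]))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(ACCESS_LOG):
        print(*finding)
```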

d) Backup and recovery policies and procedures and other controls

The organization should have a reconstruction and disaster recovery plan that will allow it to
regenerate important programs and data files in case of disaster or accidental destruction.

The recovery plan should create backup or duplicate copies of data files, databases,
programs and documentation, store the backup copies off-site and plan for auxiliary processing at
another site. Such a recovery plan should be tested on a regular basis to ensure that it indeed
works.

For example, even after the unfortunate bomb attack on the US Embassy in 1998,
organizations such as Co-operative Bank that were affected were able to reconstruct their data
because there was adequate backup of the information at remote sites. This
emphasizes that a disaster recovery and reconstruction plan is a critical control that
management must implement.

Other issues that should be addressed include:

• There should be adequate protection against natural disasters, such as situating computer
rooms where they are protected against floods and fitting them with smoke detectors.
• There should be maximum possible physical security where computers are installed.
Important files should always be stored in duplicate.
• Standby procedures should be put in place in the event of computer breakdown.
• File retention procedures, e.g. retaining copies of essential data in a separate and secured
location.
• There should be adequate virus protection. A computer virus is a software program that
infects another program or a system's primary storage memory by altering its logic.
Infection often results in destruction of data or processing errors. Once infected, a
software program can spread the virus to other software programs. Viruses can be spread
through the use of unauthorized software, use of diskettes from outside, and propagation of
viruses through e-mail attachments, among other means. To protect against viruses the following
controls can be exercised:
- Preventive controls include establishing a formal security policy, using only clean and
certified copies of software, checking new software with anti-virus software,
restricting access and educating users not to introduce unauthorized software or other
data;
- Detective controls include making file size and date/time stamp comparisons;
- Corrective controls include ensuring that a clean backup is maintained and having a
documented plan for recovery from a virus.

These controls will minimize the risks associated with the loss or corruption of data.
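The file size and date/time stamp comparison listed under detective controls, as an added Python example that is not from these notes. It records a baseline for a program library and reports later differences; the SHA-256 digest is an addition beyond the notes, included because a replaced program can leave both size and timestamp unchanged, as demo() shows. The directory and its files are constructed.

```python
import hashlib
import os
import tempfile


def take_baseline(directory):
    """Record size, date/time stamp and SHA-256 digest for every file under directory."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            st = os.stat(path)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            rel = os.path.relpath(path, directory)
            baseline[rel] = {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}
    return baseline


def compare_baseline(before, after):
    """Return {file: [reasons]} for files that changed, appeared or vanished
    between the certified baseline and a later scan."""
    findings = {}
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            findings[rel] = ["new file not in certified baseline"]
            continue
        if rel not in after:
            findings[rel] = ["file missing"]
            continue
        reasons = [f"{key} changed" for key in ("size", "mtime", "sha256")
                   if before[rel][key] != after[rel][key]]
        if reasons:
            findings[rel] = reasons
    return findings


def demo():
    """Constructed scenario: a small program library is baselined, then one program
    is replaced by content of the same length with its timestamp restored (so only
    the digest differs) and an uncertified program is added. Returns the findings."""
    with tempfile.TemporaryDirectory() as lib:
        for name, content in (("payroll.exe", b"PAYROLL v1"), ("ledger.exe", b"LEDGER v1")):
            with open(os.path.join(lib, name), "wb") as f:
                f.write(content)
        before = take_baseline(lib)
        path = os.path.join(lib, "payroll.exe")
        with open(path, "wb") as f:
            f.write(b"PAYROLL vX")               # same length as the original
        stamp = before["payroll.exe"]["mtime"]
        os.utime(path, (stamp, stamp))           # date/time stamp put back
        with open(os.path.join(lib, "game.exe"), "wb") as f:
            f.write(b"not certified")
        return compare_baseline(before, take_baseline(lib))


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel, ", ".join(reasons))
```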

2. Application controls
The objectives of application controls, which may be manual or programmed, are to ensure the
completeness and accuracy of the accounting records and the validity of the entries made therein
resulting from both manual and programmed processing. Application controls therefore provide
assurance that all transactions are authorized, recorded and processed completely, accurately and
on a timely basis. These controls relate to the transactions and standing data pertaining to each
computer-based accounting system and are therefore specific to each such application. With the
increasing sophistication of computer operating systems it is becoming more common for
controls to be programmed as part of each application. Application controls are generally divided
into:
a) Input controls
b) Processing controls
c) Output controls
d) Controls over master files and standing data
Controls that ensure the completeness of recording and processing often also ensure accuracy,
so one control procedure may have several objectives.
a) Input controls

Most errors in computer accounting systems can be traced to faulty input. Controls over the
completeness, validity and data conversion of input, and controls over rejected input, are therefore
vital.

Completeness
These controls ensure that all transactions are recorded. For example, that all sales are
recorded in the cash register or all purchase invoices are posted to the accounting records.

Validity
Controls over validity ensure that only actual transactions that have been properly authorized
are recorded. These controls are most important over the recording of liabilities such as
wages, creditors etc. It is important that there is adequate separation of duties such that those
who initiate a transaction, or who have access to cash, cheques or goods as a result of the
transaction being entered, should not have the responsibility for posting the transaction.

Access controls as discussed earlier play an important role in validity in that the computer is
programmed to accept input only from authorized users. The computer can also be
programmed to verify authority limits as well.

Data Conversion
There must be controls to ensure that all data on source documents is properly entered into
the computer.

Controls over rejected input data

Input data that has been rejected should be returned to the originating systems user. The
reasons for the rejection should be established and where appropriate the necessary corrections
made. Such data should then be resubmitted for processing.

Examples of input controls

The most common input controls are edit controls. Edit controls are programmed into the
software.

Examples of edit controls include:

Missing field check
  Description: Checks that all essential data fields are present and are of the right length during data input.
  Objective: Ensures accuracy of the processed data. Transactions cannot be properly processed if necessary data is missing.

Valid character check
  Description: Checks that data fields appear to be of the right type, e.g. all alphabetic, all numeric or mixed.
  Objective: Ensures correctness of input data.

Limit / reasonableness checks
  Description: Checks that data falls within predetermined reasonability limits, e.g. hours worked do not exceed a certain limit, maybe 8 hours a day.
  Objective: Ensures accuracy and validity of input data.

Master file checks
  Description: Checks that all codes match those on master files, e.g. an employee's number matches an employee number on the personnel file.
  Objective: Ensures that data is processed against the correct master file.

Check digit
  Description: Applies an arithmetic operation to the code number and compares the result to the check digit.
  Objective: To ensure accuracy of data by detecting keystroke errors.

Document count
  Description: Agrees the number of input records in a batch with the total on the batch control form.
  Objective: Ensures that all documents are input.

Financial totals
  Description: Summarizes the shilling amounts in an information field in a group of records.
  Objective: Ensures completeness of input.

Hash total
  Description: A control total without a defined meaning, such as the total of employee numbers or invoice numbers, that is used to verify the completeness of data. Thus, the hash total for the employee listing by the personnel department could be compared with the total generated during the payroll run.
  Objective: To verify the completeness of data.

Sequence checks
  Description: Determine that records are in proper order.
  Objective: To verify completeness of data.

Sign check
  Description: Assures that data in a field has the appropriate arithmetic sign. For example, discount awarded should always have a negative sign.
  Objective: To verify validity and accuracy of data.

Validity checks
  Description: Tests of identification numbers or transaction codes for validity by comparison with items already known to be correct or authorized.
  Objective: To test for validity of input data.
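An added Python example, not from the notes, that applies the edit controls in the table above to a constructed batch of keyed timesheets and the batch control form that accompanies it: missing field, valid character, check digit, master file, limit and sign checks on each record, and document count, financial total, hash total and sequence checks on the batch. The record layout, the 8-hour limit, the modulus-11 check digit scheme and the employee master file are assumptions.

```python
HOURS_LIMIT = 8.0                                      # assumed reasonableness limit per day
MASTER_FILE = {"12343", "20478", "31011", "41122"}     # assumed personnel file: valid employee numbers


def check_digit(base):
    """Modulus-11 check digit for a 4-digit base with weights 5,4,3,2 (assumed scheme)."""
    total = sum(int(d) * w for d, w in zip(base, (5, 4, 3, 2)))
    return (11 - total % 11) % 11        # numbers whose digit would be 10 are never issued


def edit_record(rec):
    """Return the list of record-level edit-control failures for one keyed timesheet."""
    errors = []
    emp = rec["emp_no"]
    if not emp or rec["hours"] is None or len(emp) != 5:     # missing field / field length
        errors.append("missing field")
    elif not emp.isdigit():                                  # valid character check
        errors.append("invalid character")
    elif check_digit(emp[:4]) != int(emp[4]):                # check digit: keystroke error
        errors.append("check digit")
    elif emp not in MASTER_FILE:                             # master file check
        errors.append("not on master file")
    if rec["hours"] is not None and not 0 <= rec["hours"] <= HOURS_LIMIT:   # limit check
        errors.append("hours outside limit")
    if rec["deduction"] > 0:                                 # sign check: deductions are negative
        errors.append("deduction must be negative")
    return errors


def edit_batch(records, control_form):
    """Apply batch-level controls against the control form, then edit each record.
    Returns {"batch": [...failures...], "records": {doc_no: [...failures...]}}."""
    findings = {"batch": [], "records": {}}
    if len(records) != control_form["document_count"]:            # document count
        findings["batch"].append("document count")
    if sum(r["hours"] or 0 for r in records) != control_form["financial_total"]:
        findings["batch"].append("financial total")               # financial total of hours
    hash_total = sum(int(r["emp_no"]) for r in records if r["emp_no"].isdigit())
    if hash_total != control_form["hash_total"]:                  # hash total of employee numbers
        findings["batch"].append("hash total")
    doc_nos = [r["doc_no"] for r in records]
    for a, b in zip(doc_nos, doc_nos[1:]):                        # sequence check on document numbers
        if b <= a:
            findings["batch"].append(f"sequence: {b} out of order after {a}")
        elif b != a + 1:
            findings["batch"].append(f"sequence: gap between {a} and {b}")
    for r in records:
        errs = edit_record(r)
        if errs:
            findings["records"][r["doc_no"]] = errs
    return findings


# Constructed batch as keyed, and the control form prepared by the originating
# department from the source documents (one document was lost before keying).
BATCH = [
    {"doc_no": 101, "emp_no": "12343", "hours": 8.0,  "deduction": -5.00},
    {"doc_no": 102, "emp_no": "20478", "hours": 12.0, "deduction": -2.50},
    {"doc_no": 103, "emp_no": "31012", "hours": 7.0,  "deduction": -1.00},
    {"doc_no": 105, "emp_no": "41122", "hours": 8.0,  "deduction": 3.00},
    {"doc_no": 106, "emp_no": "",      "hours": 8.0,  "deduction": -1.00},
    {"doc_no": 107, "emp_no": "5A123", "hours": 6.0,  "deduction": -1.00},
    {"doc_no": 108, "emp_no": "99996", "hours": 9.0,  "deduction": -1.00},
]
CONTROL_FORM = {"document_count": 8, "financial_total": 58.0, "hash_total": 204951}

if __name__ == "__main__":
    result = edit_batch(BATCH, CONTROL_FORM)
    print("batch:", result["batch"])
    for doc_no, errs in result["records"].items():
        print(doc_no, errs)
```

Rejected records and the batch discrepancies would go back to the originating department for correction and resubmission, as the notes describe.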
b) Processing controls
Processing controls ensure that transactions are:
- Processed by the right programs;
- Processed to the right master files;
- Not lost, duplicated or otherwise improperly altered during processing;
- Identified and corrected where processing errors occur.

Some input controls are also processing controls, e.g. limit, reasonableness and sign checks.

Processing controls include:

- Program file identification procedures, which check whether the right master files are
in use during the processing of data;
- Matching tests to ascertain that an updating transaction is matched with the appropriate
master file record;
- Physical file identification procedures in the form of labels physically attached to files or
diskettes to ensure that the right files are applied during data processing;
- Limit and reasonableness tests applied to data arising as a result of processing;
- Sequence tests over pre-numbered documents;
- Comparing the contents of a record before and after updating in a posting check;
- A zero-balance check, which adds the positive and negative amounts posted; the result should
be zero;
- Run-to-run control totals, e.g. record counts or totals of certain critical amounts, which should be
generated and checked at designated points during processing;
- Internal header and trailer labels to ensure that incorrect files are not processed;
- Programs used in processing should be tested, for example by reprocessing actual data
with a known result or by employing test data;
- An audit trail should be created through the use of input-output control logs, error
listings, transaction logs and transaction listings.
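An added Python example, not from the notes, of a posting run subject to the processing controls listed above: internal header and trailer labels, a zero-balance check on each journal, a matching test against the master file, run-to-run control totals carried from the input run, and a before/after posting check. The file layout, the accounts and the amounts are constructed.

```python
class ProcessingError(Exception):
    """Raised when a processing control is breached; nothing is posted."""


# Constructed sales journal transaction file with internal header and trailer
# labels. Detail record layout (assumed): (journal no, account, debit, credit).
# The trailer carries the record count and total debits written by the input run.
TRANSACTION_FILE = {
    "header":  {"file_id": "SALESJNL", "generation": 42},
    "details": [
        ("J1", "1200-DEBTORS", 500.00,   0.00),
        ("J1", "4000-SALES",     0.00, 500.00),
        ("J2", "1200-DEBTORS", 120.00,   0.00),
        ("J2", "4000-SALES",     0.00, 100.00),   # keyed wrongly: credit should be 120.00
    ],
    "trailer": {"record_count": 4, "total_debits": 620.00},
}


def check_labels(tfile, expected_id, expected_generation):
    """Internal header/trailer label check: right file and generation, and the
    trailer totals agree with the detail records. Returns (count, total debits)."""
    header = tfile["header"]
    if (header["file_id"], header["generation"]) != (expected_id, expected_generation):
        raise ProcessingError(f"wrong file: {header['file_id']} gen {header['generation']}")
    count = len(tfile["details"])
    total = round(sum(d[2] for d in tfile["details"]), 2)
    trailer = tfile["trailer"]
    if (count, total) != (trailer["record_count"], trailer["total_debits"]):
        raise ProcessingError(f"trailer mismatch: got {count}/{total}, expected {trailer}")
    return count, total


def zero_balance_check(details):
    """Return the journal numbers whose debits and credits do not net to zero."""
    nets = {}
    for jnl, _acct, dr, cr in details:
        nets[jnl] = round(nets.get(jnl, 0.0) + dr - cr, 2)
    return sorted(j for j, net in nets.items() if net != 0)


def post_run(tfile, ledger, expected_id, expected_generation):
    """Post the file to the ledger (account -> balance) under processing controls.
    Returns the run-to-run totals (records posted, debits posted); on any
    breach raises ProcessingError and leaves the ledger untouched."""
    in_count, in_total = check_labels(tfile, expected_id, expected_generation)
    unbalanced = zero_balance_check(tfile["details"])
    if unbalanced:
        raise ProcessingError(f"journals out of balance: {unbalanced}")
    work = dict(ledger)                       # post to a copy; commit only at the end
    posted, debits = 0, 0.0
    for _jnl, acct, dr, cr in tfile["details"]:
        if acct not in work:                  # matching test against the master file
            raise ProcessingError(f"no master record for {acct}")
        work[acct] = round(work[acct] + dr - cr, 2)
        posted += 1
        debits = round(debits + dr, 2)
    if (posted, debits) != (in_count, in_total):   # run-to-run control totals
        raise ProcessingError("run-to-run totals do not agree with the input run")
    for acct in ledger:                       # posting check: before + movement == after
        movement = round(sum(dr - cr for _j, a, dr, cr in tfile["details"] if a == acct), 2)
        if round(ledger[acct] + movement, 2) != work[acct]:
            raise ProcessingError(f"posting check failed for {acct}")
    ledger.update(work)
    return posted, debits


def demo():
    """Constructed run: the file as keyed fails the zero-balance check and is not
    posted; the corrected file posts. Returns (first outcome, run totals, ledger)."""
    ledger = {"1200-DEBTORS": 1000.00, "4000-SALES": -5000.00}
    try:
        post_run(TRANSACTION_FILE, ledger, "SALESJNL", 42)
        first = "posted"
    except ProcessingError as err:
        first = str(err)
    corrected = dict(TRANSACTION_FILE)
    corrected["details"] = TRANSACTION_FILE["details"][:3] + [("J2", "4000-SALES", 0.00, 120.00)]
    totals = post_run(corrected, ledger, "SALESJNL", 42)
    return first, totals, ledger


if __name__ == "__main__":
    print(demo())
```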

c) Output controls
These are necessary to ensure that:
- Output is received for all input;
- Results of processing are accurate;
- Output is distributed to appropriate personnel promptly.

These controls include:

- Recording all output obtained from processing;
- Matching or agreeing all output to input;
- Noting the distribution of all output. Output should be distributed in accordance with a
distribution register that lists authorized users;
- Output checklists aimed at ensuring that all expected reports are processed and
forwarded to the relevant department or personnel;
- Error listings should be received directly from the system by the control group, which
should make any necessary inquiries and send the errors to users for correction and
resubmission;
- The console log should be reviewed for unusual interruptions, interventions or other
activity;
- User review of the output. Users should be able to determine when output is
incomplete or not reasonable.

d) Controls over master files and standing data

These are aimed at ensuring the completeness, accuracy and authorization of amendments to
master files and standing data files. These controls are similar to controls over input, e.g.
controls to prevent the deletion of any account which contains a current running balance.
Once standing data has been written onto a master file, it is important that there are adequate
controls to ensure that the data remains unaltered until an authorized change is made.

Examples of controls
• Periodic printouts of standing data for checking against manually held information.
• Establishment of independent control totals for periodic verification against computer-
generated totals.
• Limiting the persons who can make amendments to standing data.

Auditing in a Computerized Environment

The use of computers in the processing of financial information by the client affects the general
approach of the auditor to his work. The use of computers does not affect the auditor's primary
responsibility of reporting on the financial statements, but the way in which the auditor carries
out his substantive and compliance procedures to arrive at his opinion will be considerably
different.

Planning the audit in a Computerized Environment

When planning for an audit in a computerized system the following factors must be considered:
i. Auditors need to be involved in computerized systems at the planning, development and
implementation stages. Knowledge of the system gained at these stages will enable the
auditor to plan the audit with an understanding of the system.
ii. Timing of the audit visits is more important in a computerized environment than in a
manual environment because of the need for the auditor to be present when the data and
files are available; more frequent visits to the client may be required.
iii. Recording methods may be different. Recent developments include the use of portable
laptops to aid in preparing audit working papers, enabling auditors to download data files
onto their own personal computers.
iv. The allocation of suitably skilled staff to the audit. Thus audit firms now use the
computer audit department on some parts of the audit while allowing general audit staff to
gain some computer experience.
v. The extent to which computer assisted audit techniques can be used. These techniques
often require considerable planning in advance.

The auditor's approach

As a result of the features of a computerized information system the auditor will need to devise
an appropriate audit approach. There are two main approaches that can be adopted:
a) Auditing around the computer,
b) Auditing through the computer.

Auditing around the computer

Auditing around the computer assumes that the presence of accurate output verifies proper
processing operations. This type of auditing pays little or no attention to the control procedures
within the IT environment.
Generally, it is not an effective approach to auditing a computerized environment. The auditor
does not rely on controls, manual or computerized; the audit approach is mainly substantive.
This approach is adopted for small applications where there is adequate documentation of the
transactions such that the auditor is able to trace the initiation of the transaction to the final
recording without the need to review how the data is processed by the computer. In this case, the
computer system is viewed as simply an instrument through which conventional records are
produced. Auditing around the computer is only suitable where:
• The audit trail is complete and visible.
• Processing is simple.
• Complete documentation of transactions is available.

This approach is much criticized because:

i. It is extremely risky to audit and give an opinion on records that have been produced by a
system that the auditor does not understand fully; and
ii. A computer has immense advantages for the auditor and it is inefficient to carry out an
audit in this manner.

Auditing through the computer

There are basically two techniques available to the auditor for auditing through the computer.
These are the use of test data and the use of computer audit programs. These methods are
ordinarily referred to as computer assisted audit techniques (CAATs).
Computer Assisted Audit Techniques (CAATs)
Relevant standard: IAPS 1009, Computer-Assisted Audit Techniques

We have already mentioned that the most appropriate method to audit computerized information
systems is through the use of CAATs. Let us examine CAATs in detail.

Definition
This refers to any automated audit technique such as audit software and test data. CAATs are
ways in which the computer may be used by the auditor in a computerized information system to
gather, or assist in gathering, audit evidence. CAATs are mainly of two types:
a) Audit software
b) Test data

Audit Software
This refers to software that can directly read and access data held on various database and file
platforms. Using it, the auditor can access the data stored in the client's computer directly and
carry out mathematical computations, statistical analysis, sequence checks and re-computations
without depending on client-produced printouts.

Types of audit software


a) Generalized audit software. This comes in a variety of forms. It may either be a software
package available commercially or one developed by an auditing firm. This software is
designed to perform a variety of functions such as reading computer files, selecting data,
manipulating data, sorting data, summarizing data, performing calculations, selecting
samples, and printing reports or letters in a format specified by the auditor. This type of
software may be used to gather evidence in relation to both the effectiveness of operation of a
programmed control procedure and the extent of misstatements in account balances and
underlying classes of transactions. In other words, this software may be used as either a test
of control or as a substantive procedure.

b) Utility programs. These are programs, which are generally not designed for audit purposes
but can be used by the auditor to perform common data processing functions such as sorting,
creating and printing files.
c) Purpose written programs. These are programs specifically written either by the auditor or by
a programmer to suit the auditor’s specific circumstances.

d) Commercial software, such as Microsoft Excel, WordPerfect, etc., may be used by the
auditor for analyzing data imported from client files, writing audit programs, etc.

e) Embedded audit module is a CAAT in which code prepared by the auditor is embedded in
the client's software. The code may be designed, for example, to replicate a specific aspect of
a control procedure, or to record details of certain transactions in a file accessible only to the
auditor. Thus, it may be used either as a test of control or as a substantive procedure.

f) Integrated test facility is a facility forming part of the client’s software that enables the
auditor’s test data to be integrated and processed with the client’s live input data. The facility
ensures that the test data updates special dummy files, rather than actual operating files. The
dummy files are examined to ensure that the test data has been processed in the manner
expected. This procedure provides evidence of the effectiveness of design of programmed
control procedures as well as aspects of the effectiveness of operation.

g) Parallel simulation, in which actual client data is processed using a copy of the client’s
software that has undergone program code analysis by the auditor and is under the control of
the auditor. The data processed on the auditor’s copy of the software is compared to the data
previously processed by the client to ensure that the processing is identical. This procedure
provides evidence as to the effectiveness of design of programmed control procedures as well
as aspects of the effectiveness of operation.

h) Program code analysis is the analysis of the client’s program code to ensure that the
instructions given to the computer are the same instructions that the auditor has previously
identified when reviewing the systems documentation. The analysis may be performed using
specialized audit software owned by the auditor. The procedure provides evidence as to the
effectiveness of the design of programmed control procedures.

Use of audit software

Although audit software may be used for both compliance (tests of control) and substantive
procedures, it is better suited to substantive testing of transactions and account balances. By using
audit software, the auditor is able to test large volumes of data within a short time, leaving more time
for the investigation of results than for the extraction of information. The following functions can
be performed using audit software:
 File reorganization – enables indexing, sorting, merging and linking with other files;
 Data selection – enables filtering of records that meet the auditor's criteria;
 File access – enables the reading of different record formats and file structures;
 Arithmetic functions – enables re-computation of totals, extensions and balances;
 Summarizing data;
 Selecting samples of items for testing;
 Printing reports or letters in a format specified by the auditor;
 Detecting violations of system limits, e.g. a sales ledger can be checked to ensure that no
customer has a balance above the authorized credit limit;
 Testing reasonableness checks, e.g. ensuring that the value of purchases is not greater than the
value of stocks received.
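The following script is an added illustration, not part of the original notes, of what generalized audit software does in practice: it reads a client file export, runs a sequence check on invoice numbers, re-computes each invoice total, summarizes balances per customer against the authorized credit limit, and draws a reproducible sample. The sales ledger and customer master below are constructed sample data (no real client), and the function names are the author's own, not those of any audit package.

```python
import csv
import io
import random
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (not from any client): a sales ledger export and a customer master file.
# Invoice 1003 is missing, 1004 appears twice, 1006 has a wrong total, and C009 has no master record.
SALES_LEDGER_CSV = """invoice_no,customer_id,qty,unit_price,total
1001,C001,10,12.50,125.00
1002,C002,3,40.00,120.00
1004,C001,5,12.50,62.50
1004,C003,2,99.00,198.00
1005,C009,1,500.00,500.00
1006,C002,7,40.00,290.00
"""

CUSTOMER_MASTER_CSV = """customer_id,credit_limit
C001,150.00
C002,1000.00
C003,100.00
"""


def read_records(csv_text):
    """File access: read a CSV export into a list of dicts, one per record."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def sequence_check(invoices):
    """Sequence check on invoice numbers: report gaps (missing numbers) and duplicates."""
    numbers = sorted(int(r["invoice_no"]) for r in invoices)
    seen, duplicates = set(), []
    for n in numbers:
        if n in seen and n not in duplicates:
            duplicates.append(n)
        seen.add(n)
    gaps = [n for n in range(numbers[0], numbers[-1] + 1) if n not in seen]
    return {"gaps": gaps, "duplicates": duplicates}


def recompute_totals(invoices):
    """Re-computation: qty * unit_price must equal the stored total on every line.
    Decimal is used so that money arithmetic is exact."""
    mismatches = []
    for r in invoices:
        expected = Decimal(r["qty"]) * Decimal(r["unit_price"])
        if expected != Decimal(r["total"]):
            mismatches.append((r["invoice_no"], expected, Decimal(r["total"])))
    return mismatches


def credit_limit_check(invoices, customers):
    """System-limit check: summarize the balance per customer and compare it with the
    authorized credit limit. Customers on the ledger with no master record are listed separately,
    since a non-existent customer is itself an exception to investigate."""
    limits = {c["customer_id"]: Decimal(c["credit_limit"]) for c in customers}
    balances = defaultdict(Decimal)
    for r in invoices:
        balances[r["customer_id"]] += Decimal(r["total"])
    over_limit, unknown = [], []
    for cust, bal in sorted(balances.items()):
        if cust not in limits:
            unknown.append(cust)
        elif bal > limits[cust]:
            over_limit.append((cust, bal, limits[cust]))
    return {"over_limit": over_limit, "unknown_customers": unknown}


def select_sample(invoices, size, seed=2024):
    """Sample selection: a random sample that is reproducible because the seed is fixed
    and recorded in the working papers."""
    rng = random.Random(seed)
    return sorted(r["invoice_no"] for r in rng.sample(invoices, size))


if __name__ == "__main__":
    ledger = read_records(SALES_LEDGER_CSV)
    master = read_records(CUSTOMER_MASTER_CSV)
    print("sequence check:", sequence_check(ledger))
    print("re-computation exceptions:", recompute_totals(ledger))
    print("credit limit check:", credit_limit_check(ledger, master))
    print("sample for vouching:", select_sample(ledger, 2))
```

Each function returns its exceptions rather than printing them, so the same checks can be run over the full ledger and the results filed as evidence; the seed used for sampling is what lets a reviewer reproduce the selection.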

Test data
Test data is a CAAT in which test transactions prepared by the auditor are processed on the current
production version of the client's software, but separately from the client's normal input data.
The test data that is processed updates the auditor's copies of the client's data files, not the live
files. The updated copies are examined to ensure that the transactions were processed in the manner
expected. This procedure is typically used to gather evidence as to the effectiveness of design of
programmed control procedures, as well as aspects of their effectiveness of operation.

Test data can be used in the following ways:

 Tests of access controls over the CIS, by attempting to gain unauthorized entry or to process
invalid data, e.g. unauthorized passwords, or employee names or numbers that should not be
permitted, may be used in an attempt to gain entry.
 Reasonableness tests: incomplete transactions, transactions with incorrect coding, transactions
outside programmed parameters and transactions with non-existent customers or suppliers
may be used to ensure that the system properly rejects invalid transactions.
Test data carries with it the inherent risk of corrupting the client's data. Integrated test facilities,
which give the auditor his own section of the general ledger, avoid this and also permit the testing
of longer-term controls. For example, the auditor may post a sales invoice to the auditor's
account on the ledger and would then expect that, a few weeks or months later, the invoice
would show in the client's system as an overdue debtor.
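As an added worked example (not from the original notes), the test data technique described above can be run as follows. The "client program" here is a constructed stand-in for a sales input routine, since no real client program is given on the page; the customer file, the product coding convention, the programmed quantity limit and the function names are all assumptions for illustration. The test pack pairs each transaction with the outcome the documented controls predict, runs the pack against a copy of the data files, and reports every case where actual behaviour differs. The stand-in is given one deliberate gap (it never checks for a zero quantity) so that the pack surfaces a control deficiency, which is the kind of result the auditor is looking for.

```python
import copy
import re

# Assumed programmed parameters of the stand-in client program (illustration only).
PRODUCT_CODE = re.compile(r"^P\d{4}$")   # assumed coding convention: 'P' followed by four digits
MAX_QTY = 500                             # assumed programmed upper limit on quantity


def live_files():
    """Constructed stand-in for the client's live data files: a customer master and a sales ledger."""
    return {
        "customers": {
            "C001": {"credit_limit": 150.0, "balance": 0.0},
            "C002": {"credit_limit": 1000.0, "balance": 900.0},
        },
        "ledger": [],
    }


def client_program(txn, files):
    """Stand-in for the client's sales input program: validate one transaction and, if it passes
    every programmed control, post it to the files supplied. Returns (accepted, reason)."""
    for field in ("customer_id", "product_code", "qty", "amount"):
        if field not in txn or txn[field] in (None, ""):
            return False, f"incomplete transaction: missing {field}"
    if txn["customer_id"] not in files["customers"]:
        return False, "non-existent customer"
    if not PRODUCT_CODE.match(txn["product_code"]):
        return False, "incorrect product coding"
    if txn["qty"] > MAX_QTY:
        return False, "quantity outside programmed parameters"
    # Deliberate control weakness for this illustration: nothing rejects a zero or negative
    # quantity, even though the documented controls say such lines must be rejected.
    cust = files["customers"][txn["customer_id"]]
    if cust["balance"] + txn["amount"] > cust["credit_limit"]:
        return False, "credit limit exceeded"
    cust["balance"] += txn["amount"]
    files["ledger"].append(txn)
    return True, "posted"


# Auditor's test data pack: each transaction with the outcome the documented controls predict
# (True = should be accepted, False = should be rejected).
TEST_PACK = [
    ({"customer_id": "C001", "product_code": "P0001", "qty": 10, "amount": 100.0}, True),    # valid line
    ({"customer_id": "C999", "product_code": "P0001", "qty": 1, "amount": 10.0}, False),     # non-existent customer
    ({"customer_id": "C001", "product_code": "P0001", "qty": "", "amount": 10.0}, False),    # incomplete
    ({"customer_id": "C001", "product_code": "X01", "qty": 1, "amount": 10.0}, False),       # incorrect coding
    ({"customer_id": "C001", "product_code": "P0001", "qty": 9999, "amount": 10.0}, False),  # outside parameters
    ({"customer_id": "C002", "product_code": "P0001", "qty": 1, "amount": 200.0}, False),    # over credit limit
    ({"customer_id": "C001", "product_code": "P0001", "qty": 0, "amount": 0.0}, False),      # zero quantity
]


def run_test_pack(program, files, pack):
    """Process the pack against a COPY of the client's files, never the live ones, and return
    (exceptions, updated_copy). An exception is any transaction whose actual treatment differs
    from the expected one; an empty list means every tested control operated as documented."""
    working_copy = copy.deepcopy(files)
    exceptions = []
    for txn, expected in pack:
        accepted, reason = program(txn, working_copy)
        if accepted != expected:
            exceptions.append({"txn": txn, "expected_accept": expected,
                               "actual_accept": accepted, "reason": reason})
    return exceptions, working_copy


if __name__ == "__main__":
    live = live_files()
    exceptions, posted = run_test_pack(client_program, live, TEST_PACK)
    for e in exceptions:
        print("control exception:", e)
    print("live ledger still empty:", live["ledger"] == [])
```

The exceptions list is what goes into the working papers: here it contains the zero-quantity line, which the program posted although the documented control says it should have been rejected. Checking that the live ledger is still empty afterwards is the safeguard against the data-corruption risk mentioned above.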

Advantages of using CAATs


a) CAATs are likely to be the only effective way of testing programmed controls.
Computer programs often perform functions without leaving visible evidence, and the
controls built into such systems cannot be tested manually. E.g. it is not possible to
test the effective operation of passwords manually;
b) CAATs are quicker and more efficient, enabling the auditor to test a large volume of
transactions quickly and accurately;
c) Once acquired, the use of CAATs is cost effective provided that they can be used across a
large client base;

d) Use of CAATs and especially audit software enables the auditor to test the accounting
system directly rather than relying on printouts which could be doctored by the client.

Disadvantages of CAATs
a) High cost of installation.
b) Requires detailed knowledge of computers.
c) Requires a lot of computer time.
d) May be incompatible with the client's software.
e) Requires a lot of staff training.
f) High rate of obsolescence means constant replacement.

Factors to consider when using CAATs


When planning an audit, the auditor should consider an appropriate combination of manual
techniques and CAATs. In determining whether CAATs should be used, factors to consider
include:
 Computer knowledge, expertise and experience of the auditor. The auditor should have
sufficient knowledge to plan, apply and evaluate the results of the particular CAAT to be
used. The level of knowledge required depends on the complexity and nature of the CAATs
and the entity’s system.
 Availability of suitable CAATs and IT facilities;
 Efficiency and effectiveness of using CAATs over manual techniques. Use of CAATs may
improve the efficiency and effectiveness with which the audit is carried out;
 Impracticability of manual tests. Many CIS process data without leaving any visible evidence
of the processing carried out. In addition, most of the controls are programmed, so that
manual procedures cannot be applied for audit testing. In such circumstances the use of CAATs
is the only way to perform the audit tests;
 Time constraints;
 Integrity of the client's IT system and environment;
 Level of audit risk.

Planning the use of CAATs


The major steps to be undertaken by the auditor in preparing for the application of the selected
CAAT are:
 Set the audit objectives of the CAATs;
 Determine the accessibility and availability of the organization’s IT facilities, programs and
data;
 Define the procedures to be undertaken e.g. statistical sampling, recalculation, etc.;
 Obtain access to the organization’s IT facilities.

Controlling the use of CAATs
The auditor should control the use of CAATs to provide reasonable assurance that the audit
objectives have been met. In controlling the use of CAATs, the auditor should:
 Carry out a technical review of the work involving the use of the CAAT;
 Review the entity’s general controls which may have an effect on the integrity of the CAAT.
E.g. when controls over changes and access to computer files cannot be relied upon then the
client’s computer programs cannot be used to carry out testing by the auditor;
 The auditor should test the software on small test files before running on the main data to
ensure that the CAAT is performing the required tests effectively.

CAATs documentation
The step-by-step CAATs process should be sufficiently documented to provide adequate audit
evidence. The audit work papers should contain sufficient documentation to describe the CAATs
application, including the following details:
 The objective of using the CAAT.
 Specific CAAT to be used.
 Controls to be exercised.
 Details of tests performed.
 Details of input, processing and output.
 Results obtained.
 Description of the audit analysis work performed on the output.
 Audit recommendations.