Chapter 4

TOOLS AND
TECHNIQUES USED
IN AUDITING IT
 Objectives
[Link] auditor productivity tools and describe how they
assist the audit process.
[Link] techniques used to document application
systems, such as flowcharting, and how flowcharts are
developed and appropriate to assist the audit process.
[Link] what Computer-Assisted Audit Techniques
(CAATs) are and describe the role they play in the
performance of audit work.
[Link] how CAATs are used to define sample size and
select the sample.
 Objectives

6. Describe the various CAATs used for reviewing applications,

particularly, the audit command language (ACL) audit software.
7. Describe CAATs used when auditing application
controls.
8. Describe CAATs used in operational reviews.
9. Differentiate between "Auditing Around the
Computer" and "Auditing Through the Computer".
[Link] computer forensics and sources to
evaluate computer forensic tools and techniques.
Audit Productivity Tools

Software that helps auditors

reduce audit time by:

- automating the audit function

and
- integrating information
gathered.
 Tools Help Enhance…
Planning and tracking audit activities
o Through spreadsheets or project
management software
Documentation and presentation
o Through Word processing, flowcharting, etc.
Communication / data transfer
o Immediate communication through electronic
connectivity, centralized servers
 Tools Help Enhance…
Access to data
Access to clients data files or audit work
papers, etc.
Sharing environments
Tools create collaborative environments
(e.g., Groupware)
System Documentation Techniques

to understand client accounting

systems/processes by providing visual
illustration (SAS No. 109)
to identify data sources, relevant
controls, control strengths, control
weaknesses
System Documentation Techniques

Common techniques include:

 Data Flow Diagrams
 Business Process Diagrams

 Flowcharts
 Data Flow Diagrams

Graphically describe the flow of data within an

organization

flow of data includes –

 data sources
 data flows
 transformation processes
 data storage
 data destinations
3-9
Data Flow Diagrams

3-10
 Business Process Diagrams

Visual way to represent activities in a business

process
 [Link] Process - shipping the goods
ordered, billing customers, collecting customer
payments

Show the organizational unit performing the

activity

3-11
Business Process Diagrams

3-12
 Flowcharts

Graphical descriptions of a system showing:

 how business processes are performed
 how documents flow through the organization

Flowcharts specifically show/describe:

 Inputs and Outputs
 Information activities (processing data)

 Data storage
 Data flows

 Decision steps
 Flowchart Development - Steps

1. Understand how financial applications process data

2. Identify documents & their flow through the system
3. Define data elements
4. Develop flowchart diagrams
5. Evaluate quality of system documentation
6. Assess controls over documents
7. Determine the effectiveness of data processing
8. Evaluate the accuracy, completeness, and usefulness
of reports
 Flowcharts

Use standard symbols to describe transaction

processing and the flow of data through a system
 symbolsare drawn using a software such as Visio,
Word, Excel, or PowerPoint

See example in next slide…

Flowcharts
 CAATs
Computer-Assisted Audit Techniques
(CAATs)

Software that helps auditors:

- evaluate application controls
and
- select/analyze computerized
data for substantive audit tests
 Why CAATs?
Many audit Computer
tasks take systems
time becoming highly
complex

Support financial,
application, and Enhance audit
operations type of productivity
audit/reviews
 CAATs in the Audit Process

Auditors responsible for:

 selecting and applying appropriate
audit techniques to conduct their
audit tests
 validating the reliability of systems
and programs with test of actual data
 CAATs in the Audit Process

Used to:
 evaluate integrity of applications
 validate application data:
 examine/test application controls and
 verify processing logic from point of:
 input

 execution of processing steps

 generation of output from specific

application
 CAATs in the Audit Process

Used to:
 select/analyze computerized data for
substantive testing
 determine compliance with procedures
 continuously monitor processing results
 query and analyze large amounts of data, using:
 ACL, IDEA, CA-Easytrieve (T), and SAS
 select sample, analyze data trends, data files
(“J/E testing”)
CAATs assist in following ways…
Identifying Items of Audit
Interest (i.e., potential fraud,
material and unusual items)

Providing grand totals to

validate populations so
auditors can select sample
(Audit Mathematics)

Analyzing, comparing,
and/or summarizing data
(Data Analysis)
 Items of Audit Interest
 Auditors can select material/significant items,
unusual items, or statistical samples of items
 Auditors:
 stipulate specific criteria
 let computers do the sample selection

Ex. Ex. Journal

Transactions of entries posted
$100,000 or on holidays;
more etc.
 Audit Mathematics

 Extensions and footings are tedious

and costly when performed manually

 Let’s take a look at an “Auditing

Accounts Receivable (A/R) file”
scenario…
 Audit Mathematics

Scenario: Auditing A/R file

With CAATs, the computer can be programmed to

select items from an A/R file, and (in the process of
looking at this file) extend and foot all invoicing
transactions.

Because of the speed of the computer, these

calculations can be performed on 100% of the items in a
file with no significant addition of time or cost for this
processing.
 Data Analysis

 CAATs allow computers to:

 compare and summarize data Data
 represent data in graphic form Analysis

Using three techniques

 Data Analysis

1) Histograms - graphical representation

of distribution of data; look for
relationships amongst the data
 Data Analysis
2) Modeling -
comparison
of current
data with
trends or
patterns as
a basis for
evaluating
reasonablen
ess
 Data Analysis

3) Comparative Analysis - compares same

data at different time periods

Example:
 compare yearly financial statements (e.g., Income
Statements, etc.)
 compare previous and current year inventory
balances
 variations in balances could lead to additional
tests (e.g., valuation, potential obsolescence,
etc.)
Comparative Analysis Example
 CAATs for Sampling
CAATs allow for the selection and
definition of the audit sample
 Judgmentally - based on auditor’s
experience
 Statistically - randomly generated
 CAATs for Sampling
Good approach - combine the 2 sample
methods.
 Examples: journal entries, purchase
approvals above certain limits, etc.)
Due professional care must always be
exercised in the application and
interpretation of results
Refer to Exhibit 4.8 for additional
statistical sampling techniques used
 CAATs for Application Reviews

Common techniques to test Applications:

Integrated test facility (built-in test environments)
Test data (auditor provides test transactions)
Parallel simulation (tests separate system)
Popular software packages:
 Audit Command Language (ACL)
 Interactive Data Extraction and Analysis (IDEA)

Refer to Exhibit 4.10 Computer-assisted audit

techniques for computer programs.
Audit Command Language (ACL)

General audit software that reads from

most formats
 e.g.,
databases, text files, de-limited files,
Excel files, etc.
Provides data selection, analysis, and
reporting.
File interrogation tool designed to assist
the audit of applications by handling and
processing large amounts of data.
Audit Command Language (ACL)

ACL functions range from:

(1) identifying negative, minimum, and
maximum balances;
(2) performing statistical sampling and aging
analyses;
(3) identifying duplicates or gaps in sequence
testing; and
(4) performing comparative joining and
matching; among others.
 ACL

Video – ACL Analytics

 Source: [Link]
analytics/
 Time: 2:46min
 Auditing Application Controls
Auditors typically perform procedures with
organization- or client-provided:
 Spreadsheets
 Databases

Spreadsheet or database controls commonly tested:

 checking for mathematical accuracy of records
 validating data input
 performing numerical sequence checks

Auditors must ensure these controls are effectively

implemented to ensure accurate results.
 Spreadsheet Controls
Controls should be
implemented in
spreadsheets to
minimize the risk of
bad data and incorrect
logic.
Some of the key
objectives/controls
that IT Auditors expect to
be in place to minimize
risks in spreadsheet
development and use
include:
Spreadsheet Controls
 Database Controls

Some of the key

objectives and
controls that IT
Auditors expect to
be in place to
minimize risks in
databases
include:
Database Controls
CAATs for Operational Reviews

Several techniques to test Operations:

 ACL, IDEA (file interrogation SW)
 SW Asset Management (SAM)

 Disaster Recovery System (DRS)

Appropriate use and application for above

techniques rely on training, sharing of
experiences, and supervision
 Auditing Around the Computer

Auditor obtains source documents associated with

particular input transactions and reconciles them
against output results
Audit supporting documentation is drawn and
conclusions are reached without considering how
inputs are being processed to provide outputs
 Procedures do not verify/validate whether program logic is
correct, nor it evaluates how the application and its
embedded controls respond to various types of transactions
(anomalies) that can contain errors
Auditing Around the Computer
Auditing Through the Computer

Auditors perform various steps to assess the clients

application system in order to determine reliability of
operations and operating effectiveness of the related
general computer controls (e.g., processing controls,
access controls, etc.)
Has significantly increased and impacted the audit
process
Auditing Through the Computer
 Computer Forensics
Examination, analysis, testing, and
evaluation of computer-based material
conducted to provide relevant and valid
information to a court of law
Fast growing area of CAATs
Computer Forensics Tools
Support law enforcement, computer
security, and computer audit
investigations.
Computer Forensics Tool Testing
(CFTT) Project Web Site at
[Link]
 Homework Problems
Chapter 4:
 Review Questions: [chosen by Instructor]
 Exercises: [chosen by Instructor]

Due: [chosen by Instructor]

END OF CHAPTER 4