Computer Assisted Audit Techniques (CAATs)

Guidance Note on Computer Assisted Audit Techniques (CAATs)*

Contents (paragraph numbers in parentheses)
Introduction (1-2)
Description of Computer Assisted Audit Techniques (CAATs) (3-4)
Considerations in the Use of CAATs (5-14)
    IT Knowledge, Expertise and Experience of the Audit Team (6)
    Availability of CAATs and Suitable Computer Facilities (7-8)
    Impracticability of Manual Tests (9)
    Effectiveness and Efficiency (10-12)
    Time Constraints (13-14)
Using CAATs (15-22)
    Testing CAAT (16)
    Controlling CAAT Application (17-22)
Documentation (23-24)
Arrangements with the Entity (25-27)
Using CAATs in Small Entities (28)
Appendices

* Issued in September, 2003


Handbook of Auditing Pronouncements-II

Introduction
1. The overall objectives and scope of an audit do not change when an
audit is conducted in a computer information systems (CIS) environment. The
application of auditing procedures may, however, require the auditor to
consider techniques known as Computer Assisted Audit Techniques (CAATs)
that use the computer as an audit tool for enhancing the effectiveness and
efficiency of audit procedures. CAATs are computer programs and data that
the auditor uses as part of the audit procedures to process data of audit
significance, contained in an entity’s information systems.
2. The purpose of this Guidance Note is to provide guidance in the use of
CAATs. This Guidance Note describes computer assisted audit techniques
including computer tools, collectively referred to as CAATs. This Guidance
Note applies to all uses of CAATs when a computer of any type or size is
involved whether that computer is operated by the entity or by a third party.
Description of Computer Assisted Audit Techniques (CAATs)
3. Computer Assisted Audit Techniques (CAATs) are important tools for
the auditor in performing audits. CAATs may be used in performing various
auditing procedures, including the following:
• tests of details of transactions and balances, for example, the use of
audit software for recalculating interest or the extraction of invoices
over a certain value from computer records;
• analytical procedures, for example, identifying inconsistencies or
significant fluctuations;
• tests of general controls, for example, testing the set-up or configuration
of the operating system or access procedures to the program libraries
or by using code comparison software to check that the version of the
program in use is the version approved by management;
• sampling programs to extract data for audit testing;
• tests of application controls, for example, testing the functioning of a
programmed control; and
• reperforming calculations performed by the entity’s accounting systems.
4. CAATs allow the auditor to gain access to data without dependence on
the client, test the reliability of client software, and perform audit tests more
efficiently. CAATs are computer programs and data that the auditor uses as
part of the audit procedures to process data of audit significance contained in
an entity’s information systems. CAATs may consist of package programs,
purpose-written programs, utility programs or system management programs.
Regardless of the origin of the programs, the auditor substantiates their
appropriateness and validity for audit purposes before using them. A brief
description of the programs commonly used is given below.
• Package Programs are generalized computer programs designed to
perform data processing functions, such as reading data, selecting and
analyzing information, performing calculations, creating data files and
reporting in a format specified by the auditor.
• Purpose-Written Programs perform audit tasks in specific
circumstances. These programs may be developed by the auditor, the
entity being audited or an outside programmer hired by the auditor. In
some cases, the auditor may use an entity’s existing programs in their
original or modified state because it may be more efficient than
developing independent programs.
• Utility Programs are used by an entity to perform common data processing
functions, such as sorting, creating and printing files. These programs are
generally not designed for audit purposes, and therefore may not contain
features such as automatic record counts or control totals.
• System Management Programs are enhanced productivity tools that are
typically part of a sophisticated operating systems environment, for
example, data retrieval software or code comparison software. As with
utility programs, these tools are not specifically designed for auditing use
and their use requires additional care.
Details of some of the techniques used are mentioned in the Appendix.
Considerations in the Use of CAATs
5. When planning an audit, the auditor may consider an appropriate
combination of manual and computer assisted audit techniques. In
determining whether to use CAATs, the factors to consider include:
• the IT knowledge, expertise and experience of the audit team;
• the availability of CAATs and suitable computer facilities and data;
• the impracticability of manual tests;
• effectiveness and efficiency; and
• time constraints.
Before using CAATs the auditor considers the controls incorporated in the
design of the entity’s computer systems to which CAAT would be applied in
order to determine whether, and if so, how, CAATs should be used.
IT Knowledge, Expertise and Experience of the Audit Team
6. Standard on Auditing (SA) 401, “Auditing in a Computer Information
Systems Environment” deals with the level of skill and competence the audit
team needs to conduct an audit in a CIS environment. It provides guidance
when an auditor delegates work to assistants with CIS skills or when the
auditor uses work performed by other auditors or experts with such skills.
Specifically, the audit team should have sufficient knowledge to plan,
execute and use the results of the particular CAAT adopted. The level of
knowledge required depends on “availability of CAATs” and “suitable
computer facilities”.
Availability of CAATs and Suitable Computer Facilities
7. The auditor considers the availability of CAATs, suitable computer
facilities and the necessary computer-based information systems and data.
The auditor may plan to use other computer facilities when the use of CAATs
on an entity’s computer is uneconomical or impractical, for example, because
of an incompatibility between the auditor’s package program and entity’s
computer. Additionally, the auditor may elect to use their own facilities, such
as PCs or laptops.
8. The cooperation of the entity’s personnel may be required to provide
processing facilities at a convenient time, to assist with activities such as
loading and running of CAAT on the entity’s system, and to provide copies of
data files in the format required by the auditor.
Impracticability of Manual Tests
9. Some audit procedures may not be possible to perform manually
because they rely on complex processing (for example, advanced statistical
analysis) or involve amounts of data that would overwhelm any manual
procedure. In addition, many computer information systems perform tasks for
which no hard copy evidence is available and, therefore, it may be
impracticable for the auditor to perform tests manually. The lack of hard copy
evidence may occur at different stages in the business cycle.
• Source information may be initiated electronically, such as by voice
activation, electronic data imaging, or point of sale electronic funds
transfer. In addition, some transactions, such as discounts and interest
calculations, may be generated directly by computer programs with no
specific authorization of individual transactions.
• A system may not produce a visible audit trail providing assurance as to
the completeness and accuracy of transactions processed. For
example, a computer program might match delivery notes and suppliers’
invoices.
• In addition, programmed controlled procedures, such as checking
customer credit limits, may provide hard copy evidence only on an
exception basis.
• A system may not produce hard copy reports. In addition, a printed
report may contain only summary totals while computer files retain the
supporting details.
Effectiveness and Efficiency
10. The effectiveness and efficiency of auditing procedures may be
improved by using CAATs to obtain and evaluate audit evidence. CAATs are
often an efficient means of testing a large number of transactions or controls
over large populations by:
• analyzing and selecting samples from a large volume of transactions;
• applying analytical procedures; and
• performing substantive procedures.
11. Matters relating to efficiency that an auditor might consider include:
• the time taken to plan, design, execute and evaluate CAAT;
• technical review and assistance hours;
• designing and printing of forms (for example, confirmations); and
• availability of computer resources.
12. In evaluating the effectiveness and efficiency of CAAT, the auditor
considers the continuing use of CAAT application. The initial planning,
design and development of CAAT will usually benefit audits in subsequent
periods.
Time Constraints
13. Certain data, such as transaction details, are often kept for a short
time and may not be available in machine-readable form by the time the auditor
wants them. Thus, the auditor will need to make arrangements for the
retention of data required, or may need to alter the timing of the work that
requires such data.
14. Where the time available to perform an audit is limited, the auditor
may plan to use CAAT because its use will meet the auditor’s time
requirement better than other possible procedures.
Using CAATs
15. The major steps to be undertaken by the auditor in the application of
CAAT are to:
(a) set the objective of CAAT application;
(b) determine the content and accessibility of the entity’s files;
(c) identify the specific files or databases to be examined;
(d) understand the relationship between the data tables where a database is
to be examined;
(e) define the specific tests or procedures and related transactions and
balances affected;
(f) define the output requirements;
(g) arrange with the user and IT departments, if appropriate, for copies of
the relevant files or database tables to be made at the appropriate cut off
date and time;
(h) identify the personnel who may participate in the design and application
of CAAT;
(i) refine the estimates of costs and benefits;
(j) ensure that the use of CAAT is properly controlled;
(k) arrange the administrative activities, including the necessary skills and
computer facilities;
(l) reconcile data to be used for CAAT with the accounting and other
records;
(m) execute CAAT application;
(n) evaluate the results;
(o) document CAATs to be used including objectives, high level flowcharts
and run instructions; and
(p) assess the effect of changes to the programs/system on the use of
CAAT.

Testing CAAT
16. The auditor should obtain reasonable assurance of the integrity,
reliability, usefulness, and security of CAAT through appropriate planning,
design, testing, processing and review of documentation. This should be
done before reliance is placed upon CAAT. The nature, timing and extent of
testing is dependent on the commercial availability and stability of CAAT.
Controlling CAAT Application
17. The specific procedures necessary to control the use of CAAT depend
on the particular application. In establishing control, the auditor considers the
need to:
(a) approve specifications and conduct a review of the work to be performed
by CAAT;
(b) review the entity’s general controls that may contribute to the integrity of
CAAT, for example, controls over program changes and access to
computer files. When such controls cannot be relied on to ensure the
integrity of CAAT, the auditor may consider processing CAAT application
at another suitable computer facility; and
(c) ensure appropriate integration of the output by the auditor into the audit
process.
18. Procedures carried out by the auditor to control CAATs applications may
include:
(a) participating in the design and testing of CAAT;
(b) checking, if applicable, the coding of the program to ensure that it
conforms with the detailed program specifications;
(c) asking the entity’s staff to review the operating system instructions to
ensure that the software will run in the entity’s computer installation;
(d) running the audit software on small test files before running it on the
main data files;
(e) checking whether the correct files were used, for example, by checking
external evidence, such as control totals maintained by the user, and
that those files were complete;
(f) obtaining evidence that the audit software functioned as planned, for
example, by reviewing output and control information; and
(g) establishing appropriate security measures to safeguard the integrity and
confidentiality of the data.
When the auditor intends to perform audit procedures concurrently with
online processing, the auditor reviews those procedures with appropriate
client personnel and obtains approval before conducting the tests to help
avoid the inadvertent corruption of client records.
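Added example, not part of the Guidance Note: steps 15(l) and 18(d) to 18(f) in practice, as a Python routine that reconciles an extracted file with the user's control totals before any audit test is run on it. The file layout, column names and all figures are constructed for illustration.

```python
import csv
import hashlib
import io
from collections import Counter
from decimal import Decimal, InvalidOperation

# Constructed extract; the column names are assumptions for this example.
# Invoice 1004 is missing and invoice 1003 appears twice.
SAMPLE_EXTRACT = """invoice_no,customer_id,amount
1001,C01,1250.00
1002,C02,310.50
1003,C01,99.95
1003,C01,99.95
1005,C03,4800.00
"""

# Constructed control totals, as a user department might maintain them.
SAMPLE_CONTROLS = {
    "record_count": 5,
    "amount_total": Decimal("6960.45"),
    "hash_total": 5015,  # sum of invoice numbers; meaningful only as a check
}

# 18(d): a small test file with known totals, run before the main file.
SMALL_TEST_FILE = "invoice_no,customer_id,amount\n1,T01,10.00\n2,T02,20.00\n"
SMALL_TEST_CONTROLS = {
    "record_count": 2,
    "amount_total": Decimal("30.00"),
    "hash_total": 3,
}


def load_rows(extract_text):
    """Parse the extract; unusable rows are set aside by line number."""
    rows, rejected = [], []
    reader = csv.DictReader(io.StringIO(extract_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        try:
            amount = Decimal(row["amount"])
            if not amount.is_finite():
                raise ValueError("non-finite amount")
            rows.append((int(row["invoice_no"]), amount))
        except (KeyError, TypeError, ValueError, InvalidOperation):
            rejected.append(line_no)
    return rows, rejected


def reconcile(extract_text, controls):
    """Compare the extract with the control totals (18(e)) and return the
    evidence to file in the working papers (18(f))."""
    rows, rejected = load_rows(extract_text)
    numbers = [number for number, _ in rows]
    computed = {
        "record_count": len(rows),
        "amount_total": sum((amount for _, amount in rows), Decimal("0")),
        "hash_total": sum(numbers),
    }
    differences = {key: computed[key] - controls[key]
                   for key in controls if computed[key] != controls[key]}
    present = set(numbers)
    gaps = [n for n in range(min(present), max(present) + 1)
            if n not in present] if present else []
    duplicates = sorted(n for n, count in Counter(numbers).items() if count > 1)
    return {
        "sha256": hashlib.sha256(extract_text.encode("utf-8")).hexdigest(),
        "computed": computed,
        "differences": differences,
        "rejected_lines": rejected,
        "sequence_gaps": gaps,  # reported for follow-up; may be legitimate
        "duplicates": duplicates,
        "reconciled": not (differences or rejected or duplicates),
    }


if __name__ == "__main__":
    assert reconcile(SMALL_TEST_FILE, SMALL_TEST_CONTROLS)["reconciled"]
    for key, value in reconcile(SAMPLE_EXTRACT, SAMPLE_CONTROLS).items():
        print(f"{key}: {value}")
```

On the constructed file the record count agrees with the control total while the amount and hash totals do not, which is why more than one control total is reconciled.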
19. To ensure appropriate control procedures, the presence of the auditor is
not necessarily required at the computer facility during the running of CAAT.
It may, however, provide practical advantages, such as being able to control
distribution of the output and ensuring the timely correction of errors, for
example, if the wrong input file were to be used.
20. Audit procedures to control test data applications may include:
• controlling the sequence of submissions of test data where it spans
several processing cycles;
• performing test runs containing small amounts of test data before
submitting the main audit test data;
• predicting the results of the test data and comparing it with the actual
test data output, for the individual transactions and in total;
• confirming that the current version of the programs was used to process
the test data; and
• testing whether the programs used to process the test data were the
programs the entity used throughout the applicable audit period.
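Added example, not part of the Guidance Note: a Python harness that submits a test deck in cycle order and compares predicted with actual results, per transaction and in total, as paragraph 20 describes. The credit-limit control, its assumed specification (accept when balance plus order does not exceed the limit), the function names and the test deck are all hypothetical and constructed for illustration.

```python
from decimal import Decimal


def entity_credit_check(balance, limit, order):
    """Hypothetical stand-in for the entity's program (an assumption).
    Seeded defect: '<' rejects an order that lands exactly on the limit."""
    return "ACCEPT" if balance + order < limit else "REJECT"


def reference_credit_check(balance, limit, order):
    """The assumed specification, used here only to show a clean run."""
    return "ACCEPT" if balance + order <= limit else "REJECT"


# Constructed test deck: (id, processing cycle, balance, limit, order,
# predicted result). Predictions are made before the run, from the
# assumed specification, and include the boundary case TD2.
TEST_DECK = [
    ("TD3", 2, "900.00", "1000.00", "100.01", "REJECT"),
    ("TD1", 1, "0.00", "1000.00", "500.00", "ACCEPT"),
    ("TD2", 1, "900.00", "1000.00", "100.00", "ACCEPT"),
    ("TD4", 2, "1000.00", "1000.00", "0.01", "REJECT"),
]


def run_test_deck(program, deck):
    """Submit the deck in cycle order and compare predicted with actual
    results for each transaction and in total."""
    submitted, exceptions = [], []
    predicted_total = actual_total = Decimal("0")
    for case in sorted(deck, key=lambda c: (c[1], c[0])):
        case_id, _cycle, balance, limit, order, predicted = case
        order_value = Decimal(order)
        actual = program(Decimal(balance), Decimal(limit), order_value)
        submitted.append(case_id)
        if predicted == "ACCEPT":
            predicted_total += order_value
        if actual == "ACCEPT":
            actual_total += order_value
        if actual != predicted:
            exceptions.append((case_id, predicted, actual))
    return {
        "submitted": submitted,
        "exceptions": exceptions,
        "predicted_total": predicted_total,
        "actual_total": actual_total,
    }


if __name__ == "__main__":
    for name, program in (("entity", entity_credit_check),
                          ("reference", reference_credit_check)):
        print(name, run_test_deck(program, TEST_DECK))
```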
21. When using CAAT, the auditor may require the cooperation of entity staff
with extensive knowledge of the computer installation. In such
circumstances, the auditor considers whether the staff improperly influenced
the results of CAAT.
22. Audit procedures to control the use of audit-enabling software may
include:
• verifying the completeness, accuracy and availability of the relevant
data, for example, historical data may be required to build a financial
model;
• reviewing the reasonableness of assumptions used in the application of
the tool set, particularly, when using modeling software;
• verifying availability of resources skilled in the use and control of the
selected tools; and
• confirming the appropriateness of the tool set to the audit objective, for
example, the use of industry specific systems may be necessary for the
design of audit programs for unique business cycles.
Documentation
23. The various stages of application of CAATs should be sufficiently
documented to provide adequate audit evidence.
24. The audit working papers should contain sufficient documentation to
describe CAAT application, including the details set out in the sections
below:
(a) Planning
• CAAT objectives;
• CAAT to be used;
• Controls to be exercised; and
• Staffing, timing and cost.
(b) Execution
• CAAT preparation and testing procedures and controls;
• Details of the tests performed by CAAT;
• Details of inputs (e.g., data used, file layouts), processing (e.g.,
CAATs high-level flowcharts, logic) and outputs (e.g., log files,
reports);
• Listing of relevant parameters or source code; and
• Relevant technical information about the entity’s accounting
system, such as file layouts.
(c) Audit Evidence
• Output provided;
• Description of the audit work performed on the output;
• Audit findings; and
• Audit conclusions.
(d) Other
• Recommendations to the entity management.
In addition, it may be useful to document suggestions for using CAAT in
future years.
Arrangements with the Entity
25. The auditor may make arrangements for the retention of the data files,
such as detailed transaction files, covering the appropriate audit time frame.
26. In order to minimize the effect on the organisation’s production
environment, access to the organisation’s information system facilities,
programs/systems and data should be arranged well in advance of the
needed time period.
27. The auditor should also consider the effect of these changes on the
integrity and usefulness of CAAT, as well as the integrity of the
programs/system and data used by the auditor.
Using CAATs in Small Entities
28. Although the general principles outlined in this Guidance Note apply in
small entity IT environments, the following points need special consideration:
(a) The level of general controls may be such that the auditor will place less
reliance on the system of internal control. This will result in greater
emphasis on tests of details of transactions and balances and analytical
review procedures, which may increase the effectiveness of certain
CAATs, particularly, audit software.
(b) Where smaller volumes of data are processed, manual methods may be
more cost effective.
(c) A small entity may not be able to provide adequate technical assistance
to the auditor, making the use of CAATs impracticable.
(d) Certain audit package programs may not operate on small computers,
thus restricting the auditor’s choice of CAATs. The entity’s data files
may, however, be copied and processed on another suitable computer.

Appendix

Examples of Computer Assisted Audit Techniques

Each technique is listed with its description, advantages and disadvantages.

Audit Automation
Description:
• Expert Systems
• Tools to evaluate a client’s risk management procedures
• Electronic working papers, which provide for the direct extraction of data from client’s computer records
• Corporate and financial modeling programs for use as predictive audit test
Advantages:
• These techniques are more useful when auditors are using laptops which can be directly linked with the entity’s system.
Disadvantages:
• Not applicable in the case of mainframe computers.

Audit Software
Description: Software used by the auditor to read data on client’s files, to provide information for the audit and/or to re-perform procedures carried out by the client’s programs.
Advantages:
• Performs a wide variety of audit tasks
• Long term economies
• Reads actual records
• Capable of dealing with large volumes of transactions
Disadvantages:
• Requires a reasonable degree of skill to use
• Initial set up costs can be high
• Adaptation often needed from machine to machine

Core Image Comparison
Description: Software used by the auditor to compare the executable version of a program with a secure master copy
Advantages:
• Provides a high degree of comfort concerning the executable version of the program
• Particularly useful where only executable versions are distributed
Disadvantages:
• Requires a high degree of skill to set up and to interpret the results.
• Where programs have been recompiled the comparison may be invalidated as the program records everything as a difference
• Printouts are hard to interpret and the actual changes made are difficult to establish
• Availability restricted to certain machine types

Database Analysers
Description: Software used by the auditor to examine the rights associated with terminals and the ability of users to access information on a database
Advantages:
• Provides detailed information concerning the operation of the database
• Enhances the auditor’s understanding of the database management system
Disadvantages:
• Requires a high degree of skill to set up and to interpret the results
• Restricted availability both as regards machine types and database management systems
• Specific and limited audit applicability

Embedded Code
Description: Software used by the auditor to examine transactions passing through the system by placing his own program in the suite of programs used for processing.
Advantages:
• Performs a wide variety of audit tasks
• Examines each transaction as it passes through the system
• Operates continuously
• Capable of identifying unusual transactions passing through the system.
Disadvantages:
• There is a processing overhead involved because of the extra programs
• Definition of what constitutes an unusual transaction needs to be very precise
• Precautions need to be taken over the output from the programs to ensure its security
• Precautions need to be taken to ensure that the program cannot be suppressed or tampered with
• Requires some degree of skill to use and to interpret the results

Log Analysers
Description: Software used by the auditor to read and analyse records of machine activity
Advantages:
• Provides detailed information on machine usage.
• Long term economies
• Effective when testing integrity controls
Disadvantages:
• Requires a high degree of skill to use and to interpret the results
• Limited availability as regards machine types
• High volume of records restricts extent of test

Mapping
Description: Software used by the auditor to list unused program instructions
Advantages:
• Identifies program code which may be there for fraudulent reasons.
Disadvantages:
• Very specific objective
• Requires a high degree of skill to use and to interpret the results
• Adaptation needed from machine to machine.

Modelling
Description: A variety of software, usually associated with a microcomputer, enabling the auditor to carry out analytical reviews of client’s results, to alter conditions so as to identify amounts for provisions or claims, or to project results and compare actual results with those expected
Advantages:
• Can be a very powerful analytical tool
• Can enable the auditor to examine provisions on a number of different bases
• Very flexible in use
• Can provide the auditor with useful information on trends and patterns
Disadvantages:
• A high volume of data may need to be entered initially
• Results require careful interpretation

On-line Testing
Description: Techniques whereby the auditor arranges or manipulates data either real or fictitious, in order to see that a specific program or screen edit test is doing its work
Advantages:
• Very widely applicable
• Easy to use
• Can be targeted for specific functions carried out by programs
Disadvantages:
• Each use satisfies only one particular objective
• Care must be taken to ensure that “live” data does not impact actual results

Program Code Analysis
Description: An examination by the auditor of the source code of a particular program with a view to following the logic of the program so as to satisfy himself that it will perform according to his understanding
Advantages:
• Gives a reasonable degree of comfort about the program logic
• The auditor can examine every function of the program code
Disadvantages:
• The auditor must understand the program language
• The auditor needs to check that the source code represents the version in the source library, and that this version equates to the executable version

Program Library Analysers
Description: Software used by the auditor to examine dates of changes made to the executable library and the use of utilities to amend programs
Advantages:
• Provides the auditor with useful information concerning the program library
• Identifies abnormal changes to the library
• Useful when testing program security
Disadvantages:
• Requires a high degree of skill to use and to interpret the results
• Availability restricted to certain machine types
• Only relevant when testing integrity controls

Snapshots
Description: Software used by the auditor to take a “picture” of a file of data or a transaction passing through the system at a particular point in time
Advantages:
• Permits the auditor to examine processing at a specific point in time to carry out tests, or to confirm the way a particular aspect of the system operates
Disadvantages:
• Can be expensive to set up

Source Comparison
Description: Software used by the auditor to compare the source version of a program with a secure master copy
Advantages:
• Compares source code line by line and identifies all differences
• Useful when testing integrity controls or particularly important program procedures
Disadvantages:
• Other procedures are necessary to ensure that the executable version reflects the source code examined
• Requires some degree of skill to use and to interpret the results
• Availability restricted to certain machine types

Test Data - “Live”, “Dead”, Integrated Test Facility or Base Case System Evaluation
Description: Fictitious data applied against the client’s programs either whilst they are running or in an entirely separate operation. The results of processing the fictitious data are compared with the expected results based on the auditor’s understanding of the programs involved
Advantages:
• Performs a wide variety of tasks
• Gives considerable comfort about the operation of programs
• Can be precisely targeted for specific procedures within programs
• Long term economies
Disadvantages:
• “Dead” test data requires additional work for the auditor to satisfy himself the right programs were used
• Care must be taken to ensure that “live” data does not impact actual results
• Technique can be expensive to set up and cumbersome to use
• Adequate for detection of major error but less likely to detect deep-seated fraud

Tracing
Description: Software used by the auditor to identify which instructions were used in a program and in what order
Advantages:
• Helps to analyse the way in which a program operates
Disadvantages:
• There may be less costly ways to achieve the same objectives, although not in the same detail
• Requires a high degree of skill to use and to interpret the results
• Adaptation needed from machine to machine