
A Guide to E-Auditing

Chartech Books Business and Information Systems Series

In association with
Sponsor’s Message

AuditWare Systems was established 22 years ago when Brendan Walsh, its
managing director, first came across IDEA during a business trip to Canada,
whilst working at the ICAEW. IDEA was originally developed by the Canadian
Institute of Chartered Accountants and was acquired by CaseWare International
Inc. in early 2000.
During the entire 22 year period, AuditWare has been the official distributor
in both the UK and Ireland, and has been in the enviable position of both
experiencing and contributing to the development of this amazing piece of
software.

What is IDEA?
IDEA is a Computer Assisted Audit Tool, an Interactive Data Extraction and
Analysis tool. Through a unique and powerful combination of data access,
analysis and integrated reporting capabilities, IDEA is able to import data from
virtually any source, across any system, through a consistent user interface –
whether housed in mainframes, servers, legacy systems, or PC networks. By
independently comparing and analysing data from ERP, CRM, SCM, or other
enterprise applications, IDEA enables audit, financial, and control professionals
to gain immediate insight into the transactional data underlying their business
processes and financial reporting.
The key distinctions of IDEA include:
• Enterprise-wide data access: Leverage the critical data housed in multiple ERP
systems, legacy systems, or customised applications to conduct the in-depth
analysis necessary in today’s complex business and regulatory environments.
With seamless, independent data access you are able to save time and
reduce the need to request data extracts from busy IT departments, as well
as analyse data at the source level, assuring data quality and integrity are
maintained.
• Ability to analyse high transaction volumes quickly and efficiently: IDEA
is able to analyse over 2 billion records, ensuring the analysis of all data
(every field and/or record of interest) – and to do this independently of any
application that actually processes and records the transactions.
• Purpose-built analysis and reporting capabilities: Cut the time needed for
audit and compliance reviews with powerful, robust IDEA analytics – ranging
from simple classification commands through to sophisticated tests and
digital analysis. Compare data drawn from disparate systems to gain greater
insight, identifying suspicious transaction patterns, trends, anomalies, and
control gaps or weaknesses.
• Efficiency, effectiveness, scalability and sustainability: Automate critical
analytic tests to improve productivity and efficiency, combining this with a
comprehensive audit trail.
• With market-leading IDEA technology, organisations can better assure
compliance, reduce risk and fraud, contain costs, minimise revenue leakage,
and enhance profitability. Audit and control professionals consistently rate
IDEA as the preferred audit-specific software for data analysis and extraction,
fraud detection, and continuous monitoring.
In conclusion, we would like to thank the ICAEW for providing us with the
opportunity of being involved with this publication and look forward to
receiving any feedback.
A Guide to E-Auditing

by Nigel Lewis
This report is published by the Faculty of Information Technology of
the Institute of Chartered Accountants in England and Wales. The views
expressed do not necessarily reflect those of the Council of the Institute.
Copyright © 2009 ICAEW
All rights reserved. No part of this publication may be reproduced,
stored in a retrieval system or transmitted in any form or by any means,
electronic, mechanical, photocopying, recording or otherwise without the
prior permission of the publisher.
No responsibility for any loss occasioned to any person acting or refraining
from action as a result of any material in this publication can be accepted
by the publisher.
ISBN 978-1-84152-825-0
Contents

Preface 4
1. Introduction 5
2. Uses and Benefits of CAATs 6
3. Generic Approach 8
4. Major CAATs Techniques 11
   Live interrogation 11
   Offline interrogation 12
   Continuous auditing 12
   Data mining 13
5. Detailed Review Techniques 15
6. Top Tips 17
Appendix A: Further Information Resources 18
Appendix B: Examples of E-Auditing Software 19
4 A Guide To e-Auditing

Preface

The audience for this publication is management. It may also be of interest
to auditors and investigators. It is directed in particular to accountants in
management positions.
There should be enough detail to enable them to work directly on defining
the scope of useful data review and investigation tasks (possibly through the
agency of internal auditors, risk management teams or compliance teams) and
to help them manage these tasks through to a successful conclusion.
The overall objective of the publication is to describe the types of review,
audit and investigation procedures that can be done using such techniques
(including coverage of the interest of regulators in this approach), to highlight
the power of these techniques and to identify and explain some of the reasons
why, and circumstances in which, you might want to use them.
The guidance in this publication can also act as an executive overview of data
review and investigation techniques for senior management who have no need
to understand the detail.

1. Introduction
E-auditing is a generic term that covers a number of similar activities. Other
popular terms include ‘Interrogations’, and CAATs (Computer Assisted Audit
Techniques) or CAATTs (Computer Assisted Audit Tools and Techniques). More
recently ‘continuous auditing’ and ‘data mining’ have also emerged.
In essence it is the use of computers and computer software to extract useful
information from an organisation’s computer systems.
For the purposes of this guide the term CAAT(s) will be used to describe all of
the above. The guide will outline their uses, provide examples, and identify the
challenges and solutions in making use of these techniques.
CAATs can be used by:
• External auditors conducting a statutory audit;
• Internal auditors as an element within the regular cycle of internal audit;
• Reporting accountants as part of an assurance assignment or due diligence
process;
• Regulators or government agencies, such as HMRC, carrying out routine
checks, enquiries or investigations;
• Management in business functions such as Finance or Sales departments.
In some cases a separate computer and associated software will be used to run
the CAAT, perhaps on a PC. In other cases just a separate piece of software
will be used, which will run on the same computer as the business application
under review.
In one large organisation, £5 million in duplicate invoice payments to suppliers
was identified, within a matter of days, by using CAATs on the purchase ledger.
It was embarrassing that the auditors found the error, but it also proved the
power and value that CAATs can bring to a business.
A key difference and a real benefit of using CAATs over more traditional (audit)
sampling techniques, is that with CAATs it is possible to investigate and test
100% of the population under review. For example you can cover 100% of all
transactions in a month, rather than simply examining a very small sample of
the transactions.
Ideally, the use of CAATs should be more widespread within organisations.
There are excellent tools available at reasonable costs; there are training
courses available, and plenty of resources to hand, particularly on the internet.
One possible reason for their lack of use is that there are sometimes technical
and practical challenges to be overcome. Initial enthusiasm can be muted by
technical problems. However, these challenges can be overcome, as this guide
will illustrate.
Business information systems are getting ever more complex, and IT staff are
usually fully occupied keeping these running, and developing new systems.
However, it is possible to develop CAATs capabilities within an organisation
through the use of specialist IT staff, in the first instance, in conjunction with
knowledgeable business staff and to subsequently utilise these on a cost
effective and regular basis.

2. Uses and Benefits of CAATs
CAATs have been used by internal and external audit staff since the 1960s.
They use them to ascertain if controls are operating correctly or otherwise,
because in this increasingly computerised world it is difficult to see the
application controls, since they are built into the system. CAATs enable a
‘window’ on the data and controls within computer systems. This can be
largely independent of the application system and normal processing, which
can be a huge advantage when an objective, independent view is required.
A more recent use of CAATs by auditors, and other review functions, such as
the Risk Department, is to use them initially at the planning stage of a review,
to scan the whole possible population of data in order to ascertain if the review
should be commissioned, and to identify what are the potentially higher risk
areas to focus on, should the review go ahead.
There has been an increasing trend in the CAATs space for auditors to
perform CAATs on systems, as part of the audit process, in various business
departments, and for them to then persuade the business to use the same
techniques and tools as part of normal business operations. The use of CAATs in
normal business operations has huge potential. It has the benefit of improving
the control environment, and increases the armoury of business units in the
early detection of potential fraud or unauthorised activity.
Judicious use of CAATs can also help to overcome shortcomings in existing
application systems, in a pragmatic manner. For example, it may be too
complex or too expensive to have existing application systems modified in
order to meet new requirements, particularly in the area of reporting. In such
instances CAATs can be used to deliver new functionality, e.g. by extracting
a chunk of information, say each month, from the application system, and
then to ‘slice and dice’ the information, perhaps offline on a PC, in all sorts of
useful ways that were not envisaged when the requirements of the system were
initially specified.
CAATs are used to help ensure Regulatory compliance, e.g. for Sarbanes-Oxley
section 404 (SOX) testing. Here the benefits of rigorous, repeatable, evidenced
testing, covering a 100% sample make CAATs worthy of inclusion in SOX work.
CAATs are particularly useful in determining if data is sufficiently correct for
reporting requirements; or if automated control processing is operating as
required by management or mandated by government agencies or regulators.
Specifically, it can address matters ‘hidden’ in the automated processes; for
example, complex computations, transaction generation, the maintaining of
accrual and prepayment records or the application of access controls.
CAATs can be used to help managers, auditors and investigators:
• To investigate whether programs are performing as expected or not, to
identify systems or programmed processes that are not following their own
rules;
• To perform analysis of data, including summaries, averages, stratification and
profiles of the areas under review;
• To confirm the correctness of calculations (e.g. VAT or payroll deduction
calculations) or to identify calculations that are incorrect;
• To confirm that relationships between data items (or groups of data items)
are correct, or to identify relationships that are not as expected;
• To discover when stored data (including archive data and accumulated
values) is inconsistent in relation to other data items;
• To provide evidence that a control procedure (e.g. the correct operation of
authorisation limits such as credit limits or payroll grade boundaries) has
been operating as expected – or that it has not;
• To identify when transfers of data between independent systems, such
as order processing and invoicing or delivery systems, and invoicing and
processing systems, have not been properly made;
• To identify gaps in sequences or duplicates e.g. invoices and payments,
or missing (but expected) information, such as regular purchases or other
outgoings;
• To re-perform transaction processing or reporting functions, for checking
against reports used by management.
• To facilitate the analysis of log files of processing activities, incidents and
events, for example attempts at logins that possess characteristics suggesting
that they might be unauthorised;
• To identify unusual or unexpected transactions (e.g. large journal postings,
transactions entered at unusual times).
Systems can be set up to regularly perform some of the above tests of the data
on a system. For example each transaction can be examined and exceptions
flagged up, or the activities within a specific time period, such as a week, can
be summarised and any thresholds that have been breached can be identified.
This is known as ‘continuous auditing’, and is described in more detail in
section 4.
An increasingly popular field of CAATs is termed ‘data mining’, which is
also covered in section 4. This aims to extract useful information from an
organisation’s existing systems in order to, for example, derive operational
efficiencies or assist in marketing activities.

3. Generic Approach
Like any worthwhile activity, the approach you take is key to the success or
otherwise of the endeavour. Never is this more so than when computers are
involved! A planned, structured approach to using CAATs is not only useful, it
is absolutely essential if you are going to achieve something meaningful and
useful at the end.
The key considerations in a generic approach to CAATs are described below:
Objectives: It is necessary to clarify what the objectives are for using CAATs.
It is all too easy, when addressing CAATs challenges, to burn up resources and
lose sight of what is needed to be achieved.
Timescales: Start early, and put a realistic plan together. If you want answers
next week, you should have started several weeks ago (maybe months ago for
the more complex CAATs).
Resources: Identify what budget you have to expend on these activities, and
compare it to the likely benefits; what resources you have to hand, firstly within
your area of influence, and what other resources e.g. IT, you will need. Ensuring
success almost inevitably means involving the IT function. There will be cost
and timescale implications – see above. What may appear straightforward,
could be very involved in IT terms. A word of caution: for audit work involving
CAATs, an IT person could potentially compromise the results of CAATs work,
and therefore the independence of the audit work. Audit staff need to take this
into account, but it should not be a blocker to the CAATs being performed.
Integrity checks: Whatever CAATs method is used, it is necessary to ensure that
the process incorporates integrity, such as completeness checks. If, for example,
three separate months of sales ledger data are being extracted from, say, three
separate files, and then aggregated and reviewed on a PC, it is essential to
ensure that all records have arrived at the PC. In this simple example the record
count of the three separate files in the ledger system would be compared to
the aggregated total on the PC to detect if any had got ‘lost’ in the process.
CAAT packages usually have facilities to enable such integrity checking,
including hash totalling. Hash totalling can be applied to, for example, a batch
of invoice numbers, before and after a transfer from one system to another.
The hash total is a meaningless figure on its own, but by comparing the two
hash totals, assurance is given that all the invoice records have been transferred
satisfactorily.
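The integrity check just described, worked through as an added Python example (it is not code from the guide or from any CAAT package): three constructed monthly extract files are totalled on the source system, and the PC side compares record count and the additive hash total of invoice numbers after aggregation. The example also goes one step beyond the guide's hash total: an additive total over invoice numbers detects a lost record but not an altered amount, so a SHA-256 digest over the full records (an assumption of this example, not a facility the guide describes) is compared as well.

```python
import hashlib

# Constructed sample: three monthly sales ledger extract files as they exist on
# the ledger system before transfer. Each record is (invoice_number, customer, amount).
SOURCE_FILES = {
    "sales_2009_01.csv": [(10001, "C100", 250.00), (10002, "C101", 80.50), (10003, "C100", 1200.00)],
    "sales_2009_02.csv": [(10004, "C102", 45.00), (10005, "C101", 310.75)],
    "sales_2009_03.csv": [(10006, "C103", 99.99), (10007, "C100", 640.00), (10008, "C104", 15.00)],
}


def control_totals(records):
    """Record count plus the classic additive hash total over invoice numbers."""
    return {"count": len(records), "hash_total": sum(r[0] for r in records)}


def content_digest(records):
    """Order-independent SHA-256 over whole records.
    Assumption of this example: an addition beyond the guide's additive hash total,
    needed to detect a record whose amount changed but whose invoice number did not."""
    h = hashlib.sha256()
    for inv, cust, amt in sorted(records):
        h.update(f"{inv}|{cust}|{amt:.2f}\n".encode())
    return h.hexdigest()


def totals_at_source(files):
    """Run on the ledger system before transfer: per-file and aggregated totals."""
    all_records = [r for recs in files.values() for r in recs]
    return {
        "per_file": {name: control_totals(recs) for name, recs in files.items()},
        "aggregate": control_totals(all_records),
        "digest": content_digest(all_records),
    }


def verify_on_pc(expected, received):
    """Run on the PC after transfer and aggregation.
    Returns a list of problems; an empty list means the extract arrived complete."""
    got = control_totals(received)
    problems = []
    if got["count"] != expected["aggregate"]["count"]:
        problems.append(f"record count {got['count']} != {expected['aggregate']['count']}")
    if got["hash_total"] != expected["aggregate"]["hash_total"]:
        problems.append("hash total of invoice numbers differs")
    if content_digest(received) != expected["digest"]:
        problems.append("content digest differs")
    return problems


if __name__ == "__main__":
    expected = totals_at_source(SOURCE_FILES)
    received = [r for recs in SOURCE_FILES.values() for r in recs]
    print("intact transfer:", verify_on_pc(expected, received) or "complete")
    print("one record lost:", verify_on_pc(expected, received[:-1]))
    altered = received[:2] + [(10003, "C100", 1200.01)] + received[3:]
    print("amount altered:", verify_on_pc(expected, altered))
```

The totals must be taken on the source system before the transfer and carried to the PC separately from the data file (for example in the request email or the working papers); if they travel inside the same file, a corrupted transfer can corrupt the evidence of its own completeness.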
Training: Where there are skill gaps, investigate appropriate training,
particularly on using PC-based packages. A PC-literate, enthusiastic person can
achieve significant results with such packages with a little training.
Regulation/security: Depending on the industry sector of the organisation,
and information under review, the appropriate regulations and policies,
external and internal, need to be adhered to when performing CAATs. Ensuring
that, for example, the Data Protection Act 1998 (DPA) is complied with, affects
most organisations in a CAATs context, but depending on the sensitivity of the
data, for example, medical, customer, staff or share price sensitive, appropriate
controls need to be maintained to reduce risks of unauthorised disclosure of
the information. This will require strong access controls on a PC if information
has been downloaded to it as a result of CAATs work; it could mean encryption
of the contents of the PC; it will mean effective physical controls (locked
cupboard or safe) or encryption of any media (memory sticks, CDs, DVDs) used
to transfer or store the information. If either internal email, or internet-based
email is being proposed, then additional controls may be required, such as
encryption.
Outcomes: CAATs can unearth fraud or a range of unauthorised activities, so
ensure that you have the procedures in place both internally, and with the
necessary external agencies, to adequately deal with such eventualities.
Third parties: Sometimes the systems upon which you wish to perform CAATs
are run by third parties on your behalf. This is an extra level of complication,
but with appropriate agreements and service levels in place, CAATs can be
successfully employed. It is better to discuss and agree arrangements at
the pre-contract stage, and to have them built into the contract. However,
arrangements can be negotiated mid-contract, though your negotiating
position may not be as strong. There are usually cost implications, as there
would be if the activity was undertaken in-house, though this can be a difficult
area as there is frequently a different perception to the external spend incurred
on a third party compared to that resulting from the use of internal resources.
However, there are examples of CAATs being run by a third party at no cost,
e.g. to detect potential fraud, since it is in both parties’ interests to eliminate
fraud.
IDEA
Be a better auditor.
You have the knowledge.
We have the tools.

With IDEA’s powerful functionality and robust execution, you can
• Improve your audit performance.
• Detect fraud.
• Extend your capabilities.
• Increase your value.

For over 20 years, IDEA has provided auditors with an easy-to-use
solution for essential data analysis.

For more information about IDEA and to request a Free Demo, visit
our website at www.caseware-idea.com.

Auditors in over 90 countries in 16 languages use IDEA to outperform peers
and exceed the expectations of clients, employers and regulators.

IDEA is a registered trademark of CaseWare International Inc.

4. Major CAATs Techniques
There are four broad techniques used in performing CAATs, though they are
not mutually exclusive. For the purposes of this guide we will refer to them as:
• Live interrogation;
• Offline interrogation;
• Continuous auditing;
• Data mining.
In the Live category all the CAATs activity takes place on the target system or
application. In the Offline category there are two major stages; firstly a coarse
level of interrogation takes place on the target system or application in order
to identify and extract a chunk of information, which is then transferred to
another system, typically a PC, for more detailed review activity. Data mining
can be considered to be a sub-set of the Offline category. In continuous
auditing regular extracts, of interest to either management or review functions,
are made from the system under review. These extracts can be made through
the use of extra functionality built into the system, or semi-automatically by
regularly running a routine to extract the required information.
This section will now examine the four techniques in more detail.

Live interrogation
One of the simplest interrogation techniques comes in this category, and it is
merely to use existing reporting options within the application itself. Sometimes
these reporting options are on a menu system, or they may be restricted to
users with higher privileges such as an administrator. To find out about these,
it is necessary to refer to the administrator or somebody else with detailed
knowledge about the application. In this way a full list of the options available
can be obtained, as some of these may have been hidden from normal users
when the system was first configured.
Some people would not regard this as a CAAT, since it is not using a separate
piece of software; it is merely using the existing functions of the application,
which hitherto may not have been exploited for this purpose. This is a moot
point, but it still may be a valuable method of extracting the information
required.
A more complex technique in this category involves utilising a Report
Generator, inbuilt into or bolted onto the application, where there is a simple
language which can be used to perform interrogations on the application data.
There may already be pre-configured reports available to be used, by entering
parameters such as date ranges, or invoice amounts etc. There may also be
existing reports which can be readily modified and used for a new interrogation
task. An example is SAP, the commonly-used Enterprise Resource Planning suite
of software, which has a Report Generator called ABAP.
The next level in complexity is the use of a generic interrogation language
known as SQL (Structured Query Language). SQL is a very popular standard
language for querying and updating databases. It is more technical, and much
riskier using this on a live system, and requires good training. A big advantage
of SQL is that it is a universal language, so when the techniques have been
mastered on one system, using it on another system which supports SQL is
a lot easier. It typically takes less than a week to learn enough of the basics
to do useful SQL e-auditing. Both SQL and the previously mentioned Report
Generator require a reasonable knowledge of the structure and format of the
application data, so assistance from IT staff is almost always required, both to
make sense of the data being interrogated, and also to reduce the risks to the
live system.
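An added example of a live SQL interrogation, written in Python with the standard sqlite3 module standing in for the application database; it is not code from the guide, from SAP or from any CAAT vendor, and the table and column names are constructed. The query lists invoices paid more than once to the same supplier, the kind of duplicate payment described in the Introduction. The connection is opened read-only (SQLite's mode=ro URI flag; on other databases the equivalent is a database account granted SELECT only), so that the risk to the live system is limited to query load and an accidental UPDATE is refused.

```python
import os
import sqlite3
import tempfile

# Constructed purchase ledger payments: (id, supplier_id, invoice_ref, amount, paid_on).
# Rows 3 and 5 repeat earlier payments; row 6 has the same amount as row 2 but a
# different invoice, so it must not be reported as a duplicate.
PAYMENTS = [
    (1, "S001", "INV-4411", 12500.00, "2009-03-02"),
    (2, "S002", "INV-0087", 830.00, "2009-03-02"),
    (3, "S001", "INV-4411", 12500.00, "2009-03-16"),
    (4, "S003", "INV-9001", 2200.00, "2009-03-17"),
    (5, "S002", "INV-0087", 830.00, "2009-03-30"),
    (6, "S002", "INV-0088", 830.00, "2009-03-30"),
]

# The interrogation: every supplier/invoice/amount combination paid more than once,
# largest total first so the review starts with the biggest exposure.
DUPLICATE_PAYMENTS_SQL = """
SELECT supplier_id, invoice_ref, amount, COUNT(*) AS times_paid, SUM(amount) AS total_paid
FROM payments
GROUP BY supplier_id, invoice_ref, amount
HAVING COUNT(*) > 1
ORDER BY total_paid DESC
"""


def demo_ledger_path():
    """Create the constructed stand-in for the live application database; returns its path."""
    path = os.path.join(tempfile.mkdtemp(prefix="ledger_"), "purchase_ledger.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE payments (id INTEGER PRIMARY KEY, supplier_id TEXT, "
                "invoice_ref TEXT, amount REAL, paid_on TEXT)")
    con.executemany("INSERT INTO payments VALUES (?, ?, ?, ?, ?)", PAYMENTS)
    con.commit()
    con.close()
    return path


def open_read_only(path):
    """Connect so that no statement can modify the live data."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def find_duplicate_payments(path):
    """Run the interrogation over the read-only connection and return the rows."""
    con = open_read_only(path)
    try:
        return con.execute(DUPLICATE_PAYMENTS_SQL).fetchall()
    finally:
        con.close()


def write_is_blocked(path):
    """True if the read-only connection refuses an UPDATE, which it should."""
    con = open_read_only(path)
    try:
        con.execute("UPDATE payments SET amount = 0")
        con.commit()
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        con.close()


if __name__ == "__main__":
    ledger = demo_ledger_path()
    for supplier, invoice, amount, times, total in find_duplicate_payments(ledger):
        print(f"{supplier} {invoice} {amount:.2f} paid {times} times, total {total:.2f}")
    print("writes blocked:", write_is_blocked(ledger))
```

The same query runs unchanged against most SQL databases; what changes per system is how read-only access is granted, and that is the arrangement to agree with IT before the first interrogation of a live system.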

Offline interrogation
The Offline interrogation approach is more involved and can sound like a lot
of effort. However, it is probably the most popular method of e-auditing.
It nearly always requires the services of a specialist (IT) person, initially, but in
some ways it is less risky and more flexible than the Live approach. In essence
the technique involves four elements:
• Identifying all the data likely to be required for the interrogations. This is best
performed jointly by a person who knows the business application and a
specialist (IT) person who knows how the data is structured / organised.
• Performing the extract of the aforementioned data into a file(s) on the target
system will be done by the IT specialist, who will then prepare the extracted
file ready for transfer to a PC.
• Transferring the file(s) to a PC which is usually straightforward, but can be
tricky depending upon the facilities available in the organisation. There are a
number of possible methods including a file transfer over the network, using
email, writing the file(s) onto a CD, or DVD drive attached to the target
system, and then putting the CD or DVD disk into the PC.
• Performing interrogations on a PC is the main aim of the process, and
there is a wide variety of software packages available to be used. Microsoft
Excel is usually available on a PC at no extra cost, so should be considered
first. However, it has a capacity limitation of 64,000 rows (or records) of
information. Microsoft Access, a desktop database package, can be used, and
does not have Excel’s capacity limitations, though it requires more skill.
If you are handling hundreds of thousands or millions of records of information,
or want software designed specifically for e-auditing, then consider buying
specialist e-auditing packages. These were originally written for audit staff to
perform a range of interrogations on a PC, ranging from simple to complex.
They are usually relatively easy to learn, and once a modicum of skill has been
built up they can be successfully used in a large range of different types of
interrogations, from almost any system in the organisation, using the four steps
above.
A list of some of the more popular CAATs software has been included in
Appendix B.

Continuous auditing
Continuous auditing is a valuable technique for improving the control
environment of a business application. It can be used for:
• Detecting fraud;
• Confirming that controls are working;
• Identifying exceptions that require further investigation;
• Detecting unusual activity.
Arguably, a good business application should have ‘continuous auditing
facilities’ available to be used, in the form of reports that can be produced
daily/weekly/monthly etc. However, if this is not the case, it is possible to bolt
them on.
A continuous auditing process can produce exceptions, e.g. transactions
happening at weekends, for an organisation that normally works a Monday
to Friday week. These will be highlighted for further investigation. Another
example would be in a financial services organisation, where the number of
new loans written in a specific time period (e.g. a month) by a single member
of staff has breached a threshold. It may be genuine, but it is also worthy of
investigation, as it may point to fraudulent activity. The benefits of continuous
auditing are that the checks for exceptions are performed by the system,
efficiently, all the time, and enable a focus on a small number of potential
exceptions, which can then receive the appropriate level of attention they
merit.
At the selection or design stage of a business application, or during the design
of a major change to an application, it is well worth considering specific
requirements in the continuous auditing area. Essentially, a semi-automatic
continuous audit programme can be inbuilt into a live running system, and set
to report against a set of parameters of interest. The parameters can be input
or changed, usually in a straightforward manner, and can therefore reflect
changing business needs.
If the above programme cannot be built into the live running system, then
alternatively it is usually possible, using a separate piece of software, to
set up regular routines, e.g. daily, weekly, or monthly, depending on the
requirements. These typically run overnight, trawling through the application
data and looking for data results that are potentially risky or unusual. The
reports produced can then be forwarded to supervisory management in the
business unit, a compliance function, or quality function, for the appropriate
attention.
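The two exceptions described above, weekend bookings and a per-staff monthly threshold, as an added Python routine of the kind that would be scheduled to run overnight; it is not the guide's code, and the loan book, staff identifiers and threshold are constructed. The parameters sit in one dictionary so that they can be changed as business needs change without touching the checks themselves.

```python
from collections import Counter
from datetime import date

# Constructed loan book: (loan_id, staff_id, booked_on, amount).
# 7 March 2009 is a Saturday and 15 March 2009 a Sunday.
LOANS = [
    (1, "E10", date(2009, 3, 2), 5000),
    (2, "E11", date(2009, 3, 3), 12000),
    (3, "E10", date(2009, 3, 7), 7000),
    (4, "E10", date(2009, 3, 10), 3000),
    (5, "E10", date(2009, 3, 24), 9000),
    (6, "E12", date(2009, 3, 15), 2500),
    (7, "E11", date(2009, 4, 1), 4000),
]

# Parameters of interest; constructed values that a supervisor could change.
DEFAULT_PARAMS = {
    "working_days": {0, 1, 2, 3, 4},       # Monday..Friday (date.weekday numbering)
    "max_loans_per_staff_per_month": 3,
}


def weekend_exceptions(txns, params):
    """Transactions booked outside the organisation's working week."""
    return [t for t in txns if t[2].weekday() not in params["working_days"]]


def threshold_breaches(txns, params):
    """Staff whose monthly loan count exceeds the threshold: (staff_id, year, month, count)."""
    counts = Counter((t[1], t[2].year, t[2].month) for t in txns)
    limit = params["max_loans_per_staff_per_month"]
    return sorted((staff, y, m, n) for (staff, y, m), n in counts.items() if n > limit)


def run_period_checks(txns, params=DEFAULT_PARAMS):
    """The routine that would be scheduled over each period's data; returns the exceptions."""
    return {
        "weekend": [t[0] for t in weekend_exceptions(txns, params)],
        "threshold": threshold_breaches(txns, params),
    }


def format_report(result):
    """Plain-text lines for forwarding to supervisory management or compliance."""
    lines = [f"EXCEPTION weekend booking: loan {loan_id}" for loan_id in result["weekend"]]
    for staff, y, m, n in result["threshold"]:
        lines.append(f"EXCEPTION threshold: {staff} wrote {n} loans in {y}-{m:02d}")
    return lines


if __name__ == "__main__":
    for line in format_report(run_period_checks(LOANS)):
        print(line)
```

A breach is a prompt for investigation, not a finding in itself: the report should carry enough detail (loan identifiers, the period, the parameter that was exceeded) for the reviewer to confirm whether the activity was genuine.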
An example of continuous auditing in the internet world is to detect
unauthorised changes to websites, hence to identify if inappropriate material
may have been uploaded to it, perhaps after a hacking attempt. In this
example, after each proper authorised change of an organisation’s website, a
hash total of its total contents is calculated and stored. There is then a routine
which regularly performs hash totalling, at least every hour, to compare original
and current hash totals. If a difference is detected an alert would be sent to IT
to investigate. This may be a specialist example, but hopefully it illustrates the
concept of continuous auditing.
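The website check above as an added Python example (not the guide's code). Rather than one hash total of the entire site, it keeps a SHA-256 digest per file, so that when the overall total differs the routine can also say which files were added, removed or changed; the single site-wide value is still derived from the per-file digests, so the comparison the guide describes is unchanged. The web root is a constructed temporary directory.

```python
import hashlib
import os
import tempfile


def file_digests(root):
    """SHA-256 of every file under root, keyed by path relative to root."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = h.hexdigest()
    return digests


def site_hash_total(digests):
    """One value for the whole site, the equivalent of the guide's single hash total."""
    h = hashlib.sha256()
    for rel in sorted(digests):
        h.update(f"{rel}:{digests[rel]}\n".encode())
    return h.hexdigest()


def compare_to_baseline(baseline, current):
    """Which files were added, removed or changed since the authorised baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def hourly_check(root, baseline_total, baseline_digests):
    """The scheduled routine: None when the site matches the baseline, otherwise the differences."""
    current = file_digests(root)
    if site_hash_total(current) == baseline_total:
        return None
    return compare_to_baseline(baseline_digests, current)


def make_demo_site():
    """Constructed web root standing in for the organisation's website."""
    root = tempfile.mkdtemp(prefix="site_")
    os.makedirs(os.path.join(root, "img"))
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html><body>Welcome</body></html>")
    with open(os.path.join(root, "img", "logo.txt"), "w") as f:
        f.write("logo placeholder")
    return root


def simulate_unauthorised_change(root):
    """Constructed change outside the release process: one file altered, one file added."""
    with open(os.path.join(root, "index.html"), "a") as f:
        f.write("<!-- unexpected -->")
    with open(os.path.join(root, "img", "extra.txt"), "w") as f:
        f.write("new")


if __name__ == "__main__":
    site = make_demo_site()
    baseline = file_digests(site)           # taken after each authorised change
    total = site_hash_total(baseline)
    print("clean check:", hourly_check(site, total, baseline))
    simulate_unauthorised_change(site)
    print("after change:", hourly_check(site, total, baseline))
```

The baseline digests are only useful if they are stored where the account that serves the website cannot write to them, and the routine should run from a separate host or account for the same reason; a difference is the alert to IT that the guide describes, and the authorised-change procedure must refresh the baseline or every release will raise one.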

Data mining
Data mining is a technique for finding useful information from a mass of your
organisation’s data, when you were not quite sure what you were looking for at
the outset!
It is normally achieved using a data warehouse, a huge database system, where
data is stored, having been regularly extracted from the key applications and
systems of the organisation. ‘Regularly’ may mean monthly, weekly or daily,
depending on the nature of the application data that is being extracted.
For larger systems, millions of transactions a day can be stored in a data
warehouse.
Mining the information can be complex, using expensive and specialised
software incorporating intricate rules or algorithms that look for patterns and
associations. For example, some supermarkets record all the individual items
purchased per customer and use data mining techniques to look for patterns
of product purchase in order to help optimise store layouts, as well as linking
purchases to customers and customer types to aid subsequent marketing
campaigns. The explanations and examples below are deliberately simple in
order to help explain the concept.
Data mining can also effectively be performed on a small scale using a PC, and
does not necessarily need large and expensive databases and systems.
A simple example would be to:
• Extract supplier information from the purchase ledger application to a PC;
• Extract information from the staff database to the same PC;
• Run comparisons of addresses and bank accounts across the two sets of
data. If any matches occurred these could be investigated, since it would be
unusual, in most organisations, for an employee to also be a supplier to the
organisation.
A marketing example of data mining would be to put together a list of the
different products sold to each customer. The list could be refined to establish
which customers have purchased product A and product B, but NOT product
C. The latter list could then be the focus of a targeted marketing campaign.
A further example, from an organisation’s customer application system, could
be to produce a list of the customers per address. Initially the number of
customers per address could be produced, and then for any records greater
than 1, customer names would be listed to aid the scrutiny of the information.
Such information has been used to detect fraud, or to provide valuable
information in sales and marketing activities.
A word of caution regarding the use of data mining techniques. A successful
outcome is very much dependent on the quality of the base data. If you are
matching post codes from several different systems and one of the systems has
only 70% of records with accurate post codes, the results will be disappointing.
It may be necessary to perform a data cleansing exercise first, prior to the data
mining, e.g. in this case, get post code accuracy better than 98%, either by
staff manually keying in the correct post codes or by using automated post
code cleansing routines.
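The supplier/staff comparison, the customers-per-address listing and the post code quality check from this section, combined in one added Python example (not from the guide). All records are constructed. Post codes, bank account numbers and address lines are normalised before matching, since the matching is only as good as the base data; the supplier extract deliberately contains one unparseable post code, so its quality score is 2/3 before any cleansing.

```python
import re
from collections import defaultdict


def normalise_postcode(raw):
    """UK post code in canonical 'OUTWARD INWARD' form; None if it does not look like one."""
    s = re.sub(r"\s+", "", (raw or "").upper())
    if not re.fullmatch(r"[A-Z]{1,2}\d[A-Z\d]?\d[A-Z]{2}", s):
        return None
    return f"{s[:-3]} {s[-3:]}"


def normalise_account(sort_code, account_no):
    """Digits only; account numbers padded to 8 digits so '987654' and '00987654' compare equal."""
    return (re.sub(r"\D", "", sort_code), re.sub(r"\D", "", account_no).zfill(8))


def normalise_address(line1):
    return re.sub(r"\s+", " ", line1.strip().lower())


# Constructed extracts from the purchase ledger, the staff database and the customer system.
SUPPLIERS = [
    {"id": "S001", "name": "Acme Ltd", "postcode": "SW1A 1AA", "sort_code": "12-34-56", "account": "12345678"},
    {"id": "S002", "name": "Beta Services", "postcode": "m11ae", "sort_code": "40-00-01", "account": "00987654"},
    {"id": "S003", "name": "Gamma plc", "postcode": "BAD CODE", "sort_code": "20-20-20", "account": "11112222"},
]
STAFF = [
    {"id": "E10", "name": "J Smith", "postcode": "M1 1AE", "sort_code": "400001", "account": "987654"},
    {"id": "E11", "name": "A Jones", "postcode": "EC1A 1BB", "sort_code": "11-11-11", "account": "55556666"},
    {"id": "E12", "name": "P Brown", "postcode": "SW1A1AA", "sort_code": "22-22-22", "account": "33334444"},
]
CUSTOMERS = [
    {"id": "C100", "name": "Mr A Patel", "address": "1 High Street", "postcode": "LS1 4AB"},
    {"id": "C101", "name": "Ms B Patel", "address": "1  HIGH STREET", "postcode": "ls14ab"},
    {"id": "C102", "name": "Mr C Green", "address": "7 Mill Lane", "postcode": "LS2 9JT"},
    {"id": "C103", "name": "D Green", "address": "7 Mill Lane ", "postcode": "LS2 9JT"},
    {"id": "C104", "name": "E White", "address": "3 Oak Road", "postcode": "LS3 1AA"},
]


def postcode_quality(records):
    """Share of records whose post code parses; the check to make before mining."""
    ok = sum(1 for r in records if normalise_postcode(r["postcode"]))
    return ok / len(records)


def staff_supplier_matches(suppliers, staff):
    """Suppliers sharing a bank account or post code with an employee: (supplier_id, staff_id, basis)."""
    by_account = {normalise_account(s["sort_code"], s["account"]): s["id"] for s in staff}
    by_postcode = defaultdict(list)
    for s in staff:
        pc = normalise_postcode(s["postcode"])
        if pc:
            by_postcode[pc].append(s["id"])
    hits = []
    for sup in suppliers:
        acct = normalise_account(sup["sort_code"], sup["account"])
        if acct in by_account:
            hits.append((sup["id"], by_account[acct], "bank account"))
        for staff_id in by_postcode.get(normalise_postcode(sup["postcode"]), []):
            hits.append((sup["id"], staff_id, "postcode"))
    return hits


def customers_sharing_address(customers):
    """Addresses with more than one customer: (postcode, address, [names]) for scrutiny."""
    groups = defaultdict(list)
    for c in customers:
        key = (normalise_postcode(c["postcode"]) or "", normalise_address(c["address"]))
        groups[key].append(c["name"])
    return sorted((pc, addr, names) for (pc, addr), names in groups.items() if len(names) > 1)


if __name__ == "__main__":
    print(f"supplier post code quality: {postcode_quality(SUPPLIERS):.0%}")
    for hit in staff_supplier_matches(SUPPLIERS, STAFF):
        print("match:", hit)
    for pc, addr, names in customers_sharing_address(CUSTOMERS):
        print(f"{len(names)} customers at {addr}, {pc}: {names}")
```

A match on bank account is far stronger evidence than a match on post code (a block of flats shares one), so the basis of each match is carried in the result; in practice the two lists would be ranked with the bank account matches first.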
Where there is significant processing involved in a data mining exercise, it can
slow the system down for other users. This is less of a problem with current
high performance systems, otherwise it is sometimes possible to schedule
CAATs to be run ‘off peak’, when the system is quieter, e.g. as an overnight job,
also known as a batch job.
On very large systems it may be possible to get a prediction of how long a data
mining exercise will take before it is actually run. This can be useful to ensure
that other users are not impacted, but also to help ensure that the routine has
been written efficiently. In one organisation a memorable data mining exercise
was initially predicted to run for 1 billion years! It was back to the drawing
board for that one to reduce it to more manageable proportions. Several
fundamental errors in the way the exercise was set to run were identified, and
when corrected it actually ran in a few hours.

5. Detailed Review Techniques
CAATs can be used to examine many different types of data held within
systems, including application systems. Data that may be particularly amenable
to such techniques includes:
• Tables/parameters: these are set to govern the specific performance of
software (packages) and if they are wrong then all transactions using them
are likely to contain errors (and controls are likely to have failed). Such data
includes tax rates, interest rates, discounts and pay rates.
• Master (standing) data which contains the details of an account (e.g. the
details of an employee on the payroll; details of a customer on the sales
ledger). Again, if this data is wrong, then all transactions using it are likely to
contain errors (and controls are likely to have failed).
• Details of large numbers of essentially identical or similar transactions, such
as sales, payroll payments or movements of inventory.
• Information on authentication or authorisation of input, specifically logs of
changes to tables or parameters and standing data and, sometimes, system
functions. Where access controls are important and segregation of duties
has been implemented to improve the control environment, these can
be examined to ensure they have been implemented correctly in order to
maintain adequate controls.
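An added example, written for this guide and not taken from it or from any CAAT package, of examining the fourth category of data above: a log of changes to parameter and standing-data tables, and the create/approve log of a payments application, checked against the access-control definitions and for segregation of duties. The log format, user names, table names and the list of authorised changers are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed log lines (not from the guide): a change log for parameter
# and standing-data tables and the create/approve log of a payments
# application, in a simple key=value format assumed for this example.
LOG_LINES = """\
2009-08-03 09:12:05 user=jsmith action=CHANGE table=VAT_RATES key=STD old=17.5 new=20.0
2009-08-03 23:48:41 user=tlee action=CHANGE table=PAY_RATES key=E1042 old=11.20 new=31.20
2009-08-04 10:02:17 user=abrown action=CREATE table=PAYMENTS key=P9001 amount=4800.00
2009-08-04 10:05:44 user=abrown action=APPROVE table=PAYMENTS key=P9001 amount=4800.00
2009-08-04 11:20:03 user=jsmith action=CREATE table=PAYMENTS key=P9002 amount=950.00
2009-08-04 14:31:55 user=mkhan action=APPROVE table=PAYMENTS key=P9002 amount=950.00
"""

# Who the access-control definitions say may change each table (constructed).
AUTHORISED_CHANGERS = {"VAT_RATES": {"jsmith"}, "PAY_RATES": {"hrparam"}}


def parse_log(text):
    """Turn each line into a dict of its key=value fields plus a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, fields = line[:19], line[20:]
        event = dict(pair.split("=", 1) for pair in fields.split())
        event["time"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        events.append(event)
    return events


def unauthorised_parameter_changes(events, authorised):
    """CHANGE events made by a user the access-control definitions do not permit for that table."""
    return [e for e in events
            if e["action"] == "CHANGE" and e["user"] not in authorised.get(e["table"], set())]


def out_of_hours_changes(events, start_hour=8, end_hour=18):
    """Parameter changes made outside the assumed business day, worth a second look."""
    return [e for e in events
            if e["action"] == "CHANGE" and not (start_hour <= e["time"].hour < end_hour)]


def segregation_breaches(events):
    """Payments that the same user both created and approved."""
    actors = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["table"] == "PAYMENTS":
            actors[e["key"]][e["action"]].add(e["user"])
    return sorted(key for key, by_action in actors.items()
                  if by_action["CREATE"] & by_action["APPROVE"])


if __name__ == "__main__":
    events = parse_log(LOG_LINES)
    for e in unauthorised_parameter_changes(events, AUTHORISED_CHANGERS):
        print("unauthorised change:", e["user"], e["table"], e["key"], e["old"], "->", e["new"])
    for e in out_of_hours_changes(events):
        print("out of hours:", e["time"], e["user"], e["table"])
    print("segregation breaches:", segregation_breaches(events))
```

On the constructed log the pay-rate change stands out twice (wrong user, and made close to midnight) and payment P9001 is flagged because one user both raised and approved it. Both findings are exceptions for follow-up, not conclusions: the next step is to check the access-control definitions and the change authorisation for each item.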
Such techniques include:
Selection of data items at random or at pre-determined intervals, so as
to facilitate more detailed checking, for example that the data is supported
by other records, or to use in procedures such as stock checking or debtor
confirmation.
Selection of data items in a particular category, such as sales, payments,
receipts or inventory movements, by reference to a pre-determined attribute or
attributes, so as to facilitate a detailed investigation of such data. For example,
the selection of data items might be on the basis that:
• The data item can be identified as in some way erroneous;
• The data item represents an unusually large value or quantity;
• Values or quantities are inconsistent with the trading arrangements recorded
as applicable to a customer (e.g. credit limit) or other counter-party;
• Values or quantities are in some way inconsistent with the usual range of
transactions with a particular customer or counter-party.
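The selection techniques just listed, as an added worked example for this guide (not code from it or from any CAAT package): selection at pre-determined intervals with a random start, simple random selection, and selection by attribute in the four categories above. The invoices, customer codes and credit limits are constructed; the rule that an item is "inconsistent with the usual range" when it exceeds three times the customer's median invoice is an assumption made for the illustration.

```python
import random
import statistics

# Constructed sample data (not from the guide): sales invoices and the
# credit limit recorded against each customer in the sales ledger.
CREDIT_LIMITS = {"C001": 5000.00, "C002": 1000.00, "C003": 20000.00}
INVOICES = [
    {"id": 1001, "customer": "C001", "amount": 450.00},
    {"id": 1002, "customer": "C001", "amount": 520.00},
    {"id": 1003, "customer": "C001", "amount": 480.00},
    {"id": 1004, "customer": "C001", "amount": 4900.00},   # far above C001's usual size
    {"id": 1005, "customer": "C002", "amount": 1200.00},   # exceeds C002's credit limit
    {"id": 1006, "customer": "C002", "amount": -30.00},    # erroneous: negative sale
    {"id": 1007, "customer": "C003", "amount": 15000.00},
    {"id": 1008, "customer": "C003", "amount": 14000.00},
    {"id": 1009, "customer": "C003", "amount": 0.00},      # erroneous: zero-value invoice
    {"id": 1010, "customer": "C003", "amount": 16000.00},
]


def interval_sample(records, interval, start=0):
    """Selection at pre-determined intervals: every interval-th record from `start`."""
    return [r["id"] for r in records[start::interval]]


def systematic_sample(records, interval, seed):
    """Interval selection with a seeded random start: reproducible in the
    working papers, but not predictable to the people who process the data."""
    start = random.Random(seed).randrange(interval)
    return interval_sample(records, interval, start)


def random_sample(records, n, seed):
    """Simple random selection of n records, reproducible from the seed."""
    return sorted(r["id"] for r in random.Random(seed).sample(records, n))


def largest_items(records, n):
    """Unusually large values: the n largest invoices by amount."""
    ranked = sorted(records, key=lambda r: r["amount"], reverse=True)
    return [r["id"] for r in ranked[:n]]


def attribute_exceptions(records, limits, ratio=3.0):
    """Selection by attribute: erroneous items, items inconsistent with the
    customer's trading arrangements (credit limit), and items out of line
    with the customer's usual range (more than `ratio` times their median)."""
    usual = {}
    for r in records:
        if r["amount"] > 0:
            usual.setdefault(r["customer"], []).append(r["amount"])
    out = {"erroneous": [], "over_credit_limit": [], "unusual_for_customer": []}
    for r in records:
        if r["amount"] <= 0:
            out["erroneous"].append(r["id"])
            continue
        # A customer with no recorded limit is treated as limit 0, so that
        # the missing standing data itself gets looked at.
        if r["amount"] > limits.get(r["customer"], 0.0):
            out["over_credit_limit"].append(r["id"])
        history = usual[r["customer"]]
        if len(history) >= 3 and r["amount"] > ratio * statistics.median(history):
            out["unusual_for_customer"].append(r["id"])
    return out


if __name__ == "__main__":
    print("every 3rd from a random start:", systematic_sample(INVOICES, 3, seed=7))
    print("random 4:", random_sample(INVOICES, 4, seed=7))
    print("largest 3:", largest_items(INVOICES, 3))
    print("exceptions:", attribute_exceptions(INVOICES, CREDIT_LIMITS))
```

The seed is recorded with the selection so that the sample can be regenerated later; that is what makes a random selection defensible as audit evidence. The attribute rules are deliberately simple thresholds, and the selected items are the starting point for the detailed checking the text describes, not findings in themselves.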
Comparison of data, for example, identification of values or quantities that are
inconsistent with data held in other records, such as orders inconsistent with
the subsequent invoice or delivery information, or invoices inconsistent with
the relevant payment made or received.
Selection of data items for checking to external sources to confirm the
accuracy or completeness of standing data governing a particular area of
processing (e.g. pay rates, access control definitions) or to confirm that
controls have performed as expected over time, where evidence of control
performance is retained in the system; for example in relation to the operation
of the organisation’s computer systems and the proper operation of online
authorisation and validation, including payroll changes and price changes in
respect of the organisation’s goods or services.
Statistical sampling of data items, the sampling of items in accordance with a
statistically valid algorithm, for review, such that the results of the review of the
sample, for example, the number or size of errors found, can be used to draw
statistically valid conclusions about the whole population of such data items,
such as the number or size of errors in the whole population.
Statistical analysis of data, for example by investigating the deviation,
skewness or kurtosis of items within a population of data.
Other mathematical processes, including the application of Benford’s Law
(examining the pattern of digits to detect possibly fraudulent data populations),
often used to facilitate or assist the conduct of a fraud investigation.
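The statistical analysis and Benford's Law tests described in the last two paragraphs, as an added worked example for this guide (not code from it or from any CAAT package). The two populations are constructed: a set of amounts that bunch just below a round figure, and a geometric series, which is known to follow Benford's distribution. Twenty items is far too few for a real chi-square test (expected counts should be at least five per digit); the small set is used only to make the arithmetic visible.

```python
import math
from collections import Counter

# Benford's Law: expected proportion of each leading digit in a naturally
# occurring population of amounts.
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
# Chi-square critical value at the 5% level with 8 degrees of freedom
# (nine digits, one constraint).
CHI2_CRITICAL = 15.51

# Constructed sample populations (not from the guide).
# Amounts that bunch just below a round figure, so leading 8s dominate:
SUSPECT_AMOUNTS = [8900, 8750, 8990, 7800, 8200, 890, 8100, 7950, 1200, 2300,
                   8400, 3100, 8600, 8800, 4700, 8300, 5100, 8550, 8650, 6200]
# A geometric series, which is known to follow Benford's distribution:
CONFORMING_AMOUNTS = [100 * 1.07 ** k for k in range(200)]


def first_digit(value):
    """Leading non-zero digit of a number, taken from its scientific notation."""
    return int(f"{abs(value):.15e}"[0])


def first_digit_counts(values):
    """Count of leading digits, ignoring zero values (they have no leading digit)."""
    return Counter(first_digit(v) for v in values if v != 0)


def benford_table(values):
    """Per digit: observed proportion, expected proportion and the difference."""
    counts = first_digit_counts(values)
    n = sum(counts.values())
    return {d: (counts[d] / n, BENFORD[d], counts[d] / n - BENFORD[d]) for d in range(1, 10)}


def benford_chi_square(values):
    """Chi-square statistic of observed against expected leading-digit counts."""
    counts = first_digit_counts(values)
    n = sum(counts.values())
    return sum((counts[d] - n * BENFORD[d]) ** 2 / (n * BENFORD[d]) for d in range(1, 10))


def benford_conforms(values, critical=CHI2_CRITICAL):
    """True when the population is not significantly different from Benford."""
    return benford_chi_square(values) < critical


def moments(values):
    """Mean, standard deviation, skewness and excess kurtosis (population formulae)."""
    n = len(values)
    mean = sum(values) / n
    m2 = sum((v - mean) ** 2 for v in values) / n
    m3 = sum((v - mean) ** 3 for v in values) / n
    m4 = sum((v - mean) ** 4 for v in values) / n
    return {
        "mean": mean,
        "stdev": math.sqrt(m2),
        "skewness": m3 / m2 ** 1.5,
        "excess_kurtosis": m4 / m2 ** 2 - 3,
    }


if __name__ == "__main__":
    for name, data in (("suspect", SUSPECT_AMOUNTS), ("conforming", CONFORMING_AMOUNTS)):
        print(name, "chi-square = %.1f" % benford_chi_square(data), "conforms:", benford_conforms(data))
    for d, (obs, exp, diff) in benford_table(SUSPECT_AMOUNTS).items():
        print(d, "observed %.3f expected %.3f diff %+.3f" % (obs, exp, diff))
    print(moments(SUSPECT_AMOUNTS))
```

A population that fails the test is not evidence of fraud on its own; assigned invoice numbers, fixed-price items and populations with a narrow range of values all fail Benford legitimately. The table of digit-by-digit differences shows where the population departs from expectation, which is what directs the detailed investigation.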
Re-performance of computations, particularly complex calculations, such as
order pricing, discounts or the application of VAT.
Totalling of data, so as to confirm control totals retained separately, or to
confirm the completeness of data within a computer application or shared
between applications, such as the reconciliation or confirmation of control
totals for purchases or sales by reference to the related transactions recorded
over a period of time. This can also be used to identify or confirm sub-totals
or the totals of stratified sections of a file, for example the totals of debts that
have been outstanding for particular periods of time.
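The re-performance of computations and the totalling and stratification just described, as an added worked example for this guide (not code from it or from any CAAT package). The invoice lines, the debtor balances, the ledger control total and the age bands are constructed; the rounding rule (discount the line and round to pence, then apply VAT to the rounded net and round again, half up) is an assumption, and in practice must be taken from the application's own specification before a difference is reported.

```python
from decimal import Decimal, ROUND_HALF_UP

TWO_DP = Decimal("0.01")

# Constructed invoice lines (not from the guide): what the system stored as
# the gross amount beside the inputs it should have been computed from.
INVOICE_LINES = [
    {"id": "INV1", "qty": 10, "unit_price": "12.50", "discount_pct": 10, "vat_pct": 20, "stored_gross": "135.00"},
    {"id": "INV2", "qty": 3, "unit_price": "19.99", "discount_pct": 0, "vat_pct": 20, "stored_gross": "71.96"},
    {"id": "INV3", "qty": 7, "unit_price": "9.99", "discount_pct": 5, "vat_pct": 20, "stored_gross": "79.27"},   # digits transposed
    {"id": "INV4", "qty": 2, "unit_price": "100.00", "discount_pct": 0, "vat_pct": 5, "stored_gross": "240.00"},  # VAT taken at the wrong rate
]

# Constructed debtor balances (not from the guide) and the control total
# the ledger reports for them.
DEBTS = [
    {"debtor": "D1", "amount": "500.00", "days_outstanding": 10},
    {"debtor": "D2", "amount": "1200.00", "days_outstanding": 45},
    {"debtor": "D3", "amount": "300.00", "days_outstanding": 61},
    {"debtor": "D4", "amount": "2500.00", "days_outstanding": 120},
    {"debtor": "D5", "amount": "700.00", "days_outstanding": 30},
    {"debtor": "D6", "amount": "150.00", "days_outstanding": 90},
]
LEDGER_CONTROL_TOTAL = "5350.00"
AGE_BANDS = [("0-30", 0, 30), ("31-60", 31, 60), ("61-90", 61, 90), ("over 90", 91, None)]


def money(value):
    """Round to pence, half up: the rounding rule assumed for this example."""
    return Decimal(value).quantize(TWO_DP, rounding=ROUND_HALF_UP)


def recompute_invoice(line):
    """Re-perform the pricing: discount the line, round, then apply VAT to the rounded net."""
    list_price = Decimal(line["qty"]) * Decimal(line["unit_price"])
    net = money(list_price * (1 - Decimal(line["discount_pct"]) / 100))
    vat = money(net * Decimal(line["vat_pct"]) / 100)
    return {"net": net, "vat": vat, "gross": net + vat}


def reperformance_exceptions(lines):
    """Lines whose stored gross differs from the recomputed one: (id, stored, recomputed, difference)."""
    out = []
    for line in lines:
        recomputed = recompute_invoice(line)["gross"]
        stored = Decimal(line["stored_gross"])
        if stored != recomputed:
            out.append((line["id"], stored, recomputed, stored - recomputed))
    return out


def age_band(days):
    """Name of the period band a debt of `days` outstanding falls into."""
    for name, low, high in AGE_BANDS:
        if days >= low and (high is None or days <= high):
            return name
    raise ValueError("negative days outstanding: %r" % days)


def stratified_totals(debts):
    """Totals of debts outstanding for each period: the stratified sub-totals the text mentions."""
    totals = {name: Decimal("0.00") for name, _, _ in AGE_BANDS}
    for d in debts:
        totals[age_band(d["days_outstanding"])] += Decimal(d["amount"])
    return totals


def reconcile_control_total(debts, ledger_control_total):
    """Recomputed total and its difference from the control total held separately."""
    computed = sum((Decimal(d["amount"]) for d in debts), Decimal("0.00"))
    return computed, Decimal(ledger_control_total) - computed


if __name__ == "__main__":
    for exc in reperformance_exceptions(INVOICE_LINES):
        print("re-performance exception:", exc)
    print("aged debt strata:", stratified_totals(DEBTS))
    print("control total check:", reconcile_control_total(DEBTS, LEDGER_CONTROL_TOTAL))
```

Money is held as Decimal rather than floating point so that the recomputed figure either matches the stored one exactly or does not; a spurious penny difference from binary rounding would otherwise flood the exception list. In the constructed data INV3 and INV4 are reported, with the difference shown so that a transposition error and a wrong VAT parameter look different at a glance, and the aged strata add back to the ledger's control total.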
Independent generation of reports to confirm the contents of regular
exception reports to management.
Generation of new data for review or audit purposes, for example the
generation of personnel information derived from both the payroll and the file
containing contractual personnel records.
There is a useful list of potential applications for CAATs freely available on the
internet, which is referenced in Appendix A – ‘Applications of IDEA’. It describes
a wide range of auditing and testing that can be carried out in the following
categories:
• Financial statement audit;
• Public sector-specific;
• Private sector-specific;
• Security and other logs;
• Other applications – including management accounting.

6 TOP TIPS
• Plan to make regular use of the CAATs techniques you are developing. Doing
it as a one-off exercise is rarely cost effective.
• Be patient – you may want the answers immediately but these techniques
take a little time to initially develop and use effectively, before producing
potentially significant results.
• In some cases the information uncovered may point to fraudulent activity.
You need to have the procedures in place to engage the appropriate internal
and external agencies who are able to deal with this.
• Ensure that, when undertaking CAATs, appropriate IT skills are available,
and the usual IT Governance procedures (e.g. change controls) are used.
The systems being reviewed are frequently core to the business and causing
problems to them comes with a heavy price.
• Make sure that you receive adequate training irrespective of which CAAT
package you use. This will help you enormously in making efficient and
effective use of these feature-rich packages.
• Confirm that there is adequate protection of information on any PC you
use, commensurate with the protection afforded of the host system it was
extracted from. This will mean strong PC (and associated media) access
controls and possibly encryption.
• Continuous auditing is a technique that, in particular, requires effective
planning, budgeting, system building and testing. Don’t opt to use it simply
on a whim.
• Data mining brings with it a huge spectrum of scope and complexity. Start
small and simple, and then build on this.
• Pay particular attention to the quality and structure of the underlying data
prior to undertaking data mining exercises.
• Ensure that the processes used have integrity, for example by building in
completeness checks when transferring data from one system to another.
Also, maintain a record of the steps involved and key information such as file
versions used.
• Make good use of available support. Software packages have maintenance
arrangements, where expert support can be called upon to help address the
challenges you face.
• Ensure that there is compliance to both internal and external policies and
regulations, for example the Data Protection Act, with regard to the access
and processing of data.
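An added example for the two tips on process integrity and record keeping above (written for this guide; not code from it or from any CAAT package): a completeness manifest taken at the source when data is extracted, checked again on the receiving PC, and recorded with the file version in the working papers. The extract records, source name and version label are constructed.

```python
import hashlib
import json
from decimal import Decimal

# Constructed extract (not from the guide): transaction records as taken
# from the source system before transfer to the audit PC.
SOURCE_EXTRACT = [
    {"id": "T0001", "customer": "C001", "amount": "125.00"},
    {"id": "T0002", "customer": "C002", "amount": "80.50"},
    {"id": "T0003", "customer": "C001", "amount": "299.99"},
    {"id": "T0004", "customer": "C003", "amount": "44.51"},
]


def manifest(records, source_system, file_version):
    """Completeness evidence for an extract: record count, hash total of the
    amount field and a SHA-256 of the canonical record text, plus the file
    version so the working papers record exactly what was used."""
    hash_total = sum((Decimal(r["amount"]) for r in records), Decimal("0.00"))
    canonical = "\n".join(json.dumps(r, sort_keys=True) for r in records).encode("utf-8")
    return {
        "source": source_system,
        "file_version": file_version,
        "record_count": len(records),
        "hash_total": str(hash_total),
        "sha256": hashlib.sha256(canonical).hexdigest(),
    }


def verify_transfer(received_records, expected):
    """Recompute the manifest on the receiving side and list every figure that disagrees."""
    actual = manifest(received_records, expected["source"], expected["file_version"])
    problems = []
    for field in ("record_count", "hash_total", "sha256"):
        if actual[field] != expected[field]:
            problems.append("%s: expected %s, got %s" % (field, expected[field], actual[field]))
    return problems


def record_step(trail, description, details):
    """Append one step to the audit trail of the CAAT, returning the entry."""
    entry = {"step": len(trail) + 1, "description": description, "details": details}
    trail.append(entry)
    return entry


if __name__ == "__main__":
    trail = []
    source_manifest = manifest(SOURCE_EXTRACT, "sales ledger", "SL-2009-08")
    record_step(trail, "extract taken from sales ledger", source_manifest)
    # Simulate a record dropped in transit and check the copy against the manifest.
    truncated = SOURCE_EXTRACT[:-1]
    record_step(trail, "verify transfer (truncated copy)", verify_transfer(truncated, source_manifest))
    for entry in trail:
        print(entry)
```

Three figures are kept because each catches something the others miss: the record count catches a dropped or duplicated record, the hash total catches an altered amount even when the count agrees, and the SHA-256 catches any change at all, including to fields that do not total. The manifest should be taken on the source system, by someone independent of the transfer, and kept with the working papers.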

Appendix A: FURTHER INFORMATION RESOURCES

Publications
Computer Assisted Audit Techniques (2nd edition): Eckhardt J. Kriel
Auditing in an e-Business Environment: IIA
Continuous Auditing: Potential for Internal Auditors: J. Donald Warren
CAATTs and other BEASTs (3rd edition): David G. Coderre
Data Mining, Second Edition: Concepts and Techniques: Jiawei Han and
Micheline Kamber
The ICAEW library catalogue has comprehensive details of books and articles on
computer auditing, computer-assisted audit techniques and computer-assisted
audit tools and techniques, some of which may also be relevant to the subject.

Internet Resources
Applications of IDEA
http://www.auditware.co.uk/solutions_default.asp
CaseWare’s Research Report, ‘Data Analysis – The Cornerstone of Internal
Auditing’
http://www.caseware.com/products/idea#_research_reports
Guide 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk
Assessment
http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gtag/
gtag3/
The CaseWare Smart Analyzer add-ons to IDEA – providing standard tests
http://www.caseware.com/products/idea/smart-analyzer-financial
White papers on data analysis, fraud detection and controls assurance
http://www.acl.com/resource_library/default.aspx

Appendix B: EXAMPLES OF E-AUDITING SOFTWARE

Software              Website            Description
ACL Desktop Edition   www.acl.com        PC-based package, with comprehensive, easy to use, interrogation facilities.
DB2                   www.ibm.com        Multi-platform database with analysis, and data mining options.
IDEA                  www.caseware.com   PC-based package, with comprehensive, easy to use, interrogation facilities.
Microsoft Access      www.microsoft.com  Part of the office suite of programmes. PC-based general purpose database package.
Microsoft Excel       www.microsoft.com  Part of the office suite of programmes. PC-based general purpose spreadsheet package.
Oracle                www.oracle.com     Comprehensive multi-platform, integrated suite of programmes, with analysis and data mining options.
SAP                   www.sap.com        Comprehensive multi-platform, integrated suite of programmes, with analysis and data mining options.
SAS                   www.sas.com        Comprehensive multi-platform analysis and data mining tool.

The Author

Nigel Lewis gained an Honours degree in electronic engineering at Manchester
University, before pursuing a career in computing. He held mainstream IT
positions with Cap Gemini and Fujitsu, prior to moving to a major financial
services organisation, where he has worked in Audit and IT Risk disciplines.
During this time he has led teams in the effective deployment of CAATs
(Computer Assisted Audit Techniques).
Nigel has authored and presented some of the Institute of Internal Auditors
information system audit-related professional courses since 2000, which have
included CAATs syllabus areas.
He has also authored and presented IT auditing courses on several continents,
including a hands-on workshop, for the Hong Kong Government.
August 2009

£25

Information Technology Faculty
Institute of Chartered Accountants in England and Wales
Chartered Accountants’ Hall Moorgate Place London EC2P 2BJ UK
T +44(0)20 7920 8481
F +44(0)20 7920 8657
E itfac@icaew.com
www.icaew.com/itfac
