Computer Aided Audit Tools

From Wikipedia, the free encyclopedia

Jump to: navigation, search This article is written like a personal reflection or essay and may require cleanup. Please help improve it by rewriting it in an encyclopedic style. (August 2009) Computer Assisted Audit Techniques or Computer Aided Audit Tools (CAATS), also known as Computer Assisted Audit Tools and Techniques (CAATTs), is a growing field within the Financial audit profession. CAATTs is the practice of using computers to automate or simplify the audit process. In the broadest sense of the term, CAATTs can refer to any use of a computer during the audit. This would include utilizing basic software packages such as SAS, Excel, Access, Crystal Reports, Cognos, Business Objects, and also word processors. In practice, however, CAATs has become synonymous with incorporating Data analytics into the audit process. This is one of the emerging fields within the audit profession.

Contents
[hide]

1 Traditional Auditing vs CAATTs o 1.1 Traditional Audit Example o 1.2 CAATTs Alternative o 1.3 Traditional Audit vs CAATTs on Specific Risks 2 Specialized Software 3 Other uses of CAATTS o 3.1 Creation of Electronic Work Papers o 3.2 Fraud Detection o 3.3 Analytical Tests o 3.4 Data Analysis Reports o 3.5 Continuous Monitoring o 3.6 Curb stoning in surveys 4 Note on the Acronyms CAATTs vs CAATs o 4.1 CAATTs and Other BEASTs for Auditors by David Coderre 5 See also 6 External links 7 References

[edit] Traditional Auditing vs CAATTs

[edit] Traditional Audit Example

Traditionally auditors have been criticized because they reach conclusions based upon limited samples. It is not uncommon for an auditor to sample 30-50 transactions and declare a problem or conclude that "controls appear to be effective." Management upon hearing the verdict of the auditors may question the validity of the audit conclusions. Management realizes that they conduct thousands or perhaps millions of transactions a year and the auditor only sampled a handful. The auditor will then state that they conducted the sample based upon Generally Accepted Audit Standards (GAAS) and that their sample was statistically valid. The auditor is then forced to defend their methodology. Another common criticism of the audit profession occurs after a problem emerges. Whenever a problem emerges within a department, management might ask, "Where were the auditors?" If the audit department had reviewed the area recently it becomes a sticky situation as the Audit Manager attempts to explain that the reason the problem wasn't identified was because the problem was outside of the scope of the audit. The Audit manager might also try to explain that the sample was "a statistically valid sample with a 95% confidence level." The Audit Committee doesn't care that the audit was conducted according to GAAS, they only care that a problem went unnoted by the audit department.

[edit] CAATTs Alternative

CAATTs addresses these problems. CAATTs, as it is commonly used, is the practice of analyzing large volumes of data looking for anomalies. A well designed CAATTs audit will not be a sample, but rather a complete review of all transactions. Using CAATTs the auditor will extract every transaction the business unit performed during the period reviewed. The auditor will then test that data to determine if there are any problems in the data. For example, using CAATTs the auditor can find invalid Social Security Numbers (SSN) by comparing the SSN to the issuing criteria of the Social Security Administration. The CAATTs auditor could also easily look for duplicate vendors or transactions. When such a duplicate is identified, they can approach management with the knowledge that they tested 100% of the transactions and that they identified 100% of the exceptions.

[edit] Traditional Audit vs CAATTs on Specific Risks

Another advantage of CAATTs is that it allows auditors to test for specific risks. For example, an insurance company may want to ensure that it doesn't pay any claims after a policy is terminated. Using traditional audit techniques this risk would be very difficult to test. The auditor would "randomly select" a "statistically valid" sample of claims (usually 30-50.) They would then check to see if any of those claims were processed after a policy was terminated. Since the insurance company might process millions of claims the odds that any of those 30-50 "randomly selected" claims occurred after the policy was terminated is extremely unlikely. Even if one or two of those claims was for a date of service after the policy termination date, what does that tell the auditor?

Using CAATTs the auditor can select every claim that had a date of service after the policy termination date. The auditor then can determine if any claims were inappropriately paid. If they were, the auditor can then figure out why the controls to prevent this failed. In a real life audit, the CAATTs auditor noted that a number of claims had been paid after policies were terminated. Using CAATTs the auditor was able to identify every claim that was paid and the exact dollar amount incorrectly paid by the insurance company. Furthermore, the auditor was able to identify the reason why these claims were paid. The reason why they were paid was because the participant paid their premium. The insurance company, having received a payment, paid the claims. Then after paying the claim the participant's check bounced. When the check bounced, the participant's policy was retroactively terminated, but the claim was still paid costing the company hundreds of thousands of dollars per year. Which looks better in an audit report: "Audit reviewed 50 transactions and noted one transaction that was processed incorrectly" or "Audit utilized CAATTS and tested every transaction over the past year. We noted XXX exceptions wherein the company paid YYY dollars on terminated policies." However, the CAATTs driven review is limited only to the data saved on files in accordance with a systematic pattern. Much data is never documented this way. In addition saved data often contains deficiencies, is poorly classified, is not easy to get, and it might be hard to become convinced about its integrity. So, for the present CAATTs is complement to an auditor's tools and techniques. In certain audits CAATTs can't be used at all. But there are also audits which simply can't be made with due care and efficiently without CAATTs.

[edit] Specialized Software

In the most general terms, CAATTs can refer to any computer program utilized to improve the audit process. Generally, however, it is used to refer to any data extraction and analysis software. This would include programs such as SAS, Excel, Access, Crystal Reports, Business Objects, etc. There are, however, companies that have developed specialized data analytic software specifically for auditors. Product Name / Brand Audit Command Language (ACL) Interactive Data Extraction and Analysis (IDEA) [2] Company ACL Services Ltd. [1] CaseWare International [3]

ESKORT Computer Audit (SESAM) [4] ActiveData For Excel [6] CorpSystem ActiveData [8] Monarch TopCAATs for Excel [10] Picalo [11] Benefits of audit software include:

Intracom IT Services Denmark A/S [5] InformationActive Inc [7] CCH / Wolters Kluwer Datawatch Corporation [9] Reinvent Data Ltd Partly Open Source

They are independent of the system being audited and will use a read-only copy of the file to avoid any corruption of an organizations data. Many audit-specific routines are used such as sampling. Provides documentation of each test performed in the software that can be used as documentation in the auditors work papers.

Audit specialized software can easily perform the following functions:

Data queries. Data stratification. Sample extractions. Missing sequence identification. Statistical analysis. Calculations. Duplicate inquires. Pivot tables. Cross tabulation

[edit] Other uses of CAATTS

In addition to using data analysis software, the auditor utilizes CAATS throughout the audit for the following activities while performing data analysis:

[edit] Creation of Electronic Work Papers

Keeping electronic work papers on a centralized audit file or database will allow the auditor to navigate through current and archived working papers with ease. The database will make it easier for auditors to coordinate current audits and ensure they consider findings from prior or related projects. Additionally, the auditor will be able to electronically standardize audit forms and formats, which can improve both the quality and consistency of the audit working papers.']]

[edit] Fraud Detection

CAATTs provides auditors with tools that can identify unexpected or unexplained patterns in data that may indicate fraud. Whether the CAATS is simple or complex, data analysis provides many benefits in the prevention and detection of fraud. CAATTs can assist the auditor in detecting fraud by performing and creating the following,

[edit] Analytical Tests

Evaluations of financial information made by studying plausible relationships among both financial and non-financial data to assess whether account balances appear reasonable (AU 329). Examples include ratio, trend, and Benford's Law tests.

[edit] Data Analysis Reports

Reports produced using specific audit commands such as filtering records and joining data files.

[edit] Continuous Monitoring

Continuous Monitoring is an ongoing process for acquiring, analyzing, and reporting on business data to identify and respond to operational business risks. For auditors to ensure a comprehensive approach to acquire, analyze, and report on business data, they must make certain the organization continuously monitors user activity on all computer systems, business transactions and processes, and application controls. The Institute of Internal Auditors recently published a GTAG on Continuous Monitoring. See also Continuous Auditing.

[edit] Curb stoning in surveys

Curb stoning is the term for instances where a surveyor completes a survey form by making up data. Because some of the data should conform with Benford's law, this practice can be detected using CAATTs which provide the capability of performing such tests. An example case study is provided at [12] to illustrate.

[edit] Note on the Acronyms CAATTs vs CAATs

CAATTs and CAATs are used interchangeably. While CAATs has emerged as the more common spelling, CAATTs is the more precise acronym. The acronym CAATTs solves one of the two problems with defining the acronym. CAATs means: Computer Aided (or Assisted) Audit Tools (or Techniques)

The first "A" and the "T" can have two different meanings depending on who uses the term. By using the term CAATTs, one is clearly incorporating both "Tools" AND "Techniques."

[edit] CAATTs and Other BEASTs for Auditors by David Coderre

CAATTs and Other BEASTs for Auditors by David Coderre is the seminal work on CAATTs. David Coderre argues that the term CAATTs is much more appropriate because there is no purpose in having techniques if you don't have the tools, or the tools without the techniques. Coderre attempts to differentiate the use of CAATTs for any computer program used to improve the audit with the acronym "BEASTs." BEASTs stands for, "Beneficial Electronic Audit Support Tools." While CAATTs has become a household term in audit units, BEASTs remains relatively unused. BEASTs includes electronic work papers, Microsoft suite of products, and non-analytical programs/applications.

[edit] See also

Generalized Audit Software Information technology audit Separation of duties

[edit] External links

Comparing fraud detection software CAAT Automation Tool 2009 IT Audit Benchmarking Study (The Institute of Internal Auditors)

[edit] References

Information Technology Control and Audit; Frederick Gallegos, Sandra Senft, et al.; 2nd Edition ISBN 0-8493-2032-1 Audit Tools Use of Computer-Assisted Audit Tools and Techniques (CAATTs), Part 1 Audit Tools Use of Computer-Assisted Audit Tools and Techniques (CAATTs), Part 2 The IIA's GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment

Retrieved from "http://en.wikipedia.org/wiki/Computer_Aided_Audit_Tools" Categories: Information technology audit | Computer Assisted Auditing Techniques | Data analysis software Hidden categories: Wikipedia articles needing style editing from August 2009 | All articles needing style editing

Personal tools

New features Log in / create account

Namespaces

Article Discussion

Variants Views Actions Search

Read Edit View history

Navigation

Main page Contents Featured content Current events Random article

Interaction Toolbox

About Wikipedia Community portal Recent changes Contact Wikipedia Donate to Wikipedia Help

What links here Related changes Upload file

Special pages Permanent link Cite this page

Print/export

Create a book Download as PDF Printable version This page was last modified on 4 July 2010 at 19:46. Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. See Terms of Use for details. Wikipedia is a registered trademark of the Wikimedia Foundation, Inc., a nonprofit organization. Contact us Privacy policy About Wikipedia Disclaimers