Dear Readers,
You may download the *.PDF format file of the said Audit Manual from the link given below. Once the file is downloaded, type in the password "CSINGH".
https://skydrive.live.com/redir.aspx?cid=af664bb412b1fb02&resid=AF664BB412B1FB02!1272&parid=AF664BB412B1FB02!1270&authkey=!AOz9rFxitwC1GqI
INTRODUCTION
SCOPE OF AUDIT IN CIS ENVIRONMENT / IMPACT OF CIS ON AUDITING
IMPACT OF CHANGES ON BUSINESS PROCESS
AUDIT APPROACH IN CIS ENVIRONMENT
AUDIT SOFTWARE
USES OF CAAT
CONSIDERATIONS IN USE OF CAAT
STEPS INVOLVED IN APPLICATION OF CAAT
TESTING CAAT
MEASURES TO EXERCISE CONTROL OVER CAAT APPLICATIONS
INTRODUCTION
➢ Nowadays, the corporate world is getting more and more inclined towards the use of information technology (IT) and computer information systems (CIS) in its daily operations.
➢ This has changed the manner in which organisations carry out their operations and various business processes.
➢ This has further led to a change in the nature of the audit evidence generated by each financial transaction.
➢ The method of collecting and evaluating audit evidence has also changed.
➢ This requires auditors to possess reasonable knowledge of EDI, SDLC, CASE tools and the various hardware & software used in the organisation.
SCOPE OF AUDIT IN CIS ENVIRONMENT / IMPACT OF CIS ON AUDITING
The use of CIS in various organisations has had a drastic impact on audit approaches, techniques, the risks involved and internal control methods. The following factors (risks) must be given due consideration while framing an audit plan for an organisation:
1. High speed and automatic initiation/execution of transactions: In a CIS environment, transactions are processed instantly. Once a transaction is fed into the system, it might get executed automatically without requiring authorisation. Similarly, reports (even complex ones) can be generated at very high speed and can be viewed by multiple users at a time. This gives rise to many security issues.
2. Uniform processing of transactions, hence low clerical error: While feeding input, processing transactions and generating outputs, the computer system performs multiple checks on data at each point of time. Moreover, transactions are processed in a uniform manner. Hence clerical errors are minimised. However, there is a shift from human-generated errors towards system-generated errors.
3. Unintentional or system-generated errors: As discussed earlier, there is a shift in the nature of errors from human-generated to system-generated. Errors occur due to a lack of experienced personnel, and they are mainly related to the development, maintenance and execution of CIS.
4. Inexperienced personnel: Nowadays, technological advancement is occurring at a very fast pace. It has created a shortage of expert staff who understand the current technology, both at the client end and at the auditor end.
5. Concentration of duties: Under a CIS environment, more than one kind of task/function can be performed by an individual. This makes it difficult to segregate duties among individuals. Consequently, it also gives rise to a number of security issues.
6. Lack of audit trail: In a computerised system, the processing of a transaction takes place instantly. This leads to loss of the audit trail. Thus, the auditor needs to apply some alternative procedure to compensate for the loss of the audit trail.
Audit Trail: It can be defined as a step-by-step record by which a transaction can be traced.
The auditor may apply one of the following methods to compensate for the loss of audit trail:
   i. Special/Exceptional Reports: The auditor may ask the client to arrange special reports and print-outs. E.g.: sales orders for the months of December & March; purchase orders that have been short-closed by the purchase department.
   ii. Tagging and Tracing:
      o It is a method of compensating for the loss of audit trail.
      o It involves tagging the client's input data such that only the relevant data, which needs to be verified by the auditor, is highlighted on the screen.
      o E.g.: cash payments of more than ₨.20,000/-; debtors outstanding for more than 3 months; purchase orders pending for more than 30 days from the expected delivery date; etc.
   iii. Alternative Review Procedures (ARP): These include a number of methods to compensate for the loss of audit trail, such as:
      o Auditor's judgement: budgeting the figures and comparing them with actual figures.
      o Ratio analysis / checking critical ratios: This implies calculating certain ratios on the basis of budgeted data, the previous period's data or data from similar industries, and comparing them with the actual data of the client organisation.
      o Testing on total basis: If individual items can't be checked in detail, the auditor may take totals of reasonable chunks of data and check accordingly.
      o Clerical recreation: The auditor may manually generate certain figures that have been generated (automatically) by the system.
   iv. Use of CAAT: The auditor may take the help of the white-box audit approach or CAATs.
7. Auditor's participation in SDLC and dependence on other (manual) controls: We know that there is a constraint of audit trail in a CIS environment. Thus, a computerised information system lacks manual reasonableness. An information system of an organisation can only be effective if it has a reasonable level of audit facilities integrated into it. Hence the participation of the auditor in the SDLC is highly important. Moreover, the auditor may also use certain manual methods while performing the audit.
8. Internal control environment & management supervision: The success of CIS depends highly upon the involvement of management in the development and maintenance of CIS. Under a CIS environment, the risk of fraud & error is relatively high. Thus, higher management supervision and a better internal control environment are required.
9. Use of CAAT: An audit under a CIS environment cannot be carried out effectively by traditional (manual) approaches. Since the processing of transactions in a CIS environment is fast and complicated, the audit must be carried out using computer assisted audit techniques (CAAT). This requires a reasonably good amount of IT skills on the part of the auditors.
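The tagging and tracing method from item 6 can be sketched as follows. This is an added example, not part of the original manual: the three rules use the thresholds quoted in the text, while the record layout, field names, cut-off date and sample records are constructed for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# Thresholds taken from the examples in the text above.
CASH_PAYMENT_LIMIT = 20_000   # cash payments of more than Rs. 20,000
DEBTOR_AGE_MONTHS = 3         # debtors outstanding for more than 3 months
PO_OVERDUE_DAYS = 30          # POs pending more than 30 days past expected delivery


@dataclass(frozen=True)
class Record:                 # hypothetical layout of the client's input data
    ref: str
    kind: str                 # "cash_payment", "debtor" or "purchase_order"
    amount: float
    key_date: date            # payment date, invoice date or expected delivery date
    is_open: bool = True      # debtor still unpaid / order still undelivered


def months_before(d: date, months: int) -> date:
    """Date `months` calendar months before d, with the day clamped to month end."""
    index = d.year * 12 + (d.month - 1) - months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def tag_reason(rec: Record, as_of: date):
    """Return why the auditor should verify this record, or None if it is not tagged."""
    if rec.kind == "cash_payment":
        if rec.amount > CASH_PAYMENT_LIMIT:
            return "cash payment above Rs. 20,000"
    elif rec.kind == "debtor":
        if rec.is_open and rec.key_date < months_before(as_of, DEBTOR_AGE_MONTHS):
            return "debtor outstanding for more than 3 months"
    elif rec.kind == "purchase_order":
        if rec.is_open and (as_of - rec.key_date).days > PO_OVERDUE_DAYS:
            return "purchase order pending more than 30 days"
    else:
        # An unknown record type would silently escape every rule, so fail loudly.
        raise ValueError(f"{rec.ref}: no tagging rule for kind {rec.kind!r}")
    return None


def tag_and_trace(records, as_of: date) -> dict:
    """Map each tagged record reference to the reason it needs verification."""
    tagged, seen = {}, set()
    for rec in records:
        if rec.ref in seen:
            raise ValueError(f"duplicate reference {rec.ref} in input data")
        seen.add(rec.ref)
        reason = tag_reason(rec, as_of)
        if reason:
            tagged[rec.ref] = reason
    return tagged


AS_OF = date(2024, 3, 31)     # constructed audit cut-off date
SAMPLE_RECORDS = [            # constructed sample data, including boundary cases
    Record("CP-001", "cash_payment", 20_000, date(2024, 3, 5)),
    Record("CP-002", "cash_payment", 25_000, date(2024, 3, 9)),
    Record("DR-001", "debtor", 54_000, date(2023, 12, 31)),
    Record("DR-002", "debtor", 18_500, date(2023, 12, 15)),
    Record("DR-003", "debtor", 9_000, date(2023, 10, 1), is_open=False),
    Record("PO-001", "purchase_order", 70_000, date(2024, 3, 1)),
    Record("PO-002", "purchase_order", 12_000, date(2024, 2, 20)),
]

if __name__ == "__main__":
    for ref, reason in tag_and_trace(SAMPLE_RECORDS, AS_OF).items():
        print(ref, "->", reason)
```

Records sitting exactly on a threshold are not tagged, because each rule in the text says "more than".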
IMPACT OF CHANGES ON BUSINESS PROCESS
1. EDI: Electronic Data Interchange, as the name suggests, means the exchange of data/information/documents from one user to another electronically (with the help of computers). In other words, EDI is the computer-to-computer exchange of documents/information in a public standard format. Under the EDI framework, once a transaction (data) is fed into a computer, many records are automatically updated. There is no need to re-enter the data into the accounting system. This saves a lot of time & effort and enables an error-free transaction processing system (TPS).
2. Process of recording transactions: In a manual system, a transaction goes through a sequence of steps in order to get recorded in the principal books [Entry → Ledger → Final Accounts (Balance Sheet and Profit & Loss Account)]. Under a CIS environment, the above-mentioned three processes are carried out simultaneously.
3. Accounting / Transaction Processing System: As mentioned above, the CIS mechanism leads to abandonment of the maintenance of primary records.
   Batch Processing (Old Concept)
      o It is a simple system and somewhat like the traditional manual system.
      o In this process, transactions are accumulated and processed in groups.
      o In this system, files are not updated quickly.
      o E.g.: An accountant accumulates all the cash receipt vouchers for the day and updates his accounting records by the end of the working day.
   OLRT / RTOL System (New Concept)
      o OLRT: On-Line / Real-Time.
      o Under this system, transactions are processed as soon as they occur.
      o All the records are updated simultaneously on occurrence of a transaction.
      o E.g.: On issue of a sales invoice, the sales ledger and the debtors' ledger are updated automatically.
      o Software packages like Tally, SAP, etc. work like this.
   Time Sharing & Service Bureau (Distinct & New Concept)
      o Time sharing is a situation where a single computer serves more than one user.
      o A service bureau is an organisation which processes transactions on behalf of its client organisation.
      o E.g.: a service bureau handling payroll (including ESI/PF) for a small company.
      o If an organisation uses the services of a service bureau, then the auditor must obtain reasonable evidence in support of the controls exercised by the client organisation over the activities performed by the service bureau.
      o Nowadays, many accounting firms are carrying out this kind of activity.
4. Data Storage / file system: The data storage facilities and filing systems of organisations have gone through drastic changes as a result of changes in the style of carrying out business processes.
   Flat File System (Old Concept)
      o In a few words, in a flat file system, users own their own data and are responsible for their respective data files.
      o It leads to data redundancy and repetition of tasks.
      o E.g.: Try to visualise the admission system of a government college, where you are asked to fill in a hand-written form.
         ➢ On the basis of this form, the Admission Officer makes an entry in his register (Book-1) and asks you to deposit the fees with the Cashier.
         ➢ Now the Cashier takes the fees, passes a receipt entry in his cash register (Book-2) and issues a Cash Receipt.
         ➢ Finally, you present the Cash Receipt to the Admission Officer and he issues you the Admit Card and registers your name in the Students' Register (Book-3).
         ➢ Later on, the Accounts Officer will update his own accounting records (Book-4) on the basis of the Cash Book & Students' Register maintained by the above-mentioned two officers.
      o It is evident from the above example how one simple transaction needs to be recorded in 4 separate sets of books kept with separate users.
   Integrated Database System (New Concept)
      o In this system, the transaction is entered only once and the data corresponding to such transaction is shared by multiple users.
      o It works on client-server technology / topology.
      o It contains a set of interrelated files. When input is fed from one end, the master file (server) itself gets updated. This master file can be retrieved by more than one user (clients). Hence it reduces data redundancy.
      o E.g.: A person sitting at the sales office issues a sales invoice to a customer. Under this system, the master files related to Sales and Debtors are automatically updated. A person sitting in the back office can check the sales data or outstanding debtors at any time.
      o This kind of system is mainly used with On-Line / Real-Time systems.
5. Organisational structure: Nowadays, organisations depend very heavily on CIS. Thus, there is a need for a separate department (group of people) to take care of the IT needs of the organisation. Some of the personnel are listed below:
   i. EDP Manager: is responsible for the overall management and administration of the IT department.
   ii. Data Administrator: ascertains the data requirements of the various users of the information system in the organisation.
   iii. Database Administrator: is responsible for the operational efficiency and security of the organisational database.
   iv. System Analyst: takes care of the information requirements of the users for new as well as existing applications; designs the information system architecture to meet these requirements; facilitates implementation of information systems and maintains documentation.
   v. System Programmer: is responsible for the maintenance of operating system (OS) software, network and hardware requirements.
   vi. Application Programmer: designs new programs and modifies existing ones to meet the data processing needs; removes errors and improves the efficiency of the existing application software.
   vii. Operation Specialist: plans and controls the day-to-day issues of the users of information that emerge during the normal course of work.
   viii. Librarian: maintains the library of magnetic media and documentation.
6. Modified internal control base: In a CIS environment, since most of the processes are automated, the probability of occurrence of error substantially increases. Moreover, the risk of fraud is higher in a CIS environment, as it is less easily identifiable. Thus, there is a shift in the internal control base in a CIS environment as compared to the traditional manual system. Following are the two main categories of internal control required in a CIS environment:
   A. General EDP Controls: Overall controls over the EDP environment.
      i. Organisational & Management Controls: These controls are designed to establish an organisation-wide framework for CIS activities. They include:
         o Designing appropriate control policies & procedures;
         o Properly segregating duties among various individuals.
      ii. System Software Controls: These controls are meant to provide assurance that system software is acquired or developed in an authorised manner. They include:
         o Authorisation, approval, testing, implementation and documentation of new system software and system software modifications;
         o Restriction of access to system software and documentation to authorised personnel.
      iii. Application System Development & Maintenance Controls: These controls are designed to provide assurance that systems are developed and maintained in an authorised and efficient manner, and also to establish control over:
         o Testing, conversion, implementation and documentation of new revised systems;
         o Changes made to the application system;
         o Access to system documentation;
         o Acquisition of application systems from third parties.
      iv. Computer Operation Controls: These help in controlling the operations of the computer system. They assure that:
         o The systems are used for authorised purposes only.
         o Access to computer operations is restricted to authorised personnel.
         o Only authorised programs are used.
         o Processing errors are detected and corrected on a timely basis.
      v. Data Entry & Program Controls: These assure that:
         o Access to data and programs is restricted to authorised personnel.
         o An authorisation structure is established over transactions being entered into the system.
   B. EDP Application Controls: Specific controls over specific applications.
      i. Control Over Inputs: These controls are designed to assure that:
         o Transactions are properly authorised before being processed by the computer.
         o There are adequate checks installed in the input form to assure the correctness of data entered by the users.
         o Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely basis.
      ii. Control Over Processing & Data Files: These controls ensure that:
         o Transactions are properly processed by the computer.
         o Transactions are not lost, added, duplicated or improperly changed.
         o Processing errors are identified and corrected on a timely basis.
      iii. Control Over Output: They assure that:
         o Results of processing are complete, accurate and through ride media.
         o Outputs so generated satisfy the requirements of the user.
         o Access to output is restricted to authorised personnel.
AUDIT APPROACH IN CIS ENVIRONMENT
There have been drastic changes in audit approaches and methodologies as a result of the emergence of the CIS environment. The selection of one of the approaches depends upon the knowledge base and expertise of the auditors. There are mainly two approaches for auditing in a CIS environment, which are explained as follows:
A. Black-Box Approach (Auditing around the computer): In this approach, the auditor is mainly concerned with the inputs fed in by the client and the output generated by the system. The auditor completely ignores the internal processing of the information system.
For example, while testing the payroll of a company under the black-box approach, the auditor may first find out the total monthly hours worked by selected employees from their respective time cards, and then he may check the salary/wage rate from the rate card to find out the salary/wage payable to each employee. On the basis of the above, the auditor ascertains his own output by comparing hours, rates, extensions, over-time & leaves. Finally, the auditor compares his own results with the system-generated results.
The biggest advantage of auditing around the computer is its ease and simplicity, since the auditor does not require in-depth knowledge of the system application program in order to perform his duties.
On the contrary, a major disadvantage is that, under this approach, the auditor is completely ignorant of the internal processes of the system. Moreover, for certain complex reports, print-outs cannot be arranged for applying the audit procedures.
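The payroll test described above can be re-performed in a few lines. This is an added example, not part of the original manual: the 160-hour standard month, the 1.5x overtime factor, the employee codes and all figures are constructed assumptions, and only the procedure (time cards, rate card, comparison with system output) comes from the text.

```python
from decimal import Decimal, ROUND_HALF_UP

# Assumptions for this example (not from the page): a 160-hour standard month
# and overtime paid at 1.5 times the rate-card rate.
STANDARD_HOURS = Decimal("160")
OVERTIME_FACTOR = Decimal("1.5")
PAISA = Decimal("0.01")

# Constructed sample data: weekly hours from time cards, hourly rates from the
# rate card, and the net pay reported by the client's system.
TIME_CARDS = {
    "E001": ["40", "40", "40", "40"],
    "E002": ["45", "44", "40", "41"],
    "E003": ["40", "38", "40", "40"],
}
RATE_CARD = {"E001": "250.00", "E002": "200.00", "E003": "300.00", "E004": "220.00"}
SYSTEM_PAYROLL = {"E001": "40000.00", "E002": "35000.00",
                  "E003": "48000.00", "E004": "35200.00"}


def expected_pay(weekly_hours, rate):
    """Auditor's own computation of pay from source documents only."""
    hours = [Decimal(h) for h in weekly_hours]
    if any(h < 0 for h in hours):
        raise ValueError("negative hours on time card")
    total = sum(hours, Decimal("0"))
    regular = min(total, STANDARD_HOURS)
    overtime = max(total - STANDARD_HOURS, Decimal("0"))
    pay = regular * Decimal(rate) + overtime * Decimal(rate) * OVERTIME_FACTOR
    return pay.quantize(PAISA, rounding=ROUND_HALF_UP)


def reperform_payroll(sample, time_cards, rate_card, system_payroll):
    """Return findings as (employee, issue, auditor's figure, system figure)."""
    findings = []
    for emp in sample:
        reported = system_payroll.get(emp)
        reported = Decimal(reported) if reported is not None else None
        if emp not in time_cards:
            # Pay without a supporting time card cannot be re-performed at all.
            findings.append((emp, "no time card", None, reported))
            continue
        if emp not in rate_card:
            findings.append((emp, "no rate on rate card", None, reported))
            continue
        expected = expected_pay(time_cards[emp], rate_card[emp])
        if reported is None:
            findings.append((emp, "missing from system output", expected, None))
        elif reported != expected:
            findings.append((emp, "amount mismatch", expected, reported))
    return findings


if __name__ == "__main__":
    selected = ["E001", "E002", "E003", "E004"]   # employees chosen by the auditor
    for finding in reperform_payroll(selected, TIME_CARDS, RATE_CARD, SYSTEM_PAYROLL):
        print(finding)
```

Amounts are held as `Decimal` so that the comparison with the system's figure is exact rather than subject to floating-point rounding.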
B. White-Box Approach (Auditing through the computer): Under this approach, the auditor is concerned not only with the subject matter of the audit (i.e. inputs and outputs), but also with the internal processing of the computer system. This includes auditing with the help of audit software and computer aided audit techniques (CAAT).
CAAT: COMPUTER AIDED/ASSISTED AUDIT TECHNIQUE
Under a CIS environment, auditing cannot be carried out effectively using traditional / conventional and manual techniques of auditing. Auditing through the computer requires the use of various audit software packages and some computer assisted audit techniques.
AUDIT SOFTWARE
The use of CAAT allows the auditor to test the reliability and credibility of the client's information system without being much dependent upon the client's software. Nowadays, there are plenty of audit software options available to the auditor, with the help of which he can perform his audit independently and effectively. This audit software may include package programs, purpose-written programs, utility programs or system management programs. These programs are explained as follows:
I. Package Programs:
   o These are generalised computer software packages.
   o These packages come with a lot of generalised features and utilities, which can be used at many clients' sites.
   o Since these software packages are highly generalised and are available across the globe, one does not face any compatibility issues. Almost all organisations maintain a certain level of compatibility with these programs.
   o E.g.: MS-Excel can be the most common example of such programs.
II. Purpose-written Programs:
   o These programs are created to perform audit tasks of a specific nature.
   o These packages are not available for sale in the open market. The auditor is required to get these programs developed.
   o The auditor may appoint some outside agency to develop the program on his behalf (outsourcing), or he may himself hire programmers and get it built in-house.
   o While choosing the purpose-written program option, the auditor must take the cost-related issues into consideration.
III. Utility Programs:
   o These programs are used to perform common data processing functions such as sorting; sampling; documenting; creating, emailing & printing files/reports, etc.
   o Although these are not specifically designed for audit purposes, they can be extremely useful while performing the audit.
   o E.g.: Acrobat’s Adobe Reader; Microsoft’s Office also consists of certain utility programs such as MS-Access, MS-Word, MS-PowerPoint, etc.
IV. System Management Software:
   o These software/programs are also not specifically meant for audit purposes.
   o These are productivity tools, meant to enhance the performance of the operating system.
   o E.g.: Disk Defragment, Task Manager, Task Scheduler, Disk Clean-up, etc. are some examples of system management software.
USES OF CAAT
CAAT may be used to perform the following audit procedures:
1. Detailed and in-depth test of transactions and balances: The auditor can check transactions in depth and in detail, since he can select a larger sample size. Applying CAAT saves a lot of time, so he may devote more time to analysing a transaction.
2. Application of complex analytical review procedures: The auditor can perform complex procedures and calculations with the help of CIS. He may also extract detailed and complex reports to support his procedures.
3. Application of statistical sampling techniques to extract the relevant data: While extracting data from the client's information system, the auditor can take the help of complex statistical and scientific techniques in order to improve the quality and prudence of the sample selected. Application of statistical and scientific methods is almost impossible without the help of computer systems. E.g.: MS Excel is an application program that contains a number of statistical and mathematical formulae and techniques.
4. Test of general EDP controls: The auditor may check various input controls; processing controls; output controls; and data storage, transmission and security controls. The auditor can check the access rules and procedures.
5. Test of application controls: The auditor can check the functioning of the various applications installed and running in the system. The auditor may check the authenticity of various application programs.
6. Re-performing calculations and processing: The auditor can also re-perform calculations performed by the client's accounting system.
7. Better reporting methods: Under a CIS environment, a number of reporting techniques are available to the auditor. The auditor can use various graphical designs and multimedia techniques in order to make his report effective, concrete and more catchy. E.g.: MS PowerPoint is one of the software packages used to prepare presentations.
CONSIDERATIONS IN USE OF CAAT
While planning an audit with the help of CAAT, the auditor must take care of the following factors:
1. IT knowledge and experience of the audit team: Both the auditor and the audit team should have sufficient skills and experience to handle the audit under CAAT.
2. Availability of relevant audit software and suitable computer facilities: The auditor can use CAAT and maintain independence only if he has sufficient infrastructure, in the form of computer hardware and audit software, available with him. Otherwise, the cooperation and assistance of the client entity's personnel will be required.
3. Impracticability of manual tests: Nowadays, many organisations are adopting eco-friendly approaches while performing business operations. Moreover, many computer information systems perform tasks for which no hard-copy evidence is generated. This makes it impractical for the auditor to perform the tests manually.
4. Effectiveness and efficiency: With the help of CAAT, it is possible to test a large number of transactions together with a better level of precision. This brings efficiency and effectiveness to the performance of the audit assignment.
5. Time constraint: The auditor is required to perform the assignment in a limited time span, whereas a large amount of data (such as transaction details and reports) is required to be stored for such a short audit period. Thus the auditor is required to make arrangements for the retention and retrieval of data.
6. Detection of fraud and error: CAAT allows the auditor to plan and execute the audit work more effectively with the help of sophisticated audit software. But, under a CIS environment, frauds are intentional and generally deep-laid. Moreover, there are chances that some frauds are highlighted but there is no concrete evidence to prove them. Thus it cannot be said that auditing through the computer will increase the probability of detection of fraud.
7. Use of CAAT in small organisations: In a small business organisation, use of CAAT might not be a cost-effective and viable alternative. This is because of two reasons: first, the revenue per assignment is not very large, and second, the client entity might not have the appropriate technical infrastructure to run CAAT.
STEPS INVOLVED IN APPLICATION OF CAAT
The following steps are required to be undertaken by the auditor for the effective application of CAAT:
1. set the objective of the CAAT application;
2. determine the content and accessibility of the entity's files;
3. determine the scope: identify the specific files or databases to be examined;
4. understand the relationship between the data tables where a database is to be examined;
5. define the specific tests or procedures and the related transactions and balances affected;
6. define the output requirements;
7. arrange files & databases: arrange with the user and IT departments, if appropriate, for copies of the relevant files or database tables to be made at the appropriate cut-off date and time;
8. audit team: identify the personnel who may participate in the design and application of CAAT;
9. cost effectiveness: refine the estimates of costs and benefits;
10. follow-up: ensure that the use of CAAT is properly controlled;
11. arrange the administrative activities, including the necessary skills and computer facilities;
12. reconcile the data to be used for CAAT with the accounting and other records;
13. execute the CAAT application;
14. evaluate the results;
15. document the CAATs to be used, including objectives, high-level flowcharts and run instructions; and
16. assess the effect of changes to the programs/system on the use of CAAT.
TESTING CAAT
Before applying or completely relying on CAAT, the auditor must first obtain reasonable assurance of the integrity, reliability, usefulness and security of CAAT through appropriate planning, design, testing, processing and review of documentation. There are many testing methods; some of them are listed below:
1. Test Data: The auditor enters the test data into the entity's computer system and compares the results with predetermined results.
2. Test Packs: This involves taking a set of data, chosen by the auditor from the entity's system, and testing it separately from the normal processing procedure.
3. Integrated Test Facility: In this approach, the auditor establishes a dummy unit, into which test transactions are posted during the normal processing cycle of the entity. However, these dummy entries are eliminated later on.
MEASURES TO EXERCISE CONTROL OVER CAAT APPLICATIONS
Most of the audit procedures performed using CAAT are highly automated and machine-driven. Moreover, situations may often occur where the auditor also requires the cooperation of the client entity's IT staff for their extensive knowledge of the computer installation. In such circumstances, there are chances of the client's staff inappropriately influencing the CAAT results. Thus, while applying CAAT in an audit procedure, due care and control must be exercised. The following points are important to consider:
o The kind of audit procedure that needs to be performed by CAAT;
o Review the entity's general controls that may affect the integrity of CAAT, for example, controls over program changes and access to computer files. When such controls cannot be relied on to ensure the integrity of CAAT, the auditor may consider processing the CAAT application at another suitable computer facility; and
o Ensure appropriate integration of the output by the auditor into the audit process, and later on in drawing audit conclusions and reporting.
The success or failure of auditing with CAAT depends highly upon the degree of control exercised over the overall application of CAAT. The control over CAAT applications can be:
I. Control Over Software Application:
   a. Participation in design and testing of CAAT: The success of CAAT significantly depends upon the participation of the principal auditor in the designing and testing of CAAT.
   b. Checking the coding: Wherever applicable, checking the coding of the program in detail to ensure that it is in line with the program specification.
   c. Compatibility with client's system: Asking the client entity's IT staff to check the compatibility of the audit software with the operating system used in the client's information system.
   d. Testing the software: Before running the audit software on the main system's data files, the software must be run on small test files in a different system.
   e. Testing the test results: The results of the above test.
   f. Addressing the security issues: The auditor must establish appropriate security measures to safeguard the integrity and confidentiality of the client's data.
   g. Regular follow-up: Sufficient evidence must be obtained so as to ensure that the audit software is functioning as planned, and also that there is proper vendor support.
II. Control Over Test Data:
   a. Controlling the sequence in which the test data needs to be sent.
   b. Initially, performing the test runs with small chunks of test data, before submitting the main audit test data.
   c. Predicting the results of the test data and comparing them with the actual test data output.
   d. Confirming that the current version of the programs was used to process the test data.
   e. Ensuring that the client entity used the same version of the software throughout the audit period on which the audit is being conducted.
   f. Making sure that the dummy entries that were fed into the system while performing the audit are deleted.
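The test data method and the integrated test facility from "TESTING CAAT", together with points c, d and f of "Control Over Test Data", can be combined into one controlled run. This is an added example, not part of the original manual: `entity_post` and `entity_cleanup` are constructed stand-ins for the client's posting and clean-up routines, and the dummy unit code, ledger layout and test deck are hypothetical.

```python
import hashlib

DUMMY_UNIT = "ITF-DUMMY"   # hypothetical code for the auditor's dummy unit


def entity_post(ledger, txn, duplicate_check=True):
    """Constructed stand-in for the entity's posting routine and its input controls."""
    if not txn.get("authorised_by"):
        return "REJECTED: not authorised"
    if txn["amount"] <= 0:
        return "REJECTED: invalid amount"
    if duplicate_check and any(e["ref"] == txn["ref"] for e in ledger):
        return "REJECTED: duplicate"
    ledger.append(dict(txn))
    return "POSTED"


def entity_cleanup(ledger):
    """Constructed stand-in for the step that eliminates the dummy entries."""
    ledger[:] = [e for e in ledger if e["unit"] != DUMMY_UNIT]


def fingerprint(program_bytes):
    """SHA-256 of a program file, to confirm which version processed the test data."""
    return hashlib.sha256(program_bytes).hexdigest()


def live_totals(ledger):
    """Total per real unit, ignoring the dummy unit."""
    totals = {}
    for entry in ledger:
        if entry["unit"] != DUMMY_UNIT:
            totals[entry["unit"]] = totals.get(entry["unit"], 0) + entry["amount"]
    return totals


def audit_itf_run(ledger, deck, post, cleanup, version_before, version_after):
    """Post the test deck to the dummy unit and return the auditor's findings."""
    findings = []
    if version_before != version_after:                       # point d
        findings.append("program version changed during the test run")
    baseline = live_totals(ledger)
    for txn, predicted in deck:                               # deck order = sequence
        if txn["unit"] != DUMMY_UNIT:
            raise ValueError(f"{txn['ref']}: test data must target the dummy unit")
        actual = post(ledger, txn)
        if actual != predicted:                               # point c
            findings.append(f"{txn['ref']}: predicted {predicted}, got {actual}")
    cleanup(ledger)
    leftovers = [e["ref"] for e in ledger if e["unit"] == DUMMY_UNIT]
    if leftovers:                                             # point f
        findings.append(f"dummy entries not deleted: {leftovers}")
    if live_totals(ledger) != baseline:
        findings.append("live unit totals changed by the test run")
    return findings


def sample_ledger():
    """Constructed live entries that must be untouched by the test run."""
    return [
        {"ref": "INV-1001", "unit": "SALES", "amount": 5000, "authorised_by": "mgr1"},
        {"ref": "INV-1002", "unit": "SALES", "amount": 7500, "authorised_by": "mgr1"},
    ]


# Constructed test deck: each transaction is paired with its predicted result.
TEST_DECK = [
    ({"ref": "T-01", "unit": DUMMY_UNIT, "amount": 100, "authorised_by": "auditor"},
     "POSTED"),
    ({"ref": "T-02", "unit": DUMMY_UNIT, "amount": 100, "authorised_by": ""},
     "REJECTED: not authorised"),
    ({"ref": "T-03", "unit": DUMMY_UNIT, "amount": -5, "authorised_by": "auditor"},
     "REJECTED: invalid amount"),
    ({"ref": "T-01", "unit": DUMMY_UNIT, "amount": 100, "authorised_by": "auditor"},
     "REJECTED: duplicate"),
]

if __name__ == "__main__":
    version = fingerprint(b"constructed program image v1")
    print(audit_itf_run(sample_ledger(), TEST_DECK, entity_post, entity_cleanup,
                        version, version))
```

An empty findings list means every predicted result matched, the program fingerprint was stable, no dummy entry survived and the live totals were unchanged.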
The auditor should keep one thing in mind while performing the audit: “CAAT is one of the ‘solutions’ for audit and not the ‘substitute’ for audit.”