UNCW MSA 516 - Using CAATTS to Support IT Audit


INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2003
Copyright © 2003 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

Using CAATs to Support IS Audit
S. Anantha Sayana, CISA, CIA

CAAT refers to computer-assisted audit technique. This implies that an auditor's use of a computer-assisted audit technique is something special—normally the techniques used by an auditor are not computer assisted. Today, in most large and medium-sized enterprises, there are few business processes that are not driven by computers. The business does not refer to them as computer-assisted business processing. The use of computers and information technology for doing business is taken for granted, so why should auditors talk about something special called CAAT?

Performing audits without using information technology is hardly an option. When all the information needed for doing an audit is on computer systems, how can one carry out an audit without using the computer? While the audit world will likely grow out of using this terminology, for the purpose of this article, the term CAAT refers to the use of certain software that can be used by the auditor to perform audits and to achieve the goals of auditing.

CAATs can be classified into four broad categories:
• Data analysis software
• Network security evaluation software/utilities
• OS and DBMS security evaluation software/utilities
• Software and code testing tools

Data Analysis Software

Data analysis software is the most popular of the four and is loosely referred to as audit software. The generic products available under this segment are termed as general purpose audit software, also known in some parts as GAS or generalized audit software. This software has the ability to extract data from commonly used file formats and the tables of most database systems. Thus, these systems can be used during the audits of almost any application on any technology platform. The audit software can perform a variety of queries and other analyses on the data. Some of the features are: data queries, data stratification, sample extractions, missing sequence identification, statistical analysis and calculations. This software also can perform operations after combining and joining files and tables. The list of features grows with each version of this software and a recent added feature is Benford analysis.

Need for Audit Software

Going back to the very basics, the IS audit methodology starts with risk analysis, which translates into, "What can go wrong?" The next step is to evaluate controls associated with the situation to mitigate risks, or, "What controls it?" The evaluation of controls goes into not only the design of the controls, but also their actual operation and compliance. Most observations, interviews, scrutiny and compliance testing are to determine whether controls exist, are designed well, are understood, operate effectively and are being complied with by the operating personnel. At the end of this phase the IS auditor could have observations about some controls that exist and are operating satisfactorily or some controls that are nonexistent, badly designed or not in compliance.

The following is an example of an IS auditor performing a payroll review. While doing an application review, the IS auditor observed that many of the required validations relating to the salary ranges and admissible allowances and perks were not built into the application software and concluded that it was possible to process values that did not meet the rules. When performing compliance testing, the auditor also observed that the modification logs and exception reports were not being checked regularly by the payroll officer. The application was in use at the organization for more than two years. While the observations were noted and corrective action was immediately taken on modifications to the software to include the validations, management's concerns were, "Have any errors or fraud really taken place? Have we lost any money? Have we erred in any payroll-related tax compliances?"

The IS auditor's job is not really complete until these questions are answered. The IS auditor's job is not only to notify concerns and alarms but also to recommend corrective action and provide concrete assurances and proof of errors wherever possible. The IS auditor is faced with the daunting task of verifying payroll for two years for, perhaps, thousands of employees. Doing this manually would take many audit clerks working for weeks and weeks and with no guarantees about the coverage.

In comes audit software. The complete verification of the entire payroll for two years, covering all the doubtful cases where validations and checking were inadequate, is possible. And this can be done with minimal effort and time, with guaranteed accuracy.

The number of occasions where such assurances and answers are sought by management from the auditors is not confined to just payroll. Progressive management teams and boards that are IT savvy would ask these questions for many cases as an effective aid to good governance. The disclaimers stated by auditors based on sampling are increasingly becoming luxuries that are neither affordable nor available anymore. Using audit software for substantive testing to provide total assurance or clear pinpointing of errors and frauds greatly increases the credibility and value provided by the audit function. That is obviously the way to go.

Prerequisites for Using Audit Software

Connectivity and Access to Data

The first prerequisite for using audit software is access to data. The auditor needs to obtain access to the "live" production data. In most cases, this is fairly easy to do. The IS auditor has the audit software installed on a notebook computer and connects it to the network where the server holding the data exists. The auditor then needs to obtain "read only" access to the files/tables that hold the data and can transfer the data files to the notebook computer. Once this is done, the audit software can use the data files and perform the audit. It is necessary to ensure that the data that are downloaded are the actual copy from the real production data. This can be achieved when the data transfer is done either by the auditor or by the specialist IS auditor assisting a general auditor. In large enterprises using wide area networks, it would be possible to do this data transfer even from
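
The full-population payroll test described in the payroll review above, combined with missing sequence identification, can be sketched as follows. This is an added example, not code from the article or from any audit software product; the grade ranges, allowance codes, column names and sample records are all constructed for illustration.

```python
import csv
import io

# Constructed rule tables (assumptions): pay range and admissible allowance codes per grade.
SALARY_RANGE = {"G1": (2000, 3500), "G2": (3000, 5500), "G3": (5000, 9000)}
ADMISSIBLE = {"G1": {"TRANSPORT"}, "G2": {"TRANSPORT", "HOUSING"},
              "G3": {"TRANSPORT", "HOUSING", "CAR"}}

# Constructed sample extract standing in for the read-only production download.
SAMPLE = """slip_no,emp_id,grade,basic,allowance_code
1001,E01,G1,2500,TRANSPORT
1002,E02,G2,6100,HOUSING
1003,E03,G1,3000,CAR
1005,E04,G3,7000,CAR
1006,E05,G9,4000,TRANSPORT
1007,E06,G2,abc,HOUSING
"""

def audit_payroll(rows):
    """Check every record (no sampling); return (exceptions, missing slip numbers)."""
    exceptions, slips = [], []
    for row in rows:
        slip = int(row["slip_no"])
        slips.append(slip)
        grade = row["grade"]
        if grade not in SALARY_RANGE:
            exceptions.append((slip, "unknown grade"))
            continue
        try:
            basic = float(row["basic"])
        except ValueError:
            exceptions.append((slip, "non-numeric basic pay"))
            continue
        low, high = SALARY_RANGE[grade]
        if not low <= basic <= high:
            exceptions.append((slip, "basic pay outside grade range"))
        if row["allowance_code"] not in ADMISSIBLE[grade]:
            exceptions.append((slip, "inadmissible allowance"))
    # Missing sequence identification: slip numbers absent between lowest and highest.
    present = set(slips)
    missing = [n for n in range(min(slips), max(slips) + 1) if n not in present] if slips else []
    return exceptions, missing

def run_sample():
    return audit_payroll(csv.DictReader(io.StringIO(SAMPLE)))

if __name__ == "__main__":
    found, gaps = run_sample()
    print(found, gaps)
```

Because every record is tested rather than a sample, the exception list answers management's question directly for the whole period covered by the extract.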

