Computer audit techniques

In recent years, information technology (IT) used by firms, large and small, has become increasingly sophisticated and complex. The explosive growth in IT includes computer hardware, databases, networks, telecommunications, the Internet, extranets, electronic commerce, client/server architecture, data warehouses, integrated accounting systems software (such as enterprise resource planning software), automated reasoning systems and neural networks software. The advances in IT have significantly changed the methods firms employ to gather and report information. Thus, auditors encounter many IT environments that maintain data on electronic media rather than paper-based media. Auditors must determine how the firm uses IT systems to initiate, record, process and report transactions or other financial data. This understanding is necessary to plan the audit and to determine the nature, timing and extent of tests to be performed to gain a sufficient understanding of internal controls.

SAS No. 94 was recently issued to provide guidance to auditors concerning the proper assessment of internal control2 activities in IT systems. The auditing standard states that computer-assisted auditing techniques (CAATs) are needed to test automated controls in certain types of IT environments. This paper revisits auditing-through-the-computer techniques, which should become more widely used with the issuance of SAS No. 94, and focuses on the test data technique, which can be applied in almost any audit to test automated programmed controls. This technique is relatively easy to apply and does not require the auditor to have a high degree of computer expertise.