MEMBERS' HANDBOOK

PRACTICE NOTE
1009
COMPUTER-ASSISTED AUDIT TECHNIQUES

(Issued December 2003)


     
Contents                                                          Paragraphs

Introduction                                                      1 - 3
Description of Computer-Assisted Audit Techniques (CAATs)         4 - 6
Considerations in the Use of CAATs                                7 - 16
Using CAATs                                                       17 - 25
Using CAATs in Small Entity IT Environments                       26
Compatibility with International Auditing Practice Statements     27

The purpose of Practice Notes issued by the Hong Kong Institute of Certified Public Accountants is to assist auditors in applying Statements of Auditing Standards (SASs) and Standards on Assurance Engagements (SAEs) of general application to particular circumstances and industries.

They are persuasive rather than prescriptive. However, they are indicative of good practice and have similar status to the explanatory material in SASs and SAEs, even though they may be developed without the full process of consultation and exposure used for SASs and SAEs. Auditors should be prepared to explain departures when called upon to do so.

This Practice Note replaces Auditing Guideline 3.262 "Computer-Assisted Audit Techniques (CAATS)".
       

Introduction

1. The overall objectives and scope of an audit do not change when an audit is conducted in a computer information technology (IT) environment. The application of auditing procedures may, however, require the auditors to consider techniques known as Computer-Assisted Audit Techniques (CAATs) that use the computer as an audit tool.
2. CAATs may improve the effectiveness and efficiency of auditing procedures. They may also provide effective tests of control and substantive procedures where there are no input documents or a visible audit trail, or where population and sample sizes are very large.
3. The purpose of this Practice Note (PN) is to provide guidance on the use of CAATs. It applies to all uses of CAATs involving a computer of any type or size. Special considerations relating to small entity IT environments are discussed in paragraph 26.
       

Description of Computer-Assisted Audit Techniques (CAATs)

4. This PN describes computer-assisted audit techniques including computer tools, collectively referred to as CAATs. CAATs may be used in performing various auditing procedures, including the following:
  a. tests of details of transactions and balances, for example, the use of audit software for recalculating interest or the extraction of invoices over a certain value from computer records;
  b. analytical procedures, for example, identifying inconsistencies or significant fluctuations;
  c. tests of general controls, for example, testing the set-up or configuration of the operating system or access procedures to the program libraries or by using code comparison software to check that the version of the program in use is the version approved by management;
  d. sampling programs to extract data for audit testing;
  e. tests of application controls, for example, testing the functioning of a programmed control; and
  f. reperforming calculations performed by the entity's accounting systems.
5. CAATs are computer programs and data the auditors use as part of the audit procedures to process data of audit significance contained in an entity's information systems. The data may be transaction data, on which the auditors wish to perform tests of controls or substantive procedures, or they may be other types of data. For example, details of the application of some general controls may be kept in the form of text or other files by applications that are not part of the accounting system. The auditors can use CAATs to review those files to gain evidence of the existence and operation of those controls. CAATs may consist of package programs, purpose-written programs, utility programs or system management programs. Regardless of the origin of the programs, the auditors substantiate their appropriateness and validity for audit purposes before using them.
  a. Package programs are generalized computer programs designed to perform data processing functions, such as reading data, selecting and analyzing information, performing calculations, creating data files and reporting in a format specified by the auditors.
  b. Purpose-written programs perform audit tasks in specific circumstances. These programs may be developed by the auditors, the entity being audited or an outside programmer hired by the auditors. In some cases the auditors may use an entity's existing programs in their original or modified state because it may be more efficient than developing independent programs.
  c. Utility programs are used by an entity to perform common data processing functions, such as sorting, creating and printing files. These programs are generally not designed for audit purposes, and therefore may not contain features such as automatic record counts or control totals.
  d. System Management programs are enhanced productivity tools that are typically part of a sophisticated operating systems environment, for example, data retrieval software or code comparison software. As with utility programs, these tools are not specifically designed for auditing use and their use requires additional care.
  e. Embedded Audit Routines are sometimes built into an entity's computer system to provide data for later use by the auditors. These include:
    i. Snapshots: This technique involves taking a picture of a transaction as it flows through the computer systems. Audit software routines are embedded at different points in the processing logic to capture images of the transaction as it progresses through the various stages of the processing. Such a technique permits auditors to track data and evaluate the computer processes applied to the data.
    ii. System Control Audit Review File: This involves embedding audit software modules within an application system to provide continuous monitoring of the system's transactions. The information is collected into a special computer file that the auditors can examine.
  f. Test data techniques are sometimes used during an audit by entering data (for example, a sample of transactions) into an entity's computer system, and comparing the results obtained with predetermined results. Auditors might use test data to:
    i. test specific controls in computer programs, such as on-line password and data access controls;
    ii. test transactions selected from previously processed transactions or created by the auditors to test specific processing characteristics of an entity's information systems. Such transactions are generally processed separately from the entity's normal processing; and
    iii. test transactions used in an integrated test facility where a "dummy" unit (for example, a fictitious department or employee) is established, and to which test transactions are posted during the normal processing cycle.
  When test data are processed with the entity's normal processing, the auditors ensure that the test transactions are subsequently eliminated from the entity's accounting records.
6. The increasing power and sophistication of PCs, particularly laptops, has resulted in other tools for the auditors to use. In some cases, the laptops will be linked to the auditors' main computer systems. Examples of such techniques include:
  a. expert systems, for example in the design of audit programs and in audit planning and risk assessment;
  b. tools to evaluate a client's risk management procedures;
  c. electronic working papers, which provide for the direct extraction of data from the client's computer records, for example, by downloading the general ledger for audit testing; and
  d. corporate and financial modeling programs for use as predictive audit tests.
  These techniques are more commonly referred to as "audit automation."
       

Considerations in the Use of CAATs

7. When planning an audit, the auditors may consider an appropriate combination of manual and computer assisted audit techniques. In determining whether to use CAATs, the factors to consider include:
  a. the IT knowledge, expertise and experience of the audit team;
  b. the availability of CAATs and suitable computer facilities and data;
  c. the impracticability of manual tests;
  d. effectiveness and efficiency; and
  e. timing.
  Before using CAATs, the auditors consider the controls incorporated in the design of the entity's computer systems to which the CAATs would be applied in order to determine whether, and if so, how, CAATs should be employed.
       
  IT Knowledge, Expertise, and Experience of the Audit Team
8. SAS 310 "Auditing in a computer information systems environment" deals with the level of skill and competence the audit team needs to conduct an audit in an IT environment. It provides guidance when auditors delegate work to assistants with IT skills or when the auditors use work performed by other auditors or experts with such skills. Specifically, the audit team would need to have sufficient knowledge to plan, execute and use the results of the particular CAAT adopted. The level of knowledge required depends on the complexity and nature of the CAAT and of the entity's information system.
       
  Availability of CAATs and Suitable Computer Facilities
9. The auditors consider the availability of CAATs, suitable computer facilities (controlled as described in paragraphs 18-23) and the necessary computer-based information systems and data. The auditors may plan to use other computer facilities when the use of CAATs on an entity's computer is uneconomical or impractical, for example, because of an incompatibility between the auditors' package program and the entity's computer. Additionally, the auditors may elect to use their own facilities, such as PCs or laptops.
10. The cooperation of the entity's personnel may be required to provide processing facilities at a convenient time, to assist with activities such as loading and running of the CAATs on the entity's system, and to provide copies of data files in the format required by the auditors.
       
  Impracticability of Manual Tests
11. Some audit procedures may not be possible to perform manually because they rely on complex processing (for example, advanced statistical analysis) or involve amounts of data that would overwhelm any manual procedure. In addition, many computer information systems perform tasks for which no hard copy evidence is available and, therefore, it may be impracticable for the auditors to perform tests manually. The lack of hard copy evidence may occur at different stages in the business cycle.
  a. Source information may be initiated electronically, such as by voice activation, electronic data imaging, or point of sale electronic funds transfer. In addition, some transactions, such as discounts and interest calculations, may be generated directly by computer programs with no specific authorization of individual transactions.
  b. A system may not produce a visible audit trail providing assurance as to the completeness and accuracy of transactions processed. For example, a computer program might match delivery notes and suppliers' invoices. In addition, programmed control procedures, such as checking customer credit limits, may provide hard copy evidence only on an exception basis.
  c. A system may not produce hard copy reports. In addition, a printed report may contain only summary totals while computer files retain the supporting details.
       
  Effectiveness and Efficiency
12. The effectiveness and efficiency of auditing procedures may be improved by using CAATs to obtain and evaluate audit evidence. CAATs are often an efficient means of testing a large number of transactions or controls over large populations by:
  a. analyzing and selecting samples from a large volume of transactions;
  b. applying analytical procedures; and
  c. performing substantive procedures.
13. Matters relating to efficiency that auditors might consider include:
  a. the time taken to plan, design, execute and evaluate a CAAT;
  b. technical review and assistance hours;
  c. designing and printing of forms (for example, confirmations); and
  d. availability of computer resources.
14. In evaluating the effectiveness and efficiency of a CAAT, the auditors consider the continuing use of the CAAT application. The initial planning, design and development of a CAAT will usually benefit audits in subsequent periods.
       
  Timing
15. Certain data, such as transaction details, are often kept for only a short time, and may not be available in machine-readable form by the time the auditors want them. Thus, the auditors will need to make arrangements for the retention of data required, or may need to alter the timing of the work that requires such data.
16. Where the time available to perform an audit is limited, the auditors may plan to use a CAAT because its use will meet the auditors' time requirement better than other possible procedures.
       

Using CAATs

17. The major steps to be undertaken by the auditors in the application of a CAAT are to:
  a. set the objective of the CAAT application;
  b. determine the content and accessibility of the entity's files;
  c. identify the specific files or databases to be examined;
  d. understand the relationship between the data tables where a database is to be examined;
  e. define the specific tests or procedures and related transactions and balances affected;
  f. define the output requirements;
  g. arrange with the user and IT departments, if appropriate, for copies of the relevant files or database tables to be made at the appropriate cut off date and time;
  h. identify the personnel who may participate in the design and application of the CAAT;
  i. refine the estimates of costs and benefits;
  j. ensure that the use of the CAAT is properly controlled and documented;
  k. arrange the administrative activities, including the necessary skills and computer facilities;
  l. reconcile data to be used for the CAAT with the accounting records;
  m. execute the CAAT application; and
  n. evaluate the results.
       
  Controlling the CAAT Application
18. The specific procedures necessary to control the use of a CAAT depend on the particular application. In establishing control, the auditors consider the need to:
  a. approve specifications and conduct a review of the work to be performed by the CAAT;
  b. review the entity's general controls that may contribute to the integrity of the CAAT, for example, controls over program changes and access to computer files. When such controls cannot be relied on to ensure the integrity of the CAAT, the auditors may consider processing the CAAT application at another suitable computer facility; and
  c. ensure appropriate integration of the output by the auditors into the audit process.
19. Procedures carried out by the auditors to control CAAT applications may include:
  a. participating in the design and testing of the CAAT;
  b. checking, if applicable, the coding of the program to ensure that it conforms with the detailed program specifications;
  c. asking the entity's computer staff to review the operating system instructions to ensure that the software will run in the entity's computer installation;
  d. running the audit software on small test files before running it on the main data files;
  e. checking whether the correct files were used, for example, by checking external evidence, such as control totals maintained by the user, and that those files were complete;
  f. obtaining evidence that the audit software functioned as planned, for example, by reviewing output and control information; and
  g. establishing appropriate security measures to safeguard the integrity and confidentiality of the data.
  When the auditors intend to perform audit procedures concurrently with on-line processing, the auditors review those procedures with appropriate client personnel and obtain approval before conducting the tests to help avoid the inadvertent corruption of client records.
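
  An added example, not part of the Practice Note, of the checks in paragraph 19(d) to (f) together with step 17(l): a small audit routine that reconciles an extract to independently obtained control totals before it extracts invoices over a set value, and records a digest identifying the file tested. The file layout, control totals, threshold and all function names are constructed for illustration.

```python
import csv
import hashlib
import io
from decimal import Decimal

# Constructed sample: an invoice extract as the entity's IT staff might supply it.
EXTRACT = """invoice_no,customer,amount
1001,ACME,1250.00
1002,BETA,98000.50
1003,ACME,310.25
1004,GAMMA,45000.00
"""

# Constructed control totals, obtained independently from the user department.
CONTROL = {"record_count": 4, "amount_total": Decimal("144560.75"), "hash_total": 4010}


def load(extract_text):
    """Parse the extract; amounts become Decimal so totals are exact."""
    rows = list(csv.DictReader(io.StringIO(extract_text)))
    for r in rows:
        r["invoice_no"] = int(r["invoice_no"])
        r["amount"] = Decimal(r["amount"])
    return rows


def reconcile(rows, control):
    """Compare computed totals with the control totals; return discrepancies."""
    computed = {
        "record_count": len(rows),
        "amount_total": sum((r["amount"] for r in rows), Decimal("0")),
        # Hash total: a sum with no accounting meaning, used only to detect
        # missing, duplicated or substituted records.
        "hash_total": sum(r["invoice_no"] for r in rows),
    }
    return {k: (computed[k], control[k]) for k in control if computed[k] != control[k]}


def run_caat(extract_text, control, threshold):
    """Run the extraction only if the file agrees with the control totals."""
    rows = load(extract_text)
    diffs = reconcile(rows, control)
    result = {
        # Digest kept in the working papers to identify the file tested.
        "file_sha256": hashlib.sha256(extract_text.encode()).hexdigest(),
        "discrepancies": diffs,
        "exceptions": [],
    }
    if not diffs:
        result["exceptions"] = [r["invoice_no"] for r in rows if r["amount"] > threshold]
    return result


if __name__ == "__main__":
    print(run_caat(EXTRACT, CONTROL, Decimal("40000")))
```

  A file that is incomplete or altered yields an entry in "discrepancies" and no exceptions list, so output from the wrong or a truncated file cannot be mistaken for audit evidence.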
20. To ensure appropriate control procedures, the presence of the auditors is not necessarily required at the computer facility during the running of a CAAT. It may, however, provide practical advantages, such as being able to control distribution of the output and ensuring the timely correction of errors, for example, if the wrong input file were to be used.
21. Audit procedures to control test data applications may include:
  a. controlling the sequence of submissions of test data where it spans several processing cycles;
  b. performing test runs containing small amounts of test data before submitting the main audit test data;
  c. predicting the results of the test data and comparing it with the actual test data output, for the individual transactions and in total;
  d. confirming that the current version of the programs was used to process the test data; and
  e. testing whether the programs used to process the test data were the programs the entity used throughout the applicable audit period.
22. When using a CAAT, the auditors may require the cooperation of entity staff with extensive knowledge of the computer installation. In such circumstances, the auditors consider whether the staff improperly influenced the results of the CAAT.
23. Audit procedures to control the use of audit-enabling software may include:
  a. verifying the completeness, accuracy and availability of the relevant data, for example, historical data may be required to build a financial model;
  b. reviewing the reasonableness of assumptions used in the application of the tool set, particularly when using modeling software;
  c. verifying availability of resources skilled in the use and control of the selected tools; and
  d. confirming the appropriateness of the tool set to the audit objective, for example, the use of industry specific systems may be necessary for the design of audit programs for unique business cycles.
       
  Documentation
24. The standard of working paper documentation and retention procedures for a CAAT is consistent with that for the audit as a whole (see SAS 230 "Documentation").
25. The working papers need to contain sufficient documentation to describe the CAAT application, such as:
  a. Planning
    i. CAAT objectives;
    ii. consideration of the specific CAAT to be used;
    iii. controls to be exercised; and
    iv. staffing, timing and cost.
  b. Execution
    i. CAAT preparation and testing procedures and controls;
    ii. details of the tests performed by the CAAT;
    iii. details of input, processing and output; and
    iv. relevant technical information about the entity's accounting system, such as file layouts.
  c. Audit Evidence
    i. output provided;
    ii. description of the audit work performed on the output; and
    iii. audit conclusions.
  d. Other
    i. recommendations to entity management.
  In addition, it may be useful to document suggestions for using the CAAT in future years.
       

Using CAATs in Small Entity IT Environments

26. Although the general principles outlined in this PN apply in small entity IT environments, the following points need special consideration:
  a. The level of general controls may be such that the auditors will place less reliance on the system of internal control. This will result in greater emphasis on tests of details of transactions and balances and analytical review procedures, which may increase the effectiveness of certain CAATs, particularly audit software.
  b. Where smaller volumes of data are processed, manual methods may be more cost effective.
  c. A small entity may not be able to provide adequate technical assistance to the auditors, making the use of CAATs impracticable.
  d. Certain audit package programs may not operate on small computers, thus restricting the auditors' choice of CAATs. The entity's data files may, however, be copied and processed on another suitable computer.
       

Compatibility with International Auditing Practice Statements

27. This Practice Note is, in all material respects, in accordance with International Auditing Practice Statement 1009 "Computer-Assisted Audit Techniques".