Auditing Standards and Practices Council

Philippine Auditing Practice Statement 1009

COMPUTER-ASSISTED AUDIT TECHNIQUES

PAPS 1009
PHILIPPINE AUDITING PRACTICE STATEMENT 1009
COMPUTER-ASSISTED AUDIT TECHNIQUES

CONTENTS

..............................................................................................Paragraphs

Introduction..............................................................1-3
Description of Computer Assisted Audit Techniques (CAATs)

4-6

Considerations in the Use of CAATs........................7-16

Using CAATs............................................................17-25
Using CAATs in Small Entity IT Environments......26
Effective Date...........................................................27
Acknowledgment.....................................................28-29

The Auditing Standards and Practices Council (ASPC) issues Philippine Auditing
Practices Statements (PAPS or Statements) to provide practical assistance to auditors in
implementing the Philippine Standards on Auditing (PSAs) or to promote good
practice. Statements do not have the authority of PSAs.

This Statement does not establish any new basic principles or essential procedures; its
purpose is to assist auditors, and the development of good practice, by providing
guidance on the application of the PSAs regarding the use of Computer Assisted Audit
Techniques as an audit tool. This Statement applies to all uses of CAATs involving a
computer of any type or size. The auditor exercises professional judgment to

PAPS 1009
determine the extent to which any of the audit procedures described in this Statement
may be appropriate in the light of the requirements of the PSAs and the entitys
particular circumstances.

PAPS 1009

Introduction
1.The overall objectives and scope of an audit do not change when an audit is conducted
in a computer information technology (IT) environment. The application of
auditing procedures may, however, require the auditor to consider techniques
known as Computer Assisted Audit Techniques (CAATs) that use the computer as
an audit tool.
2.CAATs may improve the effectiveness and efficiency of auditing procedures. They may
also provide effective tests of control and substantive procedures where there are
no input documents or a visible audit trail, or where population and sample sizes
are very large.
3.The purpose of this Statement is to provide guidance on the use of CAATs. It applies to
all uses of CAATs involving a computer of any type or size. Special
considerations relating to small entity IT environments are discussed in paragraph
26.

Description of Computer Assisted Audit Techniques (CAATs)

4.This Statement describes computer assisted audit techniques including computer tools,
collectively referred to as CAATs. CAATs may be used in performing various
auditing procedures, including the following:
1

tests of details of transactions and balances, for example, the use of audit
software for recalculating interest or the extraction of invoices over a
certain value from computer records;

analytical procedures, for example, identifying inconsistencies or

significant fluctuations;

tests of general controls, for example, testing the set-up or configuration of

the operating system or access procedures to the program libraries or by
using code comparison software to check that the version of the program
in use is the version approved by management;

sampling programs to extract data for audit testing;

PAPS 1009
5

tests of application controls, for example, testing the functioning of a

programmed control; and

reperforming calculations performed by the entitys accounting systems.

PAPS 1009
-2-

5.CAATs are computer programs and data the auditor uses as part of the audit procedures
to process data of audit significance contained in an entitys information systems.
The data may be transaction data, on which the auditor wishes to perform tests of
controls or substantive procedures, or they may be other types of data. For
example, details of the application of some general controls may be kept in the
form of text or other files by applications that are not part of the accounting
system. The auditor can use CAATS to review those files to gain evidence of the
existence and operation of those controls. CAATS may consist of package
programs, purpose-written programs, utility programs or system management
programs. Regardless of the origin of the programs, the auditor substantiates their
appropriateness and validity for audit purposes before using them.
7

Package or generalized audit software consists of generalized computer

programs designed to perform common audit tasks or standardized data
processing functions, such as reading data, selecting and analyzing
information, summarizing and totaling files, performing or verifying
calculations, creating data files, providing totals of unusual items, and
reporting in a format specified by the auditor.

Customized or purpose-written programs perform audit tasks in specific

circumstances, where package audit software is deemed unsuitable usually
because system constraints make it difficult or impossible to use. These
programs may be developed by the auditor, the entity being audited or an
outside programmer hired by the auditor. In some cases the auditor may
use an entitys existing programs in their original or modified state because
it may be more efficient than developing independent programs.

Utility programs are part of the operating system and security software
packages that are provided by computer manufacturers and software
vendors and used by an entity to perform common data processing
functions, such as sorting, copying, creating, merging, erasing, and
printing files. Utilities can substitute for procedures that would otherwise
be performed by package software or customized programs. These
programs are generally not designed for audit purposes, and therefore may
not contain features such as automatic record counts or control totals.

10

System management programs are enhanced productivity tools that are

typically part of a sophisticated operating systems environment, for
example, data retrieval software or code comparison software. As with
utility programs, these tools are not specifically designed for auditing use
and their use requires additional care.

PAPS 1009
-3-

11

12

Embedded audit routines are sometimes built into an entitys computer

system to provide data for later use by the auditor. These include:

Snapshots: This technique involves taking a picture of a transaction

as it flows through the computer systems. Audit software routines
are embedded at different points in the processing logic to capture
images of the transaction as it progresses through the various stages
of the processing. Such a technique permits an auditor to track
data and evaluate the computer processes applied to the data.

System Control Audit Review File: This involves embedding audit

software modules within an application system to provide
continuous monitoring of the systems transactions. The
information is collected into a special computer file that the auditor
can examine.

Test data techniques are sometimes used during an audit by entering data
(for example, a sample of transactions) into an entitys computer system,
and comparing the results obtained with predetermined results. An auditor
might use test data to:

test specific controls in computer programs, such as input

validation routines, error detection, transaction data control
procedures integral to the programs, on-line password and data
access controls, processing logic and controls over master data, and
calculations such as interest or taxes;

test transactions selected from previously processed transactions or

created by the auditor to test specific processing characteristics of
an entitys information systems. Such transactions are generally
processed separately from the entitys normal processing; and

test transactions used in an integrated test facility where a

dummy unit (for example, a fictitious department or employee) is
established, and to which test transactions are posted during the
normal processing cycle.

When test data are processed with the entitys normal processing, the
auditor ensures that the test transactions are subsequently eliminated from
the entitys accounting records.

PAPS 1009
-4The test data method can be applied to program processing verification
and evaluation. It does not check, however, completeness or accuracy of
input and update of data and master files.
6.The increasing power and sophistication of PCs, particularly laptops, has resulted in
other tools for the auditor to use. In some cases, the laptops will be linked to the
auditors main computer systems. Examples of such techniques include:
13

expert systems, for example in the design of audit programs and in audit
planning and risk assessment;

14

tools to evaluate a clients risk management procedures;

15

electronic working papers, which provide for the direct extraction of data
from the clients computer records, for example, by downloading the
general ledger for audit testing; and

16

corporate and financial modeling programs for use as predictive audit

tests.

These techniques are more commonly referred to as audit automation.

Considerations in the Use of CAATs

7.When planning an audit, the auditor may consider an appropriate combination of

manual and computer assisted audit techniques. In determining whether to use
CAATs, the factors to consider include:
17

the IT knowledge, expertise and experience of the audit team;

18

the availability of CAATs and suitable computer facilities and data;

19

the impracticability of manual tests;

20

effectiveness and efficiency; and

PAPS 1009
21

timing.

Before using CAATS the auditor considers the controls incorporated in the design
of the entitys computer systems to which the CAATS would be applied in order to
determine whether, and if so, how, CAATs should be employed.

PAPS 1009
-5-

IT Knowledge, Expertise, and Experience of the Audit Team

8.PSA 401 Auditing in a Computer Information Systems Environment deals with the
level of skill and competence the audit team needs to conduct an audit in an IT
environment. It provides guidance when an auditor delegates work to assistants
with IT skills or when the auditor uses work performed by other auditors or
experts with such skills. Specifically, the audit team should have sufficient
knowledge to plan, execute and use the results of the particular CAAT adopted.
The level of knowledge required depends on the complexity and nature of the
CAAT and of the entitys information system.
Availability of CAATs and Suitable Computer Facilities
9.The auditor considers the availability of CAATs, suitable computer facilities (controlled
as described in paragraphs 18-23) and the necessary computer-based information
systems and data. The auditor may plan to use other computer facilities when the
use of CAATs on an entitys computer is uneconomical or impractical, for
example, because of an incompatibility between the auditors package program
and the entitys computer. Additionally, the auditor may elect to use their own
facilities, such as PCs.
10.The cooperation of the entitys personnel may be required to provide processing
facilities at a convenient time, to assist with activities such as loading and running
of the CAATs on the entitys system, and to provide copies of data files in the
format required by the auditor.
Impracticability of Manual Tests
11.Some audit procedures may not be possible to perform manually because they rely on
complex processing (for example, advanced statistical analysis) or involve
amounts of data that would overwhelm any manual procedure. In addition, many
computer information systems perform tasks for which no hard copy evidence is
available and, therefore, it may be impracticable for the auditor to perform tests
manually. The lack of hard copy evidence may occur at different stages in the
business cycle.
22

Source information may be initiated electronically, such as by voice

activation, electronic data imaging, or point of sale electronic funds
transfer. In addition, some transactions, such as discounts and interest

PAPS 1009
calculations, may be generated directly by computer programs with no
specific authorization of individual transactions.

PAPS 1009
-6-

23

A system may not produce a visible audit trail providing assurance as to the
completeness and accuracy of transactions processed. For example, a
computer program might match delivery notes and suppliers invoices. In
addition, programmed control procedures, such as checking customer credit
limits, may provide hard copy evidence only on an exception basis.

24

A system may not produce hard copy reports. In addition, a printed report
may contain only summary totals while computer files retain the supporting
details.

Effectiveness and Efficiency

12.The effectiveness and efficiency of auditing procedures may be improved by using
CAATs to obtain and evaluate audit evidence. CAATs are often an efficient means
of testing a large number of transactions or controls over large populations by.
25

analyzing and selecting samples from a large volume of transactions;

26

applying analytical procedures; and

27

performing substantive procedures.

13.Matters relating to efficiency that an auditor might consider include:

28

the time taken to plan, design, execute and evaluate a CAAT;

29

technical review and assistance hours;

30

designing and printing of forms (for example, confirmations); and

31

availability of computer resources.

14.In evaluating the effectiveness and efficiency of a CAAT, the auditor considers the
continuing use of the CAAT application. The initial planning, design and
development of a CAAT will usually benefit audits in subsequent periods.

PAPS 1009

PAPS 1009
-7-

Timing
15.Certain data, such as transaction details, are often kept for only a short time, and may
not be available in machine-readable form by the time the auditor wants them.
Thus, the auditor will need to make arrangements for the retention of data
required, or may need to alter the timing of the work that requires such data.
16.Where the time available to perform an audit is limited, the auditor may plan to use a
CAAT because its use will meet the auditors time requirement better than other
possible procedures.

Using CAATs
17.The major steps to be undertaken by the auditor in the application of a CAAT are to:
(a)

set the objective of the CAAT application;

(b)

determine the content and accessibility of the entitys files;

(c)

identify the specific files or databases to be examined;

(d)

understand the relationship between the data tables where a database is to

be examined;

(e)

define the specific tests or procedures and related transactions and

balances affected;

(f)

define the output requirements;

(g)

arrange with the user and IT departments, if appropriate, for copies of the
relevant files or database tables to be made at the appropriate cut off date
and time;

(h)

identify the personnel who may participate in the design and application of
the CAAT;

PAPS 1009

(i)

refine the estimates of costs and benefits;

(j)

ensure that the use of the CAAT is properly controlled and documented;

PAPS 1009
-8-

(k)

arrange the administrative activities, including the necessary skills and

computer facilities;

(l)

reconcile data to be used for the CAAT with the accounting records;

(m)

execute the CAAT application; and

(n)

evaluate the results.

Controlling the CAAT Application

18.The specific procedures necessary to control the use of a CAAT depend on the
particular application. In establishing control, the auditor considers the need to:
(a)

approve specifications and conduct a review of the work to be performed

by the CAAT;

(b)

review the entitys general controls that may contribute to the integrity of
the CAAT, for example, controls over program changes and access to
computer files. When such controls cannot be relied on to ensure the
integrity of the CAAT, the auditor may consider processing the CAAT
application at another suitable computer facility; and

(c)

ensure appropriate integration of the output by the auditor into the audit
process.

19.Procedures carried out by the auditor to control CAAT applications may include:
(a)

participating in the design and testing of the CAAT;

(b)

checking, if applicable, the coding of the program to ensure that it

conforms with the detailed program specifications;

(c)

asking the entitys computer staff to review the operating system

instructions to ensure that the software will run in the entitys computer
installation;

PAPS 1009

(d)

running the audit software on small test files before running it on the main
data files;

PAPS 1009
-9-

(e)

checking whether the correct files were used, for example, by checking
external evidence, such as control totals maintained by the user, and that
those files were complete;

(f)

obtaining evidence that the audit software functioned as planned, for

example, by reviewing output and control information; and

(g)

establishing appropriate security measures to safeguard the integrity and

confidentiality of the data.

When the auditor intends to perform audit procedures concurrently with on-line
processing, the auditor reviews those procedures with appropriate client personnel
and obtains approval before conducting the tests to help avoid the inadvertent
corruption of client records.
20.To ensure appropriate control procedures, the presence of the auditor is not necessarily
required at the computer facility during the running of a CAAT. It may, however,
provide practical advantages, such as being able to control distribution of the
output and ensuring the timely correction of errors, for example, if the wrong
input file were to be used.
21.Audit procedures to control test data applications may include:
32

controlling the sequence of submissions of test data where it spans several

processing cycles;

33

performing test runs containing small amounts of test data before

submitting the main audit test data;

34

predicting the results of the test data and comparing it with the actual test
data output, for the individual transactions and in total;

35

confirming that the current version of the programs was used to process
the test data; and

36

testing whether the programs used to process the test data were the
programs the entity used throughout the applicable audit period.

PAPS 1009

22.When using a CAAT, the auditor may require the cooperation of entity staff with
extensive knowledge of the computer installation. In such circumstances, the
auditor considers whether the staff improperly influenced the results of the CAAT.

PAPS 1009
-10-

23.Audit procedures to control the use of audit-enabling software may include:

37

verifying the completeness, accuracy and availability of the relevant data,

for example, historical data may be required to build a financial model;

38

reviewing the reasonableness of assumptions used in the application of the

tool set, particularly when using modeling software;

39

verifying availability of resources skilled in the use and control of the

selected tools; and

40

confirming the appropriateness of the tool set to the audit objective, for
example, the use of industry specific systems may be necessary for the
design of audit programs for unique business cycles.

Documentation
24.The standard of working paper documentation and retention procedures for a CAAT is
consistent with that for the audit as a whole (see PSA 230 Documentation).
25.The working papers need to contain sufficient documentation to describe the CAAT
application, such as:
(a)

(b)

Planning
41

CAAT objectives;

42

consideration of the specific CAAT to be used;

43

controls to be exercised; and

44

staffing, timing and cost.

Execution

PAPS 1009

45

CAAT preparation and testing procedures and controls;

46

details of the tests performed by the CAAT;

47

details of input, processing and output; and

PAPS 1009
-11-

48

(c)

(d)

relevant technical information about the entitys accounting system,

such as file layouts.

Audit Evidence
49

output provided;

50

description of the audit work performed on the output; and

51

audit conclusions.

Other
52

recommendations to entity management.

In addition, it may be useful to document suggestions for using the CAAT in

future years.

Using CAATs in Small Entity IT Environments

26.Although the general principles outlined in this Statement apply in small entity IT
environments, the following points need special consideration:
(a)

The level of general controls may be such that the auditor will place less
reliance on the system of internal control. This will result in greater
emphasis on tests of details of transactions and balances and analytical
review procedures, which may increase the effectiveness of certain
CAATs, particularly audit software.

(b)

Where smaller volumes of data are processed, manual methods may be

more cost effective.

(c)

A small entity may not be able to provide adequate technical assistance to

the auditor, making the use of CAATs impracticable.

PAPS 1009
(d)

Certain audit package or generalized audit software may not operate on

small computers, thus restricting the auditors choice of CAATs. The
entitys data files may, however, be copied and processed on another
suitable computer.

PAPS 1009
-12-

Effective Date
27.

This PAPS shall be effective for audits of financial statements for periods ending
on or after December 31, 2003. Earlier application is encouraged.

Acknowledgment
28.

This PAPS, Computer-Assisted Audit Techniques, is based on International

Auditing Practice Statement (IAPS) 1009 of the same title issued by the
International Auditing Practices Committee of the International Federation of
Accountants.

29.

This PAPS differs from IAPS 1009 with respect to the revisions made to update
the general description of CAATS in paragraph 5.

PAPS 1009
-13This Philippine Auditing Practice Statement 1009 was unanimously approved on
February 24, 2003 by the members of the Auditing Standards and Practices Council:

Benjamin R. Punongbayan, Chairman

Antonio P. Acyatan, Vice Chairman

Felicidad A. Abad

David L. Balangue

Eliseo A. Fernandez

Nestorio C. Roraldo

Editha O. Tuason

Joaquin P. Tolentino

Joycelyn J. Villaflores

Carlito B. Dimar

Froilan G. Ampil

Erwin Vincent G. Alcala

Horace F. Dumlao

Isagani O. Santiago

Eugene T. Mateo

Emma M. Espina

Jesus E. G. Martinez