Page 133 - CITP Review
procedures (for example, extracting a suitable sample). They are affordable and relatively simple to
use, but most of these tools are susceptible to error, and caution should be exercised in using them
for evidence gathering. Controls and steps should be implemented to ensure data integrity both at
data extraction and throughout the use of the data in testing.
Sophisticated tools include technologies made by vendors such as Galvanize (formerly ACL), Idea,
Arbutus, and PanAudit. They are useful for specialized testing, for very large data sets, and where
sophisticated procedures are needed. When higher risks exist in the audit or review plan, they are
likely to be more appropriate than simple tools. They are also more costly.
CAATs considerations
Before using CAATs, some considerations need to be made, including the following:
The data involved (type, format, consistency, large data set or small)
The types of systems involved (COTS, custom)
The data’s location (local or remote, single or multiple sources)
Contact for data extraction
A primary requirement is how to ensure data integrity. At the data extraction point, the CITP needs to
have assurance that the data set extracted is exactly the data set on the operational computer; one
methodology is to use something similar to the batch control total approach to data processing.[27] And
the CITP must ensure data integrity throughout the process of testing and reporting, which means
locking down spreadsheet data, or using read-only (RO) data in a CAAT tool.[28]
Perhaps the most difficult part of using CAATs is to extract the data successfully and effectively from the
operational computer to the CAAT tool. There is an ideal format that looks like a spreadsheet: the first
row is column headings; all rows are contiguous (no subtotals, no breaks, and so on); each row beginning
with the second contains data; and usually no cell is empty. The file formats easiest to import are dBASE,
delimited text/ASCII, Excel files, print to file, and pdf (not scanned). Other options usually are fairly time-
consuming to effectively import. The last option is to hand key all of the data, and that clearly is a time-
consuming, last-resort approach.
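The reconciliation and layout check described above can be sketched in code. This is an added example, not part of the original text: the column names, the sample rows, and the source totals are constructed, and the SHA-256 digest is this example's own addition for confirming that a working copy has not changed between extraction and reporting.

```python
import csv
import hashlib
import io
from decimal import Decimal, InvalidOperation

# Constructed sample extract (not real data): heading row, contiguous data rows.
SAMPLE_EXTRACT = "invoice_no,quantity,amount\n1001,3,150.25\n1002,1,99.75\n1003,7,1200.00\n"

def control_totals(text, amount_col="amount", hash_col="quantity"):
    """Return (totals, problems) for a delimited extract.

    totals: record count, amount total, total of a numeric non-dollar column,
    and a SHA-256 digest of the file (the digest is this example's addition).
    problems: rows that break the ideal layout (blank rows, empty cells, subtotals).
    """
    rows = list(csv.reader(io.StringIO(text)))
    header, data = rows[0], rows[1:]
    a, h = header.index(amount_col), header.index(hash_col)
    count, amount_total, hash_total, problems = 0, Decimal(0), Decimal(0), []
    for line_no, row in enumerate(data, start=2):
        if len(row) != len(header) or any(not cell.strip() for cell in row):
            problems.append(f"line {line_no}: blank row or empty cell")
            continue
        try:
            amount, qty = Decimal(row[a]), Decimal(row[h])
        except InvalidOperation:
            problems.append(f"line {line_no}: non-numeric value in a totalled column")
            continue
        count += 1
        amount_total += amount
        hash_total += qty
    totals = {
        "record_count": count,
        "amount_total": amount_total,
        "hash_total": hash_total,
        "sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
    }
    return totals, problems

def reconcile(source_totals, extract_totals):
    """Return the names of control totals that differ between source and extract."""
    keys = ("record_count", "amount_total", "hash_total")
    return [k for k in keys if source_totals[k] != extract_totals[k]]

if __name__ == "__main__":
    # Totals as reported by the operational system (constructed for this example).
    source = {"record_count": 3, "amount_total": Decimal("1450.00"), "hash_total": Decimal(11)}
    extract, problems = control_totals(SAMPLE_EXTRACT)
    print("mismatches:", reconcile(source, extract), "layout problems:", problems)
```

An empty list from reconcile means the three control totals agree with the operational system; recomputing the digest before reporting and comparing it with the value recorded at extraction shows whether the working copy was altered in between.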
Deficiency evaluation of IT-related controls
Although the technical literature for financial audit does not contemplate expressing an opinion on
controls for private companies, there is a requirement for auditors when they detect control deficiencies.
There is technical literature that does require expressing an opinion of controls for public companies
(issuers).
The technical literature on control definitions evolved in response to the Sarbanes-Oxley Act of 2002
(SOX). Section 404 of SOX requires management of financial statement issuers to evaluate the entity’s
system of internal controls, and for the auditor to opine on that evaluation. In response to that, the
PCAOB and AICPA converged on definitions about control deficiencies; refer to AU-C section 450 for
[27] A total of the number of records being extracted, the total of an amount column, and a total of a
numeric but non-dollar amount column. Reconcile these to those of the operational computer data when
extracted. Some CAATs have this process built in.
[28] Most CAATs use RO for imported data for this reason.
© 2019 Association of International Certified Professional Accountants. All rights reserved. 3-49