Question

Explain what is meant by ‘Computer Assisted Audit techniques (CAATs)’ and describe their major categories Distinguish between ‘General controls’ and ‘Application controls’ in a computerized environment. 28. In IT systems, application controls share a number of common features regardless of the particular application involved. These common features can be categorized as: ? input controls (controls over input data) ? processing controls ? data file controls ? controls over the output from the system (output controls). Required: Discuss these common features

Answer 1

The use of computers may result in the design of systems that provide less visible evidence
than those using manual procedures. CAATs are such techniques applied through the
computer which are used in verifying the data being processed by it. System characteristics
resulting from the nature of EDP processing that demand the use of Computer Aided Audit
Techniques (CAAT) are:
a) The absence of input documents (e.g. order entry in on-line systems) or the generation of
accounting transactions by computer programs (e.g. automatic calculation of discounts)
may preclude the auditor from examining documentary evidence.
b) The lack of a visible audit trail will preclude the auditor from visually following transactions
through the computerized accounting system.
c) The lack of visible output may necessitate access to data retained on files readable only
by the computer.

General EDP Controls: The purpose of general EDP controls is to establish a framework of
controls over the activities of EDP department. It also provides assurance that overall
objectives of internal control are achieved. General EDP controls may include:
1. Organization and management controls: Designed to establish an organizational
framework over EDP activities, including:
a) Establishing Policies and procedures relating to control functions.
b) Appropriate segregation of functions (e.g. preparation of input transactions,
programming and computer operations).
2. Application systems development and maintenance controls: designed to provide
reasonable assurance that systems are developed and maintained in an authorized in
efficient manner. They are also designed to establish control over:
a) Testing, conversion, implementation and documentation of new or revised systems,
b) Changes to application systems,
c) Access to systems documentation,
d) Acquisition of application systems from third parties.
3. Computer operation controls: designed to control the operation of the systems and to
provide reasonable assurance that:
a) The systems are used for authorized purposes only,
b) Access to computer operations is restricted to authorized personnel,
c) Only authorized programs are used,
d) Processing errors are detected and corrected
4. Systems software controls: Designed to provide reasonable assurance that system
software is acquired or developed in an authorized and efficient manner, including:
a) Authorization, approval, testing, implementation and documentation of new systems
software and systems software modifications.
b) Restriction of access to systems software and documentation to authorized personnel.
5. Data entry and program controls: Designed to provide reasonable assurance that:
a) An authorization structure is established over transactions being entered into the
system.

b) Access to data and programs is restricted to authorized personnel.
c) There are other EDP safeguards that contribute to continuity of EDP processing.
These are:
i) Offsite back-up of data and computer programs.
ii) Recovery procedures for use in the event of theft, loss or intentional or accidental
destruction.
iii) Provision for offsite processing in the event of disaster.
EDP application controls: The purpose of EDP application controls is to establish specific
control procedures over the accounting applications in order to provide reasonable assurance
that all transactions are authorized and recorded, and are processed completely, accurately
and on timely basis. EDP application controls include:
1. Controls over input: designed to provide reasonable assurance that:
a) Transactions are properly authorized before being processed by the computer.
b) Transactions are accurately converted into machine readable form and recorded in the
computer data files.
c) Transactions are not lost, added, duplicated or improperly changed.
d) Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely basis.
2. Controls over processing and computer data files: designed to provide reasonable
assurance that:
a) Transactions, including system generated transactions, are properly processed by the computer.
b) Transactions are not lost, added, duplicated or improperly changed.
c) Processing errors are identified and corrected on a timely basis.
3. Controls over output: designed to provide reasonable assurance that:
a) Results of processing are accurate.
b) Access to output is restricted to authorized personnel.
c) Output is provided to appropriate authorized personnel on a timely basis.