Computers are not new to us. From microwave ovens to DVDs, everywhere around us we see and feel the effect of the microchip. But, too often, we have either not applied these new technologies to our everyday work activities, or we have only succeeded in automating the functions we used to do manually. “Things are working fine the way they are” or “I’m not an IS auditor” are just two of the many excuses we hear for not capitalizing on the power of the computer. However, we cannot afford to ignore the productivity gains that can be achieved through the proper use of information technology. The use of automation in the audit function—whether it is for the administration of the audit organization or tools employed during the conduct of comprehensive audits—has become a requirement, not a luxury. In today’s technologically complex world, where change is commonplace, auditors can no longer rely on manual techniques, even if they are tried and true. Auditors must move forward with the technology, as intelligent users of the new tools. The vision of the auditor, sleeves rolled up, calculator in hand, poring over mountains of paper, is no longer a realistic picture. Automation has found its way into our homes, schools, and the workplace—now is the time to welcome it into the audit organization.

These are exciting times for internal auditors, especially those who see themselves as agents of change within their organization. The drive to do more with less, to do the right thing, or to reengineer the organization and the way it does business is creating an environment of introspection and change. Change is occurring at a faster rate than ever, and this change is being driven by technological advances. Companies wishing to survive in these times must strive to exploit new technologies in order to achieve a competitive advantage. Today’s business environment is rapidly and constantly changing, and technology is one of the key factors that are forcing auditors to reassess their approach to auditing. Other factors are the evolving regulations and audit standards calling for auditors to make better use of technology. These forces are creating a new audit environment, and audit professionals who understand how to evaluate and use the potential of emerging technologies can be invaluable to their organizations. New possibilities exist for auditors who can tie software tools into their organizations’ existing systems (Baker [2005]).

In the last 20 years, we have progressed from Electronic Data Processing (EDP) to Enterprise-wide Information Management (EIM). We have gone from a time when hardware drove the programming logic and the software selection to a time when the knowledge requirements are driving business activities. As little as 15 years ago, information was almost a mere by-product of the technology; the selected hardware platform determined the software, which would likewise be a determining factor of each application. Today, the technology, the hardware and software, are merely delivery mechanisms, not the determining factors behind either information technology purchases or systems development activities. One of the main tenets of EIM is that the information is a key resource to be managed and used effectively by every successful organization. Data holdings are driving business processes, not the reverse, and there has been an increased treatment of information as a strategic resource of the business. From an audit perspective, this means that data and information are equally important. First, to analyze the current state of the business critically; and second, to help determine where the business is going or should go.

We are seeing a greater reliance on computers in every aspect of our world. Data processing is no longer confined to programmers or to the mainframe systems. We have seen the emergence of enterprise-wide systems in all business/operational areas in many organizations. In some, the separate information processing by specialized applications is a thing of the past. Enterprise-wide systems are changing the notion of traditionally centralized data and applications. Application programmers have been transferred to business areas to support and encourage use of enterprise technology. Today, one can find business applications where a purchase order transaction is initiated in England, modified in the United States, and then sent to a processing plant in Mexico. All of this occurs in minutes—or even seconds—across time zones and continents. The modules or components are fully integrated with the business processes and occur without a paper trail. These types of applications make traditional manual audit approaches useless and impossible to apply. Auditors must learn how to access and analyze electronic information sources if they want to make a meaningful contribution to their organizations’ bottom line.

While a “less paper” rather than a “paperless” office is the best we may be able to achieve in the near future, we have already seen the disappearance of paper in many areas as a result of information systems and technology such as enterprise system, Electronic Data Interchange (EDI), Electronic Commerce (EC), and Electronic Funds Transfer (EFT). The audit trail is electronic and is therefore no longer visible and more difficult to trace. The volume of data and its complexity is increasing at a rapid rate because of the requirement to quickly focus company resources on emerging problems or potential opportunities. To some, this lack of transparency is a problem; to the more enlightened auditor, this is an opportunity.

There is increasing pressure to do more with less. Over the last 200 years, most of the productivity gains have occurred within the areas of production, inventory, and distribution, but little gain has occurred within the administrative functions. The automation of production plants saw reductions in the number of production workers within a plant, going from 200 people on the assembly line with five managers to 50 people on the assembly line and five managers. With productivity increases in the traditional, blue-collar areas becoming harder to achieve, there is increasing pressure to make improvements in the white-collar areas. Reducing overhead, doing more with less, and rightsizing all circumscribe efforts to make productivity gains in the management areas of administration. Given the unfortunately still widely held view that audit is overhead, internal audit must not only become more efficient in delivering its products and services but often must also pay its own way and become more effective in order to succeed.

Many audit organizations have looked to the microcomputer as the new audit tool, a tool that can be used not only by IS auditors, but by all auditors. This book highlights the benefits of Computer-Assisted Audit Tools and Techniques (CAATTs) and outlines a methodology for developing and using CAATTs in the audit organization. Today’s auditors must become more highly trained, with new skills and areas of expertise in order to be more useful and productive. Increasingly, auditors will be required to use computer-assisted techniques to audit electronic transactions and application controls. Laws like the U.S. Sarbanes-Oxley Act of 2002 are pushing audit departments to find new ways to link specialty tools into the complex business systems (Baker [2005]). By harnessing the power of the computer, auditors can improve their ability to critically review data and information and manage their own activities more rationally. Due to the critical shortage of these skills and talents, they will become even more valuable and marketable.

Today’s microcomputer-based audit tools and techniques have their roots in mainframe Computer Assisted Audit Tools (CAATs), which in turn are surprisingly rooted in manual audit tools and techniques. These mainframe-based tools were primarily used to verify whether or not the controls for an application or computer system were working as intended. In the 1970s, a second type of CAAT evolved, which sought to improve the functionality and efficiency of the individual auditor. These CAATs provided auditors with the capability to extract and analyze data in order to conduct audits of organizational entities rather than simply review the controls of an application. A third type of CAAT, and a more recent use of automated audit tools, focuses on the audit function and consists of tools and techniques aimed at improving the effectiveness of the audit organization as a whole. But, for a moment, let’s step back in time to the late 1970s, as illustrated in Exhibit 1.1.

EXHIBIT 1.1 Audit Tools and Techniques (Computer System Audit)

The first audit software package, the Auditape System, which implemented Stringer’s audit sampling plan (Tucker [1994]), already provided limited capabilities for parallel simulation. The system facilitated limited recomputation of data processing results based on only a few data fields. In response to the Auditape System, many accounting, auditing, and software firms developed audit software packages that supported parallel simulation within computer families and against limited file and data types.