How to select a CAAT
CAAT stands for Computer Assisted Audit Techniques
A common topic of discussion among IS Auditors is "which one is best: CAATs or the manual method of IS Audit?". Sometimes the manual method is not enough to produce effective and efficient IS Audit results. On the other hand, in many instances the use of CAATs gives less efficient results than the corresponding manual IS Audit methods.
It is always recommended to use a mix of CAATs and manual methods for optimal results.
"What should be the criteria to select CAATs?" is another question many IS Auditors ask.
Following are some of the important points an organization should consider before selecting CAATs.
1. End User of CAAT
The end users of the CAAT (the IS Auditors) should be able to handle almost all operational and related aspects of the CAAT.
2. Cost Benefit Analysis
A cost-benefit analysis against the corresponding manual process should be carried out. The cost of a control should never be much more than the loss due to the risks it addresses.
3. System Impact Analysis
This is particularly relevant for a CAAT that is integrated with the main system. Use of the CAAT should never degrade system performance beyond a certain limit.
4. Compatibility of CAAT
The CAAT should ideally be compatible with all hardware, software and available infrastructure.
5. Efficiency, Accuracy & Speed of Results
This is the most important aspect of CAAT selection. CAATs that produce efficient, accurate and speedy results are generally preferred.
6. Support from the CAAT Vendor
This is an equally important criterion for CAAT selection.
7. Limitations and Inherent Risks within the CAAT
These should be confirmed and evaluated at the time of decision making for CAAT selection.
8. Security of Data Processed by the CAAT
An important criterion, which should be evaluated by the Information Security Administrator.
9. Validity Tests
Results of the CAATs should be validated against the corresponding processes. A wide variety of test and live data should be evaluated.
Be careful while analyzing test CAAT data in a live environment for validity of CAAT results. Make the necessary arrangements to separate test data in the live environment.
10. Regulatory and Legal Requirements (if any)
Do consider regulatory and legal requirements wherever applicable.