Back

CHINA

Preventing Audit Risks in an IT Audit Environment

The computer is one of the greatest achievements of scientific and technological development in the 20th century, which aroused unprecedented changes in all industries and greatly promoted human civilization by heaps and bounds. However, compared with increasing application of computers in accounting operation and rapid spread of internet technology, research and development on IT audit are relatively lagged behind. As a result, new audit risks are brought about to auditors under IT environment. 

Audit Risks in IT Environment

• Visible audit clues may disappear naturally. In a manual accounting system, every step in accounting circle is verified by paper recording and concerned signatures. leaving visible and clear audit clues. In an IT environment however, paper information is altered into magnetic codes through the introduction of computers, modern communication and network technology. Traditional audit evidence no longer exists without visible audit clues.
• Electronic accounting data are liable to be misused, distorted or lost. In manual accounting system, paper information can be easily identified and sourced. However, as the storage medium is changed in IT environment, electronic data can be destroyed or amended easily and secretly, once the firewall of computer network is broken through.
• The lack of original journals. In IT environment, traditional entry journals are no longer in existence, neither is original evidence in some computer systems.
• The great variety of accounting software and security protocols make auditing even more difficult.
• Risks on internal controls. In manual accounting, internal control stressed staff controlling. Having an employee responsibility system established, responsibility for staffs are clearly defined so that their performance can be judged directly. While in IT environment, internal controls consist of both staff and computer management, with the latter drawing great attention in most circumstance. Furthermore, control difficulty is intensified when computers are vulnerable to attacks by hackers and virus. 
• Abnormal accounting errors become possible when faults in network conveyance and data storage incomplete software function exist.
• Risks in audit process. During audit process, version updating of accounting software increased the difficulty of collecting historic information. Material substantial test on accounts and transaction is usually carried out on the basis of genuine data provided by audited entities. But the updating of accounting software and changes of platform make it difficult to find historic data from the past accounts. Auditors have to collect and sort historic data from hundreds of files, which not only hold up audit efficiency but also bring about more audit risks.

Prevention of Audit Risks in IT Environment

Risks can only be prevented after they are fully recognized. As known, knowledge-economic time is also a time full of high risks. Risks exist in all economic activities. As above-mentioned audit risks are such a fact, necessary preventive methods must be adopted to estimate and control risks effectively.

• Reforming Audit Techniques And Methodology. 
  
  The progress of knowledge-economy brought great changes to audit objectives, subjects, methodology, techniques, practice, audit standards, assessment criteria and audit theories. Audit objectives evolved from simple disclosure of accounting errors to multi-purposes of disclosing errors as well as analyzing reasons and outcomes. Site audit will gradually be taken place by remote audit. In the future, audit on database will play an important role in the whole audit process, which means, auditors will spend more time on collecting, keeping and safeguarding data information. 
  
  In a knowledge-economy, the trend will be that manual auditing is replaced by computerized audit. While the rapid development of network and e-commerce make simultaneous transaction and business decision possible, auditors have to face new challenges associated with these technical changes. On the one hand, as paperless trading was increasingly put into practice, caused by development of e-commerce, auditors have to improve auditing based on electronic data. On the other hand, the so-called virtual accounting entity came into being when Internet corporations, Internet banking and visual community become booming on the network. Therefore, it is another big task for auditors to auditing those virtual accounting entities. 
  
  In one word, risks in IT environment can only be curbed when auditors fully make use of modern IT and network techniques, adopt new audit programs and reform their auditing methodology.
  
  
• Improving Preliminary and Follow-up Audit On IT System
  
  In order to effectively carry out preliminary and follow-up IT audit, the concerned entity should clarify audit scope in its e-accounting framework, while auditors shall take a part in the process from designing, assessing till IT system evaluating. Since visible audit clues are not found in computerized environment, special data interface should be installed to automatically record related information so as to provide testing data and criteria for auditors. During the audit process, audit team has the rights to review all files and data and to carry out test and evaluation on audited IT system. The key issue of preliminary and follow-up audit is to ensure the compliance, security, availability and maintenance of the audited information system. In the process of auditing, great attention should be drawn on the facts whether the key programs of the system can properly fulfill the estimated functions; whether the internal control system is intact; whether the development of programs strictly followed the concerned rules, etc. Similarly, a test should be carried out on the fault-tolerant capacity of illegal data and system’ anti-interruption and restoration capacity. In the system evaluation process, the key part is to evaluate the availability of the information system in fulfilling the design and developing objectives. If it isn’t satisfactorily available, the audit team has the right to announce their disapproval of the whole system.
  
  
• Establishing A Unified Audit Data Channel 
  
  Since there is a great variety of accounting software with different working programs, data-outputting models and developing languages, it is of necessity for the concerned entities to clarify the regulations and set up a standardized format on data outputting among different accounting packages. By doing so, it make possible that audit software can work harmoniously with audited accounting packages. Having the needed information collected according to specific audit purposes and goals, the harmony between audit data outputted by interface files and accounting package can then be achieved. 
  
  
• Strengthening Audit On Internal Controls and Urging Audited Entities To Establish and Improve the Internal Control System in IT Environment 
  
  Since modern auditing is internationally accepted as system based, reviews and assessment of internal control system is playing decisive role when making audit plans and simple tests. The development of IT technique and e-accounting has dramatically changed the traditional accounting system and internal controls system. These changes, along with the introduction of Just-In-time audit, will make internal controls even more complicated and bring about new audit risks. Therefore, auditors have to urge audited entities establish and improve internal control system, set up more sophisticated audit policy and adopt more advanced auditing methodology on internal control system test.
  
  All the possible causes that lead to IT system damages fall into two catalogues: environmental and data processing reasons. Therefore, the system risks can be reduced by various ways such as setting up authorization passwords, eliminating abnormal data errors and smoothing network conveyance. To be more specific, solutions includes decentralization of responsibility, setting up operation authorization passwords, preventing the control failure of system, improving network efficiency and effectiveness, eliminating abnormal errors, establishing net communication between corporations and banks, and controlling the disharmony among data, etc.
  
  In summary, when reviewing e-accounting system, auditors should scrutinize internal controls system and carry out substantial test on whether the concerned control and management system can play their roles effectively, which in turn provide the basis for assurance assessment.
  
  
• Enhancing The Training Of Auditors 
  
  With the aim to get more knowledgeable and proficient auditors, the existing educational and training framework must be reformed to meet the needs of tech-economy. New ideas and training pedagogy should be introduced and modern IT technique adopted to train the first-class modern auditors.
  
• Speeding Up The Development Of Software 
   

  The audit work can be improved with the assistance of special audit software.

  From all above, we can see that the rapid development of IT technique has brought about not only benefits, but also new audit risks. Therefore, new solutions must be adopted to encounter the challenges so as to improve audit quality and strengthen the influence of auditing work in economic development. 

Priorities and Approaches of Audit over Government Procurement in China

The establishment of government procurement system will bring about open and transparent government procurement activities, which are conducive to strengthening the management of budgets and fiscal expenditure, saving budgetary funds, and improving the performance of budget implementation.

Priorities of audit on government procurement activities.

According to Article 2 and 16 of “the Audit Law of China” and Article 3, 5, 6, 14 and 16 of “Audit Law Implementation Rules”, State Audit institutions shall conduct audit over budget expenditure and its truthfulness, compliance and performance. For the purpose of this, auditors of state audit institutions should put their focus on the following three aspects when conducting audit over government procurement activities:

I.    Examining whether the relevant procurement managing institutions carry out their duty of management and supervision 

Procurement managing offices of finance departments at various levels are responsible for the management of government procurement activities, exercising its power of management and supervision over relevant government procurement activities subject to corresponding levels. Whether the office carries out its duty according to law plays a crucial role in ensuring the truthfulness, compliance and performance of budget expenditure. In auditing procurement-managing office, auditors shall pay their attention to its following responsibilities 

Whether it, in accordance with the government’s budget and purchasing plan, has examined the purchasing list submitted by the purchasing sectors.

Whether it, according to certain regulations, has examined the relevant biding documents submitted by the purchasing sectors, such as contract draft, etc.

Whether it, according to certain regulations, has examined the changes of procurement contracts, and dealt with the problem of contract breaking by suppliers.

Whether it, according to certain regulations, has examined the funds application form and its relevant documents submitted by the purchasing sectors, and kept a sharp eye on the allocation of government procurement funds.

Whether it, according to certain regulations, has examined the qualifications of suppliers in government purchasing markets at various levels, and the qualifications of social agencies.

Whether it, according to certain regulations, has responded to the complaints occurred from government procurement activities.

Whether it has been involved in the specific business activity of government procurement.

In a certain sense, government procurement managing office at various levels is one of the supervising institutions of government procurement of corresponding levels. Consequently, it is a re-supervision into government procurement for the State Audit institutions through auditing the performance of government purchasing management office in carrying out their responsibilities.

Examining the compliance of government procurement procedures

Procurement institutions are the executive bodies of government procurement, responsible for the specific organization of various government procurement activities. As a result, whether procurement institutions conducting procurement in accordance with the law, administrative rules and regulations is the main concern in supervising the government procurement activities by the auditors of audit institutions. As to the examination of purchasing institutions, the focus is as follows:

whether the purchasing ways are determined according to certain regulations.

whether the tender documents are prepared according to certain regulations.

whether the bid notices and invitations for bid are issued according to certain regulations.

whether the tender is accepted according to requirements.

whether the evaluation and determination of a bid is organized as required.

whether the notice for bid-winning is released as required.

whether the procurement contract with the bid winner is signed as required.

whether it, according to certain rules, supervises the supplier in its carrying out the contract, and reports to the government procurement office about the contract’s modification, termination and dissolution in time.

whether it, according to certain regulations, checks the government procurement contract, and puts forward the application about the means of payment.

Evaluating the performance of government procurement activities 

Accomplishing good performance of government procurement activity is the main target to establish government procurement system. While supervising the government procurement activities, the auditors should meanwhile be objective and fair in evaluating its performance. On the basis of ensuring quality of goods and services purchased, “how much money saved” in expenditure is an important quota in evaluating the performance of government procurement activities.

How do State Audit Institutions conduct effective supervision into government purchasing activities?

In order to exercise effective supervision into government procurement activities, the key point for the State Audit Institutions is to obtain objective, relevant and sufficient audit data. Government procurement activities are relatively open and transparent and purchasing institutions should keep all the written papers and documents related to purchasing. For example, the minutes of the meeting for determining the means of purchasing, the bidding papers concerning all the tenders, the records of bid-evaluating committee etc. In auditing government procurement activities, the auditors can request the auditees to submit all the written documents related to certain procurement activities.

State Audit institutions can evaluate the compliance of government procurement procedures by careful examination and comparison, which is in accordance with the related laws, administrative rules and regulations, of all the written documents concerning government procurement activities.

According to “Audit standards of audit institutions”, obtaining the market price of goods and services of the same kind and comparing the offers of various bidders will help to evaluate the performance of certain procurement activity while ensuring the quality of goods and services purchased.

Related background information: 

CNAO strengthens its efforts in auditing government procurements

Many countries practice the system of government procurement. Following the government restructuring and economic reform, China started to practice government procurement in 1996 on a trail basis and soon spread the practice to much wider areas and departments. The generally accepted practice is that government procurement accounts for 30% of government revenues or 10% of a nation’s GDP. Statistics show that the Chinese government spent 13 billion RMB (approximately US$158 million) in government procurement in 1999 and in 2000 it jumped to 32.8 billion RMB. In 2001, government procurement expenditure in China reached 60 billion RMB and the rate of increase is expected to speed up in the coming years. In pushing forward with government procurement practice, some problems should not be ignored such as lacking of a sound procurement management system and inadequate procurement regulations and standards. Meanwhile, China falls far behind in forming a government procurement budget plan system though government procurement has been in practice for some years. Some serious frauds have been detected as a result of this incompatibility.

The Audit Law of the People’s Republic of China stipulates that audit institutions shall supervise through auditing the truthfulness, legality and effectiveness of government funds. Government procurement, as a financial activity of government departments and an important part of government budget expenditures should be audited effectively. In 2000 and 2001, the Ministry of Supervision together with the Ministry of Finance and the National Audit Office of China issued a document on further standardizing government procurement practices, requiring audit institutions to strengthen audit of government procurement expenditures by taking effective measures.

The National Audit Office has published a Programme on Government Procurement Auditing, stipulating clearly the objectives, scope, priorities and contents of such audits. According to this programme, these areas should be covered by auditors in auditing government procurement activities:

• operation of the management system of government procurement;
• preparation of government procurement budgets and plans; and
• disbursement and management of procurement funds.

At the mean time, CNAO is also to carry out researches to understand the situation of government procurement over the following issues:

• operational system of the government procurement center;
• scale of centralized procurement;
• implementation of procurement plan and disbursement of procurement funds;
• management and operation of procurement projects;
• value for money of government procurement projects;
• any industry and local protectionism existed in government procurement process; and
• financial revenue and expenditure and management of government procurement.

It is expected that government auditors will be able to contribute to the improvement of government procurement practice and help the government realize its goal of cutting off expenditure and preventing fraud and corruption through auditing efforts. CNAO expects to help the government tackle two kinds of problems through auditing government procurement projects:

• the establishment, system, operation of the government procurement center;
• problems in the process of procurement.

Under the national audit plan of CNAO, in Zhejiang Province where a government procurement system has been in full operation, the provincial audit office has brought audit of government procurement projects under its financial audit plan as part of the annual budget implementation audit. The provincial audit office has made the following its audit priorities:

• the internal control system of the procurement center;
• the transparency and publicity of the procurement process;
• the preparation work of government departments procuring such as procurement files and statistics, contracts, supplier and consultant pool lists etc.

China is now quickly shifting its government procurement work from the initial experimental stage to the fully adoption stage with a comprehensive government procurement framework formed. With huge amount of public funds involved, supervision through auditing has become more necessary than ever. To ensure effective supervision through auditing, the CNAO has made a development plan to carry out government procurement audit including:

• to carry out systematic and complete audit over a number of selected key departments on the basis of overall auditing in combination of general surveys;
• to introduce value for money audit and management audit in the process of procurement audit;
• to closely link procurement audit with departmental budget implementation audit and audit investigations;
• to intensify comprehensive analysis and improve audit quality;
• to strengthen auditing and upgrade auditors professional knowledge of government procurement laws/regulations;
• to better play CNAO’s role in providing guidance to local audit institutions in performing relevant audits and investigations.

Three principles of audit hearing: Publicity, Impartiality and Equity

Commensurate with the principle of fair and square, China has established the system of hearing as one of the most important countermeasures in meting out administrative penalties. Accordingly, the system of audit hearing has been set up as the dispensable part of audit procedure in legal sense. A well-organized audit hearing will be of great significance in safeguarding the legitimate interests of the general public, legal person and other relevant institutions, easing the moods of interested parties and the audit institutions when disputed opinions concerned and promoting administration according to law by the government. Three principles should be adhered to in performing audit hearing, namely, “publicity, impartiality and equity”. 

Building the Precondition for a public hearing

Art. 9 of Stipulation on audit hearing organized by audit institutions of China read that “Except the case when state, business and individual secrets are concerned, audit hearing should be public.” The “public” mentioned here has two-fold meanings. First, audit institutions should use the bulletin board set up near the office to disclose the information on audit hearing including the time, venue and case concerned in advance. As situation permits, all citizens with the ID card should be allowed in the sittings of audit hearing once he or she has got the approval of the presiding person of audit hearing. Second, audit hearing could be open even to the mass media. With the approval of audit institutions, news report in newspaper, TV or radio covering the case discussed in audit hearing is also possible.

Building the core of opinion-seeking for an equitable audit hearing 

According to the procedure of audit hearing, in performing actions which might lead to incompatibility or impossibility of the interested parties to exercise their rights, audit institutions are obliged to let the interested parties well express themselves and justify for themselves. Thus, opinion-seeking, a core factor of well-established equitable audit hearing, should be used to curb various misbehaviors in administration and misuse of power or function as the channel of interaction and mutual-understanding. Administrative decisions and penalties delivered by audit institutions could be carried out with more acceptability and less resistance among the interested parties, paving the way for the improvement of administration performance. The participation of relevant parities from the news agencies, local congress and local government in audit hearing should be recommended so as to attract more attention as well as appreciation and support from the management and all walks of life for audit law-enforcing.

Giving the prominence to the presiding person of audit hearing

The presiding person is the leading actor of an audit hearing. In light with Stipulation on audit hearing organized by audit institutions and in the sense of separation of internal duties, anyone who has been a member of the audit team should not be the presiding person of audit hearing concerning the same case. In practice, most of the presiding persons are generally nominated from the law department of audit institutions. Actually, various issues concerning the presiding person of audit hearing should also follow the three principles of publicity, impartiality and equity.

The three principles are first embodied in the selection of the presiding person. From the current situation, staff in law departments of audit institutions is not only the organizer of audit hearing, but also the examiner of the quality of audit assignments and reviewer of various audit documents such as audit opinion, audit decision, letter of audit recommendations, letter of case transfer and attached audit report. Due to the common fact that most law departments are understaffed, the presiding person of audit hearing could possibly be a reviewer of the same case and as a result well-informed of the sanctions and penalties meted out. As the saying goes, “First impressions are the strongest,” a subjective notion might come to the presiding person and unintentionally he or she could become blind and deaf to the new information and new disputed points of view disclosed in the course of audit hearing. Though the presiding person might try to keep an unbiased view in performing the duty mentally and in practice, it is still hard to imagine the interested parties could be convinced by this kind of “impartiality”. It is therefore argued that we should stick to the principle that the persons who have participated in the review and discussion of sanctions and penalties shall not be nominated for the role of presiding person of audit hearing for the same case. Besides, publicity transparency should be enhanced to let the public convinced of the resolution and ability of auditors to enforce audit law in an objective and fair manner.

Second, the way of presiding audit hearing should also be compatible to the three principles. Whether audit hearing could hit the targets and realize desired social effects, depends on whether the presiding person could develop a proper way of presiding audit hearing. This has been presupposed in those sophisticated cases. As a special procedure, hearing always involves two contradictory roles. The interested parties are the passive receiver subject to administration while the auditor plays the role of active administrator. This unbalanced precondition emphasizes the necessity of audit institutions to keep two of them in an equal legal status. Therefore, the presiding person should fulfill his or her role in light of the three principles “publicity, impartiality and equity” and make a vigorous performance on the basis of equal and fair. In some cases, the presiding person of audit hearing has wrongly played the role of prosecutor, cultivating the feelings of distrust and antipathy among the interested parties. Under such circumstances, the authentic cross-examination between the two sides is out of the question and audit hearing could only be summarized as a total failure.

Making minutes of audit hearing might also have a bearing on whether the presiding person could issue an equitable judgment and we need to concentrate on this point. As the Stipulation on audit hearing organized by audit institutions of CNAO requires, once audit hearing comes to a close, the presiding person should submit to the competent management of audit institution, audit hearing report as well as minutes of audit hearing and case files. The competent management of audit institution should take audit hearing report into consideration when mating out audit sanctions and penalties. Though minutes of audit hearing and audit hearing report are not the sole foundation for the audit sanctions and penalties, the new facts disclosed during the course of audit hearing, or the objection against the originally proposed sanctions and penalties, as the case might be, should be incorporated into audit hearing report for the reference of decision-maker. During the whole process, we should be willing to witness the compliance with the obligations by the presiding person of audit hearing to make full exposure of mistakes uncovered, especially the change of sanctions and penalties when necessary.

The role of audit hearing in promoting publicity of audit findings could not be ignored and to some extent, words and behaviors of the presiding person could be decisive. 

Auditing in IT Environment

Information technology (IT) is widely applied in today's world, computers have been used in a wide range of fields, and thereby imposing a far-reaching impact on auditing today. Different phases of IT development have different impact on auditing. Initially, the major impact of Information Technology resulted from the computerized accounting of the audited entities. In that case, forms of information media changed from paper to magnetic one. The challenge facing auditors was that they felt it hard to read related material, reconcile the computation in the process and get evidence. Up to now information technology has been applied in all kinds of fields in economic organizations, including implementation of obligations, control on economic activities, management of human resources, record of accounting information and even decision-making. Under such circumstances, auditors have to meet overall challenges. In order to adapt to the changes in auditing environment, it is a must to take reforms on auditing methodology by applying some special techniques. The impact brought by IT Development and the technical methods used to adjust to the impact are as below:

Influence of IT Development on Auditing and Features of Auditing Techniques

According to Basic Principles of Government Auditing of the National Audit Office of China (CNAO), "When auditing under IT system, auditors are not supposed to change auditing objectives or auditing scopes set by auditing programs." In order to fulfill the auditing objectives and finish all auditing activities within the scope of auditing programs in IT Environment, auditors are supposed to analyze the impact on auditing caused by IT and adopt some new auditing methodology. The impact on auditing resulting from IT Development and the techniques and methodologies taken to adjust to the above-mentioned IT Development is as below:

a)    The change of the auditees

In IT Environment, economic activities of the auditees are carried out through computer operation. For instance, reception of customers' orders, investigation on customers' credit filings, and automatic request on the reception of accounts. Meanwhile, people are recording economic activities by computer instead of by hand, and then making records on electronic files instead of on papers. Therefore these changes make auditors unable to read, examine and observe the audited materials provided by the audited entities in the traditional way. Instead, they're expected to attain auditing objectives by control over computer processing and processing results. In that case, auditors examine the design and development of Computer System, check the reliability of computer processing procedures, verify and authenticate the output and input of the computers.

b)    Changes of Types of Wrongdoings and Frauds

Under such circumstances, forms of wrongdoings and frauds show various characteristics. Examples are as below:

1. permitting people to deal with economic and accounting affairs anonymously;
2. allowing modification of accounting data without authorization or modification of accounting data without documentation of the modification;
3. allowing repeated input, output and process of data, having systems likely to be visited and attacked by unauthorized visitors;
4. hiding or carrying out some invisible operations;
5. allocating data through allocated system.

These new ways of wrongdoings and frauds demand auditors take various checking measures in auditing.

c)    Changes of Auditing Evidence

Auditing evidences collected by auditors in IT Environment have various forms due to the changes of the audited entities. Traditionally, auditing evidences are in written form, while auditing evidences today are mainly electronic files. At the same time, environment proofs become important evidence to the reliability of the system of the auditees, expert certification is an important source of evidence, and the auditors' personal observations become a kind of important evidence too.

d) Changes of Working papers

Obviously, the collection of electronic evidence, the testing of electronic computation system of the audited, the auditing activities through electronic computation system, the electronic records of these activities and testimonial materials got in auditing activities all accelerate the emergence of electronic working papers. That's to say, auditing working papers turn from paper auditing working papers to electronic auditing working papers.

Internal control and self-assessment on internal control 

With the development of information technology, it is a must to evaluate internal control in auditing. It's still an important step in auditing to evaluate the internal control of the audited entity. Assessment on internal control in IT Environment falls into three categories:

A.    Testing and evaluation of the electric computation system of the audited entity

To assess internal control of the audited entity, auditors should, first of all, get to know the general situation of electric computation. By doing so auditors aim to make clear and collect the essential knowledge about the hardware and software of the audited entity, including the size, type and technical complexity of computer system. Afterwards auditors can decide to adopt what kind of auditing ways and methodologies. Meanwhile, they will decide if some IT experts are needed.

Testing controls of electric computation include: scale of electric computation industry of the audited entity; the complexity of IT software and network techniques; history of electric computation system; sensitive aspects of computer system and their dealings; the development of the system and the management of the computer system.

B.    Assessment and evaluation on electric computation system control

IT control consists of environment control and application control. Since the existence of the shortcomings in electric computation system's environment control weakens the effectiveness of control within each financial application system, auditors need to make special evaluation of its environment control. This kind of control aims to identify the degree of control, weak points and 
risk in electric computation system's environment control. The risks in the environment control of electric computation system are likely to reduce the effectiveness of the control in the application procedure, therefore they belong to inherent risks within the audited entities.

The major contents of environment control testing are the testing and evaluation of the control measures in computer department, system software and hardware. These measures include the segregation of duties, physical access control, logical access control, operation control, management control on system's transfer, disaster recovery program control, application control of outside IT providers and the control over the self-developed system by the audited entity.

The methodology of testing usually starts with inquiring strategic questions about the IT strategy of the audited entity. Afterwards auditors are able to check customers' IT strategy, system management, internal control and the adequacy of security strategy.

C.    Testing and evaluation of IT application control

In order to examine control measures, internal control and auditing risk within each industry and financial application process, auditors make testing and evaluation of the audited entity. Through testing and evaluation of the concrete measures of application system auditors decide risk level and choose appropriate auditing methodologies.

Major contents of testing and evaluation are these as below: the reliability of application system, file management, security of application system, input control, data transfer control, processing control, output control and normal data control.

Substantial testing 

Auditors must make substantial testing of related transactions and accounting surplus in the era of information technology. Methodologies of testing include:

•  scrutinizing invoices in a traditional way;
• reading and examining data in computers by means of the transfer of electric computation data;
• performing auditing by applying CAAT, which is an extremely distinct technique that assists auditors in making testing by taking advantage of computer functions and some specially designed software. 

There are two kinds of CAAT.

I.    The CAAT designed for processing 

In IT Environment, people deal with industries and accounting of the audited entities by computers, so the correctness of them are greatly dependent on the reliability of computer procedures and operation. Here auditors must test and verify the correctness of computer procedure and operation process. Main testing methods include system procedure examination, code comparisons, parallel testing, data checking and tracing back testing. 

II.    The CAAT designed for data analysis

When auditing auditors may use specially designed auditing software. Auditing software has the capacity to retrieve and read data of the audited entity directly so that it's able to complete some designated auditing tasks.

The above-mentioned designated auditing tasks are as below:

• total checking computation of related data;
• taking samples with the method developed by auditors;
• stratification of data;
• comparisons between different materials;
• taking required data out of designated account and data warehouse;
• analysis of the aging of accounting;
• detection of parity (for example, finding out the inventory whose marginal price is higher than its market price) 
• virtual output.