2.3 Scenario Practice for Information System Auditing Process

Key Takeaways

  • Computer-assisted audit techniques (CAATs) let auditors test full populations rather than samples, automating tasks such as recalculation, duplicate detection, and exception extraction.
  • Generalized audit software (GAS), test data, integrated test facility (ITF), and embedded audit modules are core CAAT and continuous-audit tools.
  • Continuous auditing produces near-real-time assurance and is most valuable in high-volume, automated, paperless environments where periodic sampling would be too slow.
  • When an auditor finds a material irregularity or possible illegal act, the correct first step is usually to report it to the appropriate level of management or the audit committee — not to investigate alone or ignore it.
  • In scenario items, choose the response that preserves independence, addresses the highest risk first, and follows the defined audit and escalation process.
Last updated: June 2026

CAATs and Audit Data Analytics

Computer-assisted audit techniques (CAATs) are software tools that let auditors examine large or complex datasets that manual review cannot cover. Their biggest advantage: the auditor can test the entire population (100%) instead of relying on a sample, which eliminates sampling risk for that test (non-sampling risk, such as a badly designed query or an incomplete extract, remains). Common CAATs include:

Tool                               What it does                                                  Typical use
Generalized audit software (GAS)   Reads and analyzes production data                            Recalculation, duplicate/gap detection, aging, exception reports
Test data                          Feeds known inputs with known expected outputs through an application   Verifies edit/validation logic produces the expected output
Integrated test facility (ITF)     Processes dummy test entries (a fictitious entity) alongside live data   Tests a live application without disturbing real records; test entries must be reversed or removed afterwards
Embedded audit module / SCARF      Code inside the application captures transactions that meet audit criteria into a systems control audit review file   Continuous monitoring of high-risk activity

With audit data analytics, the auditor must first confirm the integrity and completeness of the source data by reconciling the extract to the source system (record counts, control totals, hash totals); analytics on unreliable data produce unreliable conclusions. Documenting how the data was extracted and how it was reconciled is essential.
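As an added example (not code from the page or from any audit software product), here is a small Python script that performs the GAS-style tests from the table on a constructed payroll extract: it first reconciles the extract to the source system's control totals and produces no findings until that reconciliation passes, then runs duplicate detection, sequence-gap detection and recalculation over the full population. The extract, the control totals and the duplicate criterion (same employee, period and net amount) are assumptions constructed for the example.

```python
"""GAS-style audit analytics over a constructed payroll extract.

Added example, not part of the original page. The extract, the source
system's control totals and the test criteria are constructed here so the
script runs offline.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed payroll extract, as pulled from a hypothetical payroll system.
# Seeded exceptions: 1003 duplicates 1001, 1004 is missing, 1006 has a wrong net.
EXTRACT = [
    {"payment_no": 1001, "employee_id": "E100", "period": "2024-03",
     "gross": Decimal("5000.00"), "deductions": Decimal("1200.00"), "net": Decimal("3800.00")},
    {"payment_no": 1002, "employee_id": "E101", "period": "2024-03",
     "gross": Decimal("4200.00"), "deductions": Decimal("900.00"), "net": Decimal("3300.00")},
    {"payment_no": 1003, "employee_id": "E100", "period": "2024-03",
     "gross": Decimal("5000.00"), "deductions": Decimal("1200.00"), "net": Decimal("3800.00")},
    {"payment_no": 1005, "employee_id": "E102", "period": "2024-03",
     "gross": Decimal("3900.00"), "deductions": Decimal("900.00"), "net": Decimal("3000.00")},
    {"payment_no": 1006, "employee_id": "E103", "period": "2024-03",
     "gross": Decimal("6100.00"), "deductions": Decimal("1500.00"), "net": Decimal("4700.00")},
]

# Constructed control totals reported by the source system for the same period.
SOURCE_CONTROL_TOTALS = {"record_count": 5, "net_total": Decimal("18600.00")}


def reconcile(extract, control_totals):
    """Compare the extract to the source's control totals. An empty dict means reconciled."""
    differences = {}
    count = len(extract)
    if count != control_totals["record_count"]:
        differences["record_count"] = (control_totals["record_count"], count)
    net_total = sum((row["net"] for row in extract), Decimal("0"))
    if net_total != control_totals["net_total"]:
        differences["net_total"] = (control_totals["net_total"], net_total)
    return differences


def find_duplicates(extract):
    """Group payments with the same employee, period and net amount (possible double payment)."""
    groups = defaultdict(list)
    for row in extract:
        groups[(row["employee_id"], row["period"], row["net"])].append(row["payment_no"])
    return [sorted(nos) for nos in groups.values() if len(nos) > 1]


def find_gaps(extract):
    """Report missing numbers in what should be an unbroken payment-number sequence."""
    numbers = sorted(row["payment_no"] for row in extract)
    if not numbers:
        return []
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]


def recalculate(extract):
    """Independently recompute net = gross - deductions and report rows that disagree."""
    return [row["payment_no"] for row in extract
            if row["gross"] - row["deductions"] != row["net"]]


def run_audit(extract, control_totals):
    """Gate the analytics on reconciliation: an unreconciled extract yields no findings at all."""
    differences = reconcile(extract, control_totals)
    if differences:
        return {"reconciled": False, "differences": differences}
    return {
        "reconciled": True,
        "duplicates": find_duplicates(extract),
        "gaps": find_gaps(extract),
        "recalc_exceptions": recalculate(extract),
    }


if __name__ == "__main__":
    print(run_audit(EXTRACT, SOURCE_CONTROL_TOTALS))
    # A truncated extract is rejected before any test runs.
    print(run_audit(EXTRACT[:4], SOURCE_CONTROL_TOTALS))
```

The gate in run_audit is the practical form of the point above: duplicate or gap "findings" from a truncated extract are not findings, because the population was never established. Commercial GAS tools apply the same three tests to millions of rows with built-in commands; the logic does not change, only the scale.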

Continuous Auditing vs. Continuous Monitoring

A subtle but tested distinction:

  • Continuous auditing is performed by the auditor; it uses technology (GAS, embedded modules, scripts) to produce assurance on a near-real-time basis.
  • Continuous monitoring is a management responsibility, part of normal operations and control.

Continuous auditing delivers the greatest value in high-volume, highly automated, paperless environments — for example, large transaction-processing systems where a quarterly sample would catch problems far too late. It shortens the time between an exception occurring and its detection. The exam may ask which environment justifies continuous auditing; the answer favors complex, real-time, high-risk systems, not low-volume manual ones.
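The following added example (not from the page or any real payment system) shows what an embedded audit module looks like in code: a constructed payment-posting routine runs the auditor's rules on every transaction in-line and copies any transaction that matches to a separate audit file, the systems control audit review file (SCARF), without changing normal processing. The ledger class, the three rules and their thresholds, and the sample payments are all assumptions of the example.

```python
"""Embedded audit module (SCARF-style) inside a constructed payment-posting routine.

Added example, not part of the original page. The ledger, the audit rules,
their thresholds and the sample payments are constructed here.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal


@dataclass(frozen=True)
class Payment:
    txn_id: str
    vendor: str
    amount: Decimal
    submitted_by: str
    approved_by: str
    posted_at: datetime  # timezone-aware


# Audit criteria chosen by the auditor (constructed thresholds), evaluated on every payment.
LARGE_PAYMENT = Decimal("10000.00")
AUDIT_RULES = {
    "large_payment": lambda p: p.amount >= LARGE_PAYMENT,
    "self_approved": lambda p: p.submitted_by == p.approved_by,
    "outside_business_hours": lambda p: p.posted_at.weekday() >= 5 or not 8 <= p.posted_at.hour < 18,
}


class PaymentLedger:
    """Application side: posts payments. The audit hook runs in-line but only copies, never blocks."""

    def __init__(self):
        self.posted = []
        self.audit_file = []  # the SCARF: append-only from the application's point of view

    def post(self, payment):
        self.posted.append(payment)  # normal processing, unchanged by the audit module
        self._embedded_audit_module(payment)
        return payment.txn_id

    def _embedded_audit_module(self, payment):
        """Evaluate every rule; a payment matching any rule is copied to the audit file."""
        hits = [name for name, rule in AUDIT_RULES.items() if rule(payment)]
        if hits:
            self.audit_file.append({
                "txn_id": payment.txn_id,
                "flags": hits,
                "amount": payment.amount,
                "posted_at": payment.posted_at.isoformat(),
            })


def load_sample_ledger():
    """Post four constructed payments; two of them should land in the audit file."""
    utc = timezone.utc
    ledger = PaymentLedger()
    for p in [
        Payment("T1", "ACME", Decimal("2500.00"), "alice", "bob", datetime(2024, 3, 12, 10, 15, tzinfo=utc)),
        Payment("T2", "ACME", Decimal("12000.00"), "alice", "alice", datetime(2024, 3, 12, 11, 0, tzinfo=utc)),
        Payment("T3", "Globex", Decimal("800.00"), "carol", "bob", datetime(2024, 3, 16, 9, 30, tzinfo=utc)),
        Payment("T4", "Globex", Decimal("4000.00"), "carol", "dave", datetime(2024, 3, 13, 14, 45, tzinfo=utc)),
    ]:
        ledger.post(p)
    return ledger


if __name__ == "__main__":
    for entry in load_sample_ledger().audit_file:
        print(entry)
```

Two points the code makes concrete. The module observes and records but does not block, so it is an audit tool rather than a preventive control. And the audit file is only worth anything if the auditor, not the application owner, controls its retention and integrity; if management can edit the rules or prune the file, the output is management's continuous monitoring, not the auditor's continuous auditing.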

Reacting to Findings and Irregularities

Scenario items frequently test judgment under pressure:

  • Suspected fraud or illegal act: the auditor's responsibility is to report it promptly to the appropriate level of management or the audit committee, preserving evidence — not to confront the suspect, launch a solo investigation, or stay silent. If senior management is implicated, escalate to the audit committee/board.
  • Scope limitation or denied access: document it and discuss with management; a scope restriction may need to be disclosed in the report and could prevent the auditor from expressing an opinion on the affected area.
  • Auditee disputes a finding: keep the finding if evidence supports it; record management's response, but do not delete a supported finding to avoid conflict.
  • A control gap is found mid-fieldwork: assess and report it through the process — the auditor advises but does not fix the control, which would impair independence.

The through-line: protect independence, address the highest risk first, and follow the defined audit and escalation process.

Working a Scenario Step by Step

Most Domain 1 scenarios can be solved with a short decision routine. Read the stem and ask, in order:

  1. What is being asked — first step, best response, or greatest risk? The verb changes the answer. "What should the auditor do FIRST?" rewards the earliest correct action; "BEST" rewards the most complete, risk-based choice.
  2. Does any option impair independence? Eliminate answers where the auditor designs, operates, or fixes a control. Auditors recommend; they do not remediate.
  3. Which option addresses the highest risk or follows the defined process? Prefer reporting through the proper channel, gathering more evidence, or focusing on the riskiest area over dramatic, unilateral action.
  4. Is there enough evidence to support a conclusion yet? If not, the best answer is usually to gather sufficient, appropriate evidence — not to opine.

Worked example: an auditor running data analytics finds the extracted dataset does not reconcile to the source system's record count. The correct first move is not to analyze anyway or report a finding — it is to resolve the data-integrity gap (re-extract, reconcile, confirm completeness) before drawing any conclusion, because analytics on incomplete data are worthless. Another example: asked which CAAT verifies an application's edit checks without touching live data, the routine points to test data (known inputs, expected outputs) rather than analyzing production records.
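As an added example for the test-data technique named in the second scenario (constructed for this page, not the code of any real payroll system), the script below feeds a test deck of known inputs through a stand-in validator and compares each result with the outcome the input specification requires. The validator, the specification ("hours 0 to 80, positive rate, employee ID of the form E###") and the seeded defect are all assumptions of the example; the point is that the expected results come from the specification, so a check the application silently omits shows up as a discrepancy.

```python
"""Test-data CAAT: known inputs through a constructed payroll edit check.

Added example, not part of the original page. The validator stands in for
the audited application and deliberately carries one defect; the test deck
and its expected results come from a hypothetical input specification.
"""
import re
from decimal import Decimal

EMPLOYEE_ID = re.compile(r"^E\d{3}$")


def validate_timesheet(record):
    """Stand-in for the application's edit checks (constructed, with a seeded defect:
    the hours check caps at 80 but never rejects negative hours)."""
    errors = []
    if not EMPLOYEE_ID.match(record.get("employee_id", "")):
        errors.append("bad_employee_id")
    hours = record.get("hours")
    if hours is None or hours > 80:
        errors.append("bad_hours")
    rate = record.get("rate")
    if rate is None or rate <= 0:
        errors.append("bad_rate")
    return "accepted" if not errors else "rejected:" + ",".join(errors)


# Constructed test deck. Expected outcomes are derived from the specification
# ("hours must be 0-80, rate positive, employee id E###"), not from the application.
TEST_DECK = [
    ({"employee_id": "E100", "hours": 40, "rate": Decimal("25.00")}, "accepted"),
    ({"employee_id": "E100", "hours": 80, "rate": Decimal("25.00")}, "accepted"),            # upper boundary
    ({"employee_id": "E100", "hours": 81, "rate": Decimal("25.00")}, "rejected:bad_hours"),  # just over
    ({"employee_id": "E100", "hours": -1, "rate": Decimal("25.00")}, "rejected:bad_hours"),  # negative hours
    ({"employee_id": "X1", "hours": 40, "rate": Decimal("25.00")}, "rejected:bad_employee_id"),
    ({"employee_id": "E100", "hours": 40, "rate": Decimal("0.00")}, "rejected:bad_rate"),
    ({"employee_id": "E100", "hours": 40}, "rejected:bad_rate"),                              # missing field
]


def run_test_deck(validate, deck):
    """Return one discrepancy per case whose actual output differs from the expected output."""
    discrepancies = []
    for record, expected in deck:
        actual = validate(record)
        if actual != expected:
            discrepancies.append({"input": record, "expected": expected, "actual": actual})
    return discrepancies


if __name__ == "__main__":
    for d in run_test_deck(validate_timesheet, TEST_DECK):
        print(d)
```

The deck deliberately includes boundary values (80 and 81) and a case the specification forbids but the code never tests (negative hours); that case is the one the run reports. In practice the deck is run in a test environment or against a copy, which is what "without touching live data" means in the scenario; an ITF would instead post the deck against a dummy entity in production and reverse or remove the entries afterwards.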

Practicing this routine turns ambiguous scenarios into mechanical eliminations.

A few more scenario reflexes are worth drilling. When a stem says management has already remediated an issue during fieldwork, the auditor still documents the original condition and verifies the fix rather than dropping the finding. When access or evidence is denied, the auditor treats it as a scope limitation, escalates it, and may be unable to express an opinion on that area. When a powerful auditee pressures the auditor to soften wording, the response is to keep the evidence-supported finding and record the disagreement.

And when asked whether to rely on a third party's SOC report, the auditor confirms the report's scope, period, and the relevance of its controls to the audited process before placing reliance on it; a Type 1 report covers only the design of controls at a point in time, so operating effectiveness over the audit period needs a Type 2 report, and any complementary user entity controls the report assumes must actually be in place at the auditee. Each of these reflexes traces back to the same principles: independence, sufficient evidence, and risk-based judgment. The single most common scenario mistake is choosing the action that feels proactive or decisive (fixing the control, confronting the suspect, reporting on a hunch) over the action that is correct for an independent assurance provider.

Slow down, identify which phase of the engagement the stem sits in, and let the principles, not the urgency, drive the choice.

Test Your Knowledge

  1. An IS auditor wants to test 100% of a year's payroll transactions for duplicate payments. Which approach is MOST appropriate?

  2. During fieldwork, an IS auditor uncovers evidence strongly suggesting a senior manager authorized fraudulent vendor payments. What should the auditor do FIRST?

  3. In which environment does continuous auditing provide the GREATEST value?

  4. An IS auditor's data extract for an analytics test does not reconcile to the source system's transaction count. What should the auditor do BEFORE drawing any conclusion?