Computer-Assisted Audit Techniques (CAATs)

Computer-Assisted Audit Techniques (CAATs) are structured, software-driven procedures that let fraud examiners interrogate entire datasets rather than samples, uncovering anomalies that manual testing cannot reach.

Last updated: 10 Jun 2026

An auditor testing 200 purchase orders from a population of 80,000 will miss a fraud that targeted the other 79,800. That gap between what sampling can reach and what the data contains is the problem that Computer-Assisted Audit Techniques were built to close. CAATs let a fraud examiner interrogate every single transaction in a dataset, not a sample, running a battery of structured tests that a human could never complete manually, and completing them in minutes rather than weeks.

The tools have matured considerably. ACL Analytics (rebranded as Galvanize, now Diligent HighBond) and IDEA from CaseWare have been in forensic accounting use since the 1990s. Today they sit alongside SQL queries, Python notebooks, and Power Query, each capable of the same core techniques: finding duplicates, identifying gaps in sequences, stratifying by value, matching across tables, and flagging statistical outliers. The technique matters more than the tool.

This topic covers the main CAAT procedures used in fraud investigations, the logic behind each, how they are combined into a reproducible workflow, and the documentation standards that keep the results admissible. Alongside Benford analysis and network analytics, CAATs form the backbone of the data-driven forensic accounting engagement.

Key terms

CAATs: Computer-Assisted Audit Techniques: software-driven procedures applied to electronic data files that test the full population of transactions rather than a sample, covering procedures such as duplicate detection, gap testing, stratification, and join-and-match.
Stratification: The grouping of numeric values into defined ranges (strata) to reveal the distribution of a dataset. In fraud detection, large concentrations of transactions just below a threshold or in an unexpected value band are the primary flag.
Duplicate detection: A systematic search for records that share key fields (invoice number, vendor, amount, date) that should be unique, surfacing duplicate payments, double invoices, or parallel processing of the same expense.
Gap test: A test that identifies missing numbers in a document sequence (check numbers, invoice series, purchase orders) where continuity is expected; gaps often indicate documents that were destroyed or never recorded.
Sequence analysis: Verification that a numbered series progresses in expected order without skips, reversals, or unexpected repetitions. It is the positive counterpart to gap testing.
Join-and-match: A cross-table technique that links two or more data files on a common key, such as matching vendor bank account numbers against employee bank account records to detect self-dealing payroll or accounts-payable schemes.
Ratio analysis: Calculation of financial ratios across periods or business units to identify statistically unusual deviations that might indicate manipulation: cost ratios, gross margin shifts, or expense-to-revenue anomalies that exceed normal variation.

Why full-population testing matters

A fraudster who knows your sampling strategy simply avoids the sampled layer.

Statistical sampling works well in a compliance audit because errors are assumed to occur randomly. Fraud is not random. A dishonest employee who understands how invoices are checked will route their scheme through the categories and value bands that audit sampling rarely touches. Purchase orders just below the approval threshold. Vendor payments to addresses that look legitimate. Payroll entries in the same range as legitimate wages.

Full-population testing removes that refuge. When every disbursement, every journal entry, and every payroll record is tested, there is no safe harbour. The examiner does not need to know in advance which transactions are suspicious. The test finds the pattern and surfaces the outliers. Human review then concentrates on the flagged subset, which is often a small fraction of the total, instead of a random sample that may miss the fraud entirely.

Core CAAT procedures

Six techniques cover most of the territory a fraud examiner needs to explore.

The following procedures are the workhorses of the data-analytics layer of a forensic accounting engagement. They are run on the same dataset in sequence, and their outputs are combined before the examiner moves to substantive document testing.

Stratification
Group all amounts into bands (0-$500, $500-$1,000, $1,000-$5,000, and so on). A legitimate expense population should follow a roughly predictable shape. A heavy concentration just below the approval threshold is an immediate red flag for threshold-avoidance, as is a spike in an unusual value band that does not reflect the company's normal operations.
Duplicate detection
Compare every record against every other using combinations of fields. Exact duplicates (same invoice number, vendor, and amount on the same date) flag payment errors. Near-duplicates (same vendor and amount on dates that differ by a day or two) flag recycled or slightly altered invoices. The test should be run on multiple key-field combinations to catch different duplication strategies.
Gap testing
For any numbered series that should be consecutive, identify every missing number. In a check register or purchase-order log, gaps indicate either that the document was voided (which should be on record) or destroyed. In expense report systems with auto-generated reference numbers, gaps can indicate that records were deleted after the fact.
Sequence analysis
Verify that numbers in a series run in ascending order and without unexpected reversals or repetitions. In accounts payable, invoices from a given vendor should generally increase in number over time. A vendor whose invoice numbers decrease or repeat may be fabricating invoices using templates.
Join-and-match (cross-file matching)
Link data across tables using common keys. Matching vendor bank account numbers against employee bank account records detects ghost-vendor or self-dealing schemes. Matching approved supplier addresses against employee home addresses detects conflict-of-interest procurement. Matching payroll records against HR termination dates detects ghost employees still receiving wages.
Ratio analysis
Compute ratios across periods or business units and flag deviations beyond a defined threshold. A subsidiary whose cost-of-goods-sold ratio jumped 8 percentage points when the rest of the group held steady warrants scrutiny. The baseline should be built from several years of data and from comparable units, so that genuine business changes can be distinguished from manipulation.

Data acquisition and preparation

The analysis is only as reliable as the data it runs on.

Getting the right data is often the hardest part of a CAAT engagement. ERP systems such as SAP, Oracle, and Microsoft Dynamics store transactions in complex relational schemas, and an extract that looks complete may be missing tables, have been filtered by the system administrator, or contain data that was archived or deleted before the export. Every export should be accompanied by record counts and hash totals so the examiner can verify completeness.

Request data in flat file format (CSV or delimited text) with full field headers, or as a direct database extract with a data dictionary.
Hash the source file immediately upon receipt and document the hash value. Any subsequent copy must be hashed again and the values compared. This is the chain-of-custody for digital data.
Reconcile the extract to known totals: the total accounts payable disbursements in the extract should match the general ledger control account for the period. Discrepancies indicate an incomplete or filtered extract.
Profile the data before running tests: count null values, check date ranges, verify that code values are within expected categories. Anomalies in the data structure sometimes are themselves evidence of manipulation.

CAAT workflow from data acquisition to exception reporting.

Building a reproducible CAAT workflow

If another analyst cannot repeat your test from your documentation, the result is not evidence.

Reproducibility is the standard that separates a CAAT result that can withstand cross-examination from one that cannot. Every step in the analytical workflow must be scripted or recorded in sufficient detail that an independent examiner, starting from the same data, arrives at the same output. In ACL and IDEA, commands are logged automatically. In Python or SQL, the script itself is the record. In Excel, a formula audit trail and worksheet notes are the minimum acceptable documentation.

Documentation element	Purpose	Minimum standard
Source data hash	Proves the dataset was not altered after acquisition	SHA-256 of the original extract, logged with date and time
Field mapping	Explains which columns were used and why	A data dictionary linking column names to their business meaning
Query or script	Records the exact logic of each test	The full ACL/IDEA command, SQL statement, or Python script
Output record counts	Confirms the test ran on the full population	Counts at the start and end of each filter or join operation
Exception log	Documents the flagged items and the follow-up disposition	Tabulation of each exception, who reviewed it, and what was concluded

Integrating CAATs into the investigation

Data analytics identifies where to look; document review, interview, and financial tracing find the proof.

CAATs sit at the beginning of the investigative funnel. A well-designed CAAT run on accounts payable might flag 300 transactions out of 50,000. Those 300 go to document review: the examiner pulls the underlying invoices, goods-received notes, and approval records. Of the 300, perhaps 40 have documentation problems. Of those 40, perhaps 12 involve the same vendor. The vendor is then subjected to beneficial-ownership analysis and, if warranted, subpoena.

The point is that CAAT output does not end the inquiry. It focuses it. A ghost-vendor scheme uncovered through join-and-match still requires document and interview evidence to prove that the vendor was fictitious, that the approver was complicit, and that the payments served no legitimate purpose. CAATs are the filter that makes the rest of the work feasible.

Common fraud schemes detected by CAATs and how

Each major scheme type leaves a specific data signature.

Fraud scheme	Primary CAAT test	What the flag looks like
Duplicate payment to vendor	Duplicate detection on invoice number, vendor ID, amount	Two or more payments sharing key fields within a short date window
Ghost vendor / shell company	Join-and-match: vendor bank account vs employee bank account	Vendor and employee share a bank account number or address
Split purchase orders (threshold avoidance)	Stratification + two-digit Benford test	Concentration of amounts just below approval threshold; spike in specific two-digit pairs
Ghost employee	Join-and-match: payroll vs HR active-employee list	Payroll records for employees with termination dates in the past
Skimming / missing receipt sequences	Gap test on receipt or check numbers	Sequential gaps in a series that should be continuous
Expense report inflation	Outlier detection + duplicate detection	Expense claims significantly above the statistical mean, or identical amounts on different dates

Worked example

Ghost-vendor scheme uncovered by join-and-match

A simple bank-account cross-match flags a vendor that has been receiving payments for two years.

An accounts payable manager at a mid-size logistics company is under investigation after a whistleblower alleges that payments are going to fictitious vendors. The forensic accountant receives exports of the accounts payable master file (all active vendors with their bank account numbers) and the HR payroll master file (all employees with their bank account numbers for direct deposit).

Join-and-match: the examiner joins both files on bank account number. Three matches appear: three vendors whose registered bank account numbers match employee personal accounts.
Transaction pull: one of the three vendors, an IT services company created 26 months ago, received 47 payments totalling $284,000 over two years. All payments were approved by the accounts payable manager.
Document review: the vendor's address is a P.O. box. No signed contracts exist. Purchase orders reference generic descriptions ('IT consulting'). The vendor was created in the system by the same accounts payable manager who approved the payments.
Stratification check: the 47 payments are stratified by value. 38 of them are between $4,500 and $4,999, just below the $5,000 threshold requiring dual approval. The threshold-avoidance pattern corroborates the ghost-vendor conclusion.
Outcome: the examiner's report documents the bank-account match, the payment history, the absence of legitimate documentation, and the threshold-avoidance pattern as converging indicators. The manager is terminated and criminal referral is made. The $284,000 is traced to the manager's personal account.

The CAAT test itself took less than a minute. The investigative work that followed took three weeks. That proportion is typical: the data test is a hypothesis generator, and the documentation and interview work is what produces the evidence.

Check your understanding

Question 1 of 4· 0 answered

A forensic accountant finds that three vendors in the accounts payable master file share bank account numbers with three current employees. Which CAAT procedure produced this finding?

Key Takeaways

CAATs test the full transaction population rather than a sample, closing the loophole that allows a fraud targeting non-sampled data to survive routine audit procedures.
The core procedures are stratification, duplicate detection, gap and sequence testing, join-and-match cross-file analysis, and ratio analysis; each detects a different class of data anomaly and they are typically run together on the same dataset.
Data acquisition quality is the constraint: every extract must be reconciled to known totals, hashed for integrity, and profiled before testing to confirm completeness and detect structural anomalies.
Reproducibility is the evidential standard; every test must be scripted or documented so that an independent analyst can replicate it from the same source data and reach the same output.
CAATs generate hypotheses and focus the investigation; document review, interview, and financial tracing convert those hypotheses into proof.

What are CAATs in forensic accounting?

Computer-Assisted Audit Techniques are software-driven procedures applied to electronic financial data to detect anomalies, errors, or fraud indicators. They allow examiners to test entire populations rather than samples, running checks such as duplicate detection, gap analysis, and statistical stratification on tens of thousands of records at once.

What software is used for CAATs?

ACL Analytics (now Galvanize / Diligent) and IDEA (from CaseWare) have been the dominant specialist tools for decades. SQL-based queries in databases, Python with pandas, and Power Query in Excel are now common alternatives. The choice depends on data volume, the examiner's skill, and the evidentiary requirements of the engagement.

What is the difference between a gap test and a sequence test?

A gap test identifies numbers in a sequence that are missing, for example purchase order numbers that were never issued, which can indicate that documents were destroyed. A sequence test verifies that a numbering series is consecutive and in the expected order, flagging any breaks or unexpected jumps.

How are CAAT results treated as evidence?

The reproducibility of the CAAT workflow is key to evidential value. Examiners document each step: the source data, the exact query or filter applied, the output, and the chain of custody for the data file. The test should be repeatable by an independent analyst from the same source data, and any data transformation must be recorded and disclosed.

Can CAATs detect all forms of financial fraud?

No. CAATs are powerful for detecting record-level anomalies in structured data: duplicates, gaps, threshold avoidance, outliers, and unusual timing. They do not detect fraud that leaves no trace in the electronic record, such as undocumented cash transactions, and they cannot replace interview, document review, or physical inspection.

Test yourself on Forensic Accounting and Financial Forensics with free, timed mocks.

Practice Forensic Accounting and Financial Forensics questions

Found this useful? Pass it along.

Spotted an error in this page? Report a correction or read our editorial standards.

Documentation element

Purpose

Minimum standard

Source data hash

Proves the dataset was not altered after acquisition

SHA-256 of the original extract, logged with date and time

Field mapping

Explains which columns were used and why

A data dictionary linking column names to their business meaning

Query or script

Records the exact logic of each test

The full ACL/IDEA command, SQL statement, or Python script

Output record counts

Confirms the test ran on the full population

Counts at the start and end of each filter or join operation

Exception log

Documents the flagged items and the follow-up disposition

Tabulation of each exception, who reviewed it, and what was concluded

Fraud scheme

Primary CAAT test

What the flag looks like

Duplicate payment to vendor

Duplicate detection on invoice number, vendor ID, amount

Two or more payments sharing key fields within a short date window

Ghost vendor / shell company

Join-and-match: vendor bank account vs employee bank account

Vendor and employee share a bank account number or address

Split purchase orders (threshold avoidance)

Stratification + two-digit Benford test

Concentration of amounts just below approval threshold; spike in specific two-digit pairs

Ghost employee

Join-and-match: payroll vs HR active-employee list

Payroll records for employees with termination dates in the past

Skimming / missing receipt sequences

Gap test on receipt or check numbers

Sequential gaps in a series that should be continuous

Expense report inflation

Outlier detection + duplicate detection

Expense claims significantly above the statistical mean, or identical amounts on different dates

Key Takeaways

CAATs test the full transaction population rather than a sample, closing the loophole that allows a fraud targeting non-sampled data to survive routine audit procedures.

The core procedures are stratification, duplicate detection, gap and sequence testing, join-and-match cross-file analysis, and ratio analysis; each detects a different class of data anomaly and they are typically run together on the same dataset.

Data acquisition quality is the constraint: every extract must be reconciled to known totals, hashed for integrity, and profiled before testing to confirm completeness and detect structural anomalies.

Reproducibility is the evidential standard; every test must be scripted or documented so that an independent analyst can replicate it from the same source data and reach the same output.

CAATs generate hypotheses and focus the investigation; document review, interview, and financial tracing convert those hypotheses into proof.

What are CAATs in forensic accounting?

What software is used for CAATs?

What is the difference between a gap test and a sequence test?

How are CAAT results treated as evidence?

Can CAATs detect all forms of financial fraud?

Your journey to becoming a forensic professional starts here.

Key Takeaways

Key Takeaways