February 2003

Digital Data and the Meaning of ‘Audit’

By Steven W. Teppler

Individual investors, mutual funds, and retirement funds (individual, corporate, and governmental) have seen the value of their holdings shrink significantly since the Internet bubble burst in early 2000. In part, these devaluations are attributable to the degradation of investor trust in the market participants as a result of record-breaking income restatements and bankruptcies, as well as financial fraud (both alleged and admitted) by corporate officers, directors, and their auditors.

The current environment is the product of a two-sided erosion of trust. This erosion of trust is not in the system of capitalism but in the self-serving activities of those officers and directors whose fiduciary duty it is to protect shareholder interest, even at the expense of their own. The lack of trust also extends to auditors, acting as trusted parties, whose duty it is to examine and vouch for the efficacy of statements or reports made by those fiduciaries.

An audit is defined as “a formal examination of an individual or organization’s accounting records, financial situation, or compliance with some other set of standards” (Black’s Law Dictionary, 7th Edition, 1999). Black’s further outlines other types of audits:

A Twenty-First-Century Definition of ‘Audit’

What the above definition of “audit” points to is not so much a statement of financials, but a statement of a condition at a precise and unique moment in time, of which internal, financial, or compliance audits are mere subsets. A company hires an independent audit firm, sets an audit date, lets the auditor perform a physical examination of financial documents, and receives an opinion either confirming or denying management’s statement of condition. Real-world audits are also difficult to fake, spoof, or alter, because of decades of accepted procedures as well as forensics, which exist in order to detect and expose such forgeries or spoofs. For example, a physical audit scheduled to occur on December 31, 2002, cannot be conducted at any time either before or after that date. If the physical evidence of an audit were amended or changed, forensic analysis of ink, paper, and witness testimony could expose a forgery or fraud. When audits were conducted by reviewing paper or other physical records, these procedures worked well.

Enter the twenty-first century and the rapid migration of all data to digital rather than paper form. Data for the audit process is now generated electronically, but digital data’s malleability makes it uniquely susceptible to shifts of reality. A typical result of such a reality shift is highlighted in this excerpt from an article in Business Week Online, published April 8, 2002:

Business Week has learned from internal Andersen documents that [Andersen’s] Enron team was also busy amending four key memos to correct the record of its review of Enron’s convoluted and conflicted partnership deals [emphasis added].

It seems likely that some form of digital data alteration is used in almost all sophisticated instances of audit fraud.

The Need for Digital Data Auditability

An audit provides the means for ascertaining in the physical world that a transaction has taken place, and may include the components or elements which comprise that transaction. Audits also necessitate a human element of supervision or verification in order to validate that process. The most relied-upon type of audit is an independent audit and involves a validation process by which the supervisory or verification activities are undertaken by a disinterested third party. Trust in this third party is implied because of its very nature as an objective witness. By convention and as a direct result of the interposition of a trusted third party, the data contained in such independent audits is relied upon by other parties making sensitive decisions based on such audited data.

Audits and Time

Independent auditors conduct the audit at unique, verifiable points in time. Any audit not conducted for or within a prescribed timeframe may be deemed invalid, ultimately because it fails to reflect the status or condition of the audited entity as prescribed by legal, accounting, or industry convention.

There is, however, a core component to the conduct of a real-world independent audit that is so fundamental that it is taken for granted and therefore never challenged. That component involves control over time. In the real world, once a moment in time passes, it can never happen or be created again, nor can time be started or stopped. No human factor can exert control over the element of time, nor its inseparable attributes of uniqueness and linearity; as such, time in the real world is inherently both trustworthy and trusted.

In the digital world, however, the opposite is true. Time is inherently untrustworthy. This is because in any digital data-generating environment, the owner of the data-generating device has the power to control time. The owner may start, stop, turn back, or go forward in time in accordance with his or her whims. This inherent control over time in the digital world robs electronic data of uniqueness and linearity, and therefore renders such data repudiable. Any such data thus generated will always be open to credibility challenges regarding time and content.

Mountains of paper data have been and continue to be converted into digital media every day. In addition, huge amounts of new digital data are also being generated daily. Since current data-generating devices employ user-resettable clocks to generate such data, that data will be open to challenge in court. Because the data could have been changed, they are not nonrepudiable or immune from content challenge as a prima facie matter. And because the data are subject to repudiation and challenge, a factual issue is created, leaving the matter up to a jury to decide. A jury could find that the data were altered after the fact—even if they weren’t—for reasons without a purely factual basis.

The liability risk has been heightened by recently enacted laws and regulations such as the Gramm-Leach-Bliley Act; the Health Insurance Portability and Accountability Act (HIPAA); the Uniform Electronic Transactions Act (UETA); the Food and Drug Administration’s Electronic Records and Electronic Signatures Rule (21 CFR Part 11); and, most recently, the Sarbanes-Oxley Act of 2002. These laws and regulations impose, among other things, ongoing affirmative obligations for data generators and transmitters with the purpose of creating auditable (i.e., trusted and reliable) digital data. Failure to comply with these laws and regulations can mean dire financial consequences for companies, their officers and directors, auditors, and attorneys. It can also mean potential legal liability in the public and private sectors.

The Sarbanes-Oxley Act codifies many of these dire consequences by expressly providing for prison sentences of up to 20 years and fines of tens of millions of dollars, as well as forfeitures of bonuses and equity sales profits on a per-violation basis. The act then articulates a “reckless conduct” or “repeated negligent acts” standard for finding violations of its provisions, substantially lowering the bar for finding criminal and civil liability. Of paramount and immediate importance, therefore, is the need for directors and officers (as well as their company auditors and attorneys) to ensure that the digital data they generate are trusted and auditable.

Data Control

If the mountains of digital data now existing or to be generated in the future are to be trusted for audit purposes, sufficient safeguards must be adopted in order to ensure that data generators retain possession, but not control, over their data. To permit control over data used in any audit examination process negates the “trustedness” and “reliability” that audited data has provided for centuries in the physical universe.
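As an added illustration of the two preceding points (the repudiability of data stamped only by the generator's own clock, and possession without control), here is a small Python sketch. It is my own code, not the author's and not a description of TimeCertain's product; the mechanism it uses, a SHA-256 hash chain whose latest hash is copied into the custody of a disinterested witness, is one possible safeguard that the article does not itself specify, and all memo records in it are constructed sample data.

```python
"""Added illustration (not from the article): a record stamped only by the
generator's own clock is repudiable; a hash-chained log whose head is held by
a disinterested witness restores uniqueness and linearity. Sample data only."""
import copy
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def _digest(obj) -> str:
    # Canonical JSON so the same logical entry always hashes identically.
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


# 1. Records whose only evidence of time is the generator's own clock.
def naive_records_consistent(records: List[dict]) -> bool:
    """The only check available: timestamps are non-decreasing in file order.
    Nothing ties a timestamp to the moment the record was really written, so
    a set rewritten after the fact passes exactly as an honest one does."""
    stamps = [r["timestamp"] for r in records]
    return stamps == sorted(stamps)


# 2. A hash-chained log: every entry commits to its predecessor.
GENESIS = "0" * 64


@dataclass
class Entry:
    seq: int
    timestamp: str
    content: str
    prev_hash: str
    entry_hash: str = ""

    def compute_hash(self) -> str:
        return _digest({"seq": self.seq, "timestamp": self.timestamp,
                        "content": self.content, "prev_hash": self.prev_hash})


@dataclass
class ChainedLog:
    entries: List[Entry] = field(default_factory=list)

    def append(self, timestamp: str, content: str) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = Entry(len(self.entries), timestamp, content, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def witness_head(self) -> Tuple[int, str]:
        """What a disinterested third party takes into its own custody:
        the sequence number and hash of the current last entry."""
        last = self.entries[-1]
        return last.seq, last.entry_hash


def verify_chain(log: ChainedLog, witness: Optional[Tuple[int, str]] = None) -> bool:
    """Recompute every link in order. With a witness record, the entry at the
    witnessed sequence number must also hash to the witnessed value."""
    prev = GENESIS
    for i, e in enumerate(log.entries):
        if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.entry_hash:
            return False
        prev = e.entry_hash
    if witness is not None:
        seq, head = witness
        if seq >= len(log.entries) or log.entries[seq].entry_hash != head:
            return False
    return True


def rebuild(log: ChainedLog) -> ChainedLog:
    """What a generator with full control over its own store can do: recompute
    every link so an altered log is internally consistent again."""
    fresh = ChainedLog()
    for e in log.entries:
        fresh.append(e.timestamp, e.content)
    return fresh


MEMOS = [  # constructed sample entries
    ("2001-10-12T09:00:00Z", "memo 1: review of partnership A"),
    ("2001-10-12T09:30:00Z", "memo 2: review of partnership B"),
    ("2001-10-12T10:00:00Z", "memo 3: review of partnership C"),
    ("2001-10-12T10:30:00Z", "memo 4: summary of findings"),
]


def demo() -> dict:
    results = {}
    # Naive records: rewriting memo 2 and its clock value goes undetected.
    naive = [{"timestamp": t, "content": c} for t, c in MEMOS]
    results["naive_honest"] = naive_records_consistent(naive)
    amended = copy.deepcopy(naive)
    amended[1] = {"timestamp": "2001-10-12T09:15:00Z", "content": "memo 2: amended"}
    results["naive_amended"] = naive_records_consistent(amended)

    # Chained log with its head witnessed by a third party.
    log = ChainedLog()
    for t, c in MEMOS:
        log.append(t, c)
    witness = log.witness_head()
    results["chain_intact"] = verify_chain(log, witness)

    # In-place edit of memo 2: the link from memo 3 no longer matches.
    edited = copy.deepcopy(log)
    edited.entries[1].content = "memo 2: amended"
    edited.entries[1].entry_hash = edited.entries[1].compute_hash()
    results["chain_edited_in_place"] = verify_chain(edited, witness)

    # Full rebuild: internally consistent, but the witnessed head disagrees.
    rebuilt = rebuild(edited)
    results["chain_rebuilt_no_witness"] = verify_chain(rebuilt)
    results["chain_rebuilt_with_witness"] = verify_chain(rebuilt, witness)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'passes' if ok else 'detected'}")
```

The last two results are the point of the article's "possession, not control" distinction: a generator that controls its own store can rewrite the log and rebuild every link so that the chain alone verifies, and only the hash copy held outside its control exposes the change. The witness need not see the memos themselves, only a hash, so confidentiality of the records is preserved.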

Steven W. Teppler, JD, is the CEO of TimeCertain

Paul D. Warner, PhD, CPA
Hofstra University

L. Murphy Smith, DBA, CPA
Texas A&M University

