Technology Changes the Form and Competence of Audit Evidence

By Paul Caster and Dino Verardo

E-mail Story Print Story

• SAS 80, Amendment to SAS 31, Evidential Matter
• Auditing Procedures Study (APS), The Information Technology Age: Evidential Matter in the Electronic Environment
• SAS 94, The Effect of Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit
• SAS 106, Audit Evidence.

Audit fieldwork standards require that auditors obtain sufficient competent evidence to support the audit opinion on the financial statements. However, the characteristics of sufficient and competent audit evidence have drastically changed with the technological advances used by business entities. The auditing profession has reacted to advances in technology and e-commerce by issuing new guidance. Technological advances and complex IT systems have altered not only the actual form of evidential matter required to be obtained by auditors, but also the competence of this evidence. In some respects, technology has weakened a number of traditional forms of audit evidence. Technology has had a significant impact on audit evidence, and existing auditing procedures could be improved in many ways.

Response from the Auditing Profession

In response to advances in business technology, the Auditing Standards Board (ASB) issued Statement on Auditing Standards (SAS) 80, Amendment to SAS 31, Evidential Matter, in 1996 to guide accountants when auditing the financial statements of an entity where considerable information is transmitted, processed, maintained, or accessed electronically. In addition, the ASB issued an Auditing Procedures Study (APS), The Information Technology Age: Evidential Matter in the Electronic Environment, that addressed the differences between traditional and electronic audit evidence. As discussed by Louise Williamson (“The Implications of Electronic Evidence,” Journal of Accountancy, February 1997), the APS describes the attributes that make audit evidence sufficient, competent, and reliable. These attributes include difficulty of alteration; credibility; completeness; evidence of approvals; ease of use; and clarity. The APS then addresses how electronic evidence may differ from traditional paper documents in terms of these attributes, and tries to bridge the gap between the two.

In 2001, the ASB issued additional guidance in the form of SAS 94, The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit, an amendment to SAS 55. SAS 94 was introduced because increasingly complex information technologies (IT) were affecting entities’ internal control components. George Tucker (“IT and the Audit,” Journal of Accountancy, September 2001) contended that SAS 94 acknowledges that “an entity’s reliance on IT may be so significant that the quality of the audit evidence available will depend on the controls the business maintains over its accuracy and completeness.” SAS 94 alerted the auditing profession to the significant benefits and risks that advances in IT systems had created. The reliability of electronic forms of evidence was also addressed in SAS 106, Audit Evidence, issued by the ASB in 2006. SAS 106 ranks the reliability of certain forms of electronic evidence. For example, electronic documents are more reliable than oral representations, but photocopies are less reliable than original documents.

As businesses become increasingly complex, the auditing profession must ensure that it obtains sufficient competent evidential matter to support financial statement assertions. In addition, the profession must be cognizant of the negative impact technology has had on certain traditional forms of audit evidence.

How Technology May Weaken Traditional Sources of Audit Evidence

Problem: scanners and printers. One technological advance that may weaken traditional sources of audit evidence is the scanner. Scanners are considered an essential component to most business organizations because of their ability to simplify document storage and to make document retrieval more convenient. Despite their benefit, scanners have negatively affected the persuasiveness of traditional confirmation evidence. Consider, for example, the recent Parmalat fraud. Parmalat’s auditors asked Bank of America to verify a $4.9 billion bank account and received a response confirming the amount. The response received by the auditors was, however, a fake document. An employee of Parmalat scanned a Bank of America logo to create the fake letterhead (John Tagliabue, “7 Detained as Parmalat Investigation Is Widened,” The New York Times, January 1, 2004). In this case, an audit procedure designed to provide auditors with substantive, independent audit evidence was unreliable.

The development of high-tech printers able to print extraordinarily high-quality, color, photolike documents has also enabled the creation of high-quality fake documentation that can pass for the real thing. In addition to confirmations, other fraudulent documents can be “created” by scanning logos and printing invoices or purchase orders that appear to be originals.

Recommendation. Auditors must be aware that any critical audit evidence obtained from the client and printed from a computer (such as customer purchase orders, vendor invoices, or confirmations) may be fictitious. Thus, documentary evidence should be reviewed with greater diligence and increased professional skepticism (as noted by Bruce H. Nearon, “Foundations in Auditing and Digital Evidence,” The CPA Journal, January 2005).

The authors also recommend that auditors contact a sample of key customers and vendors via telephone to confirm they exist and to verify the authenticity and accuracy of selected transactions. Even so, auditors must be careful that client personnel do not pose as customers or vendors. In addition, auditors may consider new services that have been developed to provide independent, secure confirmations that verify the authenticity of respondents and the accuracy of account balances, as discussed by George R. Aldhizer and James D. Cashell in “Automating the Confirmation Process” (The CPA Journal, April 2006).

Problem: direct deposit. The prevalent use of direct deposit by organizations to transfer employees’ pay directly to their bank accounts has simplified the payroll process for both employees and employers and reduced payroll-related expenses. Prior to the use of direct deposit, if an audit firm suspected payroll fraud, the standard audit procedure was to perform a surprise payout. An auditor would personally deliver checks to employees on their payday to ensure that every employee received only one paycheck and that no extra checks existed. The procedure provided the highest level of substantive evidence to the auditor that no fraud occurred in the payroll department, because the auditor was physically present when handing out the checks. The procedure worked because real employees generally showed up on paydays, and any who did not required significant follow-up procedures by the auditor. With direct deposit, such an audit procedure is no longer effective.

Recommendation. Auditors can, nevertheless, obtain and deliver direct deposit payroll stubs to a sample of employees to ensure that employees on the payroll register do exist. As discussed by Joseph T. Wells (“Keep Ghosts Off the Payroll,” Journal of Accountancy, December 2002), auditors can verify that “ghosts” do not exist by ensuring that not more than one paycheck is being deposited to the same bank account, that all employees have a unique employee identification number or Social Security number, and that any duplicate employee addresses are for legitimate purposes.

Problem: e-mail. In recent years, electronic mail (e-mail) has become an increasingly popular tool for both personal and business communication. The rise in the use of e-mail in business has reduced the usage of traditional mail. The replacement of postage mail by e-mail has increased the amount of electronic audit evidence. For example, in the past, when auditors received confirmation evidence via traditional mail, a reasonable procedure was to compare the city in the postmark on the envelope to the city of the addressee. This provided some additional assurance. Although the use of metered mail made this procedure less effective, the replacement of traditional mail with e-mail has eliminated the procedure altogether.

Recommendation. Auditors must place increased skepticism on information that they receive from both clients and independent parties via e-mail. The authors agree with the recommendation in AICPA Practice Alert 2003-01 that auditors need to “validate confirmations received via fax or electronically.” This may be possible by using an automated confirmation service, as discussed by Aldhizer and Cashell.

Problem: electronic banking procedures. Another audit procedure that has changed due to technological advances is related to disbursements. When auditors verify that proper controls over disbursements are in place, one procedure is to review cleared disbursement checks when they are returned by the bank. The returned checks substantiate that the disbursement was properly approved under company guidelines. The presence of multiple signatures of higher-level management in accordance with disbursement guidelines provides evidence that disbursements have been properly made in accordance with the entity’s objectives. Technological improvements implemented by banks have all but eliminated the return of cleared checks to customers, meaning that auditors cannot verify the validity of disbursements. In place of the physical check, entities increasingly maintain electronic versions of returned disbursement checks provided by banks, but the general characteristics of this type of electronic evidence differ from traditional checks. For example, a digitized check is easier to alter, and alterations are harder to detect, than with a traditional paper check.

Recommendation. Auditors should obtain electronic copies of checks from the business. To test the reliability and validity of these documents, auditors should draw a sample and seek corroborating evidence from the individuals who authorized payment and signed the disbursement check, to ensure that they were properly approved and signed. For those checks where a signature plate was used in lieu of a manual signature, auditors should evaluate controls over the use of the signature plate.

Problem: electronic signatures. For business entities that conduct operations online using electronic commerce, electronic signatures have become rather common. In 2002 Congress recognized their importance by passing the Electronic Signatures in Global and National Commerce Act, which made contracts and agreements with these signatures legally binding. In the past, all contracts and agreements were typed on paper, with handwritten signatures that provided auditors with the identity of the signers and their actual signatures, indicating agreement with the content of that particular document. Caroline Emond and Andree Lavigne (“Going Electronic,” CA Magazine, September 2002) warned that electronic signatures pose an issue for auditors because no physical evidence exists that can validate the intention of the signer of a particular document.

Recommendation. Auditors presented with documents containing electronic signatures in support of significant transactions should select a sample and contact the signers or personally meet with them to verify that they have agreed to the document in question.

Future Implications

To fulfill its duty to obtain sufficient competent audit evidence, the auditing profession must constantly adapt audit procedures as technology advances business practices.

Due to the continually changing business environment, auditors should perform additional tests to complement traditional audit procedures and exercise increased professional skepticism regarding audit evidence. As recommended above, the authors favor an emphasis on tests of details and increased sampling. Increasingly, integrated audits (such as those required under section 404 of the Sarbanes-Oxley Act) combine extensive control testing with traditional audit procedures. Integrated audits may provide the auditor with additional comfort as to the validity of audit evidence, but auditors must continue to be cognizant of the requirements in the recently issued auditing literature when financial information is electronic in nature.

Technological advances can significantly improve the effectiveness and efficiency of business operations for entities; however, auditors must also understand how those advances affect traditional audit procedures.