in Auditing and Digital Evidence
Bruce H. Nearon
2005 - The foundations of auditing are competence,
independence, and due professional care. All three affect
the quality and the value of an audit. In today’s environment,
where audit evidence is increasingly digital in nature, the
exercise of competence and due professional care have taken
on a new and different character.
Competence relates to an
auditor’s technical ability to discover a material
misstatement in the financial statements and
is a function of education, training, and experience. It
enables an auditor to collect evidence to support the audit
opinion and weigh it in order to determine if the evidence
is sufficient and reliable.
Independence requires an auditor to conduct the engagement
with objectivity, integrity, and lack of bias. Although
a critical underpinning of the profession, the meaning of
auditor independence has been the subject of debate for
decades. For public companies, the debate was ended—at
least for now—by the issuance of the SEC’s Final
Rules on Auditor Independence. The same applies to audits
subject to Generally Accepted Government Auditing Standards
(GAGAS). Both the SEC and the Government Accountability
Office (GAO), which establishes audit standards for GAGAS,
significantly tightened auditor independence requirements
for GAGAS audits. For non-SEC companies and not-for-profit
entities not subject to GAGAS, the more flexible AICPA Ethics
Rules still apply.
Due professional care is what society reasonably expects
of a professional, which means performing the work according
to the norms and standards of other professionals in the
same field. For auditors, this means compliance with the
Generally Accepted Auditing Standards (GAAS). An essential
element of due professional care is performing the audit
with a reasonable degree of skepticism.
Recently, the Auditing Standards Board issued Statement
on Auditing Standards (SAS) 99, Consideration of Fraud
in a Financial Statement Audit. The backbone of this
standard is an increased emphasis on professional skepticism.
Skepticism requires a questioning mind and an unwillingness
to accept things at face value. For auditors, this means
not relying solely on inquiry and not assuming that records
provided by clients are authentic without other corroborating
evidence. Computer records, defined here as digital evidence
of transactions, are particularly troublesome because often
they can be corroborated only by other digital evidence.
As such, their authenticity and reliability are difficult—if
not impossible—to ascertain without understanding
and testing the information technology controls around them.
The value of the audit is a function of the interaction
of independence and competence. An easy way to understand
this is to examine the extreme cases. If a user of an audit
opinion believes the auditor has zero independence, then,
no matter how competent the auditor, a user will not expect
the auditor to report a breach. On the other hand, if an
auditor is perceived as fully independent but totally incompetent,
then the user of that audit opinion will not expect the
auditor to detect a material misstatement even if it is
obvious. The true value of the audit lies somewhere in between
these two examples. No auditor can truly be 100% independent
and 100% competent.
In theory, auditor independence should approach 100% for
all auditors, due to personal ethics, firm culture, independence
safeguards, and the threat of litigation. Therefore, auditor
independence should not be the driving factor in the audit
Today, we have more than 100 years of financial auditing
experience under our collective belts, yet procedures remain
little changed from those of 20, 40, or more years ago.
This is a troubling thought, given the way that information
technology has dramatically changed almost every aspect
of society, including the way business transactions are
initiated, recorded, processed, and reported.
Many auditors may not be aware that the emergence of the
electronic digital computer, and later the microprocessor,
resulted in a profound and not-so-subtle shift in the very
nature of audit evidence. The audit process is the collection
and evaluation of evidence. Prior to computers, evidence
comprised physical documents and enterprise values that
were based on tangible assets. Now, when more than 90% of
business records are estimated to be in easily alterable
digital formats that can have multiple iterations and views,
and enterprise value is based on intangible assets, how
can the auditor weigh the sufficiency and competence of
such audit evidence? Furthermore, if the auditor’s
work winds up in a legal dispute, how can an examiner of
facts determine the authenticity of mostly digital audit
evidence used to support the opinion?
Competence, independence, and due professional care are
the critical foundations of auditing. Although independence
has been the subject of much debate within the profession
over the years, competence has received less attention.
Nevertheless, the universal migration of financial information,
accounting records, and audit evidence to digital media
may be cause for concern. Due professional care may also
be an unrecognized issue because many auditors do not raise
their level of skepticism when evaluating digital audit
In 1994, the Kirk Report found very little wrong with existing
independence rules. Three years later, an AICPA white paper
on independence called for a major overhaul; however, when
it came to the effect of IT on auditing, the Kirk Report
and the AICPA white paper took similar positions. The Kirk
Report stated that the profession was at a critical juncture,
and even though much had been accomplished within firms,
serious issues remained. The report implied the effect of
IT on auditing, stating: “Information technology has
changed the nature and complexity of companies’ records
and the speed and ease with which those records are produced
and changed.” According to the AICPA white paper:
“Astonishing breakthroughs in information technology
are redefining the audit function, placing new demands on
auditors.” The white paper also states: “The
information revolution is likely to change the very nature
of the audit function, as well as the role of the auditor
… it is certain that auditors will be called upon
in the future to possess even greater skills and expertise
in information technology.” Auditors may already know
this because they cannot escape the effect of dramatic continuous
changes in information technology on their daily lives,
practice, and clients. However, with few exceptions, this
knowledge has not been translated into significant changes
in audit procedures, except for documentation with automated
workpaper preparation software and communication by e-mail.
Even though almost all financial accounting records are
in digital form, in general, auditors are not trained to
collect and evaluate it. Nor, in most cases, do they learn
how to do this in practice. This is contrary to the requirements
of generally accepted auditing standards (GAAS), which require
the auditor to have adequate technical training. GAAS has
recognized the differences between physical evidence and
digital evidence since 1974, when these differences were
first codified by SAS 3, The Effect of EDP on the Auditor’s
Study and Evaluation of Internal Control. In 1984,
SAS 3 was superseded by SAS 48, The Effects of Computer
Processing on the Examination of Financial Statements,
which, in turn, was superseded by SAS 94, The Effect
of Information Technology on the Auditor’s Consideration
of Internal Control in a Financial Statement Audit
(currently in force).
In 1970, four years before SAS 3 was issued, there were
approximately 130,000 computers in the entire world. These
computers were primarily used by large companies, government
agencies, universities, and research institutions. Except
for the large firms that audited these entities, SAS 3 was
irrelevant. Even where SAS 3 did apply, financial statement
auditors did not perform the work; rather, special EDP audit
units performed it. By the time SAS 48 was issued, the diffusion
of computers had increased to the point where many midsize
companies had minicomputers. This meant that their auditors
had to consider the effect of digital evidence on firm competence
and the audit.
Twenty years later, the business landscape has changed
dramatically. There are more than 550 million computers
in the world, and almost all organizations of any size maintain
their accounting records on computers. Yet most auditors
still approach digital records as if they have the same
intrinsic qualities as physical records. A first step in
gaining technical competence is appreciating one’s
limitations and realizing that there are some things one
does not know. Once an auditor accepts her limitations,
she is obliged to either acquire the necessary skills or
hire someone who already has the requisite knowledge and
skills. Unfortunately, many auditors do not realize—despite
SAS 94—that hardcopy printouts and listings generated
by computers and used for audit tests are only a physical
“view” of digital evidence, which could have
been easily altered to deceive them. Therefore, with regard
to competence, auditors must have the skills to evaluate
the reliability of digital evidence used to support their
audits. They need to ask the questions: What is the possibility
that this printout, listing, or document is erroneous, by
either intent or error? Who in the client’s organization
has the opportunity and incentive to alter digital records
in order to conceal misappropriation of assets or to misstate
the financial statements?
Auditing exists because of the separation of ownership
and control. Capital markets pool large sums of money raised
from many investors, and the size of these enterprises requires
professional managers. The actions of managers, however,
are essentially unobservable to owners. Given human nature,
if no one is watching and there are no consequences, a person
may be tempted to do something unethical. Therefore, capital
suppliers have good reason to be skeptical of managers’
Capital suppliers require businesses to engage auditors
to attest to the truthfulness of the managers’ reports.
It is the auditor’s opinion that serves to reduce
capital suppliers’ perceived risk. Implicit in the
capital suppliers’ reliance on the auditor is the
expected alignment of the auditor’s skepticism with
theirs. If an auditor fails to be skeptical, or is less
skeptical than appropriate, then the covenant with the users
of the audit opinion is broken. It is with them that the
auditor’s first duty must lie, not with management.
Before the digital age, business records and audit evidence
were physical, and alterations were difficult to make or
disguise. For example, consider an accounting journal, bound
with prenumbered pages, handwritten in pen and ink, and
locked in the controller’s steel safe; the only way
to delete an entry would be to destroy the entire journal.
Consider, too, the difficulty in making an alteration. Ink
on paper is difficult to change without obvious evidence.
Even pencil erasures are often easily detected. Practically
speaking, the only way to change a single journal entry
would be to rewrite the entire journal. By simply physically
scanning the pages and seeing no obvious evidence of changes,
limited skepticism was required to accept that a journal
had not been altered.
Today, accounting journals are stored in digital form on
a computer. The audit program requires the field auditor
to select some journal entries for testing and to ask the
bookkeeper to inspect the journal. The bookkeeper obliges
and displays a “view” of the journal entries
on a computer screen. At the bottom of the screen, the journal’s
control total ties to the trial balance. The bookkeeper
proceeds to page through some screens, and, as several hundred
entries scroll by, the auditor decides that the entries
appear correct, and checks off that step of the audit process.
However, another auditor with some degree of skepticism
may recognize the pitfalls of the above scenario. This auditor
will ask the bookkeeper to print the entire journal, which
can be several hundred pages in length. Like the control
total on the bottom of the computer screen, the printout’s
bottom line ties to the trial balance. The auditor flips
through a few pages of the printout, and, seeing nothing
unusual, checks off the step and moves on.
What is wrong with this picture? In both cases, if the
underlying records had been intentionally altered, or the
view prepared with the intent to deceive, an auditor would
be clueless. If fraudulent entries had been deleted or altered
to look like valid entries, an auditor would have no way
of knowing without performing additional procedures. Tragically,
many auditors accept such views as valid and consider printouts
as physical evidence with the same attributes as nondigital
records, even though they are not.
The above example has nothing to do with competence and
everything to do with skepticism. An auditor need not necessarily
be competent in the collection and examination of digital
evidence to realize that information reported by computers
is not reliable in the absence of other corroborating evidence
or a documented understanding and testing of general and
Because of the profound shift in the nature of audit evidence—more
than 90% of all business documents are now digital—greater
auditor skepticism is also required. New questions must
be asked so that the auditor’s evidence is indeed
sufficient, competent, and, in extreme cases that go to
Audit Questions About Digital Evidence
What questions might a skeptical auditor ask about digital
- Is the digital evidence subject to change or alteration
without an audit trail or evidence of the change?
- Is there an audit trail that unambiguously ties the
digital evidence back to the initiating entry or, in some
cases, forward to its inclusion on the face of the financial
statements or in the footnote disclosures?
- Does the digital evidence include metadata that identifies
who made the entry and when?
- What are the controls designed to prevent unauthorized
changes to the digital evidence after it was created?
- Who has or had access rights to change the digital
- How does the auditor know that the digital evidence
hasn’t been intentionally altered to deceive or
- Has operating system audit logging been properly enabled
to record all successful and failed access attempts to
the digital evidence?
- Have the audit logs been reviewed independently?
- Has the continuity of the logs been maintained, and
have all gaps been explained?
- Have the logs been frequently copied to offline, read-only
media and stored in a secure location inaccessible to
those who might have the incentive to fraudulently alter
- Has access to the logs and their security settings
been logged, and limited to only authorized individuals?
- If passwords are a key control to prevent unauthorized
changes to the digital evidence, are the passwords strong?
- Have employees shared passwords, or does the IT department
know all of the passwords?
The answers to these questions can assist an auditor in
evaluating the reliability of digital records, assessing
the risk of material misstatement, and planning more effective
Due for Change
Dramatic changes in information technology have changed
the very nature of the evidence of transactions and have
created a challenge for the audit profession to maintain
its competence. Auditor independence has been an ongoing
issue for over 30 years, and, at least for public companies
and those subject to generally accepted government auditing
standards, the independence standards have been significantly
tightened. Due professional care and increased skepticism
of digital records has not been an issue raised by the profession’s
critics, but nevertheless may be cause for concern in the
The changes in the use of information technology by business
have had a profound effect on accounting and auditing because
these records are almost universally recorded, processed,
and reported digitally. The nature of the digital evidence
used to support an audit opinion requires an even greater
level of skepticism than that for physical evidence, because
digital records may be more easily altered without a trail.
Auditors are advised not to rely blindly on the digital
evidence—what they see may not be what they get.
Bruce H. Nearon, CPA, is director of
IT security auditing with J.H. Cohn LLP. He is a member of
the NYSSCPA’s Auditing Standards and Procedures Committee
and can be reached at firstname.lastname@example.org.