Foundations in Auditing and Digital Evidence
By Bruce H. Nearon
January 2005
The foundations of auditing are competence,
independence, and due professional care. All three affect
the quality and the value of an audit. In today’s environment,
where audit evidence is increasingly digital in nature, the
exercise of competence and due professional care has taken
on a new and different character.
Competence relates to an
auditor’s technical ability to discover a material
misstatement in the financial statements and
is a function of education, training, and experience. It
enables an auditor to collect evidence to support the audit
opinion and weigh it in order to determine if the evidence
is sufficient and reliable.
Independence requires an auditor to conduct the engagement
with objectivity, integrity, and lack of bias. Although
a critical underpinning of the profession, the meaning of
auditor independence has been the subject of debate for
decades. For public companies, the debate was ended—at
least for now—by the issuance of the SEC’s Final
Rules on Auditor Independence. The same applies to audits
subject to Generally Accepted Government Auditing Standards
(GAGAS): the Government Accountability Office (GAO), which
establishes the standards for GAGAS audits, significantly
tightened its auditor independence requirements, much as
the SEC did for public companies. For non-SEC companies and
not-for-profit entities not subject to GAGAS, the more flexible
AICPA Ethics Rules still apply.
Due professional care is what society reasonably expects
of a professional, which means performing the work according
to the norms and standards of other professionals in the
same field. For auditors, this means compliance with the
Generally Accepted Auditing Standards (GAAS). An essential
element of due professional care is performing the audit
with a reasonable degree of skepticism.
Recently, the Auditing Standards Board issued Statement
on Auditing Standards (SAS) 99, Consideration of Fraud
in a Financial Statement Audit. The backbone of this
standard is an increased emphasis on professional skepticism.
Skepticism requires a questioning mind and an unwillingness
to accept things at face value. For auditors, this means
not relying solely on inquiry and not assuming that records
provided by clients are authentic without other corroborating
evidence. Computer records, defined here as digital evidence
of transactions, are particularly troublesome because often
they can be corroborated only by other digital evidence.
As such, their authenticity and reliability are difficult—if
not impossible—to ascertain without understanding
and testing the information technology controls around them.
The value of the audit is a function of the interaction
of independence and competence. An easy way to understand
this is to examine the extreme cases. If a user of an audit
opinion believes the auditor has zero independence, then,
no matter how competent the auditor, a user will not expect
the auditor to report a breach. On the other hand, if an
auditor is perceived as fully independent but totally incompetent,
then the user of that audit opinion will not expect the
auditor to detect a material misstatement even if it is
obvious. The true value of the audit lies somewhere in between
these two examples. No auditor can truly be 100% independent
and 100% competent.
In theory, auditor independence should approach 100% for
all auditors, due to personal ethics, firm culture, independence
safeguards, and the threat of litigation. Therefore, auditor
independence should not be the driving factor in the audit
value function.
Today, we have more than 100 years of financial auditing
experience under our collective belts, yet procedures remain
little changed from those of 20, 40, or more years ago.
This is a troubling thought, given the way that information
technology has dramatically changed almost every aspect
of society, including the way business transactions are
initiated, recorded, processed, and reported.
Many auditors may not be aware that the emergence of the
electronic digital computer, and later the microprocessor,
resulted in a profound and not-so-subtle shift in the very
nature of audit evidence. The audit process is the collection
and evaluation of evidence. Prior to computers, evidence
comprised physical documents and enterprise values that
were based on tangible assets. Now, when more than 90% of
business records are estimated to be in easily alterable
digital formats that can have multiple iterations and views,
and enterprise value is based on intangible assets, how
can the auditor weigh the sufficiency and competence of
such audit evidence? Furthermore, if the auditor’s
work winds up in a legal dispute, how can an examiner of
facts determine the authenticity of mostly digital audit
evidence used to support the opinion?
Foundations
Competence, independence, and due professional care are
the critical foundations of auditing. Although independence
has been the subject of much debate within the profession
over the years, competence has received less attention.
Nevertheless, the universal migration of financial information,
accounting records, and audit evidence to digital media
may be cause for concern. Due professional care may also
be an unrecognized issue because many auditors do not raise
their level of skepticism when evaluating digital audit
evidence.
In 1994, the Kirk Report found very little wrong with existing
independence rules. Three years later, an AICPA white paper
on independence called for a major overhaul; however, when
it came to the effect of IT on auditing, the Kirk Report
and the AICPA white paper took similar positions. The Kirk
Report stated that the profession was at a critical juncture,
and even though much had been accomplished within firms,
serious issues remained. The report addressed the effect of
IT on auditing, stating: “Information technology has
changed the nature and complexity of companies’ records
and the speed and ease with which those records are produced
and changed.” According to the AICPA white paper:
“Astonishing breakthroughs in information technology
are redefining the audit function, placing new demands on
auditors.” The white paper also states: “The
information revolution is likely to change the very nature
of the audit function, as well as the role of the auditor
… it is certain that auditors will be called upon
in the future to possess even greater skills and expertise
in information technology.” Auditors may already know
this because they cannot escape the effect of dramatic continuous
changes in information technology on their daily lives,
practice, and clients. However, with few exceptions, this
knowledge has not been translated into significant changes
in audit procedures, except for documentation with automated
workpaper preparation software and communication by e-mail.
Even though almost all financial accounting records are
in digital form, auditors generally are not trained to
collect and evaluate digital evidence, nor, in most cases,
do they learn how to do so in practice. This is contrary to the requirements
of generally accepted auditing standards (GAAS), which require
the auditor to have adequate technical training. GAAS has
recognized the differences between physical evidence and
digital evidence since 1974, when these differences were
first codified by SAS 3, The Effect of EDP on the Auditor’s
Study and Evaluation of Internal Control. In 1984,
SAS 3 was superseded by SAS 48, The Effects of Computer
Processing on the Examination of Financial Statements,
which, in turn, was superseded by SAS 94, The Effect
of Information Technology on the Auditor’s Consideration
of Internal Control in a Financial Statement Audit
(currently in force).
In 1970, four years before SAS 3 was issued, there were
approximately 130,000 computers in the entire world. These
computers were primarily used by large companies, government
agencies, universities, and research institutions. Except
for the large firms that audited these entities, SAS 3 was
irrelevant. Even where SAS 3 did apply, financial statement
auditors did not perform the work; rather, special EDP audit
units performed it. By the time SAS 48 was issued, the diffusion
of computers had increased to the point where many midsize
companies had minicomputers. This meant that their auditors
had to consider the effect of digital evidence on firm competence
and the audit.
Twenty years later, the business landscape has changed
dramatically. There are more than 550 million computers
in the world, and almost all organizations of any size maintain
their accounting records on computers. Yet most auditors
still approach digital records as if they have the same
intrinsic qualities as physical records. A first step in
gaining technical competence is appreciating one’s
limitations and realizing that there are some things one
does not know. Once an auditor accepts her limitations,
she is obliged to either acquire the necessary skills or
hire someone who already has the requisite knowledge and
skills. Unfortunately, many auditors do not realize—despite
SAS 94—that hardcopy printouts and listings generated
by computers and used for audit tests are only a physical
“view” of digital evidence, which could have
been easily altered to deceive them. Therefore, with regard
to competence, auditors must have the skills to evaluate
the reliability of digital evidence used to support their
audits. They need to ask the questions: What is the possibility
that this printout, listing, or document is erroneous, by
either intent or error? Who in the client’s organization
has the opportunity and incentive to alter digital records
in order to conceal misappropriation of assets or to misstate
the financial statements?
Skepticism
Auditing exists because of the separation of ownership
and control. Capital markets pool large sums of money raised
from many investors, and the size of these enterprises requires
professional managers. The actions of managers, however,
are essentially unobservable to owners. Given human nature,
if no one is watching and there are no consequences, a person
may be tempted to do something unethical. Therefore, capital
suppliers have good reason to be skeptical of managers’
reports.
Capital suppliers require businesses to engage auditors
to attest to the truthfulness of the managers’ reports.
It is the auditor’s opinion that serves to reduce
capital suppliers’ perceived risk. Implicit in the
capital suppliers’ reliance on the auditor is the
expected alignment of the auditor’s skepticism with
theirs. If an auditor fails to be skeptical, or is less
skeptical than appropriate, then the covenant with the users
of the audit opinion is broken. It is with them that the
auditor’s first duty must lie, not with management.
Before the digital age, business records and audit evidence
were physical, and alterations were difficult to make or
disguise. For example, consider an accounting journal, bound
with prenumbered pages, handwritten in pen and ink, and
locked in the controller’s steel safe; the only way
to delete an entry would be to destroy the entire journal.
Consider, too, the difficulty in making an alteration. Ink
on paper is difficult to change without obvious evidence.
Even pencil erasures are often easily detected. Practically
speaking, the only way to change a single journal entry
would be to rewrite the entire journal. Because an auditor
could simply scan the pages and see no obvious evidence of
changes, limited skepticism was required to accept that a
journal had not been altered.
Today, accounting journals are stored in digital form on
a computer. The audit program requires the field auditor
to select some journal entries for testing and to ask the
bookkeeper for the journal in order to inspect them. The bookkeeper obliges
and displays a “view” of the journal entries
on a computer screen. At the bottom of the screen, the journal’s
control total ties to the trial balance. The bookkeeper
proceeds to page through some screens, and, as several hundred
entries scroll by, the auditor decides that the entries
appear correct, and checks off that step of the audit process.
However, another auditor with some degree of skepticism
may recognize the pitfalls of the above scenario. This auditor
will ask the bookkeeper to print the entire journal, which
can be several hundred pages in length. Like the control
total on the bottom of the computer screen, the printout’s
bottom line ties to the trial balance. The auditor flips
through a few pages of the printout, and, seeing nothing
unusual, checks off the step and moves on.
What is wrong with this picture? In both cases, if the
underlying records had been intentionally altered, or the
view prepared with the intent to deceive, an auditor would
be clueless. If fraudulent entries had been deleted or altered
to look like valid entries, an auditor would have no way
of knowing without performing additional procedures. Tragically,
many auditors accept such views as valid and consider printouts
as physical evidence with the same attributes as nondigital
records, even though they are not.
The above example has nothing to do with competence and
everything to do with skepticism. An auditor need not necessarily
be competent in the collection and examination of digital
evidence to realize that information reported by computers
is not reliable in the absence of other corroborating evidence
or a documented understanding and testing of general and
application controls.
Because of the profound shift in the nature of audit evidence—more
than 90% of all business documents are now digital—greater
auditor skepticism is also required. New questions must
be asked so that the auditor’s evidence is indeed
sufficient, competent, and, in extreme cases that go to
court, credible.
Audit Questions About Digital Evidence
What questions might a skeptical auditor ask about digital
evidence?
- Is the digital evidence subject to change or alteration
without an audit trail or evidence of the change?
- Is there an audit trail that unambiguously ties the
digital evidence back to the initiating entry or, in some
cases, forward to its inclusion on the face of the financial
statements or in the footnote disclosures?
- Does the digital evidence include metadata that identifies
who made the entry and when?
- What are the controls designed to prevent unauthorized
changes to the digital evidence after it was created?
- Who has or had access rights to change the digital
evidence?
- How does the auditor know that the digital evidence
hasn’t been intentionally altered to deceive or
mislead?
- Has operating system audit logging been properly enabled
to record all successful and failed access attempts to
the digital evidence?
- Have the audit logs been reviewed independently?
- Has the continuity of the logs been maintained, and
have all gaps been explained?
- Have the logs been frequently copied to offline, read-only
media and stored in a secure location inaccessible to
those who might have the incentive to fraudulently alter
them?
- Has access to the logs and their security settings
been logged, and limited to only authorized individuals?
- If passwords are a key control to prevent unauthorized
changes to the digital evidence, are the passwords strong?
- Have employees shared passwords, or does the IT department
know all of the passwords?
The answers to these questions can assist an auditor in
evaluating the reliability of digital records, assessing
the risk of material misstatement, and planning more effective
substantive tests.
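The bookkeeper scenario above and the questions about audit trails, continuity of logs, and offline copies all turn on one test: can the auditor tell whether a digital journal was altered after the fact, even when the view presented still ties to the trial balance? The following Python program is an added example, not code from the article or from J.H. Cohn. It assumes a simple hash-chained journal format of its own design (each entry commits to the previous entry's hash, and the chain head is copied to offline media at period end); every entry, user name, date, and amount in it is constructed sample data. It checks three views of the same journal: the journal as recorded, a crudely altered view in which a fictitious vendor payment has been deleted and another entry inflated by the same amount so the control total still ties, and a rebuilt view in which the alterer has also recomputed the whole chain.

```python
# Added example, not part of Nearon's article: a hash-chained journal that lets
# an auditor test digital journal entries for deletion, alteration and sequence
# gaps even when a "view" of the journal still ties to the trial balance.
# The chain format is assumed; all entries, users and amounts are constructed.
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry (assumed convention)


def entry_hash(prev_hash, fields):
    """Commit to the previous entry's hash plus this entry's own fields."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def build_journal(raw_entries):
    """Append entries with sequence numbers, who/when metadata and a hash chain."""
    journal, prev = [], GENESIS
    for seq, raw in enumerate(raw_entries, start=1):
        fields = {"seq": seq, **raw}
        digest = entry_hash(prev, fields)
        journal.append({**fields, "prev_hash": prev, "hash": digest})
        prev = digest
    return journal


def raw_fields(entry):
    """Strip chain bookkeeping so an entry can be re-posted to a new journal."""
    return {k: v for k, v in entry.items() if k not in ("seq", "prev_hash", "hash")}


def control_total(journal):
    """The figure a bookkeeper's screen or printout shows at the bottom."""
    return sum(e["debit"] for e in journal), sum(e["credit"] for e in journal)


def verify_chain(journal):
    """Return a list of findings; an empty list means the chain is intact."""
    findings, prev, expected_seq = [], GENESIS, 1
    for e in journal:
        if e["seq"] != expected_seq:
            findings.append(f"sequence gap: expected seq {expected_seq}, found {e['seq']}")
        if e["prev_hash"] != prev:
            findings.append(f"chain break at seq {e['seq']}: prev_hash does not match preceding entry")
        content = {k: v for k, v in e.items() if k not in ("prev_hash", "hash")}
        if entry_hash(e["prev_hash"], content) != e["hash"]:
            findings.append(f"altered entry at seq {e['seq']}: stored hash does not match contents")
        prev, expected_seq = e["hash"], e["seq"] + 1
    return findings


def matches_offline_anchor(journal, anchored_hash):
    """Compare the chain head with a hash kept on offline, read-only media.
    Anyone with write access can rebuild the whole chain after altering it;
    only an anchor kept out of their reach detects that."""
    return bool(journal) and journal[-1]["hash"] == anchored_hash


# Constructed sample data: the journal as originally recorded. Entry 3 is a
# fictitious vendor payment posted by user "jdoe", the entry a fraudster would
# want to hide. Amounts are whole dollars.
ORIGINAL_JOURNAL = build_journal([
    {"date": "2004-12-01", "user": "acct1", "memo": "Sales invoice 1042", "debit": 1200, "credit": 1200},
    {"date": "2004-12-03", "user": "acct1", "memo": "Payroll", "debit": 3000, "credit": 3000},
    {"date": "2004-12-05", "user": "jdoe", "memo": "Vendor X services", "debit": 5000, "credit": 5000},
    {"date": "2004-12-08", "user": "acct1", "memo": "Rent", "debit": 2000, "credit": 2000},
    {"date": "2004-12-10", "user": "acct1", "memo": "Utilities", "debit": 800, "credit": 800},
])

# Chain head copied to offline media when the period closed (stands in for
# the log-copying control asked about above).
OFFLINE_ANCHOR = ORIGINAL_JOURNAL[-1]["hash"]

# Constructed crude "view" shown to the auditor: entry 3 deleted and payroll
# inflated by the same 5,000 so the bottom line still ties. Hashes untouched.
TAMPERED_VIEW = [dict(e) for e in ORIGINAL_JOURNAL if e["seq"] != 3]
TAMPERED_VIEW[1]["debit"] = TAMPERED_VIEW[1]["credit"] = 8000

# Constructed rebuilt "view": same alteration, but renumbered and re-hashed by
# someone with write access to the journal.
REBUILT_VIEW = build_journal([raw_fields(e) for e in TAMPERED_VIEW])


if __name__ == "__main__":
    for name, view in (("original", ORIGINAL_JOURNAL), ("crude", TAMPERED_VIEW), ("rebuilt", REBUILT_VIEW)):
        print(f"{name}: totals {control_total(view)}, anchor ok={matches_offline_anchor(view, OFFLINE_ANCHOR)}")
        for finding in verify_chain(view):
            print("  finding:", finding)
```

Run as a script to see the findings. The control total ties for every view, which is exactly the scenario above. The chain check exposes the crude alteration (a hash mismatch on the inflated entry, then a sequence gap and a chain break where the deleted entry used to be) but is silent on the rebuilt view, because anyone with write access can recompute the hashes. That case is caught only by comparing the chain head with the hash copied to offline, read-only media at period end, which is why the questions above ask whether logs are copied somewhere the people with an incentive to alter them cannot reach. The crude view, conversely, still matches the anchor because its last entry was never touched, so both checks are needed, and the rebuilt view shows that the anchor must be taken by someone other than the people who can write to the journal.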
Due for Change
Dramatic changes in information technology have changed
the very nature of the evidence of transactions and have
created a challenge for the audit profession to maintain
its competence. Auditor independence has been an ongoing
issue for over 30 years, and, at least for public companies
and those subject to generally accepted government auditing
standards, the independence standards have been significantly
tightened. Due professional care and increased skepticism
of digital records have not been issues raised by the profession’s
critics, but they may nevertheless be cause for concern in the
future.
The changes in the use of information technology by business
have had a profound effect on accounting and auditing because
accounting records are now almost universally recorded, processed,
and reported digitally. The nature of the digital evidence
used to support an audit opinion requires an even greater
level of skepticism than that for physical evidence, because
digital records may be more easily altered without a trail.
Auditors are advised not to rely blindly on the digital
evidence—what they see may not be what they get.
Bruce H. Nearon, CPA, is director of
IT security auditing with J.H. Cohn LLP. He is a member of
the NYSSCPA’s Auditing Standards and Procedures Committee
and can be reached at bnearon@jhcohn.com.