The Implications of Electronic Evidence

Guiding auditors along the information superhighway.
BY A. LOUISE WILLIAMSON

EXECUTIVE SUMMARY
  • THE INCREASED USE OF COMPUTERS IN business to track and store information means auditors are often required to deal with evidence in electronic form. To incorporate the concept of electronic evidence into the professional standards, the American Institute of CPAs auditing standards board issued Statement on Auditing Standards no. 80, Amendment to SAS No. 31, Evidential Matter.
  • TO PROVIDE AUDITORS WITH nonauthoritative guidance on applying SAS no. 80, an AICPA Auditing Procedures Study (APS), The Information Technology Age: Evidential Matter in the Electronic Environment, was issued in January 1997.
  • SAS NO. 80 PROVIDES GUIDANCE FOR auditors who have been engaged to audit the financial statements of an entity that transmits, processes, maintains or accesses significant information electronically. It is effective for engagements beginning on or after January 1, 1997.
  • THE APS OFFERS IMPLEMENTATION guidance about electronic evidence and its impact on an audit. The study describes electronic evidence and its implications and illustrates possible audit approaches.
  • SAS NO. 80 MOVES AUDITING STANDARDS into the information technology age and helps guide auditors along the information superhighway.
A. LOUISE WILLIAMSON, CPA, is a technical manager in the auditing standards division of the American Institute of CPAs. Ms. Williamson is an employee of the American Institute of CPAs and her views, as expressed in this article, do not necessarily reflect the views of the AICPA. Official positions are determined through certain specific committee procedures, due process and deliberation.


Virtually every business uses computers to track and store information. This means auditors are increasingly required to deal with evidence in electronic form. Recognizing the need to incorporate the concept of electronic evidence into the professional standards, the American Institute of CPAs auditing standards board (ASB) issued a statement on auditing standards that amends existing guidance. SAS no. 80, Amendment to SAS No. 31, Evidential Matter, was issued in December 1996 and is effective for engagements beginning on or after January 1, 1997. In addition, the AICPA published an Auditing Procedures Study (APS), The Information Technology Age: Evidential Matter in the Electronic Environment, in January to provide auditors with nonauthoritative guidance on applying SAS no. 80. This article addresses both the SAS and the APS, which are likely to affect auditors of entities of all types and sizes.


KEEPING UP WITH THE TIMES
SAS no. 31, Evidential Matter, was issued in August 1980. With the growing use of computers and other information technology, entities have been processing important data electronically. Today, information technology is almost indigenous to the business environment. Information systems continue to have an impact on business processes, on the initiation and processing of accounting transactions and, therefore, on auditing. Auditors must keep pace with these developments. Information technology often requires auditors to use electronic evidence to reduce audit risk to an acceptably low level. This raises issues about the validity, completeness and integrity of that evidence.

SAS no. 80 provides guidance for auditors who have been engaged to audit the financial statements of an entity that transmits, processes, maintains or accesses significant information electronically. In certain entities where evidence is in electronic form, the standard provides that an auditor may determine that it would not be practical or possible to reduce detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions. In such circumstances, the auditor should perform tests of controls to gather evidence to support an assessed level of control risk below the maximum for affected assertions. Evidence from these tests of controls—when combined with that provided by substantive tests—should be sufficient to support the opinion to be issued. (The standard says the auditor should perform substantive tests regardless of the assessed level of control risk.) If the auditor concludes control risk must be assessed at the maximum in such circumstances or the evidence gathered through tests of controls and substantive tests is insufficient, the auditor should qualify or disclaim an opinion because of the resulting scope limitation.

SAS no. 80 defines accounting data and evidential matter. Accounting data include the general and subsidiary ledgers and other records such as worksheets and spreadsheets that support the financial statements. Evidential matter includes both written and electronic information—such as checks, records of electronic fund transfers, invoices, contracts and information developed by or available to the auditor—that permits him or her to reach conclusions through valid reasoning. In certain entities, some of the accounting data and evidence are available only in electronic form. Source documents, such as purchase orders, bills of lading, invoices and checks, are replaced by electronic messages. For example, entities may use electronic data interchange (EDI) or image processing systems.

With EDI, an entity and its customers or suppliers use communication links to transact business electronically. Purchase, shipping, billing, cash receipt and cash disbursement transactions often are consummated entirely by exchanging electronic messages. In image processing systems, documents are scanned and converted into electronic images to facilitate storage, and reference and source documents may not be retained after conversion. Certain electronic evidence may exist at a particular point in time but may not be retrievable after a specified period if files are changed and backup files do not exist. Therefore, SAS no. 80 says the auditor should consider the time during which information exists or is available in determining the nature, timing and extent of his or her substantive tests and, if applicable, tests of controls.


THE NEED FOR HOW-TO GUIDANCE
During its deliberations on SAS no. 80, the ASB concluded that implementation guidance about electronic evidence and its impact on an audit was needed. The Information Technology Age: Evidential Matter in the Electronic Environment was issued to respond to that need. The APS describes electronic evidence and discusses issues of concern to auditors. It also illustrates implications of electronic evidence and possible audit approaches.

The APS introduction describes the studys relationship to existing professional standards and other literature as well as the structure of the APS. In addition, the study defines electronic evidence, compares traditional and electronic evidence in the context of six desired attributes of audit evidence and highlights issues and related recommendations concerning the auditor and electronic evidence.

The attributes of audit evidence considered in the APS are

  • Difficulty of alteration. Easily altered evidence lacks credibility and has reduced value to the auditor.
  • Prima facie credibility. SAS no. 80 establishes a hierarchy of credibility for evidence. Increased credibility stems from the independence of the source and the auditors ability to corroborate the evidence.
  • Completeness of documents. Competent evidence includes the essential terms of a transaction so an auditor can verify the transactions validity.
  • Evidence of approvals. Approvals integrated into the evidence add to its completeness.
  • Ease of use. This leads to ease in evaluation and understanding.
  • Clarity. Competent evidence should allow the same conclusions to be drawn by different auditors performing the same task.
Ordering Information
To order SAS no. 80, Amendment to SAS No. 31, Evidential Matter (product no. 060673), and the APS, The Information Technology Age: Evidential Matter in the Electronic Environment (product no. 021068), call 800-862-4272 (menu selection 1), write the AICPA Order Department, P.O. Box 2209, Jersey City, New Jersey 07303-2209, or fax 800-362-5066 and follow the voice instructions.

The key issues the auditor might consider because of the differences between traditional documentary and electronic evidence include

  • Electronic information as competent evidence. Addresses the scope of the procedures necessary to assure the competence of evidence.
  • Presentation of electronic evidence. Addresses the need for the auditor to understand how electronic evidence is extracted from the information system.
  • Competence of tools used to access electronic evidence. Discusses how the use of computer-assisted audit techniques expands the ability to analyze data and test the assertions contained in the financial statements.
  • Definition of error. Discusses the fact that potential errors could range from data transmission errors to deliberate manipulation of data.
  • Embedded or implied control performance. Differentiates between the two by saying that embedded control performance deals with unexpected changes to the data while implied control performance deals with expected changes to the data.
  • Access to evidence. Points out that limited access to or retention of electronic evidence may require the auditor to select samples several times during the audit period rather than just at yearend.

The APS also includes two detailed case studies designed to show how a practitioner might approach auditing an entity where the electronic environment and the use of information technology significantly affect information and transactions.


MOVING INTO THE INFORMATION AGE

With the issuance of SAS no. 80 and the APS, auditing standards move into the age of information technology and provide implementation literature to help guide auditors along the information superhighway.

SPONSORED REPORT

Year-end tax planning and what’s new for 2016

Practitioners need to consider several tax planning opportunities to review with their clients before the end of the year. This report offers strategies for individuals and businesses, as well as recent federal tax law changes affecting this year’s tax returns.

QUIZ

News quiz: IRS warning on cyberattacks and a change in pension rules

Once again, the IRS sounds the alarm about a threat from cyberthieves. See how much you know about this and other recent news with this short quiz.

CHECKLIST

Bolster your data defenses

As you weather the dog days of summer, it’s a good time to make sure your cybersecurity structure can stand up to the heat of external and internal threats. Here are six steps to help shore up your systems.