WHAT IS A PAPERLESS AUDIT?
By K P C Rao, LLB., FCMA., FCS.,
CMA (USA)., FIPA (Australia)
Practicing Company Secretary
firstname.lastname@example.org
Paperless Audit Means
More than 30 years ago, even before the proliferation of personal computers, information technology experts predicted the advent of paperless offices. Surveys conducted in the US during 2010 found that 52% of firms reported operating in a paperless work environment. Larger firms (by revenue) were more likely to be paperless. However, the term “paperless” has many different meanings, and many businesses are at different stages in the progression away from paper. So with all this talk about going paperless, what exactly does it mean?
A paperless audit is one in which an auditor accesses the electronic records of a client in order to conduct the audit. Ideally, it also means that the auditor issues the final report in an electronic format, such as by e-mail or by posting the information on a secure site for the client to download. It is therefore a process of applying audit procedures and documenting those procedures with limited use of hard copies. The whole goal behind going paperless is to eliminate the paper trail as much as possible. It is also important to note that there are varying degrees of going paperless. In the society we live in today, it is pretty difficult for a company to be completely paperless. According to Jeff Stimpson in The Nitty-Gritty of Going Paperless, "paperless, or, more accurately, 'document management,' can start as simply as outputting tax forms and documentation to PDF files instead of paper, using a paperless audit product, e-filing, and using more e-mail than snail-mail to communicate." As you can see, going paperless does not have to be a difficult project, but it does require the organization to commit to it fully in order to be successful. To become a paperless firm, a general understanding of the programs that make this possible is needed.
Electronic Testing and Evidence Gathering
Advances in computer technology have made more timely and detailed financial and operational information available; interested parties no longer have to wait until historical financial statements are published. Assurance providers must keep pace with this demand for real-time information while dealing with information systems that require new testing techniques and new evidence-gathering procedures. Traditional electronic assurance methods may not be as relevant in the increasingly paperless environment, where an audit trail is primarily electronic. The development of a truly continuous auditing approach requires a combination of techniques in order to ensure that sufficient evidence exists to assure the integrity of the system.
The advances made in computer technology during the past several decades have had a significant impact on how accounting systems process financial transactions. One implication of these advances is that users have more timely, detailed financial and operational information about an entity. Users no longer need to wait until the publication of quarterly or annual financial statements in order to assess performance. Advances in Enterprise Resource Planning (ERP), eXtensible Business Reporting Language (XBRL), and other software have enabled companies to report information on a weekly, daily, or even instantaneous basis. In some cases, users can even access the entity’s financial and operating information databases directly and select the information they consider relevant.
Continuous testing techniques are particularly appropriate in systems that leave electronic trails of evidence, such as e-commerce systems. Continuous monitoring should allow the auditor to adopt a lower control risk assessment approach in a financial statement audit. Many auditors believe that a continuous auditing approach is necessary for paperless systems, because transaction and other files might not be retained for the entire period under audit. For example, some e-commerce systems might use a web hosting provider that retains transaction data for a limited period of time. If the data is not reviewed continuously, it might not be available to the auditor.
Major Types of Continuous Auditing Techniques
Embedded audit modules filter transaction files for data or relationships that are considered anomalies. For example, they could inform the auditor when a credit card is used in twelve countries within two hours.
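The embedded audit module rule described above, written as a streaming filter in Python. This is an added example, not code from the article; the class name, card tokens and sample transactions are constructed, and the thresholds are the twelve countries and two hours given in the text.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the article's example: twelve countries within two hours.
MAX_COUNTRIES = 12
WINDOW = timedelta(hours=2)


class CardCountryMonitor:
    """Flags a card seen in max_countries or more distinct countries within window."""

    def __init__(self, max_countries=MAX_COUNTRIES, window=WINDOW):
        self.max_countries = max_countries
        self.window = window
        self.recent = defaultdict(deque)  # card token -> (timestamp, country) pairs
        self.alerted = set()              # cards with an alert already raised

    def observe(self, card, ts, country):
        """Process one transaction in timestamp order; return an alert dict or None."""
        q = self.recent[card]
        q.append((ts, country))
        # Discard transactions that have aged out of the sliding window.
        while ts - q[0][0] > self.window:
            q.popleft()
        countries = {c for _, c in q}
        if len(countries) < self.max_countries:
            self.alerted.discard(card)  # re-arm once the card looks normal again
            return None
        if card in self.alerted:
            return None                 # one alert per episode, not per transaction
        self.alerted.add(card)
        return {"card": card, "at": ts, "countries": sorted(countries)}


def run_sample():
    """Feed constructed transactions through the monitor and return the alerts."""
    base = datetime(2013, 2, 1, 9, 0)
    codes = ["US", "CA", "MX", "BR", "GB", "FR", "DE", "IN", "CN", "JP", "AU", "ZA"]
    # card-A: twelve countries, ten minutes apart (110 minutes in total).
    events = [("card-A", base + timedelta(minutes=10 * i), c) for i, c in enumerate(codes)]
    # card-B: the same twelve countries, but one hour apart.
    events += [("card-B", base + timedelta(hours=i), c) for i, c in enumerate(codes)]
    events.sort(key=lambda e: e[1])
    monitor = CardCountryMonitor()
    return [alert for e in events if (alert := monitor.observe(*e))]
```

Only card-A is reported: card-B visits the same countries, but never more than three of them fall inside any two-hour window.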
Continuous testing through an integrated test facility (ITF) allows for testing of the entire system, both manual and computer processes. The auditor establishes a fictitious entity through which auditor-submitted transaction data can be processed with live data. For example, an auditor-established fictitious vendor or customer could enter transactions via a VAN in a traditional EDI environment. The actual results could be compared with expected results, and the differences, if any, would be investigated by the auditor. ITF is most effective in a stable, legacy environment; more modern, open networks are nearly impossible to accurately replicate in an ITF.
Computer-Assisted Audit Techniques (CAATs) or Computer-Assisted Audit Tools and Techniques (CAATTs) are a growing field within the audit profession. CAATs are the practice of using computers to automate the audit process. CAATs normally include using basic office productivity software such as spreadsheets, word processors and text editing programs, as well as more advanced software packages involving the use of statistical analysis and business intelligence tools.
An example of an emerging system is one that involves business-to-consumer e-commerce on the Internet. E-commerce is marked by electronic, nearly instantaneous transactions and increased challenges to electronic security and integrity. Though it continues to grow, the future of e-commerce is uncertain; currently, it presents new challenges to businesses, consumers, and auditors.
An assurance provider can employ both emerging and traditional evidence-gathering techniques in this paperless processing environment. Many traditional evidence-gathering and assurance techniques that can increase the likelihood that the system will possess integrity are appropriate in this type of electronic system. For example, auditors can use job accounting data or operating systems logs, library management software, comparison programs, flowcharting software, snapshots, program tracing and mapping, test data, ITF, and parallel simulation to provide assurance that the software works as intended and has not been modified without authorization.
The auditor could employ audit software to discover anomalies in data files of deleted transactions (e.g., payment of the same invoice number twice). Embedded audit modules can be used to provide real-time notification of a variety of events, such as a denial of service attack.
The auditor can also employ emerging electronic assurance techniques in paperless systems. One of these techniques, identified in the AICPA and CICA’s Continuous Auditing, is the use of digital agents. Digital agents are data and code that act on the behalf of the user. A reactive digital agent filters incoming information, such as an order for goods that exceeds a certain dollar amount and is sent to a manager for approval. A proactive digital agent searches the system for the existence of prespecified conditions and takes specific actions upon discovery or nondiscovery.
Reactive digital agents are static and remain in one location in the system. For example, the agent could notify the auditor if the purchase price of an inventory item fell outside of a prespecified range. Mobile agents are proactive and move through networks. For example, the agent could search the web for specific information that would impact inventory marketability and net realizable value. This information could be stored in a database for the auditor’s review.
Mobile agents can subscribe to specific types of updated information within an internal or web-based system. The agent could be programmed to take appropriate action upon notification of specified events. For example, a day trader could subscribe to an online service that advises when a company’s stock price reaches a certain level and then issues a buy or sale order.
Embedded audit modules and digital agents can only be implemented with extensive assistance from management and internal audit staff. This degree of involvement in the design and implementation of the audit tool might raise questions concerning auditor independence.
Another emerging assurance technique utilizes data provided by sensors in analytical review procedures. Sensors measure a physical process, such as the amount of oil that flows through a pipeline, the amount of water used as measured by meter, or the number of rotations of a turnstile. The auditor could obtain operational data provided by the sensors and perform analytical review procedures to compare expected results with recorded amounts; for example, multiplying the gallons of water actually used at a car wash by average revenue per gallon. This analytical review procedure is based upon objectively obtained data and yields a fairly precise estimate of gross revenue.
Another technique utilizes electronic confirmations (e-mail) to obtain third-party confirmation of amounts on the books. The assurance of the true identity of the sender and the recipient is critical to the integrity of the electronic confirmation process. This assurance can be obtained if both the sender and recipient utilize the services of a digital certificate authority. This is an authentication control: it ensures that the individuals are who they purport to be, not impersonators. An analogy is the customer who purchases goods with a check and produces a driver’s license (independent authentication) as proof of identity.
Apart from resulting in reduced costs for both parties, a paperless audit has the following advantages:
(1) Analysis software:
Depending on the format in which the client information is provided, the auditor may be able to use analysis software to automatically review the information.
(2) Error reduction:
There is no rekeying of information from client documents into the auditor's software, so rekeying errors are eliminated.
(3) Travel costs:
The auditor can conduct audits from a remote location, so travel costs are eliminated.
(4) Turnaround time:
Given the use of automated analysis tools, a paperless audit can result in faster turnaround time, which can be useful when a third party is demanding audited financial statements as soon as possible.
(5) Workflow management:
The auditor can more easily see the status of all aspects of an audit, in terms of percentages of completion, bottlenecks, and so forth, and so can bring resources to bear on any issues that are holding up completion of the audit.
(6) Worksheet templates:
The auditor can issue electronic templates of worksheets for the client to fill out that are based on the electronic records from the last audit.
In short, the paperless audit is effective in eliminating rekeying and travel costs, while speeding up the analysis of information and monitoring the completion stages of an audit.
Despite its advantages, there are several downsides to the use of a paperless audit, which are:
Some of the information provided to auditors is considered confidential, and storing it outside of the client location (i.e., on the auditor's computer) increases the risk that it will be accessed by an unauthorized party.
If a client currently keeps some or all of its financial records on paper, converting to an electronic storage format can be expensive.
The world of client services is changing. New advances in technology and web-based computing are transforming the way we work and interact with clients. In addition, the economic downturn is dramatically impacting our clients in ways that will ultimately affect our future business revenue as well. To succeed in this changing world, we need new tools, new approaches, and new educational content and training.
Therefore, ‘Paperless Auditing’ is a very important issue facing the accounting profession today. Several firms throughout the world are faced with the decision to go paperless, and many are in the early stages of becoming a paperless office. It is important for a company to go at this task full force, or the benefits will be significantly reduced. When the decision has been made to go to a paperless office, several issues present themselves for the firm. These issues include the level at which, and how, to implement a paperless system; what audit issues need to be addressed in the conversion and use; and what the pros and cons of this system are. In most cases, the advantages of a paperless audit seriously outweigh any offsetting issues. At a minimum, any business should consider shifting as much audit work as possible to a paperless solution.
[Published in 'circuit', monthly journal of ICAI, Hyderabad during February, 2013]