Forensics Principles Become Part of the Sarbanes Oxley Audits After the Market Crisis

According to the new proposed from the PCAOB auditing standards, auditors must obtain sufficient appropriate audit evidence to provide a reasonable basis for their opinion.
What is sufficiency? It is the measure of the quantity of audit evidence.

What is appropriateness? It is the measure of the quality of the evidence obtained.

Evidence must be relevant, which means that it must be related to the assertion or to the objective of the control being tested.

Evidence must also be reliable. It means that it depends on:

1. The nature
2. The source of the evidence
3. The circumstances under which the evidence is obtained.

Obtaining more of the same poor audit evidence, cannot compensate for the poor quality of it.

Here is where computer forensics principles come in. According to the new proposed from the PCAOB auditing standards, everything depends on the nature, source and circumstances under which evidence is obtained.

A. A knowledgeable source that is independent of the company obtains more reliable evidence than evidence obtained only from internal company sources

B. Evidence is more reliable when the company’s controls over that information are effective.

C. Evidence is more reliable when obtained directly by the auditors.

D. Evidence is more reliable when provided by original documents. Photocopies, facsimiles, documents filmed, digitized or converted into electronic form, are secondary evidence.
The more controls over the conversion and maintenance of those documents, the more auditors can use these documents.

The auditors don’t have to be experts in document authentication.
If a document may not be authentic or there are modifications not disclosed to the auditors, they should also modify their planned audit procedures or perform additional procedures.

Auditors do not trust all information produced by a company.
They should evaluate whether the information is sufficient and appropriate by:

A. Testing the accuracy and completeness of the information

B. Testing the controls over the accuracy and completeness of that information

C. Evaluating the information (is it sufficiently precise and detailed?)

If audit evidence obtained from one source is not consistent with what is obtained from another, or if the auditor has any reasons to believe that there is a problem with the reliability of information to be used as audit evidence, they should use professional judgment and perform all the procedures needed to resolve the matter.