A New Layer in Audit Evidence

The US Public Company Accounting Oversight Board (PCAOB) amended AS 1105, Audit Evidence. in 2024, adding paragraph .10A, which requires auditors to consider the reliability of external information that companies provide in electronic form. The change recognizes a simple fact: most audit evidence today—whether invoices, bank confirmations, or regulatory filings—exists primarily in digital formats.

To help firms apply this requirement, the PCAOB followed up with a policy statement in September 2025 and staff guidance in October 2025. Both emphasize that reliability must be judged in context rather than through a prescribed checklist. The guidance highlights three areas that should shape the auditor’s approach: the level of risk of misstatement, the importance of the evidence to the financial statements, and the company’s own process for receiving, processing, and maintaining information.

Why Every Situation Demands a Different Response

What these changes reinforce is that no two engagements are identical. The same principles apply, but the auditor’s actions differ depending on the facts.

Take supplier invoices as an example. When vendors send invoices electronically and the company stores them without changes, the likelihood of alteration is very low. In such cases, once the auditor understands the process, no additional testing may be necessary.

Contrast that with cash receipts imported from bank feeds into an ERP system. Here, the data is reformatted and processed internally, creating a risk that requires further attention. An auditor might respond by comparing selected receipts directly to electronic bank statements, or by testing the company’s IT and application controls. Either approach addresses the concern, but the choice depends on the audit strategy.

Other scenarios require yet another approach. Income tax expense often relies on files containing statutory rates. By cross-checking those rates with official tax authority sources, the auditor both validates the figures and confirms reliability, without needing separate control testing. And in capital markets, where companies use third-party aggregators for exchange rates or bond yields, the risk lies outside the company altogether. In that case, triangulating data across several independent sources is the most practical way to establish reliability.

The Centrality of Auditor Judgment

These examples underline a key message: reliability in electronic evidence cannot be assumed. It has to be demonstrated. The PCAOB’s amendments and subsequent guidance recognize that audit evidence, shaped increasingly by technology, cannot be governed by rigid rules alone.

For auditors, the path forward rests on three key actions: understanding the company’s process for managing electronic evidence, evaluating the risk and materiality associated with that evidence, and applying judgment to select the appropriate combination of substantive procedures, control testing, or direct verification.

Assurance in the digital era depends less on mechanical compliance and more on the careful and thoughtful application of professional judgment. By reviewing processes closely and tailoring responses to risk, auditors can give stakeholders confidence that electronic evidence provides a reliable foundation for financial reporting.

KNAV Comments

While audit evidence in the manual world had its own nuances, the digital environment presents a different set of considerations. The fact that information is generated or maintained within a system does not automatically guarantee its accuracy. The principles of evaluating evidence remain the same: reliability must be established through procedures and, above all, professional judgment.

Share via