3 September 2020

With remote and paperless auditing becoming much more common, a number of threats and opportunities arise.

This article considers the use of Adobe DC Pro as both a great tool for authenticating and securing documents for signing, and also how it can be used maliciously to tamper with PDFs.

How safe are PDFs?

Many auditors would consider a PDF document to be less prone to tampering than, say, a Word document. People tend to convert Word or Excel to PDF to try to preserve the integrity of the document. And this works to some degree.

If we request soft copies of, say, Minutes from a client and they are sent in Word, there is no guarantee that the version we have is the latest, has been approved correctly, or is actually authentic. But a PDF, even if it includes a signature, while looking more convincing, may still have been tampered with.

Consider the example below:

  • Here is a Xero invoice, opened using Adobe DC Pro.
  • Edit is selected, and characters and numbers may be changed, and the document then saved.
  • Bank accounts, amounts, and other details on the invoice are easily updated.

How might we detect this?

One way of finding clues is to look at the PDF description and compare the created and modified date/time. This does not guarantee with 100% accuracy that the file wasn’t modified, but if it was edited as above and the changes saved you will normally see a difference in the date.

If these are different then it was definitely edited. However, a more sophisticated tamperer could work around this and modify the metadata.
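The created/modified comparison described above can be scripted for a folder of client PDFs. The following is an added example, not part of the original article: the function names, the two-second tolerance and the sample bytes are assumptions made for illustration, and it only reads dates stored as plain text in the file (not compressed or encrypted metadata).

```python
import re
from datetime import datetime, timedelta, timezone

# PDF date string: D:YYYYMMDDHHmmSS then Z, or +HH'mm' / -HH'mm' (offset from UTC)
_DATE = re.compile(rb"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
                   rb"(?:([Zz+\-])(\d{2})?'?(\d{2})?'?)?")

def parse_pdf_date(raw: bytes) -> datetime:
    m = _DATE.match(raw)
    if not m:
        raise ValueError(f"not a PDF date: {raw!r}")
    defaults = (0, 1, 1, 0, 0, 0)  # omitted month/day default to 1, time fields to 0
    y, mo, d, h, mi, s = (int(g) if g else dflt
                          for g, dflt in zip(m.groups()[:6], defaults))
    offset = timedelta(hours=int(m.group(8) or 0), minutes=int(m.group(9) or 0))
    tz = timezone(-offset if m.group(7) == b"-" else offset)
    return datetime(y, mo, d, h, mi, s, tzinfo=tz)

def info_dates(pdf: bytes) -> dict:
    """Last /CreationDate and /ModDate literal strings found in the raw bytes
    (revisions appended to the file by a later save come last)."""
    found = {}
    for key in (b"CreationDate", b"ModDate"):
        hits = re.findall(rb"/" + key + rb"\s*\((D:[^)]*)\)", pdf)
        found[key.decode()] = parse_pdf_date(hits[-1]) if hits else None
    return found

def date_verdict(pdf: bytes, tolerance_s: int = 2) -> str:
    d = info_dates(pdf)
    created, modified = d["CreationDate"], d["ModDate"]
    if created is None or modified is None:
        return "unknown"   # dates absent, compressed or encrypted: no conclusion
    gap = abs((modified - created).total_seconds())
    return "differs" if gap > tolerance_s else "match"

# Constructed samples: just enough of an Info dictionary for the check to read.
_INFO = b"%%PDF-1.4\n1 0 obj\n<< /CreationDate (D:20200901101500+12'00') /ModDate (%s) >>\nendobj\n"
AS_ISSUED = _INFO % b"D:20200901101500+12'00'"
RESAVED = _INFO % b"D:20200902234210Z"
SAME_INSTANT = _INFO % b"D:20200831221500Z"   # same moment written in UTC

if __name__ == "__main__":
    for name in ("AS_ISSUED", "RESAVED", "SAME_INSTANT"):
        print(name, date_verdict(globals()[name]))
```

Comparing the dates as instants rather than as text avoids a false alarm when the two fields record the same moment in different time zones. A "match" is still only a clue, since the metadata itself can be rewritten.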

What about items scanned to PDF?

It is common for clients to send us scanned documents, say signed minutes. How safe are these? The Adobe DC Pro edit function can also be used to change these (although changes may be more obvious, as the updated font may look sharper or out of line).

The easiest way to detect if a file has been modified is to digitally sign the document. Reader and Acrobat will report if the document has been changed since it was signed. So if say we have an important document on file and we wish to have a client or third party confirm authenticity, we can use the digital signing feature to do this.
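A signed PDF records which bytes of the file the signature covers (the /ByteRange entry), so one quick triage check for "changed since it was signed" is whether anything sits in the file after the signed range. This is an added example, not part of the original article: the function names and the sample file are constructed for illustration, and it does not verify the cryptographic signature itself, which Reader and Acrobat do.

```python
import re

# /ByteRange [a b c d]: the signature covers bytes a..a+b and c..c+d;
# the gap between them holds the signature value itself (/Contents).
_BYTERANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signature_coverage(pdf: bytes) -> list:
    """One entry per signature found, saying how much of the file it covers."""
    results = []
    for m in _BYTERANGE.finditer(pdf):
        a, b, c, d = (int(x) for x in m.groups())
        signed_end = c + d
        results.append({
            "signed_end": signed_end,
            "trailing_bytes": len(pdf) - signed_end,   # data added after signing
            "covers_whole_file": a == 0 and signed_end == len(pdf),
        })
    return results

def make_signed_sample() -> bytes:
    """Constructed stand-in for a signed PDF with a consistent /ByteRange."""
    pre, mid = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 ", b"] /Contents "
    hole = b"<" + b"00" * 16 + b">"            # where the real signature would sit
    tail = b" >>\nendobj\n%%EOF\n"
    start = len(pre) + 32 + len(mid)            # three 10-digit numbers + two spaces
    nums = b"%010d %010d %010d" % (start, start + len(hole), len(tail))
    return pre + nums + mid + hole + tail

# Constructed "after signing" change: extra objects appended to the signed file.
APPENDED = b"2 0 obj\n<< /Note (constructed later revision) >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    signed = make_signed_sample()
    print("as signed:", signature_coverage(signed))
    print("changed  :", signature_coverage(signed + APPENDED))
    print("unsigned :", signature_coverage(b"%PDF-1.7\n%%EOF\n"))
```

Where a document carries several signatures, earlier ones will not cover the whole file; it is the most recent signature that should. Trailing bytes after it mean the file was saved again after signing and should be opened in Reader or Acrobat to see what changed.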

Secure digital signing of documents

However, there is the more obvious use for this tool – to create a document such as an engagement letter as a PDF, and add your own digital signature.

In the old context, we would print and sign a hard copy letter, mail it (or scan and email it) to the client, they would sign and mail it back (or print, scan, sign and email it back).

With digital signing tools, we create the letter from Audit Assistant (for instance) and save it as a PDF with the letterhead already inserted.

We then open the document in Adobe DC Pro, and select “Fill and Sign”. This allows us to add a facsimile of our own signature to the letter. Then we select “request signatures”. Then we add the email address of the client and a message, and select the space where we want the client to sign.

Finally, we select “send” and the client receives an email with a link to sign digitally. They do not need to have any software installed to do this, as they complete in a web form. You will be advised automatically by email when the document has been signed by the client.

The beauty of this is not that you or they can add a facsimile of their signature without printing (signatures are becoming a quaint formality), but that the document has been controlled within a secure environment controlled by Adobe. They even append a certification as to the authenticity of the process.

Use this tool to certify other documents

There are other uses for this over and above signing letters and reports. How about we have an invoice or a contract on file, and we suspect it may have been tampered with?

We can use the “Fill and Sign” tool to securely send the document to the client or a third party to get them to approve and sign the document as authentic, thus adding another layer of assurance to our work.

Use this alongside Audit Assistant

Some audit evidence is gathered by sharing pages with clients, and they can add their comments and attachments. This is handled securely within Audit Assistant. Some parts of the audit however require documents to be passed and signed securely. Adobe DC Pro provides this with much the same feel as sharing pages within Audit Assistant. We recommend it.

The cost of an individual licence is $A22.99/month, or a team subscription is $A26.13/person/month.

20 August 2020

Larger charities are becoming seriously focused on preparing service information in a way that is meaningful, compliant with the standards, and able to be audited without too much drama.

It is important that charities see this task, not as an onerous burden but as a positive experience that enables them to tell their wider story. In most cases, charities are contributing primarily in ways that cannot be measured in financial terms, so we could say that service performance is their real reporting.

Charities aren’t about making money, but about achieving ends, so to just report finances is missing the point. The financial information is just the engine room out the back – necessary but not actually the purpose of the entity.

This article uses a Q&A format to address some of the issues facing preparers of performance report information in New Zealand. It will also be relevant however to preparers in other jurisdictions and to auditors of performance information.

Q. Who are the key players?

The Government, via the Charities Act 2005, determines who is required to report (i.e. registered charities). The XRB (NZ External Reporting Board) is responsible for what these entities are required to report (XRB standards). And Charities Services monitors and enforces compliance with XRB standards by registered charities.

Q. What are the audit requirements for charities?

Registered charities with operating expenses of over $1.1 m per annum in the prior two financial years must be audited, but charities with expenses between $550,000 and $1.1 m in the prior two financial years may opt for a Review Engagement rather than an Audit (see Charities Act 2005 Sections 42C & 42D).

Registered charities with total operating expenditure of less than $550,000 are not required by law to have an audit or a review.

Of course, any charity not required to have an audit or a review may opt to do so if they wish or if it is required by funders or by their founding document. Some charities that are under the limit for statutory audit, but opt to have an audit anyway, may limit the scope of the audit to exclude service performance information. Audits and Reviews of charities are required to be carried out by a qualified auditor.

Q. What are the reporting requirements for charities?

In New Zealand, there are four reporting tiers, relating to entity size and level of public accountability.

Note that entities are not obliged to report in the Tier that they fit into. They may opt for more complex reporting if they wish (but not for less complex of course).

If the governing body has opted to adopt Tier 3 or 4 (special purpose reporting) over the default General Purpose reporting (compliance with PBE IFRS standards that apply to both Tier 1 and 2) they should document this decision. Under both Tier 3 and 4 reporting a note must be added specifying that the entity is permitted to apply the standard and has elected to do so.

Q. How are Tier 1 and 2 entities required to report?

For Tier 1 and 2 PBE entities, the applicable reporting standard is PBE FRS 48. This is effective for reporting periods beginning on or after 1 Jan 2023, with early adoption permitted.

Q. What are the main principles of PBE FRS 48?

Paragraph 15 says:

An entity’s service performance information shall:

(a) Provide users with sufficient contextual information to understand why the entity exists, what it intends to achieve in broad terms over the medium to long term, and how it goes about this; and

(b) Provide users with information about what the entity has done during the reporting period in working towards its broader aims and objectives, as described in (a) above. (15)

It is important to note that PBE FRS 48 does not follow the standard terminology of “outcomes” and “outputs” as per the Tier 3 and 4 standards. The descriptions above however cover these and equate to the entity information (“sufficient contextual information to understand why the entity exists”), outcomes (“what it intends to achieve in broad terms over the medium to long term, and how it goes about this”), and outputs (“what the entity has done during the reporting period in working towards its broader aims and objectives”) of Tier 3 and 4 standards. Nor is the term “impacts” used.

This leaves quite a bit of flexibility in how the service performance information may be reported.

Addressing this in a slightly different way, paragraph 19 says that the reporting entity should consider:

  • What it is accountable/responsible for.
  • What it intended to achieve during the reporting period.
  • How it went about achieving its service performance objectives.

Q. What are the qualitative characteristics and how do they relate together?

Paragraph 7 states that preparers must “…apply the qualitative characteristics of information and the pervasive constraints on information identified in the Public Benefit Entities’ Conceptual Framework (PBE Conceptual Framework)”.

This means “…balancing of the constraints on information results in service performance information that is appropriate and meaningful to the users of general purpose financial reports.”

The qualitative characteristics identified in the PBE Conceptual Framework are relevance, faithful representation, understandability, timeliness, comparability, and verifiability (para 8). Paragraph 9 elaborates on these. Some of these are obvious, some are less so.

The standard acknowledges that “… in practice, all qualitative characteristics may not be fully achieved, and a balance or trade-off between certain of them may be necessary” (para 8).

The pervasive constraints on information (materiality, cost-benefit, and balance between qualitative characteristics) are identified in the PBE Conceptual Framework (3.32–3.42). This acknowledges that preparers cannot be expected to compile all possible service performance information. And doing so would actually be counterproductive. No one would bother to read it all.

Even if they were to include every possible item, this would create issues such as the inclusion of immaterial information and high compliance costs, and it would be more difficult for users to discern what is essential because each qualitative characteristic would be given equal importance.

The selection process is as important as the reporting itself. Paragraph 44 states that the entity must: “…disclose those judgements that have the most significant effect on the selection, measurement, aggregation and presentation of service performance information reported …”

As we shall see, the auditor will be looking carefully at the selection criteria to ensure that it results in unbiased and relevant information being presented.

Q. What kinds of measures of information may be reported?

Paragraph 20 states that preparers must use: “…an appropriate and meaningful mix of performance measures and/or descriptions for the reporting period. The performance measures and/or descriptions used by an entity to communicate its service performance may be:

(a) Quantitative measures: Examples of quantitative measures are the quantity of goods and services, the cost of goods and services, the time taken to provide goods and services, levels of satisfaction using a rating scale on a questionnaire or survey, and numerical measures for service performance objectives or goals;

(b) Qualitative measures: Examples of qualitative measures are descriptors such as compliance or non-compliance with a quality standard, ratings such as high, medium or low, or ratings assigned by experts; or

(c) Qualitative descriptions: Examples of qualitative descriptions are those based on participant observations, open-ended questions on interviews and surveys and case studies. For example, how did an entity’s service performance activities change the well-being and circumstances of a client group?

Some service performance reports tend to be just a restating of financial results. This is not the point, although in some cases it may be appropriate. A good report will choose a mix of appropriate measures that flow down from the purpose of the organisation, what it set out to achieve and how, and what it did achieve. The measures used will reflect the result being measured.

NOTE: This article is designed to give accurate but general information, however, Audit Assistant Ltd accepts no liability in any way to any person arising out of reliance on the contents for any purpose. Talk to your auditor or accountant for more information.

3 June 2020

When help or support is needed first use the “help” icon from within Audit Assistant (bottom right of the screen):

  • This connects to relevant articles from our support hub.
  • Includes a contextual search function with a number of suggestions.
  • If the suggestions are not suitable, use the search bar to access all the content on our support hub.
  • The help topic will open in the sidebar, but clicking on the up arrow will open the full article in the support hub. 

If browsing for more information go directly to the support hub.

Support hub front page

This provides information on:

  1. What type of work can be done within Audit Assistant.
  2. Answers to frequently asked questions.
  3. Services we provide if you are seeking further training.
  4. Detailed instructions on how to use features in Audit Assistant.
  5. Articles of interest related to topics like audit principles, COVID, AML to name a few.

The site has been separated into five main categories, each of which has its own sub-categories. For example, the category Articles has sub-categories for current issues and technical articles for areas of focus such as:

  • Less complex entities
  • Accounting standards
  • Anti-money laundering audits
  • And other audit and technical issues

The Q&A section has answers to questions that other users have asked and that we feel are beneficial to users, especially frequently asked questions.

We recommend looking at all categories, especially the Q&A section, before contacting us directly as this will speed up the process of obtaining an answer. However, we are always just a click away if needed.

Contacting us directly

  • When using the contact option tell us as clearly as possible the specific problem.
  • Attaching a screenshot of what you are seeing is often helpful.
  • If you tell us the name of the job you are working on this is also very helpful as we can view from our end.
  • If you think it easier to discuss your issue over the phone please provide your phone details so that we can contact you when it is convenient.
  • Our response will depend on the urgency of the request and time of the day – ranging from immediately to the following day.
  • Please also contact us to make suggestions and provide feedback – this is most helpful.

While the help-desk or email is the most reliable way to contact us in the first instance, if a really urgent issue has arisen and we haven’t responded on the help-desk, try calling us (in business hours) on:

  • 021 169 4097 (Clive – content, and admin); or
  • 022 199 6830 (Swikrit – technical issues).