There may not be any paper records for e-commerce transactions, and electronic records may be more easily destroyed or altered than paper records without leaving evidence of such destruction or alteration. The auditor considers whether the entity’s security of information policies, and security controls as implemented, are adequate to prevent unauthorized changes to the accounting system or records, or to systems that provide data to the accounting system.
The auditor may test automated controls, such as record integrity checks, electronic date stamps, digital signatures, and version controls when considering the integrity of electronic evidence. Depending on the auditor’s assessment of these controls, the auditor may also consider the need to perform additional procedures such as confirming transaction details or account balances with third parties.