Tom Klaff

Accurate and Secure Records Are Central to the New Standards Set Forth in SAS 103

Software tools exist for CPAs to prove the authenticity of their audit documentation.

September 4, 2007
Sponsored by Surety

by Tom Klaff, CEO, Surety, LLC

All auditors and accountants are familiar with the American Institute of Certified Public Accountants’ (AICPA) recently enacted Statement on Auditing Standards (SAS) 103. However, many of these professionals have yet to take the proper precautions, necessitated by SAS 103, to ensure the integrity of their findings, extensive documentation and supporting evidence for peer review.

SAS 103, which went into effect on December 15, 2006 and superseded SAS 96, establishes standards and provides guidance for proper audit documentation. Among other things, SAS 103 requires that audit documentation be detailed enough so that an “experienced auditor” having no connection to the audit can understand the work performed, evidence obtained and conclusions reached. This added level of detail to the audit report requires that auditors document all significant discussions with management, including when the discussion took place. Additionally, SAS 103 states that oral explanations of evidence and findings cannot be used to support the auditor’s work, making electronic records supporting the conclusion of paramount importance.

Because accurate and secure records are central to the new standards set forth in SAS 103, it is clear that auditors need a way to prove that their documentation has not been altered since its creation. Without the aid of verbal explanations or specific knowledge of a particular audit, an experienced peer auditor will need to rely on the accuracy and integrity of electronic records to support a fellow auditor’s conclusions. The alarming ease with which electronic records can be tampered, coupled with the troubling frequency of such tampering, can justifiably concern an auditor and a peer reviewer. Third-party data authentication services can independently and cost-effectively prove that electronic audit records are authentic and enable auditors to meet SAS 103 requirements.

Surety, LLC operates a standards-based third-party data authentication service, called AbsoluteProof®, that can independently, transparently and persistently prove the time and content integrity of electronic audit documentation. AbsoluteProof seals a digital audit record by generating a unique “hash,” or digital fingerprint, from an electronic audit record. This hash then gets transmitted via a secure Internet connection to one of Surety’s geographically distributed data centers. Surety combines the hash with a secure timestamp and other traceable information to create a timestamp token that is sent back to the customer where it is securely linked with the archived audit record. To preserve confidentiality and evidential integrity, Surety only handles the secure hashes of audit records and not the records themselves. Every file’s hash and time value are linked together forming a “hash chain.” Each week, Surety advertises the summary value of the chain in the New York Times, making it possible for any third party to authenticate the record’s time and integrity wherever and whenever it wishes.

With this process, auditors and peer reviewers can prove that any given audit record, sealed by the AbsoluteProof service, existed at a point in time and was never altered since. If the sealed document is ever legally challenged, either an AbsoluteProof user or a third-party, like a lawyer or regulator, can easily prove, with a click of a mouse, the authenticity of the given record. An auditor using AbsoluteProof has a distinct advantage over others.

“Under SAS 103, I am responsible for obtaining the best possible evidence to support my conclusions and that includes making sure the electronic records I used are protected,” said Pennsylvania-based CPA Jim Milinovich. “Before AbsoluteProof, I used a combination of software products to protect my data but now I get a higher level of protection and assurance with just one click of my mouse.”

Surety’s AbsoluteProof is available via three options — AbsoluteProof Software Development Kits that can be easily integrated into your organization’s existing applications; AbsoluteProof Desktop costs just $250 per year for unlimited uses, can be quickly installed on any computer for direct use; and through Surety’s technology integration partners.

Tom Klaff brings over fifteen years of high-tech management experience to Surety, most recently as Founder and CEO of Reliacast, Inc., a leading digital media software company. Prior to Reliacast, Mr. Klaff founded College Town, Inc., the first web portal for college admission widely used by students to purchase college-related items and to apply for financial aid. After College Town, Mr. Klaff established a management consulting firm to provide contract marketing and sales services to Internet-centric businesses. In that capacity, he developed strategic marketing and sales plans, managed large projects and helped his clients build an effective sales force.

Mr. Klaff received a Bachelor of Arts degree in English from Brown University and a Masters of Science in Industrial Administration from the Graduate School of Industrial Administration, Carnegie Mellon University.