Computer assisted verification: e-Audit and risk assessment
If you maintain electronic financial records, we will consider using e-Audit. This involves the use of computer assisted verification (CAV) techniques to analyse your records. These techniques may not be appropriate in every compliance or client engagement activity. We may use our information systems risk assessment (ISRA) tool to assess system risks and as part of our assurance and justified trust activities.
Benefits of computer assisted verification/e-Audit
The use of CAV in audits and other compliance activities has the following benefits:
- it is cheaper and more efficient to provide information electronically
- fewer requests to supply paper copies of transactions and reports
- providing electronic information reduces the time we spend on your premises, minimising disruption to your regular business activities.
A tax officer skilled in e-Audit will also be able to analyse your electronic information more efficiently, accurately and thoroughly than if they had used manual processes.
The e-Audit process
The following describes how we work with you when conducting an e-Audit.
Accessing your records
Using formal access powers, we are permitted full and free access to documents required for the purposes of the Acts we administer. Documents include electronically stored information.
We will usually seek access to your information through a cooperative approach, and we will consult with you on the records required.
Supplying electronic information
When we identify a need for electronic information to be provided, we will schedule a meeting to obtain that information. We will always discuss this with you beforehand to develop an understanding of your system and identify what information we may need to collect.
We seek to understand:
- the accounting systems you use
- your system architecture and how the data flows through your system or systems
- the format and extent of your electronic records
- the documentation available to assist in our analysis – for example, your chart of accounts, reference tables or data dictionary.
We are flexible in organising a meeting time when your tax adviser and information technology specialist are available to attend, so the meeting is of most benefit. During the meeting, we may request that you download a copy of the mutually agreed electronic information from your system to any of the following:
- a tax officer's secure biometric thumb drive
- a secure drop box via SIGBOX
- any other agreed medium.
We recommend you keep a copy of the electronic information you supply to us for your own records.
Where we have provided you with a request for data
If we have made a request for data, you can save time by having the following information ready. Generally, you will need to provide us with:
- names and versions of all the point of sale, accounting, payroll, financial management system, enterprise reporting system (ERP) or any other software and systems used in the course of meeting your tax obligations, including manual processes
- contact details of the accountant or accounts manager who prepares your BAS or financial records
- information such as system support documentation which can include a system architecture diagram, data dictionary, BAS preparation papers and other working papers.
If you are unable to provide any of the above, we will assist you as much as possible. We may visit your business premises again to obtain the data we require to carry out our analysis. This could include bank records and copies of backup data for the period included in our enquiries.
Data review and analysis
We use specialised software to verify that the data that you provide is accurate and complete. We then conduct a series of tests on your data to ensure you comply with tax laws. We conduct these tests in accordance with the nature of the compliance activity we are undertaking.
Our specialised software allows us to perform tests on the data without altering the data itself, so the integrity of your data is protected.
There is no risk to your computer system
During the e-Audit process, you provide us with a copy of the required data from your systems. We will not operate your computer system.
When the compliance activity is completed
The data that you provide us will be stored as part of a case file kept as a record of the compliance activity.
Your information is secure
Electronic and paper records you provide for the compliance activity are protected by law. Your information is maintained in accordance with both:
Information systems risk assessment
The integrity of the information systems used to support your business will affect the accuracy and completeness of the information you report to us. As part of the e-Audit process, we may use our information systems risk assessment (ISRA) tool to assess your system's risks regarding the correct reporting of your tax and super obligations.
An ISRA is a process that provides a high-level overview of your information systems, using a series of questions, enabling us to derive a risk rating for key elements of your systems.
An ISRA is normally undertaken as part of a larger review or audit. If you are a privately owned and wealthy group or a public group we may also use our ISRA tool as part of our governance assurance and justified trust models.
You can save time by having the following information ready:
- information such as system support documentation which can include a system architecture diagram or a data dictionary
- copies of processes, including manual processes for data entry or reconciliation processes
- copies of IT contracts for the maintenance and upgrade of your systems
- copies of roles and responsibilities setting out the segregation of duties of your accounting and IT teams
- business continuity and disaster recovery plans.
Benefits of ISRA
The use of ISRA in audits and other compliance activities has a range of benefits including:
- providing an efficient way to understand your business, its systems and processes
- highlighting any compliance risks and providing recommendations to mitigate them.
We prepare a final report detailing the findings and we incorporate your feedback. This includes recommendations to address any issues we identify that may impact on the accuracy and completeness of the reporting of your tax obligations.
We will discuss the results detailed in the ISRA report with you in a final interview. You will have the opportunity to work through the findings and offer any comments.
How the assessment works
We will ask to speak to the person from your business who can answer questions in relation to your information systems. The questions will focus on:
- the history of your systems – how long have you had the system in place and how did you determine which system to use?
- planning – what is your process to identify and implement changes?
- support – who supports your IT systems?
- change management – how do you manage upgrades?
- other system management functions.
The ISRA Tool
We have developed a tool that provides a structured approach for assessing your information system risks. The tool is based on the guidelines and assurance frameworks set out by both the:
The tool includes a series of standard questions that relate to IT Governance and regulatory compliance.
The tool is made up of five auditable units:
- System inventory
- Interface inventory
- Customisation inventory
- IT projects and methodologies
- IT governance.
Each of the auditable units has a series of questions weighted according to a predetermined risk rating.
The interview process
The process involves identifying and recording your responses for each question. Discussions we have with you during this process help us understand your:
- business systems
Once completed, the ISRA tool will be used to generate a risk rating profile that will be included in your ISRA report.
It is important that you are aware of your rights and obligations when dealing with us. If we advise you that we intend to undertake compliance activities in relation to your tax affairs, we will tell you about your relevant rights and obligations as set out in the taxpayers’ charter.
In addition to Taxpayers’ charter – what you need to know (NAT 2548), which sets out your rights and obligations, the charter booklet If you’re subject to review or audit (NAT 2558) tells you what you can expect if you’re subject to a face-to-face enquiry or audit from us.
You can obtain more information:
If you do not speak English well and need help from us, phone the Translating and Interpreting Service on 13 14 50.
If you are deaf, or have a hearing or speech impairment, phone us through the National Relay Service (NRS) on the numbers listed below:
- TTY users, phone 13 36 77 and ask for the ATO number you need
- Speak and Listen (speech-to-speech relay) users, phone 1300 555 727 and ask for the ATO number you need
- internet relay users, connect to the NRS on relayservice.com.au and ask for the ATO number you need.
e-Audit encompasses many things, including system-based auditing that uses computer assisted verification (CAV). e-Audit is used as part of our compliance activities when auditing electronic financial records. We may also use our information systems risk assessment (ISRA) tool to assess risks.