Assessing the Reliability of External Electronic Information

This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.

Is that PDF invoice really what the vendor sent?
Is your client's bank feed data as clean as it looks?

With more and more audit and assurance work relying on digital documents and automated feeds, new staff guidance, AS 1105.10A, issued by the Public Company Accounting Oversight Board (PCAOB) brings much-needed clarity on how to evaluate the reliability of external information received in electronic form.

NOTE: While the guidance is aimed squarely at auditors under PCAOB standards, the lessons apply much more broadly. If you're doing compilations, reviews, or any other form of assurance, this is essential reading.

🎯 The Big Question: Is the Info Still What the Vendor or Bank Sent?

The PCAOB’s guidance says auditors must evaluate whether external information, such as a vendor invoice or bank confirmation, remains reliable when provided electronically by the company. In plain terms: just because a client emails you a PDF or bank feed doesn’t mean you can trust it without question. If there’s any meaningful risk that the company could have altered or misused the data, even unintentionally, the auditor must take steps to test its reliability. This might mean cross-checking it against original sources or testing the internal controls around how the data is received and handled.

🔍 Rule of Thumb: Can the Company Change the Information?

Information is more reliable when:

  • It comes directly from an external party (like a vendor or bank)

  • It’s unaltered, just uploaded or stored “as received”

  • It’s used in low-risk areas (e.g., immaterial operating expenses)

  • There’s a clear audit trail or traceability to the source.

Information is less reliable and needs testing or control evaluation when:

  • The company processes, modifies, or converts the data (e.g., into ERP systems)

  • There’s no clear path back to the original source

  • It’s part of a high-risk area, like revenue or income taxes

  • The systems involved are complex, or access controls are weak.

🛡️ What Should You Do?

Whether you’re auditing, reviewing, or compiling, don’t take digital data at face value. Here’s how to protect yourself and your engagement:

Understand the Process

Always ask:

  • Where did the data originate: vendor, bank, or government portal?

  • How was it received: PDF, email, API, or download?

  • Was it modified, reformatted, or filtered by the client?

  • Who had access to the data before it reached you?

Understanding the data flow from source to your hands is step one in assessing reliability.

Test the Information or the Controls (Assurance engagements only)

If there’s a risk the data was altered, you need to either:

  • Verify the info directly (e.g., match bank feed data to a PDF bank statement)

  • Or test the controls, such as access rights and system change logs

  • Or do both, especially if the area is high-risk, like revenue or large payments.

For lower-risk areas with clean, unedited data, minimal or no extra testing may be needed.

Document the Source—Even in Compilations

If you're compiling financial statements, you may not be required to verify data, but you still need to document:

  • Where each piece of key data came from

  • How the company received it (portal, system download, etc.)

  • Whether the source was internal or external

  • Any red flags or limitations you identified

This protects you if questions arise later, and demonstrates your professional judgment.

Rely on Other Audit Work if It Covers Reliability

Already compared tax rates to official sources? That counts. If other procedures already confirm the accuracy of external info, you don’t need to duplicate effort. Just be sure it’s clearly documented.

⚙️ Practical Scenarios

The guidance offers practical examples:

  • Vendor PDFs stored unedited? Likely reliable, with no extra testing needed. That is, when the company uploads unedited PDFs from vendors into their system, and there’s no risk of tampering, you can often rely on the info without extra testing.

  • Bank feeds into ERP, used for revenue testing? Higher risk: you must test the data or system controls. If the data (for example, cash receipt info from a bank feed) is processed through the company’s ERP and then used to verify revenue, that’s riskier. You’ll need to understand whether the internal controls in the process are reliable.

🔎 What This Means for Accountants Beyond the Audit

Whether you’re preparing financials for a compilation or doing limited assurance, these principles still matter. If you're relying on electronic documents but not always verifying the trail, it's not enough to know where the information came from; you need to understand how it got to you. Understanding the risks of electronic data and how it flows through client systems helps you safeguard your engagement and avoid issuing misleading reports.
