Auditing electronic data: a report of the Steering Committee Task Force on EDI Audit and Legal Issues for Tax Administration.
On October 7, 1994, the Federation of Tax Administrators (FTA) hosted a meeting to begin the process of forming a task force of state and private sector tax administrators to address Electronic Data Interchange (EDI).(1) The meeting was attended by representatives of the Committee On State Taxation (COST), Institute of Property Taxation (IPT), Tax Executives Institute (TEI), Multistate Tax Commission (MTC), FTA and commissioners from several state revenue departments.
The meeting focused on understanding the concerns of the taxpayer community and tax administrators in five key areas.
1. How is EDI used today?
2. How does it affect a tax audit?
3. What issues need to be addressed by the task
4. How should the task force be organized?
5. How should the task force approach the issues
and problems of EDI and electronic audits?
Formally titled the Task Force on EDI Audit and Legal Issues for Tax Administration (Task Force),(2) it is comprised of members from each taxpayer organization and most state revenue departments. In addition, taxpayer and tax authority representatives were selected to serve as co-chairs for each work group. Early on, the Task Force was divided into two main work groups: EDI Audit Approaches and Legal Requirements and Recordkeeping. The Legal Requirements and Recordkeeping group was solely concerned with developing an electronic record retention regulation that could be used as a model by state and local government. The EDI Audit Approaches group was concerned with the EDI and electronic record issues as they affect the tax audit. The EDI Audit Approaches group was further divided into three subgroups: System Integrity Audits, Electronic Records Audits, and Educational Needs and Approaches. This white paper contains the work product of the EDI Audit Approaches work group.
The change in business process that removes a traditional source of information demands the creation of new audit procedures to conduct the compliance audit. Although much has been published on electronic commerce as a whole, no source of prepared materials related to the conduct of a tax audit has been found.
In developing the audit white paper, the participants focused on identifying the issues involved when auditing electronic records and assessing alternative approaches to the audit of such records. However, the reader should note that no attempt was made to address the nuances of each individual taxpayer or tax authority audit program.
The audit white paper represents the considerable work product of a large number of tax administrators and taxpayer representatives. It attempts to achieve a realistic balance between the needs of tax administrators and the needs of taxpayers. Above all, it is aimed at facilitating an efficient and effective tax administration process.
The Tax Audit
In the simplest terms, the tax audit verifies that taxpayers have properly determined and paid their tax liability. Generally, the typical tax audit is made up of seven fundamental elements:
1. Scope - Determine the scope of the audit
2. Plan - Develop the audit plan
3. Audit - Perform the audit steps: Tests,
procedures, correlation, etc.
4. Opinion - Formulate an opinion about the
accuracy of reporting
5. Close - Present the findings to the taxpayer
6. Report - Report the findings to management
7. Review - Review the audit for error, omission or
The specific scope of taxpayer audits is dependent on several factors:
* Tax involved: Type and number
* Records: Complexity, quality, location, and
* Taxpayer type: Individual, proprietorship,
A tax audit usually involves one-on-one contact with taxpayers. During the contact process, the auditor reviews the facts, circumstances, records, and other information that support the taxpayer's return. The audit work may take as little as a few days or as long as a few months, depending on the complexity of the situation, i.e., size of business, diversity of operations, etc. Ultimately, the auditor makes a determination that the taxpayer's return is: filed correctly (no change), overpaid (taxpayer is entitled to a refund), or underpaid (taxpayer owes additional tax).
The Electronic Data Tax Audit
The primary objective of the tax audit does not change because all or a part of the taxpayer's records are in electronic form. However, the mix of electronic data to physical data within a taxpayer's accounting system does determine whether the review of electronic records serves as a component of the overall tax audit program, or functions as the overall tax audit program.
The tax auditor's scope of examination includes the tax accrual and reporting systems, procedures and methodologies. It is within the auditor's scope to review the internal controls in place for the tax accounting process. This is true whether the accounting system is paper-driven or electronic. The evaluation of internal controls helps the auditor formulate an opinion on the level of reliability that can be placed on the tax accounting/accrual system. Reliability of the internal controls is the foundation for determining the scope of the tax audit.
What the Auditor Needs to Know
* Are the electronic records available? What is the taxpayer's record retention policy? What controls are in place to safeguard records? Are detail and summary records available for the audit period?
* Are the electronic records reliable? What internal controls are in place to support the tax accrual system? Do the internal controls produce an acceptable level of assurance that the records are reliable? How are tax accrual system changes developed and implemented? Do undocumented system changes exist?
* Where do the numbers on the tax return come from? What are the origins of the taxpayer's electronic records? Is there an audit trail? Is transaction level information available, in adequate detail, to sample and determine if the tax treatment is correct? Summary reports, in the early stage of a tax audit, may not be sufficient to satisfy the auditor's need to know.
* When, where and how will the electronic records be analyzed? Can the information be analyzed using the taxpayer's system resources? Does the taxing authority have adequate hardware and software resources available to conduct an audit of electronic records? Are the resources of a third-party service available? What sampling techniques and methods can be used in place of a detailed review of all records for the audit period?
Electronic Records Tax
Usually, a traditional (physical records) audit involves individuals representing the taxation, accounting and legal areas of a taxpayer's business. In an electronic audit situation, the taxing authority may need to interact with representative(s) from other departments including internal audit, data processing, management information systems and records management, as coordinated through the primary taxpayer representative.
Electronic Records Tests, Procedures,
Standards and Techniques
If an electronic data tax audit is a tax audit in every respect, it then follows that tests, procedures, standards and techniques within the audit will be similar if not identical to the traditional physical-records audit. The tests, procedures and techniques of this form of audit incorporate the taxpayer's data into electronic, computer-readable form. The sampling methods used by tax auditors will be enhanced through computer-assisted analysis of a taxpayer's electronic data.
First, and foremost, a proper study and evaluation of the existing internal controls for the accrual and reporting of tax liabilities may be necessary. Such a study forms the basis to measure the degree of reliance placed on the internal controls in determining the scope of the audit program: objectives, techniques, procedures and tests.
In the absence of good internal control, any document -- be it physical or electronic -- is subject to alteration, forgery and falsification. The degree of auditor-taxpayer trust has not changed; rather, it is the nature of the source document that has changed. In an electronic recordkeeping environment, more weight must be given to the internal controls installed to support the tax accrual and reporting systems.
Internal Controls and Electronic Data
There are some basic internal control functions that should be in place within an electronic recordkeeping system. The following list is not all-inclusive, but the existence or nonexistence of these functions helps a tax auditor evaluate the degree of reliability that can be placed on the electronic records and the tax accrual and reporting systems.
* System threat and risk analysis
* Limited access to
electronic record systems
* Access authorization or
* Unalterable date-stamping of transactions and
* System access and data access logs
* Data alteration logs and preservation of original
unaltered data record
* Rejected transaction or transmission procedures
* Regular review of access, alteration and rejection
logs or trails
* Archival retention of electronic records for the
* Preservation and security of data integrity of
archival records for the statutory period
* Storage of historical transaction, summary and
control total reports and related information to
verify and establish a level of reliability for the
* Third-party documentation that supports
electronic transactions, e.g., audit reports, bills of
lading, exemption certificates, acknowledgments of
receipt, payment vouchers, contracts,
trading-partner agreements, etc.
* Existence of a formal security policy or applicable
System Integrity Audit -- System Verification
In an audit of electronic records it may be important for the taxing authority to validate the taxpayer's EDI and business transaction systems. This is a verification of those system components that impact the EDI process related to the question of proper application of tax. This verification may be best served by a System Integrity Audit in which an individual or team reviews or tests a system (or subsystems) to determine a level of confidence.
An analysis of a system includes:
* How and what data flows through the system
* What files are used
* What reports are generated
* What manual processes relate to the data flows
* What internal controls are present
Most electronic accounting systems will not be completely EDI and will include some paper-based transactions. Changes in business operations, especially acquisitions and mergers of entities already engaged in EDI, and changes in accounting and computer systems, could affect existing EDI general controls. It is important, therefore, that system documentation be kept up to date.
A basic purpose of any tax audit is to ensure both the taxpayer and the taxing authority agree that the data examined is an accurate and complete record of the transactions that occurred. Many of the document controls which provided a desired level of confidence for a traditional form of record-keeping may not be available in an EDI environment. As a result, it may be necessary to examine, at some level, the system and subsystem that implements the EDI process.
System Integrity Audit Outline
The System Integrity Audit (SIA) Outline is designed to supplement an existing audit plan. Adding the SIA outline to a tax audit plan may have the effect of reducing the overall scope of the tax audit. If an acceptable level of confidence is established at some earlier point in completing the system integrity audit, the full SIA outline need not be completed.
It can be difficult to separate the essential steps in an EDI system integrity audit from those of a non-EDI system integrity audit. The recommended SIA outline may include some non-EDI verification steps that may also appear in the general audit outline. As such, there is the potential of redundant audit functions. The tax auditor is encouraged to minimize these redundancies.
An acceptable level of confidence in the EDI system can be determined by answering the following questions.
* Are there policies and procedures in place that
govern the system and subsystem processes and
* Are the controls subject to manipulation, and if
so, to what degree?
* Can individual transactions be traced?
* Are translation software control procedures in
* Does the information generated by the system tie
to the financial statements, or similar reports?
* Are relevant system audit reports (internal,
third-party, etc.) available for review?
It is important to understand that the SIA may not always be conducted by the tax auditor. Some taxing authorities may conduct a SIA because it is required by statute, or perhaps by audit policy. On the other hand, some taxing authorities may determine a SIA is not necessary due to the results of other internal control tests, review of other system audit reports, etc. This is a matter of individual practice and judgment by the various taxing authorities and their respective audit functions.
The need for an EDI system integrity audit should be determined on an audit-by-audit basis. It is conceivable, if agreed to by both parties, that the SIA could be conducted by the taxpayer or a third party. It is generally understood that the cost of the SIA, if performed by the taxpayer or a third party engaged by the taxpayer, is the burden of the taxpayer. Similarly, the cost of a SIA performed by a third party engaged by the taxing authority is the burden of the taxing authority(3) Taxpayers should be provided wit the work products or opinions, if they exist, generated by a SIA conducted by the taxing authority.
System Integrity Audit Methodology
Various methods may be used to verify the effectiveness of internal controls and EDI transactions. These methods may include Computer Assisted Audit (CAA) techniques or may rely on traditional manual techniques. CAA is in wide use among the states, but it is varyingly implemented and loosely defined.
It may include the following:
* Transaction recording procedures
* Individual and batch transaction-level testing
* Random transaction testing
* Transaction flow analysis
* Pre- and post-translator testing
Access to All Appropriate Data
Records and data relevant to the determination of a correct tax liability should be made available to taxing authorities. Requests for such records and data should be relevant to the audit and supported by statutory authority. Misunderstandings may result from requests for records and data that do not fit the taxpayer's accounting system.
The taxing authorities, representative should explain what type of information is needed and why it is needed. If what the taxing authorities, representative asks for is not available in the form requested, the taxpayer should provide the equivalent information. If the information requested does not exist, then the taxpayer and the taxing authorities' representative should discuss what alternative sources of information might be provided.
During the conduct of a tax audit, the taxpayer may be requested to provide multi-jurisdictional information by the taxing authority. When addressing the nature of transactions and the ease with which data can be accessed and analyzed, it is recommended that audit plans provide for the proper and material use of transaction data. The breadth of the examination and the extent of detail review necessary will be dependent upon the level of confidence in the controls of the taxpayer's system. This will not serve to limit interstate agreements (between taxing authorities) to collect data for each other where authorized by statute.
Most taxing authorities have privacy or confidentiality laws that should protect the sensitive nature of the taxpayer's information, including electronic records obtained during an audit. These laws should ensure that confidential taxpayer information will not be disclosed to the general public and/or competitors. In the event that a third party is utilized by the taxing authority during an audit, the taxing authority should insure that the same confidentiality provisions pertain to the third party. In instances where a taxing authority's laws lack privacy or confidentiality provisions, both parties may enter into specific confidentiality agreements addressing the use and disposition of the data.
Unless otherwise required by statute, the taxpayer may provide the taxing authority with copies of the electronic business records, or other facilities for the review of the records. When copies are provided, the taxpayer and taxing authority should agree to,
* The format in which the records will be provided
* Security measures to be used to protect the
confidentiality of the records
* How the records will be reviewed with respect to
the hardware and software concerns
* Possibly limiting access to the records to parties
agreed to by the taxpayer and taxing authority
* Returning or disposing of taxpayer copies of
electronic business records according to the
agreement of the parties at the conclusion of the audit
process or related litigation
The taxpayer should be aware that the information obtained may be shared with other taxing authorities in accordance with existing exchange agreements. There are some taxpayers and taxing authorities that believe notification should be given in cases where a taxpayer's actual data records are shared under these exchange agreements.
Hardware and Software Issues
In an EDI audit environment, hardware and software incompatibilities may arise. Taxpayers and taxing authorities need to work together in this regard. If incompatible systems are encountered, alternative means should be explored.
Tax statutes may require a taxpayer to keep all relevant application source files in a readable form. At the time of an examination, the electronic records must be capable of being retrieved and accessible for review. Likewise, the audit schedules normally given to taxpayers should be available to the taxpayer in an electronic format if available. State audit workpapers should be available to the taxpayer in a standard file format. It may be acceptable to utilize other reproductions of electronic records if they are properly documented and contain the appropriate level of detail.
In an EDI environment, paperless transactions and records exist, and auditing electronic records may be necessary. Therefore, hardware and software issues arise.
* If records are electronically maintained by
taxpayers, access to the records must be provided by
* It may be preferable to download information for
examination and complete the work off-site.
* Taxpayers should have the ability to provide data
in ASCII, EBCDIC, or flat file format.
* State audit workpapers should be available to the
taxpayer in a standard file format.
* If state audit software is incompatible with
taxpayer's software, both groups should work
together to accomplish the audit. If incompatible
systems are encountered, alternative means should
Data Dictionary of
The data dictionary is not an all-inclusive list of data elements that a taxing authority may need to utilize in order to determine the tax application of a transaction(s). It is a guide and is not meant to suggest that all data elements would be required to be provided to taxing authorities. This data dictionary relates primarily to sales/use tax examinations. A taxing authority may require the taxpayer to provide additional data elements to determine tax compliance for other tax disciplines.
Where a taxpayer uses electronic data interchange processes and technology, the level of record detail, in combination with other records related to the transactions, must be equivalent to that contained in an acceptable paper record. The taxpayer must provide data elements that support the determination of tax compliance. The data dictionary is reprinted at the end of this report.
The intent of a voluntary system of tax compliance and tax audits is to permit taxpayers to collect, remit and pay the proper amount of tax. Tax audits are performed to insure proper tax compliance. In a perfect world all tax auditors would examine 100% of the transactions and confirm such compliance. The objective of both parties is to insure proper compliance with the tax laws. The presence of electronic records does not alter that objective.
Many states are statutorily authorized to conduct compliance audits using sampling procedures. Further, an examination of all transactions may not be possible or practical because of the volume of transactions or events beyond the taxpayer's control, such as hardware or software damage, tape deterioration, etc. If the tax audit is conducted using sampling methodologies, the following items should be addressed:
* Method of sample and sample size should be
reviewed by both parties. Projection methods and
bases should be agreed upon.
* Nonrecurring, extraordinary items should not be
* Nontaxable items or credits should be projected
as well as liability items. Credits include, but are
not limited to, credit memo transactions, tax
accrued in error, tax paid to reciprocal taxing
authority, and adjustment transactions.
* Unless otherwise addressed in statute,
nonadjusted items and credits should be given equal weight
as other items in the sample.
* Nonadjusted items are not subject to assessment
in the sample. Nonadjusted items are those which
initially appear to be taxable exceptions;
however, upon additional review of supporting evidence,
they are found to have been properly taxed.
Examples include, but are not limited to, items with
tax self-accrued and remitted, non-taxable items,
exempt items, items with tax on a separate
* For those taxing authorities whose laws do not
provide a statutory basis for performing certain
sampling techniques, the parties should enter into
a sampling agreement.
(1) For purposes of this document, the term EDI means the computer-to-computer exchange of business documents in a structured format.
(2) Refer to Appendix A for a complete description of the Task Force.
(3) Some state statutes permit the taxing authority to bill the costs of the audit to the taxpayer under certain conditions. It is also important to note that taxpayers are very sensitive to providing their data to third parties performing a service for a taxing authority. Most state statutes subject third-party service providers to the same restrictions and confidentiality provisions that apply to the individual tax auditor.
Appendix A: Task Force on EDI Audit and Legal Issues for Tax
In November 1994, the Federation of Tax Administrators (FTA) facilitated the formation of a task force of state tax administrators and taxpayer representatives to address the issues posed by the use of EDI technology and other similar, and emerging, business processes. Formally titled the Task Force on EDI Audit and Legal Issues for Tax Administration (Task Force), it is comprised of representatives of the Committee On State Taxation (COST), Institute of Property Taxation (IPT), Tax Executives Institute (TEI), Multistate Tax Commission (MTC), FTA, and commissioners from several state tax administration agencies.
Mission and Objectives. The general mission of the Task Force is to coordinate efforts between the business community and tax administrators in analyzing and addressing the issues posed for tax administration by electronic data interchange and related business processes. The Task Force is responsible for making recommendations to the governing bodies of the participating organizations on the actions states and taxpayers should take in addressing those issues.
Organization. The work of the Task Force has been accomplished by a Steering Committee and a limited number of work groups focusing on specific areas.
The Steering Committee is chaired by Stanley R. Arnold, Commissioner, New Hampshire Department of Revenue Administration, and consists of tax administrators and business representatives from each of the participating organizations. The Steering Committee is responsible for establishing the scope of work of the Task Force, providing an initial identification of the issues to be addressed by the work groups, and providing overall direction and assistance to the effort. It serves as the final reviewing entity for recommendations developed by the work groups.
Initially, two working groups were formed to address issues related to electronic recordkeeping and electronic auditing. These working groups were comprised of tax agency employees and taxpayer representatives with expertise in required areas, e.g., auditors, lawyers, tax managers, systems/technology persons, etc. Co-leaders, consisting of one tax administrator and one taxpayer representative, chaired each work group.
1. The Legal Requirements and Recordkeeping work
group developed a Model Recordkeeping and
Retention Regulation(1) (Regulation) which has been
recommended for adoption by the states. The
Regulation governs taxpayer retention of books and
records, particularly those that are electronically
generated. Several states have begun rule
promulgation processes to adopt record retention
regulations that closely follow the model Regulation.
This group was chaired by Marjorie Welch,
Oklahoma Tax Commission, and Lloyd Callaway,
Coca-Cola Co., Atlanta, Georgia.
2. The EDI Audit Approaches work group focused on
identifying the issues involved when auditing
electronic records and assessing alternative
approaches to the audit of such records. This group was
chaired by Stan Borawski, Michigan Bureau of
Revenue, and B.J. Denton, Koch Industries,
Wichita, Kansas. The audit white paper contained in
this report presents the work of the EDI Audit
Approaches work group.
Task Force -- Current Status. On May 2, 1996, the Steering Committee of the Task Force met to discuss several additional issues related to electronic business processes utilized by taxpayers and tax authorities. Based on these discussions, the Steering Committee formed two new work groups to review issues and develop recommended procedures for taxpayers and tax authorities to follow.
1. The Electronic Business Processes work group is
focusing on business process issues such as
corporate procurement cards, evaluated receipts
settlement, exemption/resale certificates, and direct pay
permits. This group is currently focusing
attention on corporate procurement cards and is
developing a white paper which outlines the issues and
discusses possible options for taxpayers and
taxing authorities to follow to insure the necessary
documentation is available at the time of a state
tax audit. This work group is chaired by Glenn A.
Bedoni, Florida Department of Revenue, and
Sandra Robertson, Georgia-Pacific Corporation.
2. The In-bound EDI Transactions work group will
develop a model administrative regulation which
provides recommended procedures associated with
the electronic filing of tax information. The
regulation will cover such issues as signature
alternatives, due dates, timely filing/due diligence,
confidentiality, acknowledgments and filing options.
This work group is chaired by Keith Staats,
Illinois Department of Revenue, and Charles
Phillips, Xerox Corporation.
(1) See Model Recordkeeping and Retention Regulation, A Report of the Steering Committee, Task Force on EDI Audit and Legal Issues for Tax Administration, (Washington, D.C.: Federation of Tax Administrators, March 1996).
|Printer friendly Cite/link Email Feedback|
|Date:||Mar 1, 1997|
|Previous Article:||Internet tools for tax professionals: how to get connected and enjoy immediate benefits.|
|Next Article:||Tax simplification and reform.|