10 Nov

Can I Use a Screenshot as Audit Evidence?

There are many situations where the easiest way to provide information to an auditor is a screenshot. Administrator listings from Active Directory or password configuration settings, for example, are often so plainly visible on screen that the Network Admin's natural inclination is to take a screenshot and send it to the auditor as evidence. But the question inevitably arises: can or should an auditor accept a screenshot as evidence during an audit?

Whether an auditor should accept a screenshot depends heavily on how the screenshot was gathered, the level of assurance the auditor can gain about the screen capture's accuracy, and the type of audit.

When not to accept a screenshot

Photo compliments of http://technet.microsoft.com

For example, in this screenshot we cannot verify when it was captured. It's possible that a lazy (or efficient, depending on how you see it) Network Admin re-sent you the same screenshot from the previous audit "because nothing has changed since last year".

Without live observation of the system configuration, or some other way of verifying the date the screenshot was generated, you probably shouldn't accept it as audit evidence. At a minimum, I always ask that the IT contact include the system date and time in the same screen capture as the configuration in question.

This kind of consideration is especially important if you are an external auditor and your report covers a specified audit period. You wouldn't want to accept a screenshot from 2013 if you are auditing 2014, for example.

When you may accept a screenshot

Graphic compliments of http://www.oracle.com

An auditor is supposed to be skeptical (professional skepticism), but it is also important to be practical. That’s often the difference between being hated and being effective.

Plus, sometimes the best evidence really is a screenshot. In many circumstances a screenshot is harder to manipulate than a system-generated listing exported to Excel: it is a lot easier to delete a column or cell in Excel than to doctor a screenshot. A screenshot can be edited too, of course, which is why the conditions below matter.

So when possible, I suggest accepting screenshots under the following conditions:

1. When you can observe the generation of the screenshot.
2. When you can verify when the screenshot was generated (i.e., date stamp).
3. When you can verify that the screenshot is inclusive of all data elements (i.e., you can verify that no information was cut off from the bottom of the screenshot).
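As an added example (not from the original post), here is the kind of timestamped, self-describing capture an auditor can watch the admin run over a screen share or over their shoulder. It puts the date, time zone, host and operator on screen next to the configuration (condition 2), prints the member count so the auditor can confirm nothing was cut off the bottom of the listing (condition 3), and hashes the resulting transcript so the same file cannot be quietly re-submitted next year. It assumes the RSAT ActiveDirectory PowerShell module is installed, an evidence folder of C:\AuditEvidence, and the group name 'Domain Admins'; those are my assumptions, not settings from the post.

```powershell
# Added example: produce a timestamped, self-describing evidence capture.
# Assumptions (not from the post): RSAT ActiveDirectory module installed,
# evidence folder C:\AuditEvidence, group of interest 'Domain Admins'.
param(
    [string]$Group  = 'Domain Admins',
    [string]$OutDir = 'C:\AuditEvidence'
)

Import-Module ActiveDirectory -ErrorAction Stop
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$log   = Join-Path $OutDir "admin-listing-$stamp.txt"

# Start-Transcript records everything shown on screen, with its own header
# (date, user, machine). The auditor watches this run or screenshots it.
Start-Transcript -Path $log | Out-Null

# Put the provenance on screen next to the data, so it is part of the capture.
"Captured (local):   $(Get-Date -Format 'o')"
"Captured (UTC):     $((Get-Date).ToUniversalTime().ToString('o'))"
"Time zone:          $([System.TimeZoneInfo]::Local.Id)"
"Host:               $env:COMPUTERNAME"
"Run by:             $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
"Domain:             $((Get-ADDomain).DNSRoot)"
""

# Password configuration settings, the second item the post names.
"Default domain password policy:"
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  MinPasswordAge, LockoutThreshold, ComplexityEnabled |
    Format-List

# Administrator listing. -Recursive expands nested groups so that members
# hiding behind a nested group name are listed too.
$members = Get-ADGroupMember -Identity $Group -Recursive |
    Sort-Object SamAccountName

# The explicit total lets the auditor check that no rows were cut off.
"Members of '$Group' (recursive), total: $($members.Count)"
$members |
    Select-Object SamAccountName, Name, objectClass, distinguishedName |
    Format-Table -AutoSize -Wrap

Stop-Transcript | Out-Null

# A hash of the transcript ties the file in the workpapers to the one generated
# in front of the auditor; a re-used file from last year will not match.
$hash = Get-FileHash -Path $log -Algorithm SHA256
"Evidence file: $log"
"SHA256:        $($hash.Hash)"
```

Run it while the auditor is watching, record the SHA256 shown on screen in the workpapers alongside the screenshot, and the same script (with the group name changed) covers any other privileged group you need to evidence.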

Consider the Audit

Another important component to consider is the level of documentation required to meet both regulatory and firm requirements. This is more a question of firm policy than of best practice (though the two should be in sync). I've worked at firms that forbid screenshots entirely as stand-alone evidence and others that embrace them fully. I refer you to your manager to settle that dispute.

On a practical level, it’s really nice to have a few screenshots to reference when it comes time to draft your final report. And it’s a real hassle to have to go bug the client a few months after the audit and re-request evidence because someone didn’t document their work (or maybe they didn’t do it to begin with?). So if you are performing audit observations anyway – why not grab a screenshot too?

Note: ISACA considers screenshots to be a valid form of audit evidence.

5 thoughts on “Can I Use a Screenshot as Audit Evidence?”

  1. I had a SME provide the same screenshot one year that he had provided the previous year. A quick comparison proved that, especially because the extra text/graphics in the background were a dead giveaway. I then received a new screenshot.

    I almost always observe the evidence being collected. Of course, with today’s technology, if the SME shares his screen with you over the network, you can take your own screenshots.

    Good article. I’ll put a link up on my blog to yours. I see you already put a link on your blog to me. Thanks!

  2. Nowadays, screenshot tools like SnagIt (which I LOVE!) have such good graphic editors, it’s almost as easy to alter/forge screenshot evidence as it is textual output. So, you’re right that just about the only way to get good evidence is to get the screenshot while actually observing the SME perform the action. (Or, as I prefer, get the permissions granted to you and perform the action yourself!) And including the date is important — with the Windows clock, as you showed, or if the output is from UNIX/Linux, by asking the SME to include the “date” command in his inputs.

    Your blog looks great — ITauditSecurity recommended it & I’ve subscribed — looking forward to more good posts like this one. Thanks!

  3. Good advice. As with ITAS, I only take screen shots when I’m actually standing over the auditee’s shoulder, there and then. Anything submitted outside of this timeframe I would treat for information only purposes rather than hard and fast evidence.
