There are a lot of situations where the easiest way to provide information to an auditor is via a screenshot. For example, administrator listings from Active Directory or password configuration settings are sometimes so plainly visible on screen that the Network Admin's natural inclination is to take a screenshot and send it to the auditor as evidence. But the question inevitably arises: Can or should an auditor accept a screenshot as evidence during an audit?
Whether an auditor should accept a screenshot depends heavily on the manner in which the screenshot was gathered, the level of assurance the auditor can gain regarding the screen capture's accuracy, and the type of audit.
When not to accept a screenshot
For example, in this screenshot we cannot verify when the capture was taken. It's possible that a lazy (or efficient, depending on how you see it) Network Admin resent you the same screenshot from the previous audit "because nothing has changed since last year".
Without a live observation of the system configurations, or some other verification of the date on which the screenshot was generated, you probably shouldn't accept it as audit evidence. At a minimum, I always ask that the IT contact include a screen capture of the date and time as well as the configurations in question.
These types of considerations are especially important if you are an external auditor and your report is subject to a specified audit period. For example, you wouldn't want to accept a screenshot from 2013 if you are auditing 2014.
When you may accept a screenshot
An auditor is supposed to be skeptical (professional skepticism), but it is also important to be practical. That’s often the difference between being hated and being effective.
Plus, sometimes the best evidence really is a screenshot. In fact, there are many circumstances where a screenshot is more difficult to manipulate than a system-generated listing in Excel. (It's a lot easier to delete a column or cell in Excel, for example, than to doctor a screenshot.)
So when possible, I suggest accepting screenshots under the following conditions:
1. When you can observe the generation of the screenshot.
2. When you can verify when the screenshot was generated (i.e., date stamp).
3. When you can verify that the screenshot is inclusive of all data elements (i.e., you can verify that no information was cut off from the bottom of the screenshot).
Consider the Audit
Another important component to consider is the level of documentation required to meet both regulatory and firm requirements. This is more a question of firm policy than of best practices (though the two should be in sync). I've worked at firms that forbid screenshots entirely as stand-alone evidence and others that embrace them fully. I refer you to your manager to settle that dispute.
On a practical level, it’s really nice to have a few screenshots to reference when it comes time to draft your final report. And it’s a real hassle to have to go bug the client a few months after the audit and re-request evidence because someone didn’t document their work (or maybe they didn’t do it to begin with?). So if you are performing audit observations anyway – why not grab a screenshot too?
Note: ISACA considers screenshots to be a valid form of audit evidence.