THE Commission on Audit has issued Circular 2020-010 requiring all government agencies, local government units and government-owned or controlled corporations (GOCCs) to grant access to auditors in their information and communications systems, electronic data and source documents.
The directive was in response to the refusal of some government bodies to allow auditors to review transactions in their electronic systems using RA 10173 or the Data Privacy Act as a ground.
“There were instances when COA auditors were precluded by its auditees to access and perform the evaluation of the systems and their databases, especially those outsource-developed system due to data privacy issues,” the commission said.
It reminded all audit entities that government auditors should be allowed to effectively discharge their mandate to safeguard government resources and promote good governance.
COA Chairman Michael G. Aguinaldo and Commissioner Roland C. Pondoc said the circular serves as a guideline defining the authority of COA auditors to access information and communications systems as well as electronic documents within the limits of the Data Privacy Act.
They stressed that the access requirement covers “all audited entities” using information and communications systems whether developed in-house or outsourced.
Auditors will submit a written request for such access, stating the purpose and specific data to be covered in their evaluation. The access shall include “read/view, extract, and print rights to the information and communication systems, electronic data messages and source documents.
The audited agencies are given five days to provide the auditors with a unique user account to establish accountability or, in the alternative, to share said data electronically or by giving them copies of backup files.
The circular provides a penalty clause wherein officials or employees who fail to comply may face administrative sanctions.
On the other hand, COA auditors were cautioned to treat all information gathered with confidentiality in accordance with existing laws protecting data security and personal data protection.