MEMORANDUM To SUBJECT 1.0 RATIONALE 14 12 1.3 14 15 16 2.0 SCOPE Republic of the Philippines COMMISSION ON AUDIT Commontoenlth Avenue, Quezon City, Philippine! No. Date: doa) - O18 All Assistant Commissioners, Directors of the Central and Regional Offices, Supervising Auditors, Audit Team Leaders, Audit Team Members, and All Others Concerned Guidelines on the use of Electronic Documents in Government Transactions The Commission shall have exclusive authority to define the scope of its audit and examination, establish the techniques and methods required therefor, and promulgate accounting and auditing rules and regulations, including those for the prevention and disallowance of irregular, unnecessary, excessive, extravagant, or unconscionable expenditures, or uses of government funds and properties. The Commission recognizes the increasing significance of technology resulting in the government's paradigm shift from manual to electronic or automated processing of transactions. ‘There is a need for the Commission to review and enhance its processes to adapt to the advances in technology. Electronic documents have the legal effect, validity or enforceability as any other document or legal writing. The Commission deals with large volume of documents/files which must be reviewed within a limited period of time. The implementation and acceptance of digitally-signed documents will be beneficial for government agencies and the Commission. This Memorandum shall apply to all auditors whose audited agency/ies will use or have been using electronic documents in their transactions and/or in Const, (1987), Article IX-D (2)[2] in relation to Government Auditing Code of the Philippines Section 25 (2) (3), PD 1445. 2 See Electronic Commerce Act of 2000, RA 8792, Rules on Electronic Evidence, A.M. No. 01-7-01- SC, Government Procurement Policy Board Resolution No, 16-2078, and Publi FinancialManagement| (77 Committee's implementation of the Budget and Treasury Management System. Page 1 of 6performing their functions. This guideline will govern the procedure when their audited agency submits electronic documents. 3.0 DEFINITION OF TERMS As used in this Memorandum, the terms listed below shall mean as follows: 3.1 Electronic Document refers to information or the representation of information, data, figures, symbols or other modes of written expression, described or however represented, by which a right is established or an obligation extinguished, or by which a fact may be proved and affirmed, which is received, recorded, transmitted, stored, processed, retrieved or produced electronically. It includes digitally signed documents and any printout or output, readable by sight or other means, which accurately reflects the electronic data message or electronic document. For purposes of these Rules, the term "electronic document’ may be used interchangeably with "electronic data message."? 3.2 Electronic Signature (or e-Signature) refers to any distinctive mark, characteristics and/or sound in electronic form, representing the identity of a person and attached to or logically associated with the electronic data message or electronic document or any methodology or procedures employed or adopted by a person and executed or adopted by such Person with the intention of authenticating or approving an electronic data message or electronic document.“ 3.3. Digitally-signed refers to an electronic document or electronic data message bearing a digital signature verified by the public key listed in a certificate > 3.4 Digital Signature refers to an electronic signature consisting of a transformation of an electronic document or an electronic data message using an asymmetric or public cryptosystem such that a person having the initial untransformed electronic document and the signer’s public key can accurately determine: Whether the transformation was created using the private key that corresponds to the signer's public key; and ii, Whether the initial electronic document had been altered after the transformation was made.® 3.5 Digital Certificate means an electronic document issued to support a digital signature which purports to confirm the identity or other significant characteristics of the person who holds a particular key pair. 5 Rules of Electronic Evidence, Section 1(h), AM, No. 01-7-01-SC + Electronic Commerce Act of 2000, Section 5(e) RA 8792 5 Rules of Electronic Evidence, Section 1(f), AM. No. 01-7-01-SC. ®© Rules of Electronic Evidence, Section 1(e), AM. No. 01-7-01-SC. Zz Page 2 of 63.6 37 3.8 3.9 3.1 34 Government Certificate Authority (CA) (1) issue certificates for all government transactions to government employees/entities and specific purpose certificates to private individuals/entities; (2) publish certificates and Certificate Revocation List (CRL); (3) handle revocation requests from the owners of the certificates it has issued. The Department of Information and Communications Technology, is designated to operate the Government CA.’ Accredited Certificate Authority (ACA) refers to any other CA accredited or recognized by competent authority to issue certificate to be used in government transactions. Electronic Data Message refers to information generated, sent, received or stored by electronic, optical or similar means. Key pair comprise of two (public and private keys) uniquely and mathematically related cryptographic keys (basically long random numbers) which are used in the encryption and decryption of data. 0 Private key refers to the key paired to a public key to create a digital signature to decrypt and transform a message to a readable format. 1 Public key refers to the key paired with a private key to verify a digital signature to set off the rules for text encryption and decryption and known only to the recipient. 4.0 GUIDELINES 44 Electronic Documents In contrast to printed documents, electronic documents are received, recorded, transmitted, stored, processed, retrieved or produced electronically. Electronic documents include any form of representation of information or of concepts fixed in any medium in or by electronic, optical or other similar means and that can be read or perceived by a person or by any means. Examples of electronic documents include, but are not limited to, the following: 7 Executive © Rules of Email message, websites, Word processed documents Electronic spreadsheets Powerpoint presentations, Portable File Documents (PDF files), Scanned copy of a paper document, digital purchase receipts, databases, Order No, 810, s. 2009. Electronic Evidence, Section 1(g). A.M. No. 01-7-01-SC. Page 3 of 6 &text messages, social media postings, and information and electronic records stored on SharePoint sites and content management systems (Catalyst, Slack, DropBox, etc.) Electronic documents include records stored in email, shared drives, cloud storage, on laptops and cell phones, and any medium capable of storage 4.2 Submission of Electronic Documents The auditors shall accept, for the purpose of submission, electronic documents, whether original or duplicate, subject to the following rules; 4.2.1. Anelectronic document shall be regarded as the equivalent of an original document if it is a printout or output readable by sight or other means, shown to reflect the data accurately. if data is stored in a computer or similar device, any printout or other output readable by sight or other means, shown to reflect the data accurately, is an “original.” 4.2.2 A"duplicate" is a counterpart produced by the same impression as the original, or from the same matrix, or by means of photography, including enlargements and miniatures, or by mechanical or electronic re-recording, ‘or by chemical reproduction, or by other equivalent techniques which accurately reproduce the original. A duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original, or (2) under the circumstances, it is unjust or inequitable to admit the duplicate in lieu of the original. 4.2.3 The Management has issued a representation letter to the auditor manifesting that they have taken appropriate measures to ensure that all and any electronic documents submitted to the auditor complies with the definition of electronic documents, whether original or duplicate, as defined above. A sample of a representation letter is appended hereto as Annex one 4.3 Authentication of Signed Electronic Documents Where a signature is required for the electronic document, the authenticity of the signed electronic document can be established through the following means: 4.3.1 by evidence that it had been digitally signed by the person purported to have signed the same; or 4.3.2 by evidence that other appropriate security procedures or devices for authentication of electronic documents were applied to the document; or a Page 4 of 64.3.3 by other evidence showing its integrity and reliability 44 Digital Signatures The auditors shall accept, for the purpose of submission, digitally-signed documents as functional equivalent of documents printed on papers, provided the following shalll be satisfied: 4.4.1 The Management has issued a representation letter pertaining to the use of digital signatures (Annex A); 4.4.2 The designated signatory/ies of the audited agencies have a valid Digital Certificate issued by the DICT or ACAs; 4.4.3The document was duly signed by the proper authority as required, using the valid digital certificate from 4.4.2; and 4.4.4 The document has not been tampered with since the time of signing until its validation 4.5 Electronic Signatures The auditors shall accept, for the purpose of submission, electronic documents with e-signature as functional equivalent of documents printed on papers, provided the auditor is satisfied that 4.5.1. the Management has issued a representation letter pertaining to the use of electronic signatures (sample attached as Annex A); 4.5.2. the electronic signature is that of the person to whom it correlates; 4.5.3. the electronic signature was affixed by that person with the intention of authenticating or approving the electronic document to which it is related or to indicate such person's consent to the transaction embodied therein; 484 the methods or processes utilized to affix or verify the electronic signature, if any, operated without error or fault, and 4.5.5 the person whose e-signature was affixed, takes responsibility and assumed accountability that the document remained unchanged until it was submitted to the auditor. 4.6 The Systems and Technical Services Sector (STSS) shall 4.6.1 Develop and maintain a portal and a central repository where submitted electronic documents are to be maintained (indexing, timestamping and access restrictions); 4.6.2 _ Implement appropriate controls to ensure confidentiality, integrity and availability of documents obtained in relation to this memorandum; 4.6.3 Proactively coordinate with the DICT on government agencies that will adopt digital signatures and train/capacitate its auditors on handling/verifying digitally-signed documents; Cx. Page 5 of 64.6.4 Process documents submitted to COA using existing and emerging technologies such as advanced analytics, computer vision, and continuous auditing techniques among others, with the purpose of assisting auditors in the field to gain observations for verification and further increase audit coverage. 4.7 Prior to the implementation of the portal and the central repository of electronic documents, auditors can accept documents through secure storage media and store the same locally. Another copy of the same document shall be forwarded to ITAO for analytics purposes. 4.8 The ITAO, in partnership with Information Technology Office (ITO), shall make the portal and repository available within 90 days from the effectivity of this Memorandum. 4.9 Once operational, the link to the portal will be given to the audited agencies for uploading and/or submission of electronic documents required by COA under existing laws, rules and regulations taking into consideration the admissibility of electronic documents under relevant laws. 4410 The auditor will be notified automatically through their official e-mail address upon successful upload of electronic documents by their respective audited agencylies. They can then accessiview/download the documents for auditorial and legal review as well as maintain a local copy. 4.11 In case auditors would need the assistance of the Technical Services Office (TSO) and ITAO particularly with technical review of contracts and the electronic copy of the contract was already uploaded in the repository, they only have to include the unique identifiers (e.g. reference number from the portal) of the documents relevant to the subject contracts in their request 4.12 In all matters not specifically covered by these Guidelines, the Rules of Court and pertinent provisions of statutes containing rules on evidence shall apply. 4.13 Cases not covered in this Memorandum shall be referred to the STSS. for proper resolution 5.0 EFFECTIVITY This Memorandum shall take effect immediately. For compliance of all concerned Commission on Audit MICH; | ‘i i G.AGUINALDO hairperson Page 6 of 6Annex A (Letterhead of the Audited Agency) MANAGEMENT REPRE! Date Cluster/ Regional Director Cluster / Regional Office Commission on Audit Subject: Submission of electronic document by [Name of Agency/ Corporation/ LGU/ Project Being Audited] This representation letter is provided in connection with your audit of the financial statements of the [Agency/ Corporation LGU /Project] for the purpose of expressing opinions as to whether the financial statements are presented fairly, in all material respects, in accordance with International Public Sector Accounting Standards (IPSAS) and government accounting standards, and as to other terms required by the 1987 Constitution or other relevant laws. Specific Affirmations pertaining to Digitally-signed Electronic Documents Provided to the Commission on Audit We certify that the [Agency/ Corporation’ LGU /Project] is implementing and will continuously review and ensure a secured process such that the documents submitted to COA with digital signature shall bear the valid and authentic signature of its appropriate signatories. We further certify that: 1. Appropriate security procedures were made to maintain the integrity, reliability, and authenticity of the information provided; 2. All the persons who have applied for Digital Certificates shall take full responsibility and accountability for all actions performed using their digital certificates; We verified that all electronic documents submitted are either original or faithful electronic reproductions or duplicate copy of the paper-based documents; and 4. In case of digitized document, we certify that the original, as the source of the digitized document is authent ‘The above certifications are supported by the Confirmation Report of our Internal Audit Unit (or Compliance Unit or its equivalent] dated [Date], a copy of which is attached to this Representation Letter. Specific Affirmations pertaining to the use of Electronic Signature other than Digital Signature on Documents Provided to the Commission on Audit We certify that the [Agency/ Corporation’ LGU /Project] is implementing and will continuously review and ensure a secured process such that the documents submitted C.,Annex A to COA with electronic signature shall bear the valid and authentic signature of its appropriate signatories. We further certify that the system being employed for this purpose can reasonably ensure that: 1. Appropriate security procedures were made to maintain the integrity, reliability, and authenticity of the information provided; ‘The electronic signatures that appear on electronic documents belongs to that of the person to whom it correlates; 3. Every time the electronic signature was affixed, the intention is for authenticating or approving the electronic document to which it is related or to indicate consent to the transaction embodied therein; 4, The methods or processes utilized to affix or verify the electronic signature, operated every time without error or fault; and The persons whose e-signature was affixed make manifestation under oath to take responsibility and assume accountability that the document bearing their e- signature remained unchanged until it was submitted to the auditor. ‘The above certifications are supported by the Confirmation Report of our Internal Audit Unit [or Compliance Unit or its equivalent] dated [Date], a copy of which is attached to this Representation Letter. Admission of Estoppel on the Authenticity of Documents We attest and certify that any document bearing our electronic signature (including digital signature) submitted to the auditor is authentic and accurate, thus can be submitted to any court as required under a subpoena duces tecum or can be used as a legal document for other purposes. Finally, we certify that, as supported by the Confirmation Report attached, we have taken appropriate measure to ensure that all and any electronic documents submitted to the auditor complies with definition of Original of Document in Section 4, Rule 30 of the 2019 Amendments to the 1989 Revised Rules on Evidence. The originals shall still be available for examination or inspection when needed. We make this representation and request the auditor to accept electronic documents submitted by this [Agency/ Corporation/ LGU /Project] in addition or in combination with other paper documents. Signed: Signature over Printed Name Signature over Printed Name Chief Accountant /Head of Finance Group _ Head of Agency/Authorized Representative Date DateAnnex A Note 1. Ifthe audited entity only uses digital signature on documents, the section for electronic signature should be deleted. Ifthe audited entity only uses electronic signature other than digital signature, the section for digital signature should be deleted. 3. If the audited entity uses a combination of electronic signatures includ both sections should be retained.