In the practice of statutory auditing, a common question often arises regarding the extent of an auditor’s authority to investigate transactions between a company and its shareholders.

A frequent concern is whether, in the interest of transparency, a statutory auditor may require shareholders to provide personal documents such as bank statements.

The Colombian Technical Council of Public Accounting (CTCP), through Concept No. 0044 of 2026, clarified this issue by defining the legal boundaries of the auditor’s authority in relation to the right to privacy.

According to Article 207 of the Colombian Commercial Code, the supervisory functions of the statutory auditor are clearly limited to the scope of the entity itself. The auditor’s authority primarily applies to:

• The company’s accounting books and corporate minutes.

• Documents and records related to corporate transactions.

• Information requested directly from the entity’s administrators.

The Technical Council emphasizes that there is no general legal authority allowing the statutory auditor to directly request personal information from shareholders. The professional’s scope of action is limited to the entity and those responsible for its management; therefore, demanding private documents from third parties, even if they are shareholders, exceeds the auditor’s legal powers.

A critical aspect of this discussion is the fundamental right to privacy and the protection of personal data, established under Article 15 of the Colombian Constitution. However, the Technical Council clarifies that it is not the competent authority to rule on the specific scope of fundamental rights. Nevertheless, it stresses that Public Accountants must perform their duties in accordance with these constitutional principles.

Therefore, any auditing attempt that violates a shareholder’s privacy without explicit legal support could lead to legal conflicts, as the statutory auditor must balance the duty of oversight with respect for the private sphere of individuals connected to the company.

The fact that a statutory auditor cannot directly demand private information does not mean that transactions with shareholders should be ignored. Article 7 of Law 43 of 1990 requires accountants to obtain sufficient and appropriate evidence to support their professional opinion.

To address this dilemma, the statutory auditor must rely on the International Standards on Auditing (ISA), incorporated into Colombian law through Law 1314 of 2009 and Regulatory Decree 2420 of 2015. The key standards applicable in these situations include:

1. ISA 500 (Audit Evidence): Establishes the general framework for designing procedures that provide a solid basis for professional judgment.

2. ISA 550 (Related Parties): Specifically designed to audit relationships and transactions between the entity and related parties, such as shareholders.

3. ISA 505 (External Confirmations): Allows evidence to be obtained formally and technically through third parties.

When transactions between the company and its shareholders exist, the statutory auditor must apply audit procedures that do not violate privacy while still ensuring the transparency of the financial statements. These procedures include:

• Review of internal supporting documents: Inspecting the records and documents held by the entity regarding the transaction (payment vouchers, contracts, cash receipts).

• Requests to management: Requiring explanations and technical documentation from management regarding the nature and conditions of the transactions.

• Management representations: Obtaining written statements in which management certifies the truthfulness and legality of transactions with shareholders.

• External confirmations: Using confirmation techniques that validate balances or transactions reported by the entity without invading the shareholder’s personal banking privacy.

The Technical Council is clear in the aforementioned concept by stating that the statutory auditor does not have the authority to directly demand personal financial information from shareholders. The auditor’s oversight work must remain within the boundaries of the company’s corporate and administrative information.

Finally, financial transparency does not depend on intruding into shareholders’ privacy, but rather on the technical and rigorous application of information assurance standards. The success of a comprehensive statutory audit lies in obtaining “sufficient and appropriate” evidence through the established legal and professional mechanisms, while always guaranteeing respect for the constitutional rights of all individuals connected to the organization.

Realizado Por: María Angélica Mora – Senior de Auditoria.

EL PRESENTE ESCRITO CORRESPONDE A UNA OPINIÓN DE NUESTRA FIRMA. LAS AUTORIDADES TRIBUTARIAS PUEDEN NO ESTAR DE ACUERDO CON NUESTRA POSICIÓN. SI DESEA PROFUNDIZAR AL RESPECTO O REQUIERE UNA ASESORÍA ESPECIALIZADA SOBRE EL TEMA, NO DUDE EN CONTACTARNOS, ESTAMOS PARA SERVIRLE.