Use these practical audit evidence gathering techniques to prepare for audits.
Advances in technology have vastly expanded the methods available to collect and store audit evidence. That makes documenting your audit trail — an essential step to preparing for a compliance audit — more complicated than ever before.
Consider all the ways an organization might store information these days: emails, chat applications, documents stored in the cloud, recorded phone calls or teleconferences, text messages, and even paper documents. They can all contain evidence you might need to show your auditor to demonstrate that you’ve met your compliance obligations.
So how do you find and track everything you need? And if you have more than one regulation, industry standard, or business contract with compliance obligations (spoiler alert: you do), collecting the evidence of your compliance efforts becomes that much more challenging.
In this article, we’ll review what audit evidence is and why it’s important for compliance, and consider some tools and techniques to help with gathering audit evidence.
What is audit evidence?
Audit evidence is the information you collect about processes related to the operations of a specific department within your organization. Auditors use this information to make findings about your compliance efforts.
Audit evidence can include documents, logs, and correspondence generated within your organization, as well as materials generated externally. Internal documents include:
- Process documents
- Policy documents
- Accounting records
- System logs
External sources of audit evidence can include information from:
- Stock exchanges
- The Internal Revenue Service
Whether the audit in question is conducted internally or externally, audits typically focus on key risk areas identified through risk analysis.
Audit evidence and risk analysis
Audits first became popular during the Industrial Revolution, when companies performed them to help understand, report on, and control costs.
External auditors traditionally focused on identifying poorly performing areas and then advising management on potential improvements. With the introduction of automation, however, this approach to audits has become inefficient, especially for larger companies. Auditors responded by moving to a more risk-based approach. That is, audits now target the parts of the business that are most prone to reputational, legal, or financial risk. That allows organizations to identify and mitigate problematic parts of the business more quickly.
From a technical perspective, we can define risk as the possibility of an event occurring that harms the achievement of business objectives. So the ability to identify risks is crucial to taking a risk-based approach to audits. A risk assessment is how an organization gets started.
Risk assessments use a dynamic process for identifying and assessing risks. For the most thorough risk assessment possible, establish clear objectives for operations, reporting, and compliance. Then ask: what events could thwart our ability to achieve those objectives?
Risk assessments alone, however, don’t provide sufficient or appropriate audit evidence that an auditor can use to issue an opinion. You need to supplement risk assessment procedures with additional audit procedures, including tests of controls and substantive procedures.
Audit evidence and internal controls
Internal controls are policies, procedures, or technical safeguards designed to prevent problems and protect your organization’s assets. You need three types of internal controls to avoid or minimize loss.
- Detective internal controls are used after an event has happened; they include:
  - Internal audits
  - Document reviews
- Preventive internal controls exist, as the name implies, to prevent unwanted events from happening. These controls include:
  - Training programs
  - Drug testing
  - Computer and server backups
- Corrective internal controls are put in place after detective controls discover a problem, to rectify whatever failure allowed the event to happen. These include:
  - Disciplinary action
  - Reports filed
  - Software patches
  - New policies
You’ll need to test your controls either: (1) when the auditor conducts a risk assessment and wants to know the effectiveness of those controls; or (2) when your substantive procedures alone do not provide sufficient, appropriate audit evidence.
To improve your systems consistently, analyze and review your organization’s internal controls on a regular basis.
‘Sufficient, appropriate’ audit evidence
When auditors assess your organizational risks and decide the audit procedures they’ll perform, they consider the sufficiency and appropriateness of audit evidence provided.
Sufficiency, or the measure of the quantity of audit evidence, depends in part on the auditor’s assessment of the risks of misstatement—that is, the chance that some evidence you provide is incorrect. The higher the risk of misstatement, the more audit evidence your auditor will want to see.
Appropriateness measures the quality of audit evidence; it considers relevance and reliability. “Reliability” depends on where the evidence comes from, what kind of evidence it is, and the circumstances under which it was obtained. “Relevance” concerns how the evidence connects to the audit procedure’s purpose and the opinion the auditor is trying to form.
When evaluating the sufficiency and appropriateness of audit evidence, auditors may redesign their audits during the examination stage. If they aren’t getting the level of assurance they need from the evidence they’re collecting, they may take corrective action—which can delay their findings and increase your costs.
To form their opinion, auditors will gather and evaluate audit evidence using procedures including:
- Inspection (both of documents and records as well as tangible assets)
- External confirmation
- Analytical procedures
Auditors won’t always examine all the information you have. So long as the audit evidence is sufficient and appropriate, they may view only a sampling to draw reasonable conclusions and render their opinions.
Audit evidence gathering techniques
Auditors typically collect eight types of audit evidence during an audit process.
- Physical examinations are one of the main sources of audit evidence for fixed assets. In these, auditors physically verify the existence of various assets: visiting offices and warehouses, counting supplies, and so forth. Auditors usually collect this type of audit evidence themselves, and can use a physical examination to verify the state or condition of an asset.
- Confirmations consist of third-party verifications to confirm information such as the closing balance recorded in financial statements.
- Documentary evidence is critical to any audit. It requires auditors to gather documents regarding different aspects of an audit. The sources of audit evidence also matter to documentation. Various techniques such as vouching or tracing may be used as part of the audit procedures.
- Analytical procedures include performing analyses to identify any trends or discrepancies, and can help auditors detect any changes since the last audit.
- Oral evidence is obtained through inquiries, and helps auditors to understand the process to design audit procedures. Inquiries may not be considered a strong form of audit evidence.
- Accounting systems allow auditors to obtain all the information related to an organization’s financial statements, and can help auditors to gather other types of audit evidence.
- Reperformance evaluates internal controls to check for deficiencies and determine control risk.
- Observational evidence differs from a physical examination in that it focuses on processes rather than physical assets. In observation, auditors watch various aspects of your operations or processes (for example, how the security team vets the security of cloud-based technology partners).
Each type of audit evidence has a corresponding procedure for collection. There are a number of procedures auditors can use, often in combination, to obtain and evaluate audit evidence.
Let’s examine each audit evidence gathering technique and further evaluate how each can be used to prepare for an audit.
Inspection involves examining documents or records in paper form, electronic form, or other media. Whether internal or external, inspection of documents and records may give evidence of ownership (for example, title deeds), evidence that a control is operating (say, stamped invoices), or evidence about cut-off (the dates on invoices). This evidence can confirm value and purchase costs. Inspection of tangible assets usually gives evidence of existence or valuation.
Observation consists of looking at processes or procedures. It either confirms or denies that a control was operating at the time of the observation, keeping in mind that the auditor’s presence may have had an influence on behaviors. Examples include an auditor’s observation of inventory counting or of the performance of control activities.
External confirmation is audit evidence obtained by the auditor as a direct written response to the auditor from a third party. The confirmation can be in paper form, electronic form, or other media. External confirmations may give good evidence of the existence of balances, but may not necessarily give reliable evidence of valuation.
Recalculation consists of checking the mathematical accuracy of documents or records.
Reperformance is the auditor’s independent execution of procedures or controls that were originally performed as part of the entity’s internal control.
Analytical procedures consist of evaluations of information through analysis of plausible relationships among data. They’re used throughout the audit process for the following purposes:
- Risk assessment, to identify high-risk areas, which auditors can use to inform the nature, timing, and extent of audit procedures
- Substantive testing to determine accuracy or to identify potential misstatements or errors, as a substitute for tests of details
- Overall conclusion, for assessing the propriety of audit conclusions reached and in evaluating the overall opinion and report
- Understanding the business, to better understand your enterprise
- Entity communications, for a better understanding of relevant business and audit issues
Inquiries involve seeking information from knowledgeable persons within or outside your enterprise. Auditors conduct inquiries to:
- Get information about your business
- Develop the preliminary audit approach
- Collect specific evidence
- Corroborate evidence collected by other means
Inquiry considers the knowledge, objectivity, experience, responsibility, and qualifications of the individuals to be interviewed. It requires auditors to ask clear and concise questions; use open or closed questions appropriately; listen actively and effectively; maintain a skeptical mindset; and evaluate the interviewee’s responses based on an understanding of the entity and other audit procedures performed.
Although inquiry has always been an important part of an audit, it is becoming an increasingly integral part of collecting audit evidence due to the increasing use of “soft information,” or information based on estimates, expectations, and assumptions.
Now that we’ve covered what audit evidence is and how it can be gathered to prepare for an audit, let’s look more closely at why audit evidence is relevant to compliance, and whether your organization needs additional tools to help with the audit evidence collection process.
Why gather audit evidence?
For most organizations, gaining certification from a third party is increasingly important to conducting business. External audits are often crucial to that certification, but they can be expensive and time consuming.
Conducting an internal audit to prepare for an external audit can help smooth the way for your organization to achieve some necessary certification, or to verify compliance efforts.
ISO certification, which is a voluntary process, requires an audit by an independent professional. Becoming ISO-compliant requires enormous investments of time, work, and money, especially for organizations using old-fashioned spreadsheets to keep track of compliance tasks.
Similarly, IT security audits can help to prevent data threat events. Security audits involve technical reviews reporting on configurations, technologies, infrastructure, and more. Understanding potential risk in the IT realm could mean avoiding the loss of money or reputation due to a breach.
Being prepared for an audit by gathering audit evidence ahead of time can save your organization time and money. Using an automated tool can help improve your operational efficiencies and increase productivity.
Using GRC software to gather audit evidence
Governance, risk, and compliance (GRC) software can help the parties involved in an audit collaborate more efficiently. That helps you save money and time, adding financial value to your organization’s compliance program. You can streamline risk and compliance work by integrating risk control information with internal audit goals and storing compliance documentation in one shared space.
ZenGRC automates the entire compliance process by alerting you to compliance gaps in your system and telling you how to close them. ZenGRC continuously monitors your systems to ensure that you maintain compliance between audits, and alerts you in real time to issues and vulnerabilities.
Our software-as-a-service automatically monitors your third-party vendors, helps you generate and send vendor surveys, and compiles results automatically.
By gathering and storing audit-trail documentation in a “single source of truth” repository, ZenGRC provides an in-a-glance view of your compliance posture on user-friendly, color-coded dashboards.
Finally, ZenGRC performs unlimited self-audits in a few clicks and analyzes the findings.
When audits go more smoothly, your profits increase. Contact us today to learn more about how ZenGRC can help your organization automate the audit evidence gathering process.