Advances in information technology have vastly expanded the methods available to collect and store electronic audit evidence. That makes documenting your audit trail – an essential step to preparing for a compliance audit report – more complicated than ever before.

Consider all the ways an organization might store information these days: emails, chat applications, documents stored in the cloud, recorded phone calls or teleconferences, text messages, and even paper documents. All can contain evidence you might need to provide to your auditor to demonstrate that you’ve met your compliance and financial reporting obligations.

So how do you find and track everything you need? And if you need to comply with multiple regulations or industry auditing standards, or have business contracts that include compliance obligations (including demonstrating tests of control or details), then collecting the evidence of your compliance efforts from various information systems becomes that much more challenging.

In this article we’ll review what audit evidence is and why it’s important for compliance, and consider techniques to help with gathering evidence, including electronic data sources.

What Is Audit Evidence?

Audit evidence is the information you collect about processes related to the operations of a specific department within your organization. Auditors use this information to make findings about your compliance efforts and to prepare audit reports.

What Is Electronic Auditing?

Electronic audit evidence is likely to be a substantial part of your information collection process, where you gather your evidence from electronic environments and information systems. In today’s world auditors increasingly inspect and rely on electronic information for authenticity and integrity, and such evidence has largely been accepted as a valid form of documentation, especially for business processes.

What Are the Types of Audit Evidence?

Audit evidence can include documents, logs, and correspondence generated within your organization, as well as materials generated externally.

Internal documents include:

  • Process documents
  • Policy documents
  • Accounting records
  • Invoices
  • Account balance statements
  • System logs
  • Financial reporting documents

External sources of gathering electronic audit evidence can include information from:

  • Banks
  • Debtors
  • Suppliers
  • Customers
  • Stock exchanges
  • The Internal Revenue Service

We compiled a detailed walkthrough of the different types of evidence compiled during an audit. For clarity, regardless of whether the audit in question is conducted internally or externally, all audits typically focus on key risk areas identified through risk analysis.

Audit Evidence and Risk Analysis

Audits first became popular in the late 1800s, when companies performed them to help understand, report on, and control costs.

External auditors traditionally focused on identifying poorly performing areas and then advising management on potential improvements. With the introduction of automation, this approach to audits became inefficient, especially for larger companies.

Auditors responded by moving to a more risk-based approach. That is, audits now target parts of the business that are most prone to reputational, legal, or financial risk. That allows organizations to identify and mitigate problematic parts of the business more quickly.

From a technical perspective, we can define audit risk as the possibility of an event occurring that harms the achievement of business objectives – so the ability to identify risks is crucial to taking a risk-based approach to audits. A risk assessment is how an organization gets started.

Risk assessments use a dynamic process to identify and assess risks. For the most thorough risk assessment possible, establish clear objectives for operations, reporting, and compliance. Then ask: what events can thwart our ability to achieve those objectives?

Risk assessments alone, however, don’t provide sufficient or appropriate audit evidence that an auditor can use to issue an opinion. You need to supplement risk assessment procedures with additional audit procedures, including control testing, and with substantive procedures as well.

Audit Evidence and Internal Controls

Internal controls are policies, procedures, or technical safeguards designed to prevent problems and to protect your organization’s assets. You need three types of internal controls to avoid or minimize loss.

  • Detective internal controls help managers discover an issue after the event has happened. Such controls include:
    • Internal audits
    • Document reviews
    • Reconciliations
    • Interviews
  • Preventive internal controls exist to prevent unwanted events from happening in the first place. These controls include:
    • Training programs
    • Written policies
    • Drug testing
    • Firewalls
    • Computer and server backups
  • Corrective internal controls are put in place after detective controls discover a problem, to rectify whatever failure allowed the event to happen. These include:
    • Disciplinary action
    • Reports filed
    • Software patches
    • New policies

You’ll need to test your controls when: (1) the auditor conducts a risk assessment and wants to know the effectiveness of those controls; or (2) your substantive procedures alone do not provide sufficient, appropriate audit evidence.

To improve your systems consistently, analyze and review your organization’s internal controls on a regular basis. We compiled a detailed list of all the audit procedures to use on your internal controls.

Sufficient, Appropriate Audit Evidence

When auditors assess your organizational risks and decide the audit procedures they’ll perform, they consider the sufficiency and appropriateness of audit evidence provided.

Sufficiency is the quantity of audit evidence the auditor wants to collect. It partly depends on the auditor’s assessment of the risks of material misstatement – that is, the chance that some evidence you provide is incorrect. The higher the risk of misstatement, the more audit evidence your auditor will want to see.

Appropriateness measures the quality of audit evidence; it considers relevance and reliability. “Reliability” depends on where the evidence comes from, what kind of evidence it is, and the circumstance under which it was obtained. “Relevance” concerns how the evidence connects to the audit procedure’s purpose and the opinion the auditor is trying to make.

Sufficiency and appropriateness can influence each other. That is, if the evidence you provide is highly relevant and reliable, the auditor might decide he or she needs less of it – and vice-versa.

When evaluating the sufficiency and appropriateness of audit evidence, auditors may redesign their audits during the examination stage. If they aren’t getting the level of assurance they need from the evidence they’re collecting, they may take corrective action, which can delay their findings and increase your costs.

To form their opinion, auditors will gather and evaluate audit evidence using procedures including:

  • Inspection (both documents and records as well as tangible assets)
  • Observation
  • External confirmation
  • Recalculation
  • Reperformance
  • Analytical procedures
  • Inquiry

Auditors won’t always examine all the information you have. So long as the audit evidence is sufficient and appropriate, they may view only a sampling to draw reasonable conclusions and render their opinions.

What Are the Types of Audit Evidence?

Auditors might collect as many as eight types of audit evidence during an audit process.

Physical Examinations
Physical examinations are one of the main sources of audit evidence for fixed assets. In these, auditors physically verify the existence of various assets, such as by visiting offices and warehouses, counting supplies, and so forth. Auditors usually collect this type of audit evidence themselves and can use a physical examination to verify the state or condition of an asset.

Confirmations consist of contacting a third party (say, one of your company’s banks) to confirm information such as the closing balance recorded in financial statements.

Documentary Evidence
Documentary evidence is critical to any audit. It requires auditors to gather documents regarding different aspects of an audit. The sources of audit evidence also matter to documentation. Various techniques, such as vouching or tracing, may be used as part of the audit procedures.

Analytical Procedures
Analytical procedures include performing analyses to identify any trends or discrepancies and can help auditors detect any changes since the last audit.

Oral Evidence
Oral evidence is obtained through inquiries and helps auditors to understand the process to design audit procedures. Inquiries may not be considered a strong form of audit evidence.

Accounting Systems
Accounting systems allow auditors to obtain all the information related to an organization’s audit of financial statements, and can help auditors to gather other types of audit evidence.

Reperformance evaluates internal controls to check for deficiencies and determine control risk.

Observatory Evidence
Observatory evidence differs from a physical examination as it focuses on processes rather than physical assets. In observation, auditors observe various aspects of your operations or processes (for example, how the security team vets the security of cloud-based technology partners).

See also

Automating GRC: The Next Frontier in Risk Management

Examining the Key Audit Evidence Gathering Techniques

Each type of audit evidence has a corresponding procedure for collection. There are a number of procedures auditors can use, often in combination, to obtain and evaluate audit evidence.

Let’s examine each technique for audit evidence gathering and further evaluate how each can be used to prepare for an audit.


Inspection involves examining documents or records in paper form, electronic form, or other media. Whether internal or external, an inspection of documents and records may give evidence of ownership (for example, title deeds), evidence that a control is operating (say, stamped invoices), or evidence about cut-off (the dates on invoices). This evidence can confirm value and purchase costs. Inspection of tangible assets usually gives evidence of existence or valuation.


Observation consists of looking at processes or procedures. It either confirms or denies that control was operating at the time of the observation, keeping in mind that the auditor’s presence may have had an influence on behaviors. Examples include an auditor’s observation of inventory counting or of the performance of control activities.

External Confirmation

External confirmation is audit evidence obtained by the auditor as a direct written response to the auditor from a third party. The confirmation can be in paper form, electronic form, or other media. External confirmations may give good evidence of the existence of balances but may not necessarily give reliable evidence of valuation.


Recalculation consists of checking the mathematical accuracy of documents or records.


Reperformance is the auditor’s independent execution of procedures or controls that were originally performed as part of the entity’s internal control.

Analytical Procedures

Analytical procedures consist of evaluations of information through analysis of plausible relationships among data. They’re used throughout the audit process for the following purposes:

  • Risk assessment, to identify high-risk areas; which auditors can use to inform the nature, timing, and extent of audit procedures
  • Substantive testing to determine accuracy or to identify potential misstatements or errors, as a substitute for tests of details
  • Overall conclusion, for assessing the propriety of audit conclusions reached and in evaluating the overall opinion and report
  • Understanding the business, to better understand your enterprise
  • Entity communications, for a better understanding of relevant business and audit issues


Inquiries involve seeking information from knowledgeable persons within or outside your enterprise. Auditors conduct inquiries to:

  • Get information about your business
  • Develop the preliminary audit approach
  • Collect specific evidence
  • Corroborate evidence collected by other means

Inquiry considers the knowledge, objectivity, experience, responsibility, and qualifications of the individuals to be interviewed. It requires auditors to ask clear and concise questions; use open or closed questions appropriately; listen actively and effectively; maintain a skeptical mindset; and evaluate the interviewee’s responses based on an understanding of the entity and other audit procedures performed.

Although inquiry has always been an important part of an audit, it is becoming an increasingly integral part of collecting audit evidence due to the increasing use of “soft information” – that is, information based on estimates, expectations, and assumptions.

Now that we’ve covered what audit evidence is and how it can be gathered to prepare for an audit, let’s look more closely at why audit evidence is relevant to compliance and whether your organization needs additional tools to help with the audit evidence collection process.

Can Audit Documentation Be in Electronic Form?

Yes. Since most of the data gathered from different business functions and financial information are in electronic form, audit documentation is also accepted in electronic form too, subject to additional controls and requirements.

For most organizations, gaining certification from a third party – say, passing a SOC 2 audit of your cybersecurity program; or an ISO audit of your quality management program – is increasingly important to conducting business. External audits are often crucial to that certification, but they can be expensive and time consuming. Conducting an internal audit first, to prepare for an external audit later, can help smooth the way for your organization to achieve some necessary certification or to verify compliance efforts. (For reference, we compiled a helpful guide to external audit planning so you can prepare ahead.)

ISO certification, which is a voluntary process, requires an audit by an independent professional. Becoming ISO-compliant requires enormous investments of time, work, and money, especially for organizations using old-fashioned spreadsheets to keep track of compliance tasks.

Likewise, IT security audits can help to prevent data threat events. Security audits involve technical reviews reporting on configurations, technologies, infrastructure, and more. Understanding potential risks in the IT realm could mean avoiding the loss of money or reputation due to a breach.

Being prepared for an audit by gathering audit evidence ahead of time can save your organization time and money. Using an automated tool can help improve your operational efficiencies and increase productivity.

Using GRC Software to Gather Audit Evidence

Governance, risk, and compliance (GRC) software can help the parties involved in an audit collaborate more efficiently. That helps you save money and time, adding financial value to your organization’s compliance program. You can streamline risk and compliance work by integrating risk control information with internal audit goals and storing compliance documentation in one shared space.

The Reciprocity® ROAR Platform automates the entire compliance process by alerting you to compliance gaps in your system and telling you how to close them. The ROAR platform continuously monitors your systems to ensure that you maintain compliance between audits and alerts you in real-time to issues and vulnerabilities.

Our software-as-a-service automatically monitors your third-party vendors, helps you generate and send vendor surveys, and compiles results automatically. By gathering and storing audit documentation in a “single source of truth” repository, the ROAR platform provides an in-a-glance view of your compliance posture on user-friendly, color-coded dashboards.

Finally, the ROAR platform performs unlimited self-audits in a few clicks and analyzes the findings.

When audits go more smoothly, your profits increase. Schedule a demo today to learn more about how Reciprocity can help your organization automate the audit evidence-gathering process.

Automating GRC: The Next Frontier
in Risk Management