The collection and evaluation of audit evidence plays an important role in assessing an organization’s compliance with established standards. The American Institute of Certified Public Accountants (AICPA) serves as a guiding force, establishing methods that auditors should use to carry out their duties effectively. As auditors start their examination, they first collect and analyze various types of audit evidence, each serving as a piece of the puzzle that forms the auditor’s report.

This article focuses on audit documentation, the nature of the audit procedures, the collection of audit evidence, and the role of internal controls within the broader context of the audit evidence process.

What Is Audit Documentation?

Audit documentation refers to the written record of the procedures, evidence, and conclusions obtained during an audit engagement. It provides a detailed account of the specific documentation, such as working papers, checklists, and memos, that support the evidence gathered and the auditor’s conclusions.

The purposes and extent of audit documentation are multi-fold. Firstly, it serves as a tool for quality control by documenting the planning, execution, and supervision of the audit engagement, thereby ensuring compliance with auditing standards and requirements. In addition, it facilitates the review of the audit work by providing a comprehensive record of the procedures performed, which can serve as a foundation for future audits.

Audit evidence is a critical component of the audit documentation process. It refers to the information and supporting documentation obtained during the fieldwork phase of an audit.

Audit evidence is essential for auditors to evaluate the reliability of financial information and to substantiate the significant findings and conclusions derived from the audit.

To fulfill audit documentation requirements, enhance audit quality, and accomplish the audit objectives in a timely manner, it’s vital to develop well-designed audit programs to document the evidence effectively.

Why Is Audit Evidence Important?

Audit evidence plays a vital role in auditing, allowing auditors to justify their conclusions effectively. The opinions expressed by auditors in their audit reports rely heavily on the quality of the evidence they have gathered.
Moreover, should any disputes arise regarding the audit findings, auditors depend on the strength and credibility of the audit evidence to substantiate their stance.

Publicly traded companies must undergo an audit of their financial statements to investors every year. Those statements contain an enormous amount of information that investors use to decide whether to commit their money — so the accuracy of those financial statements is a high priority.

For the audit opinion to be credible, the company’s claims about its financial performance must be corroborated either by external evidence (such as a bank statement) or through an analysis conducted by the auditors. By exercising their professional judgments, experienced auditors assure the accuracy of the information provided by the company.

What Is Audit Risk?

Audit risk is the risk that material errors or weaknesses still exist in a company’s systems, even though the auditor gives a “clean” opinion of the company’s internal controls. Put another way, it’s the risk that the auditor misses something important.

There are several types of audit risk:

  1. Control risk is when the client’s internal control systems do not detect or prevent potential material misstatements.
  2. Detection risk is the possibility of a significant misrepresentation or error going undetected by the audit procedures.
  3. Inherent risk is the “natural chance” of a significant error or misstatement before any controls are implemented to reduce that risk.

One goal of the audit team is to lower the risk of missing any significant errors that may be present. Auditors can do this by performing more checks to reduce the risk of making mistakes. At a practical level, that means gathering more evidence during the audit process.

How Is Audit Evidence Obtained?

Audit evidence is collected via audit procedures. Those procedures are categorized as risk assessment procedures and audit procedures. The latter includes tests of controls and substantive procedures.

There are seven types of audit procedures, and the purpose of the procedure typically dictates which one is used:

  1. Inspection. Auditors collect evidence by inspecting physical assets, records, or documents.
  2. Observation. Auditors observe the client’s business processes and operations to identify deficiencies.
  3. Inquiry. Auditors talk with the client’s senior management to gain a deeper understanding of business processes for the auditing process. Inquiry alone, however, isn’t considered sufficient audit evidence to reduce the risk.
  4. External confirmation. This involves obtaining written or oral responses directly from third parties, such as customers, suppliers, or financial institutions
  5. Recalculation. The auditors perform calculations to verify that the final account balances match those reported by the client.
  6. Reperformance. The auditor independently performs procedures or controls that were originally performed by the entity to verify their effectiveness.
  7. Analytical procedures. The auditor analyzes financial and non-financial data, such as comparing current and prior year financial ratios or trends, to identify unusual fluctuations or patterns that may indicate potential errors.

According to the Public Company Accounting Oversight Board (PCAOB), which regulates audit firms in the United States, any audit evidence obtained must be sufficient and appropriate.

Sufficiency measures the quantity of audit evidence; appropriateness refers to the quality of audit evidence. The sufficiency of the audit evidence is affected by both the risk of material misstatement and the risk associated with the control and the quality of the audit evidence obtained.

What Are the Types of Audit Evidence?

There are eight types of audit evidence. Each type has a specific purpose depending on the audit’s goal, the client’s objectives, and the assertion being tested.

  1. Physical examination. This involves inspecting tangible assets, such as inventory, machinery, or documents, to verify their existence, condition, or ownership. Physical examination provides direct evidence and is often documented in audit work papers.
  2. Confirmations. This refers to relying on third parties such as banks to confirm various aspects of the financial statements (for example, the closing bank balance or accounts payable records).
  3. Documentary evidence. Auditors will gather documentation such as internal process documents, emails, or logs, to help with different portions of the overall audit. For example, the auditors may use the documentation for vouching or tracing a process flow as a part of the audit procedures.
  4. Analytical procedures. This includes any analysis performed by the auditors using their calculations to substantiate the financial information and any accounting records provided by the client to find discrepancies.
  5. Oral evidence. Auditors may hold question-and-answer sessions with their client’s senior leadership team to inquire about the business operations when audit planning and designing the audit procedures.
  6. Accounting system. This allows the auditor to access financial reporting documents and any information related to financial statements. The accounting system may also act as the source of audit evidence.
  7. Re-performance. The auditor assesses the control risk by re-performing key internal control processes to check for deficiencies.
  8. Observatory evidence. Auditors may observe activities or processes during site visits or walkthroughs. This allows them to assess the effectiveness of internal controls, compliance with regulatory requirements, or adherence to specific procedures.

What Are Internal Controls?

Internal controls are safeguards that organizations put in place to protect themselves from various risks. These risks can be related to finances, day-to-day operations, or long-term strategies.

Internal controls consist of specific rules and proven methods to minimize these risks. For example, they can help a company secure its data against online attacks or assure that financial transactions are not compromised by fraudulent activities.

Keep in mind that internal controls are not limited to technology solutions, such as user access controls. Internal control includes physical security measures, staff training, audits, investigations, or even a speech from the CEO stressing the importance of good conduct. Your company’s threats and the likely damage from each hazard will determine the controls you use.

Why Are Internal Controls Important?

Internal controls are essential for businesses for several reasons.

  1. Risk Reduction

    By identifying and mitigating risks, internal controls safeguard the company’s ability to maintain operations, protecting it from events that could disrupt its functioning.

    These systems establish checks and balances, ensuring accurate financial reporting and safeguarding of assets, which helps maintain the company’s stability and reputation.

  2. Fraud Prevention

    Internal controls are crucial in detecting and preventing fraud. They establish segregation of duties, requiring multiple individuals to be involved in critical processes such as cash handling, financial approvals, and inventory management.

    This reduces the opportunity for one person to manipulate or misuse company resources for personal gain, effectively mitigating the risk of fraud.

  3. Business Continuity

    In unforeseen circumstances or disruptions, internal controls help maintain business operations smoothly and efficiently. They establish clear procedures and guidelines for employees to follow, minimizing the disruption of staff turnover, absences, or emergencies.

    By providing a structured approach, internal controls assure operational stability, customer satisfaction, and the ability to meet business objectives.

Maintain Your Compliance with ZenGRC

GRC software improves audit collaboration and efficiency, saving time and money while enhancing the financial value of your organization’s compliance program.

The ZenGRC automates the entire compliance process, identifying compliance gaps in your system and providing guidance on addressing them. This platform continuously monitors your systems, ensuring compliance between audits and promptly alerting you to any issues or vulnerabilities.

Schedule a demo today to see how RiskOptics can help your organization automate the audit evidence-gathering process.

The Experts Guide to Evaluating GRC Tools