If your organization is required to follow one or more compliance frameworks, an external third party may demand an audit to verify that your company has actually met those compliance standards.
When an organization is undergoing an audit, it must provide audit evidence, such as financial statements, internal documents, logs, and emails. The auditor uses that evidence to reach a conclusion about whether or not the client organization has achieved compliance.
Audit evidence is collected through audit procedures. The evidence might either support the organization’s claim of achieving compliance, or disprove the claim.
While a company can always conduct an internal audit of its own, most audits are performed by independent, third-party auditors. Some compliance frameworks and regulatory requirements even specify that the audit must be done by an external auditor.
For example, an independent certified public accountant (CPA) must perform a financial audit for a publicly traded corporation, but an internal auditor may suffice if the organization wants to evaluate its own processes and procedures.
Why Is Audit Evidence Important?
Audit evidence is critical for any auditor to substantiate his or her conclusions. After all, the opinion presented by an auditor following the end of an audit depends on the audit evidence gathered. In addition, if the findings from the audit are disputed, auditors will rely on the strength of the audit evidence to support their opinion.
Gathering audit evidence is particularly important for financial information since auditors must assure that the financial statements provided by the client match the financial reporting framework. Financial statements are often used to make certain assertions by the client, which can be categorized as existence or occurrence, completeness, valuation or allocation, rights and obligations, and presentation and disclosure.
Any statements or records provided by the client must be corroborated by an external third party (such as a bank); or the auditor must perform his or her own calculations and analyses to verify the legitimacy of information provided by the client.
How Is Audit Evidence Obtained?
Audit evidence is collected via audit procedures. Those procedures are categorized into two main categories: risk assessment procedures and further audit procedures, The latter includes tests of controls and substantive procedures.
Typically, the purpose of the audit procedure will dictate the type of procedure it is. There are seven types of audit procedures:
- Inspection. Auditors collect evidence by inspecting physical assets, records, or documents.
- Observation. Auditors observe the client’s business processes and operations to identify deficiencies.
- External confirmation. Auditors may reach out to third parties to verify the financial information and accounting records provided by the client.
- Recalculation. The auditors perform their own calculations to verify that the final accounting balances match those reported by the client.
- Reperformance. Auditors may reperform certain tasks or processes to identify deficiencies and discover opportunities for further optimization.
- Analytical procedures. Auditors analyze the client’s financial records to find discrepancies.
- Inquiry. Auditors talk with the client’s senior management to gain a deeper understanding of business processes for the auditing process. Inquiry alone, however, is not considered sufficient audit evidence to reduce the audit risk.
Audit evidence is an integral part of the overall audit process. That said, it’s just as important to consider how the evidence is collected, where it’s sourced from, and whether there is sufficient evidence available to approve or reject the assertions made by the company prior to the audit.
What Are the Qualities of Obtained Audit Evidence?
According to the Public Company Accounting Oversight Board (PCAOB), any audit evidence obtained must be sufficient and appropriate. Sufficiency measures the quantity of the audit evidence. Appropriateness refers to the quality of audit evidence.
The sufficiency of the audit evidence is affected by both the risk of material misstatement or risk associated with the control and the quality of the audit evidence obtained.
The appropriateness of audit evidence is affected by its relevance and reliability:
- Relevance refers to the relationship between the audit evidence and the control or claim being tested, and depends on the design and timing of the audit procedure used.
- Reliability refers to how the evidence is collected and its source.
What Are the Types of Audit Evidence?
There are eight different types of audit evidence. Each type is used to achieve a specific purpose, depending on the purpose of the audit, the client, and the assertion being tested.
- Physical examination. Physical evidence gathered by the auditors themselves to verify whether or not certain assets actually exist, or to verify the asset’s condition. Physical examination is also a main source of audit evidence used primarily for any fixed assets, such as usage of machinery or supplies.
- Confirmations. This refers to relying on third parties such as banks to confirm various aspects of the financial statements (for example, the closing bank balance or accounts payable records).
- Documentary evidence. Auditors will gather documentation such as internal process documents, emails, or logs, to help with different portions of the overall audit. The auditors may use documentation for vouching or tracing as part of the audit procedures.
- Analytical procedures. Any analysis performed by the auditors where they use their own calculations to substantiate the financial information and any accounting records provided by the client to find any discrepancies.
- Oral evidence. Auditors may hold Q&A sessions with their client’s senior leadership team to inquire about the business operations prior to designing the audit procedures.
- Accounting system. Allows the auditor to access financial reporting documents and any information related to financial statements. The accounting system may also act as the source of audit evidence.
- Reperformance. The auditor assesses the control risk by reperforming key internal control processes to check for deficiencies.
- Observatory evidence. The auditors observe how their clients conduct their operations, policies, and protocols to find weaknesses; and make their own notes about how those processes work.
Maintain Your Compliance with ZenGRC
Assure you remain in compliance with the right frameworks when you use ZenGRC. ZenGRC is the ultimate compliance and risk management tool for businesses in a variety of industries. Schedule a demo today to learn how we can help your company.