If your organization is required to follow one or more compliance frameworks, you’ll likely be required to have a third party perform an audit to verify that your company consistently meets compliance standards.
When an organization undergoes an audit, it must provide audit evidence, also called audit documentation. This could include financial statements, internal documents, policies, procedures, logs, and emails. The auditor uses that evidence to assess how well the client organization is adhering to internal controls, following processes, and fulfilling requirements.
Audit evidence is collected through audit procedures. The evidence might either support the organization’s claim of achieving compliance or disprove that claim.
Internal audits are valuable for identifying issues before an external audit (when discovery of an issue will likely raise more red flags and cost more to fix). Compliance frameworks often require internal audits for ongoing monitoring. External audits are performed by independent, third-party audit firms.
For example, an independent certified public accountant (CPA) must perform financial audits for publicly traded corporations. An internal auditor may be sufficient if the organization wants to verify its processes and procedures before the external auditor arrives or to placate business partners who might be skittish about engaging the company.
What Is Audit Risk?
Audit risk is the risk that there are material errors or weaknesses in a company’s systems, even though the auditor gives a “clean” opinion of the company’s internal controls. Put another way, it’s the risk that the auditor misses something important.
To reduce audit risk, auditors can conduct more audit procedures. Lowering audit risk to a manageable level – that is, reducing the chance that the auditor misses a material error that does actually exist – is an essential aspect of the audit function. The more audit evidence the auditor collects, the lower the risk.
There are several types of audit risk:
- Control risk is when potential material misstatements are not detected or prevented by the client’s internal control systems.
- Detection risk is the possibility of a significant misrepresentation or error going undetected by the audit procedures.
- Inherent risk is the “natural chance” of a significant error or misstatement before any controls are put into place to reduce that risk.
- Residual risk is the risk of material error or misstatement that remains after controls are put into place.
Why Is Audit Evidence Important?
Audit evidence is critical for any auditor to substantiate his or her conclusions. First, the opinion presented by an auditor after an audit is done depends on the evidence gathered. Second, if the findings from the audit are disputed, auditors will rely on the strength of the audit evidence to support their opinion.
In particular, publicly traded companies must have the financial statements they provide to investors audited every year. Those statements contain an enormous amount of information that investors use to make decisions about whether to commit their money – so the completeness and accuracy of those financial statements is a high priority.
Any assertion the company makes about its financial performance must either be corroborated by outside evidence (such as a bank statement), or the auditors must perform their own analysis to verify the legitimacy of the information provided by the company.
How Is Audit Evidence Obtained?
Audit evidence is collected via audit procedures. Those procedures are categorized as risk assessment procedures and audit procedures. The latter includes tests of controls and substantive procedures.
There are seven types of audit procedures, and the purpose of the procedure typically dictates which one is used:
- Inspection. Auditors collect evidence by inspecting physical assets, records, or documents.
- Observation. Auditors observe the client’s business processes and operations to identify deficiencies.
- External confirmation. Auditors may reach out to third parties to verify the client’s financial information and accounting records.
- Recalculation. The auditors perform their own calculations to verify that the final account balances match those reported by the client.
- Reperformance. Auditors may re-perform specific tasks or processes to identify deficiencies and discover opportunities for further optimization.
- Analytical procedures. Auditors analyze the client’s financial records to find discrepancies.
- Inquiry. Auditors talk with the client’s senior management to gain a deeper understanding of business processes for the auditing process. Inquiry alone, however, is not considered sufficient audit evidence to reduce the risk.
Audit evidence is an integral part of the overall audit process. That said, it’s just as important to consider how the evidence is collected, where it’s sourced from, the audit sampling process, and whether sufficient evidence is available to approve or reject the assertions made by the company before the audit.
What Are the Qualities of Obtained Audit Evidence?
According to the Public Company Accounting Oversight Board (PCAOB), any audit evidence that’s obtained must be sufficient and appropriate. Sufficiency measures the quantity of the audit evidence, while appropriateness refers to the quality of audit evidence.
The sufficiency of the audit evidence is affected by both the risk of material misstatement (or the risk associated with the control) and the quality of the audit evidence obtained.
The appropriateness of audit evidence is affected by its relevance and reliability.
- Relevance refers to the relationship between the audit evidence and the control or claim being tested and depends on the design and timing of the audit procedure used.
- Reliability refers to how the evidence is collected and its source.
What Are the Types of Audit Evidence?
There are eight types of audit evidence. Each class is used to achieve a specific purpose, depending on the audit’s goal, the client’s objectives, and the assertion being tested.
- Physical examination. Auditors gather physical evidence to verify whether certain assets exist or to confirm the asset’s condition. Physical examination is also the primary source of audit evidence for any fixed assets, such as the usage of machinery or supplies.
- Confirmations. This refers to relying on third parties such as banks to confirm various aspects of the financial statements (for example, the closing bank balance or accounts payable records).
- Documentary evidence. Auditors will gather documentation such as internal process documents, emails, or logs, to help with different portions of the overall audit. For example, the auditors may use the documentation for vouching or tracing a process flow as a part of the audit procedures.
- Analytical procedures. This includes any analysis performed by the auditors using their own calculations to substantiate the financial information and any accounting records provided by the client to find discrepancies.
- Oral evidence. Auditors may hold question-and-answer sessions with their client’s senior leadership team to inquire about the business operations when they are doing audit planning and designing the audit procedures.
- Accounting system. This allows the auditor to access financial reporting documents and any information related to financial statements. The accounting system may also act as the source of audit evidence.
- Re-performance. The auditor assesses the control risk by re-performing key internal control processes to check for deficiencies.
- Observatory evidence. The auditors observe how their clients conduct their operations, policies, and protocols to find weaknesses. The auditors will assess risks and make notes about how those processes work.
What Are Internal Controls?
Organizations are shielded against financial, operational, and strategic risks by internal controls, which are protocols, processes, and best practices meant to prevent those risks. For instance, internal controls can help a company to protect its data from cybersecurity threats or to protect financial operations from fraud.
Keep in mind that internal controls are not limited to technology solutions, such as user access controls. Internal control includes physical security measures, consistent staff training, audits, and investigations. Your company’s threats and the likely damage from each hazard will determine the controls you use.
In addition, the different types of internal controls (divided into preventive, corrective, and detective) allow you to adapt them to the issues or needs of your organization.
Why Are Internal Controls Important?
Internal controls are meant to reduce risks and protect your company’s ability to maintain operations should an event occur. These systems reduce fraud risk, assure business continuity, and help you grow your business in the future.
In addition, solid internal control procedures can help you increase security, streamline processes, save money, and improve stakeholder confidence (and overall peace of mind).
Maintain Your Compliance with Reciprocity ZenComply
Assure that you remain in compliance with the right frameworks by using Reciprocity ZenComply. ZenComply is the ultimate compliance and risk management tool for businesses in various industries.
Reciprocity ZenComply’s document repository is a single source of truth to assure audit evidence is quickly available. Automated workflows drive tasks to completion while leaving a clear audit trail. Prepare for external audits by performing internal audits in just a few clicks. Dashboards and insightful reporting promote visibility at all levels of the organization.