Collecting and evaluating audit evidence is essential in assessing an organization’s compliance with established standards. The American Institute of Certified Public Accountants (AICPA) serves as a guiding force, setting methods auditors should use to carry out their duties effectively. As auditors start their examination, they first collect and analyze various types of audit evidence, each serving as a piece of the puzzle that forms the auditor’s report.

This article focuses on audit documentation, the nature of the audit procedures, the collection of audit evidence and documentation, and the role of internal controls within the broader context of the audit evidence process.

What Is Audit Documentation?

Audit documentation refers to the written record of the procedures, evidence, and conclusions obtained during an audit engagement. It provides a detailed account of the specific documentation, such as working papers, checklists, and memos, that support the evidence gathered and the auditor’s conclusions.

The purposes and extent of audit documentation are multi-fold. Firstly, it serves as a tool for quality control by documenting the planning, execution, and supervision of the audit engagement, thereby ensuring compliance with auditing standards and requirements. In addition, it facilitates the review of the audit work by providing a comprehensive record of the procedures performed, which can serve as a foundation for future audits.

Audit evidence is a critical component of the audit documentation process. It refers to the information and supporting documentation obtained during the fieldwork phase of an audit.

Audit evidence is essential for auditors to evaluate the reliability of financial information and substantiate the significant findings and conclusions derived from the audit.

To fulfill audit documentation requirements, enhance audit quality, and accomplish the audit objectives on time, it’s vital to develop well-designed audit programs to document the evidence effectively.

What Documents are Required for an Audit?

The specific documents required for an audit depend on the type of audit being conducted and the industry, but some standard documents include:

  • Financial statements
  • Bank statements and reconciliations
  • Invoices, purchase orders, and other supporting documentation
  • Payroll records
  • Tax returns
  • Inventory records
  • Contracts and agreements
  • Policy and procedure manuals
  • Regulatory filings
  • Information technology documentation
  • Minutes from board meetings

Proper documentation retention and organized audit files are crucial for ensuring audit evidence is readily accessible and facilitating efficient audits of financial statements. Maintaining the ability to quickly retrieve records requested by Certified Public Accountants (CPAs) and adhering to professional standards around audit documentation is vital for a smooth audit process.

Best Practices for Gathering Audit Documentation

Gathering thorough audit documentation is crucial for ensuring auditors have the information they need to conduct an efficient and effective audit. Following best practices around audit documentation enables transparent collaboration with auditors and adherence to regulations.

Some essential best practices include:

  • Maintain organized records that are easy to locate and filed logically based on a documented retention schedule. Understand ahead of time what materials may be relevant to auditors for specific documentation requirements.
  • Digitize records whenever possible for straightforward sharing along with proper access controls. Keep thorough version histories to track changes to documents related to significant matters.
  • Establish robust information destruction policies that align with regulations and professional auditing standards around documentation retention periods.
  • Proactively index materials so auditors can search for audit evidence efficiently. Keep related disclosures and oral explanations well documented.
  • Plan for consultation on reporting or disclosure issues by retaining memos and email threads related to amendments of final conclusions.

Why Is Audit Evidence Important?

Audit evidence plays a vital role in auditing, allowing auditors to justify their conclusions effectively. The opinions expressed by auditors in their audit reports rely heavily on the quality of the evidence they have gathered.
Moreover, should any disputes arise regarding the audit findings, auditors depend on the strength and credibility of the audit evidence to substantiate their stance.

Publicly traded companies must undergo an audit of their financial statements to investors every year. Those statements contain an enormous amount of information that investors use to decide whether to commit their money — so the accuracy of those financial statements is a high priority.

For the audit opinion to be credible, the company’s claims about its financial performance must be corroborated either by external evidence (such as a bank statement) or through an analysis conducted by the auditors. By exercising their professional judgments, experienced auditors ensure the accuracy of the information provided by the company.

What Is Audit Risk?

Audit risk is the risk that material errors or weaknesses still exist in a company’s systems, even though the auditor gives a “clean” opinion of the company’s internal controls. Put another way, it’s the risk that the auditor misses something important.

There are several types of audit risk:

  1. Control risk is when the client’s internal control systems do not detect or prevent potential material misstatements.
  2. Detection risk is the possibility of a significant misrepresentation or error going undetected by the audit procedures.
  3. Inherent risk is the “natural chance” of a significant error or misstatement before any controls are implemented to reduce that risk.

One goal of the audit team is to lower the risk of missing any significant errors that may be present. Auditors can do this by performing more checks to reduce the risk of making mistakes. Practically, that means gathering more evidence during the audit process.

How Is Audit Evidence Obtained?

Audit evidence is collected via audit procedures. Those procedures are categorized as risk assessment procedures and audit procedures. The latter includes tests of controls and substantive procedures.

There are seven types of audit procedures, and the purpose of the process typically dictates which one is used:

  1. Inspection. Auditors collect evidence by inspecting physical assets, records, or documents.
  2. Observation. Auditors observe the client’s business processes and operations to identify deficiencies.
  3. Inquiry. Auditors talk with the client’s senior management to gain a deeper understanding of business processes for the auditing process. Inquiry alone, however, isn’t considered sufficient audit evidence to reduce the risk.
  4. External confirmation. This involves obtaining written or oral responses from third parties, such as customers, suppliers, or financial institutions.
  5. Recalculation. The auditors perform calculations to verify that the final account balances match those reported by the client.
  6. Reperformance. The auditor independently performs procedures or controls that were initially performed by the entity to verify their effectiveness.
  7. Analytical procedures. The auditor analyzes financial and non-financial data, such as comparing current and prior-year financial ratios or trends, to identify unusual fluctuations or patterns that may indicate potential errors.

According to the Public Company Accounting Oversight Board (PCAOB), which regulates audit firms in the United States, any audit evidence obtained must be sufficient and appropriate.

Sufficiency measures the quantity of audit evidence; appropriateness refers to the quality of audit evidence. The sufficiency of the audit evidence is affected by both the risk of material misstatement and the risk associated with the control and the quality of the audit evidence obtained.

What Are the Types of Audit Evidence?

There are eight types of audit evidence. Each type has a specific purpose depending on the audit’s goal, the client’s objectives, and the assertion being tested.

  1. Physical examination. This involves inspecting tangible assets, such as inventory, machinery, or documents, to verify their existence, condition, or ownership. Physical examination provides direct evidence and is often documented in audit work papers.
  2. Confirmations. This refers to relying on third parties such as banks to confirm various aspects of the financial statements (for example, the closing bank balance or accounts payable records).
  3. Documentary evidence. Auditors will gather documentation, such as internal process documents, emails, or logs, to help with different portions of the overall audit. For example, the auditors may use the documentation for vouching or tracing a process flow as a part of the audit procedures.
  4. Analytical procedures. This includes any analysis performed by the auditors using their calculations to substantiate the financial information and any accounting records provided by the client to find discrepancies.
  5. Oral evidence. Auditors may hold question-and-answer sessions with their client’s senior leadership team to inquire about the business operations when planning and designing the audit procedures.
  6. Accounting system. This allows the auditor to access financial reporting documents and any information related to financial statements. The accounting system may also act as the source of audit evidence.
  7. Re-performance. The auditor assesses the control risk by re-performing key internal control processes to check for deficiencies.
  8. Observatory evidence. Auditors may observe activities or processes during site visits or walkthroughs. This allows them to assess the effectiveness of internal controls, compliance with regulatory requirements, or adherence to specific procedures.

What Are Internal Controls?

Internal controls are safeguards that organizations put in place to protect themselves from various risks. These risks can be related to finances, day-to-day operations, or long-term strategies.

Internal controls consist of specific rules and proven methods to minimize these risks. For example, they can help a company secure its data against online attacks or ensure that fraudulent activities do not compromise financial transactions.

Remember that internal controls are not limited to technology solutions, such as user access controls. Internal control includes physical security measures, staff training, audits, investigations, or even a speech from the CEO stressing the importance of good conduct. Your company’s threats and the likely damage from each hazard will determine the controls you use.

Why Are Internal Controls Important?

Internal controls are important for businesses for several reasons.

  1. Risk Reduction
    By identifying and mitigating risks, internal controls safeguard the company’s ability to maintain operations, protecting it from events that could disrupt its functioning.
    These systems establish checks and balances, ensuring accurate financial reporting and safeguarding of assets, which helps maintain the company’s stability and reputation.
  2. Fraud Prevention
    Internal controls are crucial in detecting and preventing fraud. They establish segregation of duties, requiring multiple individuals to be involved in critical processes such as cash handling, financial approvals, and inventory management.
    This reduces the opportunity for one person to manipulate or misuse company resources for personal gain, effectively mitigating the risk of fraud.
  3. Business Continuity
    In unforeseen circumstances or disruptions, internal controls help maintain business operations smoothly and efficiently. They establish clear procedures and guidelines for employees to follow, minimizing the interruption of staff turnover, absences, or emergencies.
    By providing a structured approach, internal controls assure operational stability, customer satisfaction, and the ability to meet business objectives.

How internal controls can help with audit preparations?

Adequate internal controls and ongoing monitoring activities enable better preparation for quality audits that align with professional standards. Some key ways internal controls facilitate smooth audit engagements include:

  • Internal control documentation around processes provides auditors insights to inform risk-based audit planning procedures.
  • Evidence of controls operating effectively allows engagement teams to reduce substantive testing potentially.
  • Control deficiencies flagged early by internal audit can be remediated ahead of external audit fieldwork, reducing overall findings.
  • Continuous internal control monitoring helps ensure financial reporting processes adhere to procedures between audit cycles.
  • Management testing results assure the auditor of control effectiveness when assessing audit risk and scoping areas needing heightened focus.

Maintaining strong internal controls not only enables audit readiness but fosters reliable reporting. Optimal collaboration with auditors hinges on sound access controls and working paper retention for transparent traceability.

Maintain Your Compliance with ZenGRC

GRC software improves audit collaboration and efficiency, saving time and money while enhancing the financial value of your organization’s compliance program.

The ZenGRC automates the entire compliance process, identifying compliance gaps in your system and providing guidance on addressing them. This platform monitors your systems, ensuring compliance between audits and promptly alerting you to any issues or vulnerabilities.

Schedule a demo today to see how RiskOptics can help your organization automate the audit evidence-gathering process.

The Experts Guide to Evaluating GRC Tools