Everywhere companies turn, they encounter more demands for risk assurance – that is, demands for proof that the company has complied with a certain regulatory standard or has kept some other risk in check.

Companies provide that assurance by providing audit evidence.

Audit evidence is just what the phrase implies: it is the information that an auditor gathers to render his or her audit opinion about an organization’s financial statements, cybersecurity, privacy program, or some other element of the company’s internal control system.

For example, an external auditor might collect evidence about a company’s bank balances, outstanding invoices, and inventory amounts to determine whether the company’s financial statements are accurate. An internal auditor might collect evidence of cybersecurity controls’ effectiveness, to give the board of directors an opinion on whether the company’s cybersecurity program addresses all risks adequately. A company might agree to annual audits of its data privacy program as part of a regulatory settlement, where that auditor collects evidence of how well the company’s privacy program works.

That evidence ultimately goes into an audit report, which stakeholders can use to decide how well the company is or isn’t living up to its regulatory compliance and risk management goals.

What Is Audit Evidence?

Audit evidence is the information you collect about processes related to the operations of a specific department within your organization. Auditors use this information to make findings about your compliance efforts and prepare audit reports.

You may also include electronic audit evidence obtained as part of your data collection efforts, where you rely on several information systems and electronic reports for verification.

What Is the Difference Between Audit Documentation and Audit Evidence?

Audit documentation is an audit file which serves as the documented outcome of all the inputs gathered and evidence collected during the audit. The purpose of the audit documentation is to serve as a long-term summary of the audit objectives, as well as a detailed reference for all the auditor’s conclusions derived from the procedures performed.

Audit documentation also serves as a compilation of the audit evidence that provides validation of these audit findings. This is to serve as a reference point for any future auditor to refer back to the compiled evidence at a later point in time.

In other words, audit documentation is a written summary of how the audit happened. Audit evidence is the actual information collected, which is described in the audit documentation.

What Are the Types of Audit Evidence?

Audit evidence can include documents, logs, and correspondence generated internally within your organization, as well as materials generated externally. Documentation requirements for audit evidence may vary from company to company, but the following lists below should serve as a typical example to follow.

Internal documents include:

  • Process documents
  • Policy documents
  • Accounting records and journal entries
  • Results of control tests
  • Invoices
  • Account balance statements
  • System logs
  • Financial reporting documents
  • Internal working papers

External sources of gathering electronic audit evidence can include information from:

  • Banks
  • Debtors
  • Suppliers
  • Customers
  • Stock exchanges
  • Internal Revenue Service and other regulators

To perform the audit, an auditor must first create a comprehensive audit plan to establish the truthfulness of the system to record these transactions. For example, as part of the plan, an auditor can verify the financial information on the financial statements by reviewing the financial information from various data sources, including inventory reports, available receipts, and payments to suppliers.

We compiled a comprehensive guide listing the different types of audit evidence you might come across to create a series of checklists as part of your audit programs.

Methods of Collecting Audit Evidence

Auditors use a mix of internal and external audit procedures to perform a risk assessment and obtain audit evidence. During a typical audit engagement, these procedures include observation, inspection, confirmation, recalculation, reperformance, and analytical procedures, and asking questions. For your reference as an auditor, we have compiled an extensive list of internal audit procedures.

Data analytics can improve the quality of an audit by enabling experienced auditors to discover and analyze patterns, deviations, and inconsistencies. Data analytics can also help the auditors to find other useful information in the data that is related to the subject matter of an audit. For example, some inquiries might also require historical data as audit evidence, so it’s to determine the data retention policies, especially for electronic data.

Analytical procedures are a type of audit evidence used during an audit that can indicate potential issues with an organization’s financial records, which the auditors can then investigate more completely. Auditors use analytical procedures to evaluate financial information by cross-referencing plausible relationships between financial information and nonfinancial information.

In most instances, these relationships should remain consistent over time. If that’s not the case, the client’s financial records could be incorrect, maybe because of errors or fraudulent financial reporting activity.

Two related qualities of audit evidence are sufficiency and appropriateness of audit evidence. The sufficiency of audit evidence is the amount or quantity of audit evidence. The greater the “audit risk” – that is, the chance of a mistake leading to a material error – the more evidence the auditor should collect.

That said, the higher the quality of evidence an auditor collects, the less of that evidence the auditor might actually need. (Still, a large amount of audit evidence will likely not make up for the poor quality of the audit evidence.)

Appropriateness is the measure of the quality of the audit evidence: the reliability and relevance of the material. To be appropriate, the audit evidence must be reliable and relevant to support the conclusions that the auditor makes.

The audit evidence should also be sufficient and appropriate to support and corroborate – or contradict, if necessary – management’s assertions about specific transaction classes, account balances, or financial statements or related disclosures.

Managing and Documenting Audits with ROAR

Audits can be a tremendous challenge, with significant time, resources, and effort from all parties involved. A compliance management solution can help you streamline the time spent on an audit report by integrating risk control information and storing all your compliance inputs in one shared space.

This is where Reciprocity’s ROAR platform enters the picture. Our software-as-a-service automatically monitors your vendors and compiles results automatically from all sources to serve as a single source of truth for your auditing needs. It can also provide you a consolidated view of your compliance posture and analysis on an intuitive platform.

Schedule a demo today to learn more about how ROAR can streamline your audit process.