COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
1051 Sufficient appropriate audit evidence
Sufficient appropriate audit evidence must be obtained to provide a reasonable basis to support the conclusion(s) expressed in an assurance engagement report.
This section explains
- the concept of sufficient appropriate audit evidence,
- the sources of audit evidence, and
- the determination of the relevance and reliability of audit evidence.
CPA Canada Assurance Standards
Performance Audit, Special Examination, and Other Assurance Engagements
CAS 200.17 To obtain reasonable assurance, the auditor shall obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and thereby enable the auditor to draw reasonable conclusions on which to base the auditor's opinion. (Ref: Para. A31-A57)
Sufficiency and Appropriateness of Audit Evidence
CAS 200.A31 Audit evidence is necessary to support the auditor's opinion and report. It is cumulative in nature and is primarily obtained from audit procedures performed during the course of the audit. It may, however, also include information obtained from other sources such as previous audits (provided the auditor has determined whether changes have occurred since the previous audit that may affect its relevance to the current audit) or a firm's quality control procedures for client acceptance and continuance. In addition to other sources inside and outside the entity, the entity's accounting records are an important source of audit evidence. Also, information that may be used as audit evidence may have been prepared by an expert employed or engaged by the entity. Audit evidence comprises both information that supports and corroborates management's assertions, and any information that contradicts such assertions. In addition, in some cases, the absence of information (for example, management's refusal to provide a requested representation) is used by the auditor and, therefore, also constitutes audit evidence. Most of the auditor's work in forming the auditor's opinion consists of obtaining and evaluating audit evidence.
Note: CAS 500.A5 has same content.
CAS 200.A32 The sufficiency and appropriateness of audit evidence are interrelated. Sufficiency is the measure of the quantity of audit evidence. The quantity of audit evidence needed is affected by the auditor's assessment of the risks of misstatement (the higher the assessed risks, the more audit evidence is likely to be required) and also by the quality of such audit evidence (the higher the quality, the less may be required). Obtaining more audit evidence, however, may not compensate for its poor quality.
Note: CAS 500.A8 has same content.
CAS 200.A33 Appropriateness is the measure of the quality of audit evidence; that is, its relevance and its reliability in providing support for the conclusions on which the auditor's opinion is based. The reliability of evidence is influenced by its source and by its nature, and is dependent on the individual circumstances under which it is obtained.
Note: CAS 500.A9 has same content.
CAS 200.A34 Whether sufficient appropriate audit evidence has been obtained to reduce audit risk to an acceptably low level, and thereby enable the auditor to draw reasonable conclusions on which to base the auditor's opinion, is a matter of professional judgment. CAS 500 and other relevant CASs establish additional requirements and provide further guidance applicable throughout the audit regarding the auditor's considerations in obtaining sufficient appropriate audit evidence.
CAS 500.6 The auditor shall design and perform audit procedures that are appropriate in the circumstances for the purpose of obtaining sufficient appropriate audit evidence. (Ref: Para. A5-A29)
CAS 500.A6 Most of the auditor's work in forming the auditor's opinion consists of obtaining and evaluating audit evidence. Audit procedures to obtain audit evidence can include inspection, observation, confirmation, recalculation, reperformance and analytical procedures, often in some combination, in addition to inquiry. Although inquiry may provide important audit evidence, and may even produce evidence of a misstatement, inquiry alone ordinarily does not provide sufficient audit evidence of the absence of a material misstatement at the assertion level, nor of the operating effectiveness of controls.
CAS 500.A7 As explained in CAS 200, reasonable assurance is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk (that is, the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated) to an acceptably low level.
CAS 500.A10 CAS 330 requires the auditor to conclude whether sufficient appropriate audit evidence has been obtained. Whether sufficient appropriate audit evidence has been obtained to reduce audit risk to an acceptably low level, and thereby enable the auditor to draw reasonable conclusions on which to base the auditor's opinion, is a matter of professional judgment. CAS 200 contains discussion of such matters as the nature of audit procedures, the timeliness of financial reporting, and the balance between benefit and cost, which are relevant factors when the auditor exercises professional judgment regarding whether sufficient appropriate audit evidence has been obtained.
Sources of Audit Evidence
CAS 500.A11 Some audit evidence is obtained by performing audit procedures to test the accounting records, for example, through analysis and review, reperforming procedures followed in the financial reporting process, and reconciling related types and applications of the same information. Through the performance of such audit procedures, the auditor may determine that the accounting records are internally consistent and agree to the financial statements.
CAS 500.A12 More assurance is ordinarily obtained from consistent audit evidence obtained from different sources or of a different nature than from items of audit evidence considered individually. For example, corroborating information obtained from a source independent of the entity may increase the assurance the auditor obtains from audit evidence that is generated internally, such as evidence existing within the accounting records, minutes of meetings, or a management representation.
CAS 500.A13 Information from sources independent of the entity that the auditor may use as audit evidence may include confirmations from third parties, and information from an external information source, including analysts' reports, and comparable data about competitors (benchmarking data).
CAS 330.27 If the auditor has not obtained sufficient appropriate audit evidence as to a material financial statement assertion, the auditor shall attempt to obtain further audit evidence. If the auditor is unable to obtain sufficient appropriate audit evidence, the auditor shall express a qualified opinion or disclaim an opinion on the financial statements.
CAS 500.7 When designing and performing audit procedures, the auditor shall consider the relevance and reliability of the information to be used as audit evidence, including information obtained from an external information source. (Ref: Para. A30-A44)
Relevance and Reliability (Ref: Para. 7)
CAS 500.A30 As noted in paragraph A5, while audit evidence is primarily obtained from audit procedures performed during the course of the audit, it may also include information obtained from other sources such as, for example, previous audits, in certain circumstances, firm's quality control procedures for client acceptance and continuance and complying with certain additional responsibilities under law, regulation or relevant ethical requirements (e.g., regarding an entity's non-compliance with laws and regulations). The quality of all audit evidence is affected by the relevance and reliability of the information upon which it is based.
CAS 500.A31 Relevance deals with the logical connection with, or bearing upon, the purpose of the audit procedure and, where appropriate, the assertion under consideration. The relevance of information to be used as audit evidence may be affected by the direction of testing. For example, if the purpose of an audit procedure is to test for overstatement in the existence or valuation of accounts payable, testing the recorded accounts payable may be a relevant audit procedure. On the other hand, when testing for understatement in the existence or valuation of accounts payable, testing the recorded accounts payable would not be relevant, but testing such information as subsequent disbursements, unpaid invoices, suppliers' statements, and unmatched receiving reports may be relevant.
CAS 500.A32 A given set of audit procedures may provide audit evidence that is relevant to certain assertions, but not others. For example, inspection of documents related to the collection of receivables after the period end may provide audit evidence regarding existence and valuation, but not necessarily cut-off. Similarly, obtaining audit evidence regarding a particular assertion, for example, the existence of inventory, is not a substitute for obtaining audit evidence regarding another assertion, for example, the valuation of that inventory. On the other hand, audit evidence from different sources or of a different nature may often be relevant to the same assertion.
CAS 500.A33 Tests of controls are designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level. Designing tests of controls to obtain relevant audit evidence includes identifying conditions (characteristics or attributes) that indicate performance of a control, and deviation conditions which indicate departures from adequate performance. The presence or absence of those conditions can then be tested by the auditor.
CAS 500.A34 Substantive procedures are designed to detect material misstatements at the assertion level. They comprise tests of details and substantive analytical procedures. Designing substantive procedures includes identifying conditions relevant to the purpose of the test that constitute a misstatement in the relevant assertion.
CAS 500.A35 The reliability of information to be used as audit evidence, and therefore of the audit evidence itself, is influenced by its source and its nature, and the circumstances under which it is obtained, including the controls over its preparation and maintenance where relevant. Therefore, generalizations about the reliability of various kinds of audit evidence are subject to important exceptions. Even when information to be used as audit evidence is obtained from sources external to the entity, circumstances may exist that could affect its reliability. For example, information obtained from a source independent of the entity may not be reliable if the source is not knowledgeable, or a management's expert may lack objectivity. While recognizing that exceptions may exist, the following generalizations about the reliability of audit evidence may be useful:
CAS 500.9 When using information produced by the entity, the auditor shall evaluate whether the information is sufficiently reliable for the auditor's purposes, including, as necessary in the circumstances:
(a) Obtaining audit evidence about the accuracy and completeness of the information; and (Ref: Para. A60-A61)
(b) Evaluating whether the information is sufficiently precise and detailed for the auditor's purposes. (Ref: Para. A62)
Information Produced by the Entity and Used for the Auditor's Purposes (Ref: Para. 9(a)-(b))
CAS 500.A60 In order for the auditor to obtain reliable audit evidence, information produced by the entity that is used for performing audit procedures needs to be sufficiently complete and accurate. For example, the effectiveness of auditing revenue by applying standard prices to records of sales volume is affected by the accuracy of the price information and the completeness and accuracy of the sales volume data. Similarly, if the auditor intends to test a population (for example, payments) for a certain characteristic (for example, authorization), the results of the test will be less reliable if the population from which items are selected for testing is not complete.
CAS 500.A61 Obtaining audit evidence about the accuracy and completeness of such information may be performed concurrently with the actual audit procedure applied to the information when obtaining such audit evidence is an integral part of the audit procedure itself. In other situations, the auditor may have obtained audit evidence of the accuracy and completeness of such information by testing controls over the preparation and maintenance of the information. In some situations, however, the auditor may determine that additional audit procedures are needed.
CAS 500.A62 In some cases, the auditor may intend to use information produced by the entity for other audit purposes. For example, the auditor may intend to make use of the entity's performance measures for the purpose of analytical procedures, or to make use of the entity's information produced for monitoring activities, such as reports of the internal audit function. In such cases, the appropriateness of the audit evidence obtained is affected by whether the information is sufficiently precise or detailed for the auditor's purposes. For example, performance measures used by management may not be precise enough to detect material misstatements.
CAS 500.11 If:
(a) audit evidence obtained from one source is inconsistent with that obtained from another; or
(b) the auditor has doubts over the reliability of information to be used as audit evidence,
the auditor shall determine what modifications or additions to audit procedures are necessary to resolve the matter, and shall consider the effect of the matter, if any, on other aspects of the audit. (Ref: Para. A68)
CAS 500.A68 Obtaining audit evidence from different sources or of a different nature may indicate that an individual item of audit evidence is not reliable, such as when audit evidence obtained from one source is inconsistent with that obtained from another. This may be the case when, for example, responses to inquiries of management, internal auditors, and others are inconsistent, or when responses to inquiries of those charged with governance made to corroborate the responses to inquiries of management are inconsistent with the response by management. CAS 230 includes a specific documentation requirement if the auditor identified information that is inconsistent with the auditor's final conclusion regarding a significant matter.
CSAE 3001.53R Based on the practitioner’s understanding (see paragraph 51R) the practitioner shall: (Ref: Para. A110-A114)
(a) Identify and assess the risks of significant deviation; and
(b) Design and perform procedures to respond to the assessed risks and to obtain reasonable assurance to support the practitioner’s conclusion. In addition to any other procedures on the underlying subject matter that are appropriate in the engagement circumstances, the practitioner’s procedures shall include obtaining sufficient appropriate evidence as to the operating effectiveness of relevant controls over the underlying subject matter when:
(i) The practitioner intends to rely on the operating effectiveness of those controls in determining the nature, timing and extent of other procedures, or
(ii) Procedures other than testing of controls cannot alone provide sufficient appropriate evidence.
The Nature, Timing and Extent of Procedures (Ref: Para. 53(L)–54(R))
CSAE 3001.A110 The practitioner chooses a combination of procedures to obtain reasonable assurance or limited assurance, as appropriate. The procedures listed below may be used, for example, for planning or performing the engagement, depending on the context in which they are applied by the practitioner:
CSAE 3001.A111 Factors that may affect the practitioner’s selection of procedures include the nature of the underlying subject matter; the level of assurance to be obtained; and the information needs of the intended users and the engaging party, including relevant time and cost constraints.
CSAE 3001.A112 In some cases, a subject-matter-specific CSAE may include requirements that affect the nature, timing and extent of procedures. For example, a subject-matter-specific CSAE may describe the nature or extent of particular procedures to be performed or the level of assurance expected to be obtained in a particular type of engagement. Even in such cases, determining the exact nature, timing and extent of procedures is a matter of professional judgment and will vary from one engagement to the next.
CSAE 3001.A113 In some engagements, the practitioner may not identify any areas where a significant deviation is likely to arise. Irrespective of whether any such areas have been identified, the practitioner designs and performs procedures to obtain a meaningful level of assurance.
CSAE 3001.55 When designing and performing procedures, the practitioner shall consider the relevance and reliability of the information to be used as evidence. If:
(a) Evidence obtained from one source is inconsistent with that obtained from another; or
(b) The practitioner has doubts about the reliability of information to be used as evidence,
the practitioner shall determine what changes or additions to procedures are necessary to resolve the matter, and shall consider the effect of the matter, if any, on other aspects of the engagement.
CSAE 3001.56 The practitioner shall consider whether individual deviations identified during the engagement (other than those that are clearly trivial) have characteristics, for example a root cause or a problematic pattern, that indicate the aggregate effect of individual deviations is likely to be significant. (Ref: Para. A120)
CSAE 3001.A114 An assurance engagement is an iterative process, and information may come to the practitioner’s attention that differs significantly from that on which the determination of planned procedures was based. As the practitioner performs planned procedures, the evidence obtained may cause the practitioner to perform additional procedures.
Concept of sufficient appropriate audit evidence
The concepts of sufficient (quantity) and appropriate (quality) in relation to evidence are interrelated.
Auditors use professional judgment and exercise professional skepticism to determine the quantity and quality of audit evidence (OAG Audit 1041 and OAG Audit 1042), and thus its sufficiency and appropriateness to support the assurance engagement opinion/conclusion and/or report. Ordinarily, auditors find it necessary to rely on audit evidence that is persuasive rather than conclusive. In gathering and evaluating audit evidence, auditors cannot be satisfied with audit evidence that is less than persuasive. The quantity of evidence is sufficient if, when taken as a whole, its weight is adequate to provide persuasive support for the contents of the assurance engagement report. For evidence to be appropriate, the information must be relevant, reliable, and valid. In exercising professional judgment, auditors should ask themselves whether the collective weight of the evidence that exists would be enough to persuade a reasonable person that the observations and conclusions are valid, and that the recommendations are appropriate. Important factors to consider in making these judgments include
- the quality of the evidence (its relevance, reliability, and validity);
- the level of materiality (in dollar terms) or the significance of the observation or conclusion (in general, the higher the level of significance or materiality, the higher the standard that evidence will have to meet);
- whether an audit level of assurance or reasonable assurance (high) or a review level of assurance or limited assurance (moderate) is required (for example, a higher level of assurance is required for evidence to support observations than is required to support contextual information included in the report);
- the risk involved in making an incorrect observation or reaching an invalid conclusion (for example, if any risk of legal action against the auditee results from reporting an observation, the standard of evidence demanded will be high); and
- the cost of obtaining additional evidence relative to likely benefits in terms of supporting observations and conclusions (as in most things, diminishing returns apply in gathering audit evidence—at some point, incurring the cost of obtaining more evidence will not be justified by changes in the persuasiveness of the total body of evidence).
We use one or more types of audit procedures to obtain audit evidence. When selecting audit procedures, it is reasonable to take into account the relationship between the cost of obtaining the audit evidence and the usefulness of the information obtained. Consequently, in forming the assurance engagement opinion/conclusion and/or report, auditors are generally not required to examine all the information available because they can ordinarily reach conclusions using sampling and other means of selecting items for testing. The following rules of thumb have proven helpful in judging the appropriateness of evidence:
- Documentary evidence is usually better than testimonial evidence.
- Audit evidence is more reliable when the auditor obtains consistent evidence from different sources or of a different nature (e.g., testimonial evidence that is corroborated by other sources is better than testimonial evidence alone).
- Receiving and reviewing an original document is better than receiving a photocopy.
- Evidence from credible third parties may be better than evidence generated within the audited organization.
- The quality of information generated by the audited organization is directly related to the strength of the organization's internal controls (the auditors should have a good understanding of internal controls as they relate to the objectives of the audit).
- Evidence generated through the auditor's direct observation, inspection, and computation is usually better than evidence obtained indirectly.
The Office balances different types of audit evidence to perform an audit that is both effective and efficient.
If sufficient appropriate audit evidence has not been obtained, follow the guidance in OAG Annual Audit 1022 on determining the need for additional audit procedures, and consider the impact on the opinion based on the overall objectives of the auditor as set out in OAG Annual Audit 1011.
Sources of audit evidence
Records from a single source often do not provide sufficient audit evidence on which to base an audit opinion, so auditors obtain additional audit evidence. For example, accounting records are verified by performing audit procedures to test their attributes through, for example, analysis and review, re-performance, and reconciliation. Through the performance of such audit procedures, the auditor may determine that the accounting records are internally consistent and agree with the financial statements.
More assurance is ordinarily obtained from consistent audit evidence obtained from different sources or of a different nature than from items of audit evidence considered individually. For example, corroborating information obtained from a source independent of the entity may increase the assurance the auditor obtains from audit evidence that is generated internally, such as evidence existing within records, minutes of meetings, or a management representation.
Information that auditors may use as audit evidence includes
- minutes of meetings;
- communications with third parties;
- comparable data about others (benchmarking);
- control descriptions;
- information obtained from audit procedures such as inquiry, observation, and inspection; and
- any other information developed by or available to them to reach conclusions through valid reasoning.
Relevant audit evidence
Relevance refers to the extent to which the information bears a clear and logical relationship to the audit criteria and objectives.
Relevance also refers to the relationship of evidence to its use. The information used to prove or disprove an issue is relevant if it has a logical, sensible relationship to that issue. Information that does not is irrelevant and, therefore, should not be included as evidence.
Reliable audit evidence
Reliability concerns whether there is a likelihood of coming up with the same answers when either the audit test is repeated or information is obtained from different sources. This means that a measurement or evidence-gathering process is more reliable when repeated measures or performances of the process produce the same result or a consistent result that is minimally affected by measurement errors (or a random distribution of measurement errors).
When using entity-produced information, an evaluation should be undertaken to ascertain whether the information is sufficiently reliable for the auditor’s purpose, including, as required by the circumstances, obtaining audit evidence concerning the accuracy and completeness of the information and evaluating the sufficiency of the precision and detail of the information for the auditor's purpose. If the reliability of information is in doubt, the audit team modifies the audit procedures as necessary to resolve the issues.
An engagement rarely involves the authentication of documentation, nor are auditors trained or expected to be experts in such authentication. However, the reliability of information to be used as audit evidence is considered. This is of particular relevance where original documentation may not be readily available and engagement teams may be provided only with scanned or digitized copies, for example, when entities use a shared service centre. In such circumstances, engagement teams need to assess the adequacy and reliability of such documents as appropriate audit evidence.
While recognizing that exceptions may exist, the reliability of audit evidence often increases when it is obtained from independent sources outside the entity. Corroborating information obtained from a source independent of the entity may increase the assurance the auditor obtains from audit evidence generated internally, such as evidence existing within the entity's records, minutes of meetings, or a management representation.
Regarding communications from third parties, the more important the evidential nature of the communication, the more important it is to have a signed original. For example, for annual audits, a confirmation from a lender with respect to a significant loan transaction is more reliable when we receive it in original form or in electronic form through Capital Confirmation Inc. Confirmation.com (CCI) (see guidance in OAG Annual Audit 7054).
Certain other audit evidence, such as certain management representations and other important evidence of a similar nature, is not acceptable in other than original form.
We need to apply professional skepticism throughout the entire audit process and our skepticism needs to extend to the reliability of information and audit evidence obtained. This includes, but is not limited to, considering and, where relevant, obtaining further evidence as to reliability. The nature and extent of additional audit procedures necessary is a matter of professional judgment and depends on the engagement circumstances. Some examples of procedures designed to obtain evidence about the reliability of information and/or audit evidence include the following:
- Comparing scanned documents back to originals on an accept-reject basis;
- Performing completeness and accuracy tests (substantive and/or controls testing) on system generated information (see the guidance and decision tree in OAG Audit 6025);
- Performing procedures, such as real-time observation or comparing information to other independent sources, to check the authenticity of information downloaded by clients from third party systems (for online banking information—see the guidance in OAG Audit 7054);
- Verifying information received by e-mail or fax was sent by the intended source by communicating directly with the sender to validate the source and details of the information sent (see the guidance in OAG Audit 7052);
- Independently confirming information with third parties.
Information obtained from an expert, knowledgeable, objective, and external source is usually considered more reliable than that obtained from within the audited organization.
Relying on the work of others as evidence
See OAG Audit 6034 Evaluation of the work of the internal auditors for guidance.