COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
1052 Audit procedures for obtaining audit evidence
Auditors design detailed audit procedures to obtain sufficient appropriate audit evidence. Procedures can include inspection, observation, confirmation, recalculation, reperformance, and analytical procedures, often in some combination.
This section further explains
- audit procedures for obtaining audit evidence, and
- specific types of audit procedures.
CPA Canada Assurance Standards
Performance Audit, Special Examination, and Other Assurance Engagements
CAS 500.6 The auditor shall design and perform audit procedures that are appropriate in the circumstances for the purpose of obtaining sufficient appropriate audit evidence. (Ref: Para. A5-A29)
CAS 500.A6 Most of the auditor’s work in forming the auditor’s opinion consists of obtaining and evaluating audit evidence. Audit procedures to obtain audit evidence can include inspection, observation, confirmation, recalculation, reperformance and analytical procedures, often in some combination, in addition to inquiry. Although inquiry may provide important audit evidence, and may even produce evidence of a misstatement, inquiry alone ordinarily does not provide sufficient audit evidence of the absence of a material misstatement at the assertion level, nor of the operating effectiveness of controls.
CAS 500.A7 As explained in CAS 200, reasonable assurance is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk (that is, the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated) to an acceptably low level.
Sources of Audit Evidence
CAS 500.A11 Some audit evidence is obtained by performing audit procedures to test the accounting records, for example, through analysis and review, reperforming procedures followed in the financial reporting process, and reconciling related types and applications of the same information. Through the performance of such audit procedures, the auditor may determine that the accounting records are internally consistent and agree to the financial statements.
CAS 500.A12 More assurance is ordinarily obtained from consistent audit evidence obtained from different sources or of a different nature than from items of audit evidence considered individually. For example, corroborating information obtained from a source independent of the entity may increase the assurance the auditor obtains from audit evidence that is generated internally, such as evidence existing within the accounting records, minutes of meetings, or a management representation.
CAS 500.A13 Information from sources independent of the entity that the auditor may use as audit evidence may include confirmations from third parties, and information from an external information source, including analysts’ reports, and comparable data about competitors (benchmarking data).
CAS 500.A14 As required by, and explained further in, CAS 315 and CAS 330, audit evidence to draw reasonable conclusions on which to base the auditor’s opinion is obtained by performing:
(a) Risk assessment procedures; and
(b) Further audit procedures, which comprise:
(i) Tests of controls, when required by the CASs or when the auditor has chosen to do so; and
(ii) Substantive procedures, including tests of details and substantive analytical procedures.
CAS 500.A15 The audit procedures described in paragraphs A18-A29 below may be used as risk assessment procedures, tests of controls or substantive procedures, depending on the context in which they are applied by the auditor. As explained in CAS 330, audit evidence obtained from previous audits may, in certain circumstances, provide appropriate audit evidence where the auditor performs audit procedures to establish its continuing relevance.
CAS 500.A16 The nature and timing of the audit procedures to be used may be affected by the fact that some of the accounting data and other information may be available only in electronic form or only at certain points or periods in time. For example, source documents, such as purchase orders and invoices, may exist only in electronic form when an entity uses electronic commerce, or may be discarded after scanning when an entity uses image processing systems to facilitate storage and reference.
CAS 500.A17 Certain electronic information may not be retrievable after a specified period of time, for example, if files are changed and if backup files do not exist. Accordingly, the auditor may find it necessary as a result of an entity’s data retention policies to request retention of some information for the auditor’s review or to perform audit procedures at a time when the information is available.
CAS 500.A18 Inspection involves examining records or documents, whether internal or external, in paper form, electronic form, or other media, or a physical examination of an asset. Inspection of records and documents provides audit evidence of varying degrees of reliability, depending on their nature and source and, in the case of internal records and documents, on the effectiveness of the controls over their production. An example of inspection used as a test of controls is inspection of records for evidence of authorization.
CAS 500.A19 Some documents represent direct audit evidence of the existence of an asset, for example, a document constituting a financial instrument such as a stock or bond. Inspection of such documents may not necessarily provide audit evidence about ownership or value. In addition, inspecting an executed contract may provide audit evidence relevant to the entity’s application of accounting policies, such as revenue recognition.
CAS 500.A20 Inspection of tangible assets may provide reliable audit evidence with respect to their existence, but not necessarily about the entity’s rights and obligations or the valuation of the assets. Inspection of individual inventory items may accompany the observation of inventory counting.
CAS 500.A21 Observation consists of looking at a process or procedure being performed by others, for example, the auditor’s observation of inventory counting by the entity’s personnel, or of the performance of controls. Observation provides audit evidence about the performance of a process or procedure, but is limited to the point in time at which the observation takes place, and by the fact that the act of being observed may affect how the process or procedure is performed. See CAS 501 for further guidance on observation of the counting of inventory.
CAS 500.A22 An external confirmation represents audit evidence obtained by the auditor as a direct written response to the auditor from a third party (the confirming party), in paper form, or by electronic or other medium. External confirmation procedures frequently are relevant when addressing assertions associated with certain account balances and their elements. However, external confirmations need not be restricted to account balances only. For example, the auditor may request confirmation of the terms of agreements or transactions an entity has with third parties; the confirmation request may be designed to ask if any modifications have been made to the agreement and, if so, what the relevant details are. External confirmation procedures also are used to obtain audit evidence about the absence of certain conditions, for example, the absence of a “side agreement” that may influence revenue recognition. See CAS 505 for further guidance.
CAS 500.A23 Recalculation consists of checking the mathematical accuracy of documents or records. Recalculation may be performed manually or electronically.
CAS 500.A24 Reperformance involves the auditor’s independent execution of procedures or controls that were originally performed as part of the entity’s internal control.
CAS 500.A25 Analytical procedures consist of evaluations of financial information through analysis of plausible relationships among both financial and non-financial data. Analytical procedures also encompass such investigation as is necessary of identified fluctuations or relationships that are inconsistent with other relevant information or that differ from expected values by a significant amount. See CAS 520 for further guidance.
CAS 500.A26 Inquiry consists of seeking information of knowledgeable persons, both financial and non-financial, within the entity or outside the entity. Inquiry is used extensively throughout the audit in addition to other audit procedures. Inquiries may range from formal written inquiries to informal oral inquiries. Evaluating responses to inquiries is an integral part of the inquiry process.
CAS 500.A27 Responses to inquiries may provide the auditor with information not previously possessed or with corroborative audit evidence. Alternatively, responses might provide information that differs significantly from other information that the auditor has obtained, for example, information regarding the possibility of management override of controls. In some cases, responses to inquiries provide a basis for the auditor to modify or perform additional audit procedures.
CAS 500.A28 Although corroboration of evidence obtained through inquiry is often of particular importance, in the case of inquiries about management intent, the information available to support management’s intent may be limited. In these cases, understanding management’s past history of carrying out its stated intentions, management’s stated reasons for choosing a particular course of action, and management’s ability to pursue a specific course of action may provide relevant information to corroborate the evidence obtained through inquiry.
CAS 500.A29 In respect of some matters, the auditor may consider it necessary to obtain written representations from management and, where appropriate, those charged with governance to confirm responses to oral inquiries. See CAS 580 for further guidance.
CSAE 3001.53R Based on the practitioner’s understanding (see paragraph 51R) the practitioner shall: (Ref: Para. A110-A114)
(a) Identify and assess the risks of significant deviation; and
(b) Design and perform procedures to respond to the assessed risks and to obtain reasonable assurance to support the practitioner’s conclusion. In addition to any other procedures on the underlying subject matter that are appropriate in the engagement circumstances, the practitioner’s procedures shall include obtaining sufficient appropriate evidence as to the operating effectiveness of relevant controls over the underlying subject matter when:
(i) The practitioner intends to rely on the operating effectiveness of those controls in determining the nature, timing and extent of other procedures, or
(ii) Procedures other than testing of controls cannot alone provide sufficient appropriate evidence.
Revision of Risk Assessment in a Reasonable Assurance Engagement
CSAE 3001.54R The practitioner’s assessment of the risks of significant deviation may change during the course of the engagement as additional evidence is obtained. In circumstances where the practitioner obtains evidence which is inconsistent with the evidence on which the practitioner originally based the assessment of the risks of significant deviation, the practitioner shall revise the assessment and modify the planned procedures accordingly. (Ref: Para. A114)
The Nature, Timing and Extent of Procedures (Ref: Para. 53(L)–54(R))
CSAE 3001.A110 The practitioner chooses a combination of procedures to obtain reasonable assurance or limited assurance, as appropriate. The procedures listed below may be used, for example, for planning or performing the engagement, depending on the context in which they are applied by the practitioner:
CSAE 3001.A111 Factors that may affect the practitioner’s selection of procedures include the nature of the underlying subject matter; the level of assurance to be obtained; and the information needs of the intended users and the engaging party, including relevant time and cost constraints.
CSAE 3001.A112 In some cases, a subject-matter-specific CSAE may include requirements that affect the nature, timing and extent of procedures. For example, a subject-matter-specific CSAE may describe the nature or extent of particular procedures to be performed or the level of assurance expected to be obtained in a particular type of engagement. Even in such cases, determining the exact nature, timing and extent of procedures is a matter of professional judgment and will vary from one engagement to the next.
CSAE 3001.A113 In some engagements, the practitioner may not identify any areas where a significant deviation is likely to arise. Irrespective of whether any such areas have been identified, the practitioner designs and performs procedures to obtain a meaningful level of assurance.
CSAE 3001.A114 An assurance engagement is an iterative process, and information may come to the practitioner’s attention that differs significantly from that on which the determination of planned procedures was based. As the practitioner performs planned procedures, the evidence obtained may cause the practitioner to perform additional procedures.
Auditors shall design detailed audit programs, setting out the procedures that are appropriate to obtain sufficient appropriate audit evidence through the selected use of
- external confirmation
- analytical procedures
- inquiry [Nov-2011]
Audit programs shall be reviewed and approved before the start of the execution/examination phase. Any changes to an approved audit program shall be reviewed and approved on a timely basis. [Nov-2011]
Note: CAS 500—Audit Evidence, contains significant guidance explaining what constitutes audit evidence. It deals with the auditor’s responsibility to design and perform audit procedures to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the auditor’s opinion. If not displayed, selected requirements and application guidance found in CAS 500 may be viewed by clicking the “more” feature displayed in the standards information above.
Audit procedures for obtaining audit evidence
The evidence-gathering process involves the following steps:
- designing the audit procedures or tests;
- carrying out the audit procedures or tests and/or gathering evidence;
- analyzing evidence and drawing conclusions, which may also involve evaluating performance against the audit criteria; and
- making decisions about whether additional information is required and can be obtained (go back to step 1) or whether sufficient appropriate evidence exists.
Audit procedures typically focus on the key risk areas identified through a risk analysis.
It is not unusual for audits to be redesigned during the examination stage as teams encounter unforeseen difficulties in gathering sufficient evidence of appropriate quality. Auditors have to be alert to any signs that the evidence-gathering process may not be achieving the level of assurance required for the audit assignment and take appropriate corrective action. If there are any potential amendments to the audit program, communicate these changes and raise any other issues, on a timely basis, with the senior members of the audit team. In instances where modifications did not take place before the start of field work, modify the audit steps as the work progresses, obtain approval for changes to audit programs, and include appropriate information on the nature, timing, and extent of steps to be performed.
See OAG Annual Audit 5011 for guidance on risk assessment and related activities.
See OAG Annual Audit 6051 for guidance on developing and executing a controls test plan and OAG Annual Audit 5035 for guidance on walk-through procedures.
See OAG Annual Audit 6056 for guidance on using audit evidence obtained in previous audits.
See OAG Annual Audit 7015 for guidance on appropriate timing for performance of audit procedures and using audit information obtained during an interim period.
See OAG Annual Audit 7031 for guidance on substantive analytics.
See OAG Annual Audit 7041 for guidance on tests of detail.
Inspection. Inspection of documents and records provides varying degrees of reliability, depending on the nature and source of the documents. Inspection of physical assets provides highly reliable evidence of existence and some indication of value (if it does not appear damaged or obsolete) but not necessarily of ownership or value.
Observation. Observation of the application of a client’s or entity’s policy or procedure provides assurance of that procedure at a given point in time, but not necessarily of its performance at other times during the year.
See OAG Annual Audit 7062 for guidance on observation of inventory counting.
External confirmation. Confirmation is a written request addressed to third parties.
See OAG Annual Audit 7050 for guidance on external confirmations.
Recalculation. Computation or recalculation provides a high level of assurance regarding arithmetical accuracy.
See OAG Annual Audit 7591 for guidance on use of computer-assisted audit techniques (CAATs).
Reperformance. Reperformance techniques may be performed manually or through the use of computer-assisted audit techniques (CAATs).
See OAG Annual Audit 6051 for guidance on testing controls without using CAATs.
See OAG Annual Audit 7591 for guidance on use of CAATs.
Analytical procedures are used throughout the audit process and are conducted for the following primary and secondary purposes:
- Risk assessment—to direct attention to higher risk areas in determining the nature, timing, and extent of audit procedures
- Substantive testing—to obtain audit evidence of accuracy or to identify potential misstatements/errors as a substitute for tests of details
- Overall conclusion—to assist in assessing the propriety of audit conclusions reached and in evaluating the overall opinion/report
- Understanding the business—to deepen our understanding of the entity
- Entity communications—to develop more meaningful entity communications through a deeper understanding of the relevant business and audit issues.
See OAG Annual Audit 5012 for guidance on use of risk assessment analytical procedures.
See OAG Annual Audit 7030 for guidance on use of substantive analytical procedures.
See OAG Annual Audit 9021 for guidance on use of overall conclusion analytical procedures.
Auditors use analysis at various stages of the audit for different purposes. They use preliminary analytical procedures when planning the audit to confirm the planned audit approach or to identify new risk areas that need to be addressed during the audit. At the reporting phase of the audit, auditors use analytical procedures to assess whether the opinion/report taken as a whole is reasonable and consistent with their knowledge of the subject matter and the expected results where applicable.
Inquiry is used throughout the engagement to
- obtain knowledge of the entity;
- develop the preliminary audit approach;
- collect specific evidence; and
- corroborate evidence collected by other means.
A solid understanding of the control environment is important in order to assess the extent to which inquiry will be effective in obtaining reliable evidence. For example, in an environment in which management’s integrity and trustworthiness are high, the auditor may be able to place relatively more reliance on inquiry. A decision regarding the extent to which inquiry will provide sufficient, appropriate evidence is required.
- considering the knowledge, objectivity, experience, responsibility, and qualifications of the individual to be interviewed;
- asking clear and concise questions;
- using open or closed questions appropriately;
- listening actively and effectively;
- maintaining a skeptical mindset; and
- evaluating the interviewee’s responses based on our understanding of the entity and other audit procedures performed, and asking follow-up questions.
Inquiries can often be efficiently combined with other testing procedures such as observation and will frequently be followed up by further audit procedures to obtain sufficient appropriate evidence.
Inquiry is sometimes referred to as in-depth inquiry to emphasize that the technique is expected to be performed with rigour. Do not infer from seeing the word inquiry on its own that it means rigour is unnecessary.
See OAG Annual Audit 9052 for guidance on written representations.
Although inquiry has always been an integral part of audit, it is becoming an increasingly important method of collecting audit evidence due to the increasing use of “soft information” in financial statements. Specifically, soft information is based on estimates, expectations, and assumptions. In addition, more reliance is placed on management controls where little documentation may exist to support the existence of the review being performed and follow-up action taken when results are out of line with management expectations. In such cases, inquiry may be the primary (or only) source of evidence that the controls are in place and working effectively.