COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
Sufficient appropriate audit evidence must be obtained to provide a reasonable basis to support the conclusion(s) expressed in an assurance engagement report.
This section explains
The concepts of sufficient (quantity) and appropriate (quality) in relation to evidence are interrelated.
Auditors use professional judgment and exercise professional skepticism to determine the quantity and quality of audit evidence (OAG Audit 1041 and OAG Audit 1042), and thus its sufficiency and appropriateness to support the assurance engagement opinion/conclusion and/or report. Ordinarily, auditors find it necessary to rely on audit evidence that is persuasive rather than conclusive. In gathering and evaluating audit evidence, auditors cannot be satisfied with audit evidence that is less than persuasive. The quantity of evidence is sufficient if, when taken as a whole, its weight is adequate to provide persuasive support for the contents of the assurance engagement report. For evidence to be appropriate, the information must be relevant, reliable, and valid. In exercising professional judgment, auditors should ask themselves whether the collective weight of the evidence that exists would be enough to persuade a reasonable person that the observations and conclusions are valid, and that the recommendations are appropriate.
Important factors to consider in making these judgments include
the quality of the evidence (its relevance, reliability, and validity);
the level of materiality (in dollar terms) or the significance of the observation or conclusion (in general, the higher the level of significance or materiality, the higher the standard that evidence will have to meet);
whether an audit level of assurance or reasonable assurance (high) or a review level of assurance or limited assurance (moderate) is required (for example, a higher level of assurance is required for evidence to support observations than is required to support contextual information included in the report);
the risk involved in making an incorrect observation or reaching an invalid conclusion (for example, if any risk of legal action against the auditee results from reporting an observation, the standard of evidence demanded will be high); and
the cost of obtaining additional evidence relative to likely benefits in terms of supporting observations and conclusions (as in most things, diminishing returns apply in gathering audit evidence—at some point, incurring the cost of obtaining more evidence will not be justified by changes in the persuasiveness of the total body of evidence).
We use one or more types of audit procedures to obtain audit evidence. When selecting audit procedures, it is reasonable to take into account the relationship between the cost of obtaining the audit evidence and the usefulness of the information obtained. Consequently, in forming the assurance engagement opinion/conclusion and/or report, auditors are generally not required to examine all the information available because they can ordinarily reach conclusions using sampling and other means of selecting items for testing.
The following rules of thumb have proven helpful in judging the appropriateness of evidence:
Documentary evidence is usually better than testimonial evidence.
Audit evidence is more reliable when the auditor obtains consistent evidence from different sources or of a different nature (e.g., testimonial evidence that is corroborated by other sources is better than testimonial evidence alone).
Receiving and reviewing an original document is better than receiving a photocopy.
Evidence from credible third parties may be better than evidence generated within the audited organization.
The quality of information generated by the audited organization is directly related to the strength of the organization's internal controls (the auditors should have a good understanding of internal controls as they relate to the objectives of the audit).
Evidence generated through the auditor's direct observation, inspection, and computation is usually better than evidence obtained indirectly.
The Office balances different types of audit evidence to perform an audit that is both effective and efficient.
If sufficient appropriate audit evidence has not been obtained, follow the guidance in OAG Annual Audit 1022 on determining the need for additional audit procedures, and consider the impact on the opinion based on the overall objectives of the auditor as set out in OAG Annual Audit 1011.
Records from a single source often do not provide sufficient audit evidence on which to base an audit opinion, so auditors obtain additional audit evidence. For example, accounting records are verified by performing audit procedures to test their attributes through, for example, analysis and review, re-performance, and reconciliation. Through the performance of such audit procedures, the auditor may determine that the accounting records are internally consistent and agree with the financial statements.
More assurance is ordinarily obtained from consistent audit evidence obtained from different sources or of a different nature than from items of audit evidence considered individually. For example, corroborating information obtained from a source independent of the entity may increase the assurance the auditor obtains from audit evidence that is generated internally, such as evidence existing within records, minutes of meetings, or a management representation.
Information that auditors may use as audit evidence includes
Relevance refers to the extent to which the information bears a clear and logical relationship to the audit criteria and objectives.
Relevance also refers to the relationship of evidence to its use. The information used to prove or disprove an issue is relevant if it has a logical, sensible relationship to that issue. Information that does not is irrelevant and, therefore, should not be included as evidence.
Reliability concerns whether there is a likelihood of coming up with the same answers when either the audit test is repeated or information is obtained from different sources. This means that a measurement or evidence-gathering process is more reliable when repeated measures or performances of the process produce the same result or a consistent result that is minimally affected by measurement errors (or a random distribution of measurement errors).
When using entity-produced information, an evaluation should be undertaken to ascertain whether the information is sufficiently reliable for the auditor’s purpose, including, as required by the circumstances, obtaining audit evidence concerning the accuracy and completeness of the information and evaluating the sufficiency of the precision and detail of the information for the auditor's purpose. If the reliability of information is in doubt, the audit team modifies the audit procedures as necessary to resolve the issues.
An engagement rarely involves the authentication of documentation, nor are auditors trained or expected to be experts in such authentication. However, the reliability of information to be used as audit evidence is considered. This is of particular relevance where original documentation may not be readily available and engagement teams may be provided only with scanned or digitized copies, for example, when entities use a shared service centre. In such circumstances, engagement teams need to assess the adequacy and reliability of such documents as appropriate audit evidence.
While recognizing that exceptions may exist, the reliability of audit evidence often increases when it is obtained from independent sources outside the entity. Corroborating information obtained from a source independent of the entity may increase the assurance the auditor obtains from audit evidence generated internally, such as evidence existing within the entity's records, minutes of meetings, or a management representation.
Regarding communications from third parties, the more important the evidential nature of the communication, the more important it is to have a signed original. For example, for annual audits, a confirmation from a lender with respect to a significant loan transaction is more reliable when we receive it in original form or in electronic form through Capital Confirmation Inc. Confirmation.com (CCI) (see guidance in OAG Annual Audit 7054).
Other audit evidence, such as certain management representations and other important evidence of a similar nature, is not acceptable in other than original form.
We need to apply professional skepticism throughout the entire audit process, and our skepticism needs to extend to the reliability of information and audit evidence obtained. This includes, but is not limited to, considering and, where relevant, obtaining further evidence as to reliability. The nature and extent of additional audit procedures necessary is a matter of professional judgment and depends on the engagement circumstances.
Some examples of procedures designed to obtain evidence about the reliability of information and/or audit evidence include the following:
Comparing scanned documents back to originals on an accept-reject basis;
Performing completeness and accuracy tests (substantive and/or controls testing) on system-generated information (see the guidance and decision tree in OAG Audit 4028.4);
Performing procedures, such as real-time observation or comparing information to other independent sources, to check the authenticity of information downloaded by clients from third-party systems (for online banking information, see the guidance in OAG Audit 7054);
Verifying that information received by e-mail or fax was sent by the intended source by communicating directly with the sender to validate the source and details of the information sent (see the guidance in OAG Audit 7052);
Independently confirming information with third parties.