Performance Audit Manual

COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.

6010 Evidence-Gathering Methods
May-2024

Overview

In order to plan the audit strategy, the engagement team thinks through how it will gather sufficient appropriate evidence to enable it to conclude against the audit objectives. This work is documented in the audit logic matrix (ALM) and further expanded in audit programs.

CPA Canada Copyright

CSAE 3001 Requirements

26. In order to establish whether the preconditions for a direct engagement are present, the practitioner shall, on the basis of a preliminary knowledge of the engagement circumstances and discussion with the appropriate party(ies), determine whether:

[...]

(b) The engagement exhibits all of the following characteristics:

[...]

(iv) The practitioner expects to be able to obtain the evidence needed to support the practitioner’s conclusion; (Ref: Para. A51-A53)

[...]

55. When designing and performing procedures, the practitioner shall consider the relevance and reliability of the information to be used as evidence. If:

(a) Evidence obtained from one source is inconsistent with that obtained from another; or

(b) The practitioner has doubts about the reliability of information to be used as evidence, the practitioner shall determine what changes or additions to procedures are necessary to resolve the matter, and shall consider the effect of the matter, if any, on other aspects of the engagement.

68. The practitioner shall evaluate the sufficiency and appropriateness of the evidence obtained in the context of the engagement and, if necessary in the circumstances, attempt to obtain further evidence. The practitioner shall consider all relevant evidence, regardless of whether it appears to corroborate or to contradict the measurement or evaluation of the underlying subject matter against the applicable criteria. If the practitioner is unable to obtain necessary further evidence, the practitioner shall consider the implications for the practitioner’s conclusion in paragraph 69. (Ref: Para. A147-A153)

CSAE 3001 Application Material

A51. The quantity or quality of available evidence is affected by:

(a) The characteristics of the underlying subject matter. For example, less objective evidence might be expected when the underlying subject matter deals with matters that are future oriented rather than historical; and

(b) Other circumstances, such as when evidence that could reasonably be expected to exist is not available because of, for example, the timing of the practitioner’s appointment, an entity’s document retention policy, inadequate information systems, or a restriction imposed by the responsible party.

Ordinarily, evidence will be persuasive rather than conclusive.

A110. The practitioner chooses a combination of procedures to obtain reasonable assurance or limited assurance, as appropriate. The procedures listed below may be used, for example, for planning or performing the engagement, depending on the context in which they are applied by the practitioner:

Inspection;
Observation;
Confirmation;
Recalculation;
Reperformance;
Analytical procedures; and
Inquiry.

A114. An assurance engagement is an iterative process, and information may come to the practitioner’s attention that differs significantly from that on which the determination of planned procedures was based. As the practitioner performs planned procedures, the evidence obtained may cause the practitioner to perform additional procedures.

Sufficiency and Appropriateness of Evidence (Ref: Para. 14(j), 68)

A147. Evidence is necessary to support the practitioner’s conclusion and assurance report. It is cumulative in nature and is primarily obtained from procedures performed during the course of the engagement. It may, however, also include information obtained from other sources such as previous engagements (provided the practitioner has determined whether changes have occurred since the previous engagement that may affect its relevance to the current engagement) or a firm's quality policies or procedures for acceptance and continuance of client relationships and assurance engagements. Evidence may come from sources inside and outside the appropriate party(ies). Also, information that may be used as evidence may have been prepared by an expert employed or engaged by the appropriate party(ies). Evidence comprises both information that supports and corroborates aspects of the underlying subject matter, and any information that contradicts aspects of the underlying subject matter. In addition, in some cases, the absence of information (for example, refusal by the appropriate party(ies) to provide a requested representation) is used by the practitioner and, therefore, also constitutes evidence. Most of the practitioner's work in forming the assurance conclusion consists of obtaining and evaluating evidence.

A148. The sufficiency and appropriateness of evidence are interrelated. Sufficiency is the measure of the quantity of evidence. The quantity of evidence needed is affected by the risks of the underlying subject matter containing a significant deviation (the higher the risks, the more evidence is likely to be required) and also by the quality of such evidence (the higher the quality, the less may be required). For certain types of direct engagements such as performance audits, there may also be a higher risk of concluding that there is a significant deviation when that is not the case. The appropriateness of the practitioner’s decision regarding whether a matter identified is a significant deviation is affected by the quantity and quality of evidence obtained.

A149. Appropriateness is the measure of the quality of evidence; that is, its relevance and its reliability in providing support for the practitioner’s conclusion. The reliability of evidence is influenced by its source and by its nature, and is dependent on the individual circumstances under which it is obtained. Generalizations about the reliability of various kinds of evidence can be made; however, such generalizations are subject to important exceptions. Even when evidence is obtained from sources external to the appropriate party(ies), circumstances may exist that could affect its reliability. For example, evidence obtained from an external source may not be reliable if the source is not knowledgeable or objective. While recognizing that exceptions may exist, the following generalizations about the reliability of evidence may be useful:

Evidence is more reliable when it is obtained from sources outside the appropriate party(ies).
Evidence that is generated internally is more reliable when the related controls are effective.
Evidence obtained directly by the practitioner (for example, observation of the application of a control) is more reliable than evidence obtained indirectly or by inference (for example, inquiry about the application of a control).
Evidence is more reliable when it exists in documentary form, whether paper, electronic, or other media (for example, a contemporaneously written record of a meeting is ordinarily more reliable than a subsequent oral representation of what was discussed).

A150. The practitioner ordinarily obtains more assurance from consistent evidence obtained from different sources or of a different nature than from items of evidence considered individually. In addition, obtaining evidence from different sources or of a different nature may indicate that an individual item of evidence is not reliable. For example, corroborating information obtained from a source independent of the appropriate party(ies) may increase the assurance the practitioner obtains from a representation from the appropriate party(ies). Conversely, when evidence obtained from one source is inconsistent with that obtained from another, the practitioner determines what additional procedures are necessary to resolve the inconsistency.

A151. In terms of obtaining sufficient appropriate evidence, it is generally more difficult to obtain assurance about the underlying subject matter covering a period than about underlying subject matter at a point in time. In addition, conclusions provided on processes ordinarily are limited to the period covered by the engagement; the practitioner provides no conclusion about whether the process will continue to function in the specified manner in the future.

A152. Whether sufficient appropriate evidence has been obtained on which to base the practitioner's conclusion is a matter of professional judgment.

A153. In some circumstances, the practitioner may not have obtained the sufficiency or appropriateness of evidence that the practitioner had expected to obtain through the planned procedures. In these circumstances, the practitioner considers that the evidence obtained from the procedures performed is not sufficient and appropriate to be able to form a conclusion on the underlying subject matter. The practitioner may:

Extend the work performed; or
Perform other procedures judged by the practitioner to be necessary in the circumstances.

Where neither of these is practicable in the circumstances, the practitioner will not be able to obtain sufficient appropriate evidence to be able to form a conclusion. This situation may arise even though the practitioner has not become aware of a matter(s) that causes the practitioner to believe the underlying subject matter may have a significant deviation, as addressed in paragraph 54L.

Financial Administration Act Requirements for Special Examinations

FAA 138(5): An examiner shall, to the extent he considers practicable, rely on any internal audit of the corporation being examined conducted pursuant to subsection 131(3).

OAG Policy

Engagement teams shall obtain sufficient and appropriate audit evidence to provide a reasonable basis to support the conclusion(s) expressed in the assurance engagement report. [Nov-2011]

Engagement teams shall design detailed audit programs, setting out the procedures that are appropriate to obtain sufficient appropriate audit evidence through the selected use of

inspection
observation
external confirmation
recalculation
reperformance
analytical procedures
inquiry [Nov-2011]

When using data as input to perform audit procedures or to support audit findings and conclusions, the engagement teams shall evaluate whether the data is reliable for its intended purpose, including obtaining audit evidence about its completeness and accuracy. [May-2024]

Definitions

Per the CPA Canada Handbook—Assurance, the following terms have the meanings attributed below:

Audit evidence—Information used by the practitioner in arriving at the practitioner’s conclusion. Evidence includes both information contained in relevant information systems, and other information.

Appropriateness (of audit evidence)—The measure of the quality of audit evidence; that is, its relevance and its reliability in providing support for the practitioner’s conclusion.

Sufficiency (of audit evidence)—The measure of the quantity of audit evidence. The quantity of the evidence needed is affected by the risks of the underlying subject matter containing a significant deviation (the higher the risks, the more evidence is likely to be required) and also by the quality of such evidence (the higher the quality, the less may be required).

Criteria—The benchmarks used to measure or evaluate the underlying subject matter. The “applicable criteria” are the criteria used for the particular engagement. (Ref: Para. A12, Appendix 2).

Audit procedure—Tasks performed by an auditor designed either to gather audit evidence as a basis for assessing and/or responding to risk or other audit work that is necessary to comply with requirements. The performance of audit procedures collectively enables the auditor to comply with standards, draw conclusions, and support the audit opinion.

Underlying subject matter—The phenomenon that is measured or evaluated by applying criteria.

OAG Guidance

What CSAE 3001 means for evidence-gathering methods

CSAE 3001 requires sufficient appropriate evidence to be obtained in order to support the conclusion of the assurance report. It notes that “sufficiency is the measure of the quantity of evidence” and “appropriateness is the measure of the quality of evidence (relevance and reliability).”

The decision on whether enough evidence has been obtained will be influenced by the risk of the underlying subject matter containing a significant deviation from the applicable criteria used to evaluate it (the higher the risks, the more evidence is likely to be required) and also by the quality of such evidence (the higher the quality, the less amount of evidence may be required). Evidence for an “audit level of assurance” is obtained by different means and from different sources as described below.

Audit evidence

Audit evidence is information used by the practitioner in arriving at a conclusion. Evidence includes both information contained in relevant information systems, if any, and other information (Exhibit 1). Evidence provides grounds for concluding that a particular finding is true by providing persuasive support for a fact or a point in question. Evidence must support the contents of an assurance report, including any descriptive material, all observations leading to recommendations, and the audit conclusions.

Exhibit 1—Sources of audit evidence

It is important that the engagement team obtain evidence from a variety of sources, as different perspectives and conclusions may be presented from multiple sources.

There are 4 types of audit evidence that can be used by engagement teams (Exhibit 2).

Exhibit 2—Types of audit evidence

Type of evidence	Description
Physical evidence	Evidence that is obtained by the auditor’s direct inspection or observation. This is done by seeing, listening, and observing directly by the auditor, including for example work shadowing, observing silently, taking videos or photos, or mystery shopping.
Testimonial evidence	Evidence that is obtained from others through oral or written statements in response to an auditor’s inquiries. Techniques that could be used to gather testimonial evidence include interviews, focus groups, surveys, expert opinions, and external confirmation.
Documentary evidence	Evidence that is obtained from information and data found in documents or databases. Techniques that could be used to gather documentary evidence include entity’s documents, file reviews, databases and spreadsheets, internal audits and evaluations, reports from consultants, studies from other jurisdictions, recalculation, and reperformance.
Analytical evidence	Evidence that is obtained by examination and analysis of plausible relations among and between sets of data. These analyses may include statistical analysis, data analytics, regressions, benchmarking and comparisons, simulation and modelling of quantitative data, and text mining or content analysis of qualitative data.

Obtaining audit evidence

Audit evidence can be obtained directly or indirectly (Exhibit 3).

Exhibit 3—Direct and indirect evidence

Type	Description
Directly obtained evidence	Evidence that is obtained through the team’s direct examination. Some of the procedures used include but are not limited to observation, computation, and inspection; for example, observation that a control has been applied.
Indirectly obtained evidence	Evidence that is obtained through others, such as reports from internal audits, experts, or third parties.

Designing evidence-gathering procedures

Engagement teams can use different audit procedures to gather audit evidence. The following table provides a brief description of each evidence-gathering procedure (Exhibit 4).

Exhibit 4—Evidence-gathering procedures

Procedure	Description
Inspection	Inspection involves examining records or documents, whether internal or external, in paper form, electronic form, or other media, or physically examining an asset.
Observation	Observation consists of looking at a process or procedure being performed by others.
External confirmation	An external confirmation represents audit evidence obtained by the auditor as a direct written response to the auditor from a third party (the confirming party) in paper form or by electronic or other medium.
Recalculation	Recalculation consists of checking the mathematical accuracy of documents or records.
Reperformance	Reperformance involves the auditor’s independent execution of procedures or controls that were originally performed as part of the entity’s internal control.
Analytical procedures	Analytical procedures consist of examining and analyzing plausible relations among and between sets of information or data.
Inquiry	Inquiry consists of seeking information of knowledgeable persons, both financial and non-financial, within the entity or outside the entity.

These evidence-gathering procedures can be used to perform different type of tests as presented in the table below (Exhibit 5).

Exhibit 5—Types of tests

Test type	Description
Control testing	An audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, deviations against the criteria.
Substantive testing	Tests involving the examination of support for individual items that make up the population under review.
Substantive analytics	Evaluations of information through analysis of plausible relationships among data. Analytical procedures also encompass such investigation as is necessary of identified fluctuations or relationships that are inconsistent with other relevant information or that significantly differ from expectations. Analytical procedures may be used at all stages of the audit.

The flow chart below shows the relationships between the evidence-gathering procedures and the different type of tests (Exhibit 6).

Exhibit 6—Relationships between procedures and types of tests

Relationships between procedures and types of tests

The evidence-gathering methods shall be designed and performed in order to respond to the assessed risks of significant deviation from the applicable criteria used to evaluate the subject matter. The ALM (OAG Audit 4044 Developing the Audit Strategy: Audit Logic Matrix) sets out the methods that the team expects to use for evidence gathering and analysis. Engagement teams should describe in the ALM how they will gather audit evidence to assess whether the assessed risk of significant deviation from the applicable criteria has been addressed and the audit criteria have been met, thus allowing them to draw conclusions against the audit objectives. The ALM then guides the development of audit programs, which describe in more detail how the engagement team intends to gather evidence (OAG Audit 4070 Audit Programs). Audit procedures can be incorporated into the ALM or in separate audit programs.

More information on evidence-gathering procedures can be found in the Evidence and Evidence-Gathering Techniques.

Type of audit evidence

As mentioned previously, evidence can be obtained in the form of information contained in relevant information systems or other information (Exhibit 7).

Exhibit 7—Sources of audit evidence

Information contained in relevant information systems

Information contained in relevant information systems may vary widely in form from source data, a digital representation of facts, transactions, or events, to information in system-generated outputs (Exhibit 8). OAG Audit 6020 Assessing the Reliability of Data contains relevant information on this topic and sets out the procedures that engagement teams may use to assess the reliability of source data and system-generated outputs.

Exhibit 8—Types of information

Types of information

Other information

There is a wide range of other information that could be used as evidence by engagement teams. Below are some examples of the most common “other information” used as evidence in direct engagements.

Information obtained from experts or internal audit

The engagement team may rely on the work performed by experts and the internal audit function and assess whether the work performed by them can be used as audit evidence.

CSAE 3001 requires considering many matters before relying on the work performed by a practitioner’s expert, entity’s expert, or the internal audit function. More information on these matters can be found in OAG Audit 4030 Reliance on Internal Audit and OAG Audit 2070 Use of Experts.
Information not contained in relevant information systems provided by entity officials
This is information such as records of minutes, hard copy files, reports, testimony, or other. The engagement teams may find it necessary to test management’s procedures or directly test the information to obtain assurance about the accuracy and completeness of the information received.
Information obtained by an external source
This is information such as published statistics and information from a supplier or contractor.

Determining the extent of the reliability assessment

Engagement teams should consider the elements below when determining the extent of the assessment:

the purpose for which the information is used
the significance of the information as evidence
the risks that the information is not reliable

There is no specific formula or recipe to precisely determine the extent of work to assess the reliability of information. Engagement teams need to consider the elements listed above and conclude based on their professional judgment.

The purpose for which the information is used

The purpose for which the information is to be used will affect the level of effort and the nature of audit evidence required (Exhibit 9).

Exhibit 9—Purpose for using the information in a direct engagement

Engagement teams will need to devote no or less effort when assessing the credibility of information to be used as contextual information or background information as opposed to information used to support audit procedures, audit findings, and conclusions as described in the exhibit above.

Contextual or background information

Background information generally sets the tone for reporting the engagement results or provides information that puts the results in proper context. Information used as contextual or background information in the assurance report is typically not evidence supporting the audit conclusion. While it is not supporting the audit conclusion, it is still important that such information be credible. Credibility of the information refers to whether the source has the competence to generate the information and whether the source can be trusted.

Factors

There are multiple factors that engagement teams may consider when assessing the credibility of contextual or background information, depending on whether the information is obtained from the entity or not.

Factors the practitioner may consider in assessing the credibility of information obtained from the audited entity may include

engagement teams’ knowledge of the operations and business that underlie the functioning of the database or information source
level of knowledge, competency, and skills of those in charge of such information
controls over the credibility of the information
extent of work performed by the entity to ensure that the information is credible
existence of any quality test performed that satisfies engagement teams’ needs

Factors the practitioner may consider in assessing the credibility of information from an external source may include

the nature and authority of the external source; for example, a central bank or government statistics office with a legislative mandate to provide information to the public
whether the entity has the ability to influence the information obtained from the external source
evidence of general market acceptance by users of the relevance and/or reliability of information
the nature and extent of disclaimers or other restrictive language relating to the information obtained

Procedures

When contextual or background information is obtained from the best available external sources, generally recognized as known to be reliable, there is no need to assess its completeness and accuracy. For example, such information may include price indices or inflation rates published by the Bank of Canada.

Simple attribution to the source (to an entity or a third party), although always useful and advisable, could be insufficient in some cases. For example, when the contextual or background information is obtained from the audited entity or is from an unknown or non reliable source, engagement teams need to devote a minimum of effort to assess the credibility of such information. This also applies when the audited entity obtained the information from an external source and modified it.

The table below outlines some procedures that engagement teams may use to assess the credibility of the contextual or background information (Exhibit 10).

Exhibit 10—Procedures for assessing the credibility of contextual or background information

Procedure	Description
Cross-check and compare information	For consistency, cross-check and compare information and findings gathered with the information acquired from other or outside sources.
Ascertain the implicit controls in place for publication of research papers and academic studies	When using third-party research papers or academic studies, ascertain the implicit controls in place for publication of those documents (for example, the disclosure policy for a journal). The reputation of the developer of the information and the extent to which its source has been proven by wide use are important factors to note. When using reports from other departments and agencies, check to see if the OAG has in the past conducted an audit of aspects related to that report, such as report methodology or supporting database controls (for example, Statistics Canada).
Examine consistency	When using several sources of information (databases, studies, papers, and so on), engagement teams could examine the general consistency of their findings and conclusions. Different information sources providing the same observations can be compelling. It is wise once again to examine these general conclusions with the findings from audit field work.

Information used as input to audit procedures, findings, and conclusions

Per Exhibit 9, more persuasive audit evidence is needed when information is used as input to audit procedures or to support audit findings and conclusions. Therefore, engagement teams need to devote considerably more effort when assessing the reliability of information to be used as input to audit procedures or to support audit findings and conclusions.

Factors

The engagement team will conduct its own review and analysis of the reliability of information. The following factors, presented in the table below (Exhibit 11), are some considerations to help engagement teams decide whether evidence collected during the engagement is reliable or not.

Exhibit 11—Considerations in assessing the reliability of information

Documentary evidence like contracts or detailed meeting minutes

Factor	Generally more reliable	Generally less reliable
Information creator	Independent third party	Entity
Internal controls	Effective related internal controls	Ineffective or inexistent related internal controls
Directly versus indirectly obtained evidence	Directly obtained evidence, like the observation of the application of a control or the inspection of documents	Indirectly obtained evidence, like inquiring about the application of a control or gathered by others such as internal audit or experts
Documentary evidence versus testimonial evidence	Documentary evidence like contracts or detailed meeting minutes	Testimonial evidence obtained from interviews
Original documents versus copies	Original documents	Photocopies, facsimiles, scans

Procedures

All the evidence-gathering procedures and types of tests presented in the flow chart below (Exhibit 12) may be used by engagement teams to assess the reliability of the information.

Exhibit 12—Relationships between procedures and types of tests

Relationships between procedures and types of tests

Engagement teams can rarely examine an entire population of items, which necessitates their review of just a selection. For more information on the selection of items to review, please refer to OAG Audit 6040 Selection of Items for Review.

When assessing information contained in relevant information systems (such as data), it is essential to consider the reliability of the systems and processes used to produce the information we want to rely on. OAG Audit 6020 Assessing the Reliability of Data contains relevant information on this topic and sets out the procedures that engagement teams may use to assess the reliability of source data and system-generated outputs.

Evaluation of the sufficiency and appropriateness of the evidence gathered

Direct engagements at the OAG are considered “reasonable assurance engagements,” also referred to as “audit engagements,” where the practitioner needs to reduce the engagement risk (risk of expressing an inappropriate conclusion) to an acceptably low level.

The decision on whether sufficient appropriate evidence has been obtained will be influenced by the risks of the subject matter containing a significant deviation from the applicable criteria. The higher the risks of significant deviation from the applicable criteria, the higher the quality and quantity of evidence is required. The decision will also be affected by the quality of evidence obtained. The higher the quality of evidence is obtained, the lower the quantity may be.

For more information on the sufficiency and appropriateness of audit evidence, refer to OAG Audit 1051 Sufficient appropriate audit evidence and OAG Audit 7021 Evaluate the Sufficiency and Appropriateness of Audit Evidence.

Audit Guidance

Evidence and Evidence-Gathering Techniques

Breadcrumb

Performance Audit Manual

6010 Evidence-Gathering Methods
May-2024

Overview

CSAE 3001 Requirements

CSAE 3001 Application Material

Financial Administration Act Requirements for Special Examinations

OAG Policy

Definitions

OAG Guidance

What CSAE 3001 means for evidence-gathering methods

Audit evidence

Designing evidence-gathering procedures

Type of audit evidence

Determining the extent of the reliability assessment

Evaluation of the sufficiency and appropriateness of the evidence gathered

Audit Guidance

Primary navigation (left column)

Institutional links

Direct Engagement Manual

Footer

Breadcrumb

Performance Audit Manual

6010 Evidence-Gathering Methods May-2024

Overview

CSAE 3001 Requirements

CSAE 3001 Application Material

Financial Administration Act Requirements for Special Examinations

OAG Policy

Definitions

OAG Guidance

What CSAE 3001 means for evidence-gathering methods

Audit evidence

Designing evidence-gathering procedures

Type of audit evidence

Determining the extent of the reliability assessment

Evaluation of the sufficiency and appropriateness of the evidence gathered

Related Sections

Audit Guidance

Primary navigation (left column)

Footer

6010 Evidence-Gathering Methods
May-2024