Audit Evidence – like you’ve never seen it before

Audit Evidence – like you’ve never seen it before

Watch as Roger Philipp, CPA, CGMA, creates the mental framework to help you truly understand Audit Evidence and how to ensure these findings are sufficient and appropriate for the auditor's conclusions.

Tune in to learn:

  • Where obtaining evidence fits into the overall flow of the audit
  • The 4 levels of Audit Evidence
  • Different types of substantive testing
  • Helpful mnemonics for organizing and understanding information about Audit Evidence

Roger Philipp, CPA, CGMA presents:

Welcome, welcome to the next section called Audit Evidence, Audit Evidence. Now, this is an important area because as we look at the audit, and at least here the steps in the audit process, let's come on over here.

We've talked about preparing for the audit, so that's getting ready, we talked about that in the first section. We're getting ready for the audit, we have to decide, are we gonna take the job? Do they have integrity? Am I properly trained? Am I proficient? Am I independent, clear mental attitude? Can I act with skill? Can I act with due diligence? Am I, as I said, independent?

Then we said, okay, let's go up to obtaining and understanding. This was internal control, obtaining and understanding in internal control, assessing RMM, performing T of C, that was very heavily tested, that talks about understanding internal control, so we need to understand the design, document it, assess Control Risk, reassess, do your T of C, reassess, and then draw conclusions, document it.

We talked about internal control reports, different types, if it was in conjunction with the financial statement audit where you not give an opinion, versus statements on stance for attestation engagements where you're giving an opinion, versus PCOB audit where you're giving an opinion on both the internal control and the financial statements.

So we've gone through all that, we decided, "Hey, if reliance is high, great, I'll do less Substantive Testing, relia--" And we've been talking about that since day one, remember day one when you still cared about this exam? Are you excited about being a CPA?

We said, "Hey, if reliance is high that means Control Risk is low, or RMM is low, that means we're willing to let our acceptable level of Detection Risk go up, that means we'll do less Substantive Testing. Vice versa, if reliance is low Control Risk is high, Detection Risk's low, that means we're gonna do more Substantive."

Well, since day one we've been saying, reliance inverse relationship, if this goes up this goes down, if this goes down this goes up. So we've talked about reliance, that your T of C, that your ARCC and your RIIO, what are we testing for? Authorization, recording, custody, comparison.

The person that does this should not do this, should not do this, should not do this. The person that authorizes should not record, should not have custody of the assets, should not do the check or the comparison, the bank reconciliation.

And how do we do that? Noah built an ark and he sail to where? Rio de Janeiro! Woohoo! For carnival, which ends in February, by the way. So once you pass the exam, hey! Go to carnival! Re-performance, Inquiry, Inspection, Observation, those are your Tests of Controls, not to be confused with your Risk Assessment procedures which was kind of similar but it was AIIO, Analytical procedures, Inquiry, Inspection, Observation.

So it was kind of similar, those are Risk Assessment procedures and these are your actual Test of Control. So that's how you're tying it together to do your T of C, what are we trying to do? We're trying to understand internal control, can we or can we not?

Well, since day one we've been saying "less Substantive, more Substan--", what is Substantive Testing? That is what we're doing to substantiate or corroborate the numbers in the statements. Whose statements are these? Management's.

So we're trying to corroborate, 'cause at the end of the day we're trying to give an opinion. "In my opinion the statements referred to above presents fairly, in all material respects, the financial of this position of X Co. as of 12th April 1800, and the results of its operations in conformity with the applicable financial reporting framework or GAAP." So that's what we're looking at.

So, as we continue on, now we're here performing our substantive procedures, then formulated opinion, and draft the report. So this is what we're ta-- So keep in your mind where we are in the scope of things, where are we in the course of the audit, we've gone all the way over to here doing our Substantive Testing.

Now, what does that mean? Quick overview, it means that we're picking up these statements-- Whose statements are these? Management's. In the statements they are making certain assertions in the form of these financial statements, what are the assertions they're making? And we're gonna see that, a good way to remember it is this mnemonic or memory aid U-PERCV.

Management is asserting that everything is understandable and properly classified, your job is to obtain enough good evidence, sufficient, appropriate, corroborative Audit Evidence to substantiate that. Management is asserting, and basically this is one of the broad categories but presentation disclosure, everything's properly presented, adequately disclosed. Existence and occurrence, all the assets exist, all the transactions that created the asset actually occurred.

So if we have accounts receivable, they exist, and the sale that created the receivable actually occur. Rights and obligations, rights ownership, who has the pink slip to the car? Who has title to the asset? Who has the deed? Rights, insurance? Completeness and cutoff means everything is in there for the whole periodicity, cutoff testing.

And again, you're thinking about it again, don't assume the client is honest, if the committee wants to make themselves look better they wanna overstate assets, overstate revenues, they wanna make all their assets look current, they wanna understate liabilities, understate expenses, they want all their liabilities to look not current, see?

So that's what we're looking in cutoff testing because they may pull in January's revenues to today, and December's expenses push them off to tomorrow, that's where periodicity or cutoff completeness. They're asserting everything is complete, your job to obtain enough evidence.

Valuation, allocation, accuracy, that means, for example, everything is proper amount, lower cost to market, net realizable value. So that kind of relates to your financial accounting knowledge which I know is vast knowledge, but that's what we're looking at as far as these are the assertions. So these are the assertions management makes, your objective is, you'll find out, will be to corroborate these assertions, the way you're gonna do it is by doing your Substantive Test.

Now, I've been saying substantive, substantive, substantive, since day one, everyone was, "what's a Substantive Test?" Here they are! These are your Substantive Tests or your audit procedures, these are the actual tests you're gonna do to corroborate or substantiate the assertions that management is making. Hello? It's my mom. I love you too.

So, what are the audit procedures? ICORRIIA. What is ICORRIIA mean? We're gonna Ask Questions, we're gonna Confirm, Observe, Recalculate, Re-perform, Inspection of assets, Iinspection or examination of documents, records and documents, and then Analytical procedures, which we mentioned in planning.

We'll expand on today, we'll go through a whole bunch of formula and ratios, but I'm giving you a quick overview. So, what we're doing today? We're picking up these statements-- Whose statements are these? Management's. Management is asserting these things here, our objective is to substantiate or corroborate those, how are we going to do it?

By doing these audit procedures called Substantive Testing. So when we say reliance is low, more Substantive Testing, when we say reliance is high, less Substantive Testing, that's what we're looking at as far as the different types of tests we're gonna perform.

So again, just so you kind of understand where we are, and again in looking in the steps of the audit, we are now here, that means in the future we'll go ahead and actually draft the report, draw an opinion, formulate an opinion, issue the audit report, we'll study the report, learn the report, learn the report modifications... It just gets better and better with every hour, yeah, loving it.

Alright, let's look in our notes. "Audit Evidence." AU-C 500 requires an auditor "to design and perform audit procedures that are appropriate in the circumstances for the purpose of obtaining sufficient appropriate Audit Evidence".

So when we go through and talk about it we're saying sufficient appropriate Audit Evidence, enough good evidence. We're gonna have to break down those terms, sufficiency, appropriateness and Audit Evidence, because it seems like, again, all like, "Oh, it's just a word, sufficient appropriate Audit Evidence," but that's what we need.

One more time, "Requires the auditor to design and perform different procedures," audit procedures, that's your ICORRIIA, "that are appropriate in the circumstances for the purpose of obtaining sufficient appropriate Audit Evidence." So that's what we're looking at.

It says, "That's discussed in internal controls, based on the understanding the auditor will determine the nature," what? Timing, when, extent. What, when, how much. Nature is what, timing is when, extent how much.

"…of the Substantive Test necessary to gather enough appropriate evidence. Sufficiency relates to the extent of testing, appropriateness to the nature, timing is a matter of recognizing the test, at year-end are stronger, then test supplied in the interim date." Because we'll be looking at, "Gee! Should I do it at December 31st or can I do it in October and do a roll forward to the end of the year?" So that's what we're looking at as far as Audit Evidence.

So as we go through this there's gonna be some really important terms that we're gonna have to look at, and it kind of reminds me back in internal control when we talked about understanding, and we said, "Hmm, what do you mean by understand internal control?" And it's not like a relationship where you go, "Honey, you don't understand me". No, it's like, these are six steps to understanding.

Same thing here, we talked about Audit Evidence but we get very specific as to what the Audit Evidence is. So, what does it say we need? We need sufficient appropriate Audit Evidence. We are gonna perform different procedures to obtain enough good evidence. Why do we care? Because it gives us a basis for expressing an opinion on these numbers. So that tells us we need what? We need Audit Evidence, that's what it says, we need Audit Evidence.

But when we say we need Audit Evidence there are two qualities that make it good, we need sufficiency, we need appropriateness. So we need sufficient appropriate and sufficiency. So sufficiency and appropriateness.

Now, as far as appropriateness, appropriateness basically says, and it says in your notes, "It relates to the measure of the quality of the auditor's evidence including relevance and reliability in providing support for the conclusions on which the auditor's opinion is based."

So again, "Measure of the quality of the auditor's evidence including relevance and reliability." So what it tells us is, as far as sufficiency, that's the quantity, appropriateness is the quality, we need enough good Audit Evidence. Again, sufficient appropriate Audit Evidence, sufficiency is the quantity, how much do I need? Appropriateness is the quality, how good is it?

Now, in order to look at how good it is there are two elements that make it appropriate, relevance and reliability. So we need relevant and reliable information, relevance and reliability. Let's go back to sufficiency for just a moment. It says, "Sufficiency relates to the quantity of corroborative evidence obtained, the amount is based on the auditor's judgment."

So when we talk about the quantity is how much we need. Now, when we talk about how much we need it talks about sufficiency, sufficiency deals with things like, it says here, "Must rely on evidence that is persuasive rather than conclusive due to the limitations of an audit."

So when we talk about how much we need it depends on a couple of things, it depends on Internal Control Reliance, it also depends on the cost-benefit. So, Internal Control Reliance, as we've said since day one, if reliance is high we need less Audit Evidence, if reliance is low we need more. So it depends on Internal Control Reliance, again there's that inversed relationship between reliance and how much Substantive Testing we have to do.

It also depends on cost-benefit, you wanna make sure the cost does not outweigh the benefit. We talked about that with internal control. 

When you're looking at internal control there may be times where you go, "Dude, there's so few transactions, to test the internal controls over these will cost me more than the benefit, let's just do more Substantive Testing in that area and less internal control testing in that area." So cost-benefit is pervasive, it kind of flows through a bunch of areas.

Now, it says there, "Must rely on evidence that is persuasive rather than conclusive," what does that mean? Remember we need what we call Reasonable Assurance. Now, with Reasonable that means we don't need information that convinces us, we don't need absolute assurance, what we're looking for, everybody? Reasonable. Based on what? Cost-benefit. So that means we need information not that-- We don't need to convince, we don't need absolute, we need it to persuade us.

So this was asked before. You'll see here it says, "Must rely on evidence that is persuasive rather than convincing.” So the question is, how much evidence? "Relates to the amount of evidence that is obtained, the other will have to consider both the cost and benefit. The quantity of evidence requires us to affect both the Risk of Material Misstatement and the quality of the evidence."

As you drop down then you see appropriateness. Now, with the appropriateness that deals with not the quantity but the quality.

Now, in looking at this we need information that is relevant and reliable, relevant and reliable. Relevance means it's relevant, it pertains to the assertion that it supports. When we talk about the assertions, that would be U-PERCV, and you'll see a couple of different memory aids today, you'll see U-PERCV, or RACED or ROKU or...

And so on and so forth, but basically they all build out of this. So I like to use this 'cause it's more general, it covers all of these, but you'll see how we're gonna weave through 'em in just a minute.

But going through that, what does relevance relate to? It says that it relates to the assertions, these are the assertions we'll cover in detail, understandability, existence, rights, completeness, valuation and so on. Those are the assertions, so relevance pertains to the assertion.

As far as reliability, reliability of all the evidence is based on the source, and when we talk about it, we need information that is persuasive, okay? So we're looking at the persuasiveness of evidence, and the persuasiveness depends on the different sources.

And as far as the sources we have four different sources that we're gonna look at. We're gonna look at auditor-developed, we're gonna talk about outside, we're gonna talk about outside/inside, and we're gonna talk about inside or client-developed.

And what does this mean? It says that the sources, where is it coming from? Now, this is the highest source, right? In other words, the best source is more persuasive, more co-- We don't need information that's convincing but it should persuade us.

So auditor-developed, this is information obtained directly by the auditor, so the auditor goes out, he's doing an inventory observation, "One chair, two chairs, three chairs, four, five chairs, six chairs, seven chairs, more..." Right?

Assuming the auditor is competent and he can count, "One, two, three," therefore that's auditor-developed, that's a good source. That is very reliable, assuming it's relevant, it's very appropriate and it's good quality, we may not need as much for it to be good Audit Evidence. Uh! What does it say we need? Sufficient appropriate Audit Evidence, this tells us the quality, the appropriateness, the quality, where is it coming from? Auditor-developed.

The next one is called outside, outside is something created outside, so in other words you get it from directly outside, the client didn't get their grubby little fingers on it, like a conformation, bank conformation, inventory conformation, receivable, payable conformation.

So that is something that we prepare, client authorizes, signs it, we send it outside of the company, they respond directly to us, that means, again, the clien-- Because we don't want the client to get their grubby fingers on it, otherwise they could just adjust it, they could alter it. So that's called outside. That's good, it's not as good as something we do but it's still pretty good.

Then you've got outside/inside, that is something prepared outside of the company, but who do you get it from? The client. So in other words I go, "Hey, I need some information from you, how about for example bank statement?"

So the bank statement's prepared by the bank but you get it from the client, what is a potential problem? "Hey, Bob, how much do we have in account number 12?" "Hmm, there you go." They could just recreate it themselves, so it's still good, it's not as persuasive as this, not as persuasive as this.

Then you've got client-developed or inside, that is something completely generated within the client, for example a client's sales invoice. So when you're doing your audit, your detail testing, you go out there and you say to the client, "Hey, I need invoice 2106", and they go, "2106, 2106, 2106, 2106, here it is, I found it for you." So you don't know if it's the original or if they just created it.

So, are these all valid forms of evidence? Yes, they're all valid, they're all reliable, they're all valid forms of evidence. So we can call reliability or validity, right? They're all valid. The question is, what's the most persuasive? The higher up the list you go, the better, the more persuasive.

Again, does it have to be convincing? No. It has to be what? Persuasive rather than convincing, that's the persuasiveness. So, a good way to remember this as you're doing your audit, if it's all number one, hey, then you're done. If it's all number four, hey, you need more. Loser, thank you, that's why I was single, for so long in my life.

Anyway, so that's what's going on as far as different sources, where the information is coming from. So again, you'll see that in your notes as far as the information and the persuasiveness. It also says, "Concerned with accuracy and completeness when using information provided by the client," 'cause we wanna feel that the information is accurate and it's complete.

So, what is this saying here? What is AU-C 500 saying? It basically says we need sufficient appropriate Audit Evidence from different audit procedures in order to corroborate or substantiate management's assertions.

In order to do so, let's look back, we need sufficient appropriate Audit Evidence. Now, we talked about sufficiency, we talked about appropriateness, now let's talk about Audit Evidence. What is the Audit Evidence?

So when we talk about Audit Evidence, basically Audit Evidence comes in a couple of different forms, we have accounting records and we have other information, and this is other information to corroborate or substantiate the information. So, let's say other info.

Now, as far as the Audit Evidence, accounting records, it says here, "Audit Evidence. AU-C 500 defines Audit Evidence as all the information used by the auditor in arriving at the conclusions on which the auditor opinion is based, including the information contained in the accounting records, underline the financial statements, and other information."

So let's get more specific, so when I say I need sufficient appropriate Audit Evidence, I need enough good Audit Evidence, I'm saying enough good what? Audit Evidence. What is Audit Evidence? Accounting records, other information. What are examples of accounting records?

It says, and this is stuff you generally get from the client, "Checks, invoices, contracts, general and subsidiary ledgers, journal entries and other adjustments, worksheets, spreadsheets, and other records that support the cost allocations, computations, reconciliations, disclosures..." That is all the stuff that we're getting from the client, that is what we mean by accounting records.

Then it says, "Other information," that is the information we get to corroborate or substantiate it, so let's do this for example. These are the client's-- Whose statements are these? Management. These are client's books and records.

So when we say I need to give an opinion on these numbers, what do we mean by Audit Evidence? I need enough good Audit Evidence. What is Audit Evidence? Is this stuff right here, that's the Audit Evidence, and everything I obtain, the other information I obtain to corroborate or substantiate these numbers.

What is the other information? Board of Director's minutes, conformations-- Now, who do you get a conformation from? Someone outside the company. Comparable data about competitors, called benchmarking, information obtained by the auditor from audit procedures such as inquiry, observations, inspection of documents, that's what we mean by other information.

So, we need enough good evidence, again sufficiency, appropriateness, quantity, quality, Audit Evidence. What's Audit Evidence? The accounting records and these. Very important point, you'll see this, "Underlining accounting data alone is not sufficient appropriate Audit Evidence upon which to base the auditor's opinion."

Huh? When I look at their information this alone is not enough upon which to base my opinion, I need the accounting information and everything else, the other information, to corroborate or substantiate the assertions they are making.

So, you'll see that in the questions, is the accounting data alone sufficient enough? No, because the accounting data is generally from the client, you need that and other stuff to corroborate or substantiate what it is management is actually saying.

It says, "The auditor uses judgment to evaluate both the sufficiency and the appropriateness of Audit Evidence. The auditor should consider the significance and likelihood of potential misstatements, the effectiveness of management's responses and controls. Experience gained during previous audits," so if it's a continuing client or a re-audit, "results of audit procedures performed, source reliability and persuasiveness of Audit Evidence, and understanding the entity in its environment."

Alright, so again, that deals with the sources. Now, a couple of things on sources, Audit Evidence obtained directly by the auditor is more reliable than Audit Evidence obtained indirectly, so again, direct is more reliable than indirect.

So when we go through this, that's kind of a list again, auditor-developed, outside, outside/inside, inside. It says, "The reliability of evidence is increased when it is obtained from independent sources, outside, next comes outside/inside, and then internally."

It says, "Audit Evidence in documentary form, whether paper or electronic or other media, is more reliable than oral," so written is more reliable than oral, for example. "Audit Evidence obtained by original documents is more reliable than photos, faxes, documents that have been filmed, digitized or other.”

And of course that makes sense. I mean, if you can see the original, like, you know, my employees, right? I'm professional skepticism, "everyone's out to get me," so what do I need? If you do an expense report I need the original documentation, right? Not a copy 'cause you could just use that copy every couple of weeks, "Hey, Rog, here's this, here's this, here's another hotel, here's another hotel," I'm like, "Dude, what are you doing? Sleeping in hotels? Can't do that." So that's why we need original information.

So to start out, what are we saying here? We need sufficient appropriate Audit Evidence. Why do we need, what is the Audit Evidence? The Audit Evidence is, boom, this stuff, the accounting records and other information, here is where it comes from.

Why do I need that? I need that in order to corroborate these assertions. Why? Because my objective is to corroborate those that are material. How do I do it? By doing Substantive Test or audit procedures, these are the test I'm going to do in order to substantiate or corroborate the assertions that management is making. So that's kind of the big picture of where we're about to go.