Audit evidence is evidence obtained by auditors during a financial audit and recorded in the audit working papers.
Audit evidence is required by auditors to determine if a company has correct information considering their financial statements. If the information is correct, a CPA (Certified Public Accountant) can confirm the company's financial statements. Audit evidence is the primary support for an auditor's opinion on if there is a reasonable assurance that the company's financial statements are not materially misstated due to fraud or error. [1] Audit evidence consists of various audit procedures and can often have a different role in the different stages of an audit. Audit evidence must be sufficient and appropriate, which means it is reliable and relevant. [2] The auditor must use their own professional judgement when determining if the audit evidence is persuasive and sufficient. [2]
Audit evidence has undergone significant change with the emergence of Artificial Intelligence, Big Data, and audit data analytics. As the field of accounting is transforming, technologies such as AI (artificial intelligence) are playing a role in audit evidence. AI is enhancing the collection of audit evidence due to the large quantities of data that can be processed with very little error. [3] Audit evidence collection is also being improved through audit data analytics, which also provide the auditor the ability to view the entire population of data, rather than just a sample. [4] Viewing greater amounts of data leads to a more efficient audit and a greater understanding of the audit evidence.
Along with audit data analytics, big data has allowed auditors to use more sources for audit evidence and helps increase the quality and efficiency of audits. Alternatively, the quality of the data in these new sources can not always be seen as reliable, which can be a drawback to big data’s contributions.
The Public Company Accounting Oversight Board (PCAOB) describes the procedures used to get audit evidence. This includes inspection, observation, inquiry, confirmation, recalculation, reperformance, and analytical procedures. [5]
Audit evidence plays a role in each phase of the audit. In the acceptance and continuance phase, audit evidence is the information the auditor considers before making their decision. Some examples of this are the competency and capability of the audit team, integrity of key employees in the client company, if relevant ethical requirements are able to be met, and any other implications that will affect the completion of the audit. [7] In the audit planning stage, audit evidence is the information that the auditor considers when determining the most effective and efficient approach for the audit. [8] For example, reliability of internal control procedures, and analytical review systems. In the control testing stage, audit evidence is used by the auditor to consider the mix of audit test of controls and audit substantive tests. [9] In the substantive testing stage, audit evidence is defined as the information that the auditor needs to support the appropriation of financial statement assertions. [10] Finally in the conclusion and opinion formulation stage, audit evidence is the information considered by the auditor before determining whether the financial statements as a whole present with completeness, validity, accuracy, and consistency with the auditor's understanding of the entity. [11]
There are a couple aspects of evidence that make various audit evidence good quality. This consists of sufficiency and appropriateness. Audit evidence is sufficient when there is an acceptable amount of evidence found. This changes based on the risk of material misstatement and the quality of evidence that was found. The higher the risk that the financial statements are materially misstated, the more evidence an auditor should collect. The better a specific piece of evidence is, the less an auditor needs to find additional evidence. [5]
For audit evidence to be appropriate, it needs to be relevant and reliable. It is relevant when it is heavily related to the assertion or control that is being tested. The audit’s design can change the level of relevancy. This includes whether they are testing the identified assertion or control or they are testing materiality of statement differences. Next, reliability is decided based on where the evidence came from and what happened to obtain it. Evidence obtained externally from an expert or professional that is unrelated to the client has a high level of reliability compared to evidence from within the client’s company. The reliability of internal evidence can be improved by ensuring that the company’s internal controls are functioning properly. Another very reliable form of evidence is direct knowledge, which means the auditor learned this information directly. [5]
The collection of audit evidence has transformed with the use of artificial intelligence (AI). This new technology allows auditors to examine large quantities of evidence efficiently, allowing auditor's to quickly determine the validity of the audit evidence they are examining. [3] Due to the fact that large quantities of data can be collected and condensed, auditors can use the information from AI to make more efficient decisions throughout the audit. Additionally, AI can be programmed to find certain things such as material misstatements, and can identify these mistakes in less time than humans. [3] Technology is capable of reformatting different pieces of audit evidence so that it is comparable with other evidence that has been found, improving the auditor's efficiency. [12] AI that is properly functioning and maintained can also reduce substantive testing of audit evidence, which will reduce the time of the audit. [12]
While AI can make the auditing process easier, there are concerns that AI will dismiss audit evidence that humans would not have overlooked due to immateriality. [3] Currently, many auditors that use AI are utilizing its abilities to analyze evidence efficiently, but are still depending on human judgment and professional skepticism. [3] The technology of AI is still relatively new, meaning that a lot of training still needs to be done before auditors worldwide can use this application. [3]
Audit technology has allowed auditors to acquire audit evidence from multiple sources, both financial and non-financial. [2] Technology that works with big data can work alongside audit evidence to increase the quality and efficiency of an audit. Big data uses pattern recognition, natural-language processing, and data mining to elevate audit data analytics, [2] which is briefly discussed in the paragraph below. Additionally, big data is characterized by its size, velocity, veracity, and variety. [2] These characteristics allow big data to contribute to the sufficiency and relevancy of audit evidence. Big data is an external source obtained directly by the auditor, and therefore, can increase reliability of the audit evidence. [2] Since it is real-time data from external sources and is so large, it is more difficult for an individual to tamper with, increasing the reliability. [2] If an auditor is having difficulties retrieving clients' information, using big data can serve as an alternative way to obtain relevant information for the audit or can be used in conjunction with existing evidence as a supplement. [2]
On the other hand, big data could have some drawbacks. There are some concerns regarding the data quality you get with big data due to the possibility of increased false positives, which would decrease reliability. [2] Additionally, big data evidence can be an indicator of association, but can be misinterpreted as causation, which could lead to inaccurate conclusions. [2] As for challenges auditors would face, one would be linking the big data with the relevant, traditional audit evidence in order to complement it. [2] Another challenge would involve efficiently and accurately sorting and summarizing the large volume of data, which can be achieved through the use of data mining if done successfully. [2] Some sources of big data may come from outlets such as news articles or social media, which could be influenced by biases and make the evidence inappropriate to use as representative of the population. [2]
Rather than replacing or eliminating traditional audit techniques completely, audit data analytics can be used alongside the traditional methods to optimize the sufficiency and relevance of audit evidence. [13] Audit data analytics allows auditors to look at an entire population rather than just a sample, which can help the audit by providing more assurance to the auditor and provide higher quality audit evidence. [4] This complete testing can make the evidence more accurate. Audit data analytics can also provide the auditor with a greater understanding of the evidence, leading to more informed decisions. [14] The audit data analytics process may take some years to become fully functioning. In the first year, the company must find the appropriate data set, and the auditor must perform data wrangling on that data set in order for analytics procedures to be carried out. [4] In this case, data wrangling refers to when an auditor reconciles and formats a data set. [4] This process performed in the first year will require extra time added to the traditional audit, so it may initially take longer than sampling. [13]
Additionally, audit data analytics can assist with an auditor's risk assessment; the auditor can identify the company's trends and compare them to the industry norms using this technology. [13] If the auditor finds an unusual difference or discrepancy, they can investigate it further. [13] More specifically, the planning stage can be improved by the auditors using the technology to enhance their understanding of the company and its industry. [13] Data analytics can also provide a thorough, detailed analysis of a company's general ledger or sub ledgers, which can provide more evidence to the auditor. [13]
In relation to specific kinds of audit evidence, there are a couple examples where audit data analytics can alter the methods of collection. Traditionally, bank confirmations, analytical procedures, and journal entry testing would most likely be carried out at the client site by the audit team itself. [13] With the use of this technology, these kinds of procedures could be handed off to other groups to be completed remotely (specialists, third parties) rather than having to personally travel to the sites. [13]
With the emergence and growing popularity of audit data analytics, the accounting profession is tasked with evolving its auditing standards to encompass the usage of data analytics technology, big data, and “continuous auditing.” [13]
Accounting, also known as accountancy, is the processing of information about economic entities, such as businesses and corporations. Accounting measures the results of an organization's economic activities and conveys this information to a variety of stakeholders, including investors, creditors, management, and regulators. Practitioners of accounting are known as accountants. The terms "accounting" and "financial reporting" are often used interchangeably.Financial reporting refers to the process of presenting financial information and data about a company's financial performance and position to external parties, such as investors, creditors, and regulatory bodies
An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon." Auditing also attempts to ensure that the books of accounts are properly maintained by the concern as required by law. Auditors consider the propositions before them, obtain evidence, roll forward prior year working papers, and evaluate the propositions in their auditing report.
A financial audit is conducted to provide an opinion whether "financial statements" are stated in accordance with specified criteria. Normally, the criteria are international accounting standards, although auditors may conduct audits of financial statements prepared using the cash basis or some other basis of accounting appropriate for the organization. In providing an opinion whether financial statements are fairly stated in accordance with accounting standards, the auditor gathers evidence to determine whether the statements contain material errors or other misstatements.
Forensic accounting, forensic accountancy or financial forensics is the specialty practice area of accounting that investigates whether firms engage in financial reporting misconduct, or financial misconduct within the workplace by employees, officers or directors of the organization. Forensic accountants apply a range of skills and methods to determine whether there has been financial misconduct by the firm or its employees.
An auditor's report is a formal opinion, or disclaimer thereof, issued by either an internal auditor or an independent external auditor as a result of an internal or external audit, as an assurance service in order for the user to make decisions based on the results of the audit.
An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure and business applications. The evaluation of evidence obtained determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
Statement on Auditing Standards No. 99: Consideration of Fraud in a Financial Statement Audit, commonly abbreviated as SAS 99, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in October 2002. The original exposure draft was distributed in February 2002. Please see PCAOB AS 2401.
Information technology controls are specific activities performed by persons or systems to ensure that computer systems operate in a way that minimises risk. They are a subset of an organisation's internal control. IT control objectives typically relate to assuring the confidentiality, integrity, and availability of data and the overall management of the IT function. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC includes controls over the hardware, system software, operational processes, access to programs and data, program development and program changes. IT application controls refer to controls to ensure the integrity of the information processed by the IT environment. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.
The Public Company Accounting Oversight Board (PCAOB) is a nonprofit corporation created by the Sarbanes–Oxley Act of 2002 to oversee the audits of US-listed public companies. The PCAOB also oversees the audits of broker-dealers, including compliance reports filed pursuant to federal securities laws, to promote investor protection. All PCAOB rules and standards must be approved by the U.S. Securities and Exchange Commission (SEC).
Generally Accepted Auditing Standards, or GAAS are sets of standards against which the quality of audits are performed and may be judged. Several organizations have developed such sets of principles, which vary by territory. In the United States, the standards are promulgated by the Auditing Standards Board, a division of the American Institute of Certified Public Accountants (AICPA).
A going concern is an accounting term for a business that is assumed will meet its financial obligations when they become due. It functions without the threat of liquidation for the foreseeable future, which is usually regarded as at least the next 12 months or the specified accounting period. The presumption of going concern for the business implies the basic declaration of intention to keep operating its activities at least for the next year, which is a basic assumption for preparing financial statements that comprehend the conceptual framework of the IFRS. Hence, a declaration of going concern means that the business has neither the intention nor the need to liquidate or to materially curtail the scale of its operations.
Internal control, as defined by accounting and auditing, is a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.
In financial auditing of public companies in the United States, SOX 404 top–down risk assessment (TDRA) is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002. Under SOX 404, management must test its internal controls; a TDRA is used to determine the scope of such testing. It is also used by the external auditor to issue a formal opinion on the company's internal controls. However, as a result of the passage of Auditing Standard No. 5, which the SEC has since approved, external auditors are no longer required to provide an opinion on management's assessment of its own internal controls.
In the United States, the Auditing Standards Board (ASB) is the senior technical committee designated by the American Institute of Certified Public Accountants (AICPA) to issue auditing, attestation, and quality control statements, standards and guidance to certified public accountants (CPAs) for non-public company audits. Created in October 1978, it is composed of 19 members representing various industries and sectors, including public accountants and private, educational, and governmental entities. It issues pronouncements in the form of statements, interpretations, and guidelines, which all CPAs must adhere to when performing audits and attestations.
Management assertions or financial statement assertions are the implicit or explicit assertions that the preparer of financial statements (management) is making to its users. These assertions are relevant to auditors performing a financial statement audit in two ways. First, the objective of a financial statement audit is to obtain sufficient appropriate audit evidence to conclude on whether the financial statements present fairly, in all material respects, the financial position of a company and the results of its operations and cash flows. In developing that conclusion, the auditor evaluates whether audit evidence corroborates or contradicts financial statement assertions. Second, auditors are required to consider the risk of material misstatement through understanding the entity and its environment, including the entity's internal control. Financial statement assertions provide a framework to assess the risk of material misstatement in each significant account balance or class of transactions.
Continuous auditing is an automatic method used to perform auditing activities, such as control and risk assessments, on a more frequent basis. Technology plays a key role in continuous audit activities by helping to automate the identification of exceptions or anomalies, analyze patterns within the digits of key numeric fields, review trends, and test controls, among other activities.
Entity-level controls are controls that help to ensure that management directives pertaining to the entire entity are carried out. They are the second level of a to understanding the risks of an organization. Generally, entity refers to the entire company.
Statement on Standards for Attestation Engagements no. 18 is a Generally Accepted Auditing Standard produced and published by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board. Though it states that it could be applied to almost any subject matter, its focus is reporting on the quality of financial reporting. It pays particular attention to internal control, extending into the controls over information systems involved in financial reporting. It is intended for use by Certified Public Accountants performing attestation engagements, the preparation of a written opinion about a subject, and the client organizations preparing the reports that are the subject of the attestation engagement. It prescribes three levels of service: examination, review, and agreed-upon procedures. It also prescribes two types of reports: Type 1, which includes an assessment of internal control design, and Type 2, which additionally includes an assessment of the operating effectiveness of controls. Published April 2016, SSAE 18 and all previous standards it supersedes are represented in section AT-C of the AICPA Professional Standards, with most sections becoming effective on May 1, 2017.
Audit technology is the use of computer technology to improve an audit. Audit technology is used by accounting firms to improve the efficiency of the external audit procedures they perform.