The main objective of the work performed by the auditor in an audit engagement is that of obtaining reasonable assurance as to whether the financial statements, as a whole, are free from material misstatement, so that the auditor is able to express an opinion on the financial statements and report accordingly in the auditor’s report.

To obtain reasonable assurance about the financial statements, which is a high but not absolute level of assurance, the auditor needs to design and perform audit procedures to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the auditor’s opinion.

ISA (UK and Ireland) 500, Audit Evidence, explains what are the auditor’s responsibilities in obtaining audit evidence that can underpin the auditor’s opinion and what constitutes sufficient appropriate audit evidence for such purpose.

Sufficient appropriate audit evidence

A large part of the work involved in the performance of an audit consists of obtaining and evaluating audit evidence, which is primarily derived from audit procedures carried out during the course of the engagement, but that can also be gained from other sources. For example sources  like previous audits; provided that changes occurred in the meantime have been carefully taken into account; or the firm’s quality control procedures, especially around client acceptance and continuance.

Audit procedures that are used to obtain audit evidence are various and are often applied in combination. They can include inspection, observation, confirmation, recalculation, reperformance and analytical procedures, in addition to inquiry, as the latter does not normally provide sufficient audit evidence on its own.

However, audit evidence obtained will only be useful in reducing to an acceptably low level the risk that the auditor could express an inappropriate opinion when the financial statements are materially misstated and, therefore, allow the auditor to draw reasonable conclusions, when it is sufficient and appropriate to the circumstances.

Sufficiency and appropriateness of audit evidence are two qualities that are interrelated. Sufficiency is the measure of the quantity of audit evidence. The quantity of audit evidence needed is affected by the risks of misstatement assessed by the auditor, whereby the higher the risks the more audit evidence required, and by the quality of the evidence, where the higher the quality the less evidence perhaps required. A large amount of audit evidence may, however, not compensate for its poor quality.

Appropriateness is the measure of the quality of audit evidence. The quality of audit evidence depends on whether it is relevant and reliable in providing support to the conclusions on which the auditor’s opinion is based. Whether evidence is reliable also depends on its source; for instance, whether it is generated by the client, a third party or the auditor; and also from its nature, whereby documentary evidence is normally more reliable than verbal evidence.

Whether the audit evidence obtained in the course of an engagement is sufficient and appropriate to support the auditor’s opinion is a matter of professional judgment that the auditor needs to establish. Professional judgment is not, however, an abstract and subjective category of the auditor’s frame of mind, and should be informed by a structured approach to gathering evidence that is based on the assessed risks of material misstatement of the financial statements.

Designing and performing audit procedures for obtaining audit evidence

A number of ISAs (UK and Ireland), namely ISA 300, ISA 315 and ISA 330, require and explain that audit evidence should be obtained by performing risk assessment procedures and further audit procedures. Further audit procedures include tests of controls and substantive procedures, including tests of details and substantive analytical procedures.

In particular, alongside an overall audit strategy that indicates the scope of the work, the resources of staff allocated to specific areas and the timing of the engagement, a more detailed audit plan should indicate the audit procedures to be performed in respect of specific assertions in the financial statements and their timing.

The results of the initial risk assessment procedures, like the entity’s business risk assessment or the assessment of internal controls, are the basis on which to design the nature, timing and extent of further audit procedures to be performed in respect of the risks identified.

Further audit procedures should respond to the assessed risks of material misstatement at the assertion level, so that sufficient appropriate evidence can be obtained in respect of those risks.

The detailed audit plan records the risk assessment procedures and the further audit procedures at the assertion level in response to the assessed risks. The audit plan describes the nature, extent and timing of the audit procedures to be performed by team members in respect of specific classes of transactions, account balances and disclosures. In the case of an audit of a small entity, the audit plan would normally be included in standard audit programmes and schedules used for the various transactions and account balances. In any case, the standard programmes need to be tailored so that the approach to an item, in terms of the use of substantive procedures, tests of controls or both, is proportional to the risk assessed for that item and is directed at obtaining audit evidence capable of verifying the underlying assertions.

The audit evidence generated by the planned audit procedures should be sufficient and appropriate to support and corroborate, or to contradict, the management’s assertions in respect of specific classes of transactions, account balances or disclosures in the financial statements.

Audit procedures in respect of specific items in the financial statements should be designed with the objective of providing evidence capable of verifying the assertions embodied in an item, so that the auditor can draw a reasonable conclusion about that item. Audit evidence and the auditor’s conclusions in respect of the various assertions tested contribute to the overall audit evidence on which the auditor’s opinion is based.