Audit Evidence

By Dr. Hernan Murdock ,VP – Content and Programming at ACI Learning


Using High-Quality Evidence to Provide Reasonable Assurance

Most audits can be reduced to asking the following three general questions:

  1. Is acceptable progress evident towards the achievement of organizational objectives?
  2. Have suspected risks materialized affecting the organization? and
  3. Are the necessary controls present and working as expected?

Internal auditors establish engagement objectives, define the scope of their review, and collect information to answer the questions that the audit is supposed to answer.  This must be done competently and as best as possible, conclusively. 

The answers to the three questions above don’t have to be exhaustive, but internal auditors must do enough work until they are reasonably confident about the answers.  This is what we refer to as providing “reasonable assurance”.

Evidence is something that provides proof and it proves or disproves something.  It is presented as verification of the facts at issue and generally includes the testimony of witnesses, and the examination of records, documents, and objects. We need evidence to answer the three questions.


Evidence has many forms and there are qualitative elements to also consider.



This type of evidence consists of verbal statements made by individuals, especially those who perform the work being audited.  While others, such as managers and business leaders may have a great deal of knowledge, they may not always know enough about the details of the program or process being examined, so it is best for internal auditors to give enough thought to whom they are interviewing.

Testimony is generally the weakest type of evidence and should only be relied upon to gather information and while testing lower-risk controls.



Internal auditors are encouraged to go and see for themselves the conditions, practices, properties, and events relevant to the audit being performed.  By witnessing these dynamics themselves, internal auditors acquire more conclusive evidence than that obtained merely by testimony, especially if this testimony is obtained verbally and remotely.

Walkthroughs are a type of observation internal auditors perform during planning and fieldwork.  These are step-by-step tests of all the procedures for a program or process performed with audit clients who explain their procedures by using a “live” document or transaction.  As the item navigates the process, the steps are documented so the auditor gains a better understanding of each action and to verify agreement between the practice and official procedures documentation.

The quality of observation may be dependent on whether those being observed know this is happening.  If those being observed know the auditor is observing their behavior, they may change their actions so the auditor views them favorably.  The issue with this behavioral change is that the auditor will have an inaccurate understanding of how the work is being performed.  So, it is important to consider whether it is more beneficial to perform the observations without the knowledge of those being observed.  When doing so, however, internal auditors should also weigh the risk they may be considered duplicitous or devious.

This can be an important consideration while performing construction and environmental health and safety (EHS) audits.  While touring the facilities is a standard procedure, it is often done while accompanied by the safety or plant manager who explains conditions, procedures, answers questions and introduces auditors to key employees.  During these walks everyone is usually in their best behavior.  Internal auditors may even notice that the tour given is following a well-selected and pre-determined course, so asking to go off course a little may be a good idea to see other places and practices.  By embracing these techniques, internal auditors can observe dynamics in their natural setting and gain a more realistic understanding of how the work is really being performed, if access restrictions are practiced consistently, and if safety protocols are being followed.

Observation is also common to verify the existence and condition of assets. When travel limitations or restrictions are in place, auditors may consider using video images from either a stationary device, or obtaining the assistance of a reliable individual who could record or live-stream images. Wearable or portable cameras should be considered.



This type of evidence consists of reviewing already existing information such as reports, letters, memos, photographs, videos, drawings, charts, worksheets, contracts, invoices and other records.  Documents can be internal or external to the entity, program or process being audited. 

An important attribute of documentation is their age, or recency: Is the evidentiary information recent or old?  In general, recent information is preferable to older documents.  However, some evidence is best if it is older because it may be closer to when the event occurred.  For example: An older picture documenting the condition of a warehouse is preferable to the recent verbal testimony of the warehouse manager who describes the condition of the warehouse a long time ago.  

The quality of evidence is also dependent on how authoritative the source is.  Evidence is more persuasive if it is produced or provided by someone who has a great degree of authority, prestige or expertise on the subject.  Authoritativeness is not always synonymous with the person’s hierarchical position because a high-ranking individual may have an important title, but not have a detailed knowledge, expertise or overall competence on the subject.  

Examples of Internal and External Evidence

Internal External
Policies and Procedures

Purchase Orders

Purchase Requisitions

Exception Reports

Inventory Counts



Packing Slips

Bank Statements



Analytical Review and Recalculation

This is a procedure to determine if transactions or events meet expectations.  If they don’t, the reviewer then performs other procedures to determine with more certainty if there is an issue or finding.  The analytical review may include a search for outliers, deviation from expected values, gaps in a sequence of figures, or insufficient variability when some is expected. Items subject to analysis and re-calculation often include verification of the accuracy of depreciation, the reserves for uncollectable balances, the amount of accruals, the value of inventory, the appropriateness of fuel and material usage, timing and amount of contracted payables, and allowances for excess and obsolete inventory, among others.


Relying on the Work of Others

Internal auditors should consider relying on the work of others if these parties are objective and competent in performing their work.  This determination is based on the other assurance provider’s quality and depth of work, which helps to determine if the information received, and the findings derived from them, are based on sufficient, reliable, relevant, and useful information.    

The work of these other assurance providers must be appropriately planned, supervised, documented, and reviewed.  If it is, the auditor may decide if additional work or test procedures are needed to gain appropriate and sufficient audit evidence. Auditors should be satisfied based on their knowledge of the business; the risks, controls and work environment; operating procedures; techniques; and information used by the assurance provider that the findings are reasonable.  To increase the level of reliance on these results, the organization’s internal auditors may need to retest results of the other assurance providers.

Internal auditors collect evidence to convincingly answer the audit questions, and to do this they collect and review evidence that must be sufficient (to be convincing), reliable (to be credible), relevant (to the audit being performed) and useful (to the audit client).

Internal auditors may need to collect and examine multiple types of evidence to conclude that the objectives are being achieved, that risks are managed appropriately, and that controls are present and working as intended.  When this happens, there is comfort in the knowledge that the three main questions are answered to the auditors’ satisfaction, and reasonable assurance can be provided confidently.

Latest posts by Dr. Hernan Murdock (see all)