Most audits are reduced to asking the following three general questions:
- Is satisfactory progress evident towards the achievement of organisational objectives?
- Have suspected risks materialised affecting the organisation?
- Are the necessary controls present and working as expected?
Internal auditors establish engagement objectives, define the scope of their review, and collect information to answer the questions that the audit is supposed to solve. This must be done competently and as best as possible, conclusively. The answers to the three questions above don’t have to be exhaustive, but internal auditors must do enough work until they are reasonably confident about the answers. This is what we refer to as providing “reasonable assurance.”
Evidence is something that provides proof and it proves or disproves something. It is presented as verification of the facts at issue and generally includes the testimony of witnesses, and the examination of records, documents, and objects.
Evidence has many forms, and there are qualitative elements also to consider:
This type of evidence consists of verbal or written statements made by individuals, especially those who perform the work being audited. While others, such as managers and business leaders may have a great deal of knowledge, they may not always know enough about the details of the program or process being examined, so it is best for internal auditors to give enough thought to whom they are interviewing.
Testimony is generally the weakest type of evidence and should only be relied upon to gather information and while testing lower-risk controls.
Internal auditors are encouraged to go and see for themselves the conditions, practices, properties, and events relevant to the audit being performed. By witnessing these dynamics themselves, internal auditors acquire more conclusive evidence than that obtained merely by testimony, mainly if this testimony is obtained verbally and remotely.
Walkthroughs are a type of observation internal auditors perform during planning and fieldwork. These are step-by-step tests of all the procedures for a program or process completed with audit clients who explain their methods by using a “live” document or transaction. As the item navigates the process, the steps are documented, so the auditor gains a better understanding of each action and to verify agreement between the practice and formal procedures documentation.
The quality of observation may be dependent on whether those being observed know this is happening. If those being observed know the auditor is observing their behavior, they may change their actions, so the auditor views them favorably. The issue with this behavioral change is that the auditor will have an inaccurate understanding of how the work is being performed. So, it is essential to consider whether it is more beneficial to complete the observations without the knowledge of those being observed. When doing so, however, internal auditors should also weigh the risk they may be considered duplicitous or devious.
This can be an important consideration while performing construction, and environmental health and safety (EHS) audits. While touring the facilities is a standard procedure, it is often done while accompanied by the safety or plant manager who explains conditions, procedures, answers questions and introduces auditors to key employees. During these walks, everyone is usually in their best behavior. Internal auditors may even notice that the tour given is following a well-selected and pre-determined course, so asking to go off path a little may be a good idea to see other places and practices. By embracing these techniques, internal auditors can observe dynamics in their natural setting and gain a more realistic understanding of how the work is being performed.
This type of evidence consists of reviewing already existing information such as reports, letters, memos, photographs, videos, drawings, charts, worksheets, contracts, invoices, and other records. Documents can be internal or external to the entity, program or process being audited.
An important attribute of documentation is their age, or recency: Is the evidentiary information recent or old? In general, current information is preferable to older documents. However, some evidence is best if it is older because it is close to when the event occurred. For example, an older picture documenting the condition of a warehouse is preferable to the recent verbal testimony of the warehouse manager who describes the status of the warehouse a long time ago.
The quality of evidence is also dependent on how authoritative the source is. The evidence is more persuasive if it is provided by someone with a significant degree of authority, prestige or expertise on the subject. Authoritativeness is not always synonymous with the person’s hierarchical position because a high-ranking individual may have a meaningful title, but not have detailed knowledge, expertise or overall competence on the subject.
Examples of Internal and External Evidence
Analytical Review and Recalculation
This is a procedure to determine if transactions or events meet expectations. If they don’t, the reviewer then performs other procedures to identify with more certainty if there is an issue or finding. The analytical review may include a search for outliers, deviation from expected values, gaps in a sequence of figures, or insufficient variability when some are expected. Items subject to analysis and re-calculation often include verification of the accuracy of depreciation, the reserves for uncollectable balances, the number of accruals, the value of inventory, the appropriateness of fuel and material usage, timing and amount of contracted payables, and allowances for excess and obsolete inventory, among others.
Relying on the Work of Others
Internal auditors should consider building on the work of others if these parties are objective and competent in performing their work. This determination is based on the other assurance provider’s quality and depth of work, which helps to determine if the information received, and the findings derived from them, are based on sufficient, reliable, relevant, and useful information.
The work of these other assurance providers must be appropriately planned, supervised, documented, and reviewed. If it is, the auditor may decide if additional work or test procedures are needed to gain appropriate and sufficient audit evidence. Auditors should be satisfied based on their knowledge of the business; the risks, controls and work environment; operating procedures; techniques; and information used by the assurance provider that the findings are reasonable. To increase the level of reliance on these results, the organisation’s internal auditors may need to retest the results of the other assurance providers.
Internal auditors collect evidence to answer the audit questions convincingly and to do this they receive and review evidence that must be sufficient (to be convincing), reliable (to be credible), relevant (to the audit being performed) and useful (to the audit client).
Internal auditors may need to collect and examine multiple types of evidence to conclude that the objectives are being achieved, that risks are managed appropriately, and that controls are present and working as intended. When this happens, there is comfort in the knowledge that the three main questions are answered to the auditors’ satisfaction, and reasonable assurance can be provided confidently.