Evidence

Bottom of Page TOC PREVIOUS NEXT


GAO-03-673G Government Auditing Standards > Chapter 7 Field Work Standards for Performance Audits > Evidence


7.48 The field work standard related to evidence for performance audits performed in accordance with GAGAS is:

Sufficient, competent, and relevant evidence is to be obtained to provide a reasonable basis for the auditors’ findings and conclusions.

7.49 A large part of auditors’ work on an audit concerns obtaining and evaluating evidence that ultimately supports their judgments and conclusions pertaining to the audit objectives. In evaluating evidence, auditors consider whether they have obtained the evidence necessary to achieve specific audit objectives. When internal control or compliance requirements are significant to the audit objectives, auditors should also collect and evaluate evidence relating to controls or compliance.

7.50 Evidence may be categorized as physical, documentary, testimonial, and analytical. Physical evidence is obtained by auditors’ direct inspection or observation of people, property, or events. Such evidence may be documented in memoranda, photographs, drawings, charts, maps, or physical samples. Documentary evidence consists of created information such as letters, contracts, accounting records, invoices, and management information on performance. Testimonial evidence is obtained through inquiries, interviews, or questionnaires. Analytical evidence includes computations, comparisons, separation of information into components, and rational arguments.

7.51 The guidance in the following paragraphs is intended to help auditors judge the quality and quantity of evidence needed to satisfy audit objectives. Paragraphs 7.52 through 7.61 are intended to help auditors determine what constitutes sufficient, competent, and relevant evidence to support their findings and conclusions. Paragraphs 7.62 through 7.65 describe the elements of an audit finding.

Tests of Evidence

7.52 Evidence should be sufficient, competent, and relevant to support a sound basis for audit findings, conclusions, and recommendations:

a. Evidence should be sufficient to support the auditors’ findings. In determining the sufficiency of evidence, auditors should ensure that enough evidence exists to persuade a knowledgeable person of the validity of the findings. When appropriate, statistical methods may be used to establish sufficiency.

b. Evidence is competent if it is valid, reliable, and consistent with fact. In assessing the competence of evidence, auditors should consider such factors as whether the evidence is accurate, authoritative, timely, and authentic. When appropriate, auditors may use statistical methods to derive competent evidence.

c. Evidence is relevant if it has a logical relationship with, and importance to, the issue being addressed.

7.53 The following presumptions are useful in judging the competence of evidence. However, these presumptions are not to be considered sufficient in themselves to determine competence. The amount and kinds of evidence required to support auditors’ conclusions should be based on auditors’ professional judgment.

a. Evidence obtained when internal controls are effective is more competent than evidence obtained when controls are weak or nonexistent. Auditors should be particularly careful in cases where controls are weak or nonexistent and should, therefore, plan alternative audit procedures to corroborate such evidence.

b. Evidence obtained through the auditors’ direct physical examination, observation, computation, and inspection is more competent than evidence obtained indirectly.

c. Examination of original documents provides more competent evidence than do copies.

d. Testimonial evidence obtained under conditions where persons may speak freely is more competent than testimonial evidence obtained under compromising conditions (for example, where the persons may be intimidated).

e. Testimonial evidence obtained from an individual who is not biased or has complete knowledge about the area is more competent than testimonial evidence obtained from an individual who is biased or has only partial knowledge about the area.

f. Evidence obtained from a credible third party may in some cases be more competent than that secured from management or other officials of the audited entity.

7.54 Auditors may find it useful to obtain written representations concerning the competence and completeness of certain evidence from officials of the audited entity. Written representations ordinarily confirm oral representations given to auditors, indicate and document the continuing appropriateness of such representations, and reduce the possibility of misunderstandings concerning the matters that are the subject of the representations. Written representations can take several forms, including summary documents prepared by the auditors and signed by the entity’s management. If officials of the audited entity refuse to provide a written representation that the auditors have requested, the auditors should consider the effects of the refusal on results of the audit.

7.55 The auditors’ approach to determining the sufficiency, competence, and relevance of evidence depends on the source of the information that constitutes the evidence. Information sources include original data gathered by auditors and existing data gathered by either officials of the audited entity or a third party. Data from any of these sources may be obtained from computer-based systems. (See paragraphs 7.63 through 7.65 for additional documentation requirements when using information from a computer-based system.)

7.56 Data gathered by auditors: Data gathered by auditors include the auditors’ own observations and measurements. Among the methods for gathering this type of data are questionnaires, structured interviews, direct observations, and computations. The design of these methods and the skill of the auditors applying them are the keys to ensuring that these data constitute sufficient, competent, and relevant evidence. When these methods are applied to determine cause, auditors are concerned with eliminating conflicting explanations.

7.57 Data gathered by management: Auditors can use data gathered by officials of the audited entity as part of their evidence. However, auditors should determine the validity and reliability of data that are significant to the audit objectives and may do so by direct tests of the data. Auditors can reduce the direct tests of the data if they test the effectiveness of the entity’s internal controls over the validity and reliability of the data and these tests support the conclusion that the controls are effective. The nature and extent of data testing will depend on the significance of the data to support the auditors’ findings. How the use of unaudited data gathered by officials of the audited entity affect the auditors’ report depends on the data’s significance to the auditors’ findings. For example, in some circumstances, auditors may use unaudited data to provide background information; however, the use of such unaudited data would generally not be appropriate to support audit findings and conclusions.

7.58 Data gathered by third parties: The auditors’ evidence may also include data gathered by third parties. In some cases, these data may have been audited by others, or the auditors may be able to audit the data themselves. In other cases, however, it will not be practical to obtain evidence of the data’s validity and reliability. How the use of unaudited third-party data affects the auditors’ report depends on the data’s significance to the auditors’ findings. For example, in some circumstances, auditors may use unaudited data to provide background information; however, the use of such unaudited data would generally not be appropriate to support audit findings and conclusions.

7.59 Validity and reliability of data from computer-based systems: Auditors should obtain sufficient, competent, and relevant evidence that computer-processed data are valid and reliable when these data are significant to the auditors’ findings. This work is necessary regardless of whether the data are provided to auditors or auditors independently extract them. Auditors should determine if officials of the audited entity or other auditors have worked to establish the validity and reliability of the data or the effectiveness of the controls over the system that produced the data. If the results of such work are current, auditors may be able to rely on that work. (See paragraphs 7.32 through 7.34 for requirements when relying on the work of others.) Auditors may also determine the validity and reliability of computer-processed data by direct tests of the data.

7.60 Auditors can reduce the direct tests of the data if they test the effectiveness of general and application controls over computer-processed data and these tests support the conclusion that the controls are effective. If auditors determine that internal controls over data that are significantly dependent upon computerized information systems are not effective or if auditors do not plan to test the effectiveness of such controls, auditors should include audit documentation regarding the basis for that conclusion by addressing (1) the reasons why the design or operation of the controls is ineffective, or (2) the reasons why it is inefficient to test the controls. In such circumstances, auditors should also include audit documentation regarding their reasons for concluding that the planned audit procedures, such as direct tests of the data, are effectively designed to achieve specific audit objectives. This documentation should address

a. the rationale for determining the types and extent of planned audit procedures;

b. the kinds and competence of available evidence produced outside a computerized information system; and

c. the effect on the audit report if the evidence gathered during the audit does not allow the auditors to achieve audit objectives.

7.61 When the auditors’ tests of data disclose errors in the data, or when they are unable to obtain sufficient, competent, and relevant evidence about the validity and reliability of the data, they may find it necessary to

a. seek evidence from other sources,

b. redefine the audit’s objectives to eliminate the need to use the data, or

c. use the data, but clearly indicate in their report the data’s limitations and refrain from making unwarranted conclusions or recommendations.

Audit Findings

7.62 Audit findings often have been regarded as containing the elements of criteria, condition, and effect, plus cause when problems are found. However, the elements needed for a finding depend entirely on the objectives of the audit. Thus, a finding or set of findings is complete to the extent that the audit objectives are satisfied and the report clearly relates those objectives to the elements of a finding. Criteria are discussed in paragraph 7.28, and the other elements of a finding--condition, effect, and cause--are discussed in the following paragraphs:

7.63 Condition: Condition is a situation that exists. It has been determined and documented during the audit.

7.64 Effect: Effect has two meanings that depend on the audit objectives. When the auditors’ objectives include identifying the actual or potential consequences of a condition that varies (either positively or negatively) from the criteria identified in the audit, “effect” is a measure of those consequences. Auditors often use effect in this sense to demonstrate the need for corrective action in response to identified problems. When the auditors’ objectives include estimating the extent to which a program has caused changes in physical, social, or economic conditions, “effect” is a measure of the impact achieved by the program. Here, effect is the extent to which positive or negative changes in actual physical, social, or economic conditions can be identified and attributed to program operations.

7.65 Cause: Like effect, cause also has two meanings that depend on the audit objectives. When the auditors’ objectives include explaining why a particular type of positive or negative performance identified in the audit occurred, the reasons for that performance are referred to as “cause.” Identifying the cause of problems can assist auditors in making constructive recommendations for correction. Because problems can result from a number of plausible factors or multiple causes, the recommendation can be more persuasive if auditors can clearly demonstrate and explain with evidence and reasoning the link between the problems and the factor or factors they have identified as the cause. When the auditors’ objectives include estimating the program’s effect on changes in physical, social, or economic conditions, auditors seek evidence of the extent to which the program itself is the “cause” of those changes. Auditors may identify significant deficiencies in internal control as the cause of deficient performance. In reporting this type of finding, the internal control deficiency would be described as the “cause.”


Top of Page TOC PREVIOUS NEXT

GAO-03-673G Government Auditing Standards