See Audithink's Latest Events →

Audit Evidence: Definition, Types, Characteristics, and Examples

audit evidence

Topic Recommendations

Share Article

Ready To Improve Your Internal Audit Process?

Discover Audithink's full features and choose a pricing plan that works for your audit team. Start audit transformation now!

Table Of Contents

Audit evidence is all the information collected and evaluated. auditor to draw conclusions that form the basis of an audit opinion or finding. Without sufficient and appropriate audit evidence, a finding remains merely an assumption—unaccountable and unresponsible to management.

For the internal audit team, audit evidence is more than just an administrative requirement. It determines whether your recommendation is accepted at the audit committee meeting or rejected due to its weak basis.

This article discusses the meaning of audit evidence, the standards that govern it, the procedures for obtaining it, the types and hierarchy of its reliability, and the practical challenges of managing it in an internal audit environment.

What is Audit Evidence?

audit evidence
Illustration of the audit process (Freepik.com)

Audit evidence is data or information that auditors use to test whether a condition, transaction, or control complies with established criteria.

Its scope is broader than is often imagined. Audit evidence includes:

  • Accounting records underlying financial statements (journals, ledgers, reconciliations)
  • Supporting information outside the accounting records (contracts, meeting minutes, correspondence, field photos, system logs)
  • Information generated by the auditor himself (results of recalculation, analysis, observation documentation)

In internal audits, audit evidence also includes non-financial matters: evidence of compliance with SOPs, approval trails in the system, results of interviews with process owners, and records of user activity in the application.

Its main functions are three:

  1. Supporting findings — ensure every finding stands on fact, not opinion.
  2. Reducing audit risk — the stronger the evidence, the less likely the auditor is to draw a wrong conclusion.
  3. Protecting auditors — when findings are disputed, the working papers and evidence are your defense.

Basis of Audit Evidence Standards

Audit evidence is not a concept that can be freely interpreted. There is a standard framework that governs it, and understanding this framework is essential to maintaining audit quality.

SA 500 / ISA 500 — Audit Evidence

Audit Standards (SA) 500 published by IAPI, adopting ISA 500, regulates the auditor's obligation to design and perform audit procedures to obtain sufficient and appropriate audit evidence (sufficient appropriate audit evidence). This standard also regulates consideration of the relevance and reliability of information used as evidence.

SA 501, 505, 520 — Specific Considerations

Some derivative standards govern specific types of evidence:

StandardsFocus
SA 501Audit evidence for selected elements (inventory, litigation, segments)
SA 505External confirmation
AT 520Analytical procedures
AT 530Sampling audit

IIA Standards for Internal Auditing

For internal auditors, the main reference is Global Internal Audit Standards from The Institute of Internal Auditors (IIA). This standard emphasizes that internal auditors must base their conclusions and engagement results on adequate analysis and evaluation, and document sufficient, reliable, relevant, and useful information.

In the Indonesian government sector, APIP also refers to the Indonesian Government Internal Audit Standards (AAIPI) which contains similar principles within the SPIP framework.

Editorial note: verify the number and naming of the current standard (SA/ISA and IIA Standards applicable edition) before publication, as numbering may change after standard revision.

Procedures for Obtaining Audit Evidence

Audit evidence does not appear on its own; it is obtained through procedures designed by the auditor. Here are seven main procedures that are commonly used.

1. Inspection

Examination of records, documents, or physical assets. Inspection of documents provides evidence of the existence and content of a transaction. Inspection of physical assets provides evidence of the asset's existence, but does not necessarily establish ownership or fair value.

2. Observation

Observing processes or procedures being carried out by other parties. For example, observing the stocktaking process or procurement approval flow.

The weakness: observation only proves the conditions at the time of observation. There is a risk Hawthorne effect behavior changes due to feeling watched.

3. External Confirmation

Obtaining written statements directly from third parties: banks, customers, suppliers, or attorneys. Because they come from outside the entity, external confirmations are considered highly reliable evidence.

4. Request for Information (Inquiry)

Interviews or requests for information from internal or external parties. This procedure is the quickest to do, but the weakest reliability. Results inquiry almost always needs to be corroborated with other evidence.

5. Recalculation (Recalculation)

Verifying the mathematical accuracy of documents or records e.g. recalculating depreciation, accruals, or tax calculations.

6. Re-implementation (Reperformance)

The auditor independently carries out the procedures or controls that the entity should have carried out. This is different from observation. reperformance test whether the control actually works.

7. Analytical Procedures

Evaluating information through analyzing relationships between data, both financial and non-financial. For example, comparing total payroll expenses to the number of employees to detect anomalies such as ghost employee.

See also: Complete Guide to Audit procedures, stages, types and examples

Types of Audit Evidence

Apart from being based on procedures, audit evidence can be grouped based on its source and nature.

Based on Source

  • Internal evidence — generated and stored within the entity (internal memos, registers, internal emails, production reports)
  • External evidence — originate from parties outside the entity (bank statements, supplier invoices, customer confirmations, notarial documents)
  • Evidence prepared by the auditor — results of analysis, recalculation, or documentation of the auditor's own observations

Based on Nature

  • Direct evidence (direct evidence) — directly proves assertion tested. Example: a physical inspection report that proves the existence of fixed assets.
  • Indirect evidence (circumstantial evidence) — support conclusions inferentially. Example: effective testing of controls does not prove every transaction is correct, but it reduces the likelihood of material misstatement.

Indirect evidence remains valuable. However, it usually needs to be combined with direct evidence to establish a strong conclusion.

Hierarchy of Audit Evidence Reliability

Not all evidence is equal. This is an often overlooked concept, yet it is crucial to the quality of findings.

In general, the reliability of audit evidence increases in the following order:

LevelTypes of EvidenceExample of
HighestDirect evidence obtained by the auditorRecalculation, physical examination, reperformance
HighExternal evidence directly to the auditorBank confirmation, receivable confirmation
Medium–HighExternal evidence through entitiesSupplier invoices, bank statements from clients
CurrentlyInternal evidence with strong controlsDocuments from the ERP system with approval workflow
LowInternal evidence with weak controlsManual spreadsheet without revision trail
LowestOral evidenceInterview results without supporting documentation

The practical principle is simple:

  • Proof external more reliable than internal evidence
  • Proof written more reliable than oral evidence
  • Proof original more reliable than photocopying, scan, or screenshot
  • Evidence from entities with effective internal controls more reliable than from entities with weak controls
  • The evidence that obtained directly by the auditor more reliable than those obtained indirectly

Characteristics of Audit Evidence: Sufficient and Appropriate

These two words are the standards for assessing audit evidence: Enough (sufficient) dan appropriate (appropriate). Both are related but measure different things.

Sufficiency (Quantity)

Adequacy refers to amount evidence obtained. How much is needed depends on:

  • Level of risk of material misstatement — the higher the risk, the more evidence is needed
  • The quality of the evidence itself — high-quality evidence allows for fewer

Accuracy (Quality)

Accuracy refers to quality evidence, which consists of two dimensions:

Relevance — whether the evidence relates to the specific assertion being tested. Example: examining shipping documents proves the assertion occurrence sales, but does not prove completeness. To test completeness, the direction of testing should be reversed from shipping documents to sales records.

Reliability — whether the evidence is credible, as described in the hierarchy above.

Their Relationship

Quality cannot completely replace quantity, and vice versa. Weak evidence, no matter how much is collected, will not lead to strong conclusions. Conversely, a single piece of high-quality evidence is not necessarily enough to draw conclusions about a population.

Audit Evidence in the Context of Internal Audit

Most of the audit evidence literature is written from the perspective of external audits of financial statements. However, the characteristics of internal audits differ in several important ways.

Wider Coverage

Internal auditing doesn't stop at numbers. Its scope includes operational audits, compliance audits, information systems audits, and... risk-based audit (RBIA). Consequently, the forms of evidence are much more diverse:

  • Log system and application audit trail
  • Recording approval workflow in ERP
  • Field photos and documentation
  • TABK/CAAT test results on the full population
  • Meeting minutes and authority matrix

Different Criteria

Internal auditors test for compliance with internal SOPs, management policies, and sectoral regulations, not just accounting standards. In state-owned enterprises and government agencies, these criteria may include: SPIP provisions, GCG principles, or sector regulations such as POJK.

Follow-up as Part of the Cycle

Unlike external audits which end with an opinion, internal audits continue to follow-up. This means that evidence is not only collected during the assignment, evidence of completion of recommendations must also be collected, verified, and documented in the following period.

Examples of Audit Evidence in Practice

The following are concrete examples of audit evidence based on the assignment area:

Audit AreaExample of EvidenceProcedureReliability
Who & bankBank statement from bank, balance confirmationExternal confirmationHigh
Accounts receivableCustomer confirmation response, aging scheduleConfirmation, analytical proceduresHigh
PreparationStock opname minutes, stock cardsPhysical inspection, observationHigh
Fixed assetsProof of ownership, results of physical inspectionInspectionHigh
ProcurementContracts, tender documents, vendor evaluation matrixDocument inspectionMedium–High
PayrollHRIS data, reconciliation of employee count vs. payroll expenseAnalytical procedures, recalculationCurrently
SOP ComplianceLog system approval, application audit trailInspection, reperformanceMedium–High
IT ControlUser access test results, log activityReperformanceHigh
Operational processesProcess owner interview resultsInquiryLow

Note the last line: the interview results are at the lowest level of reliability. This is why findings that rely solely on the interviewee's verbal statements are easily invalidated when exit meeting.

Documentation and Management of Audit Evidence

Strong evidence is useless if it is not properly documented. Documentation of audit evidence must meet several requirements:

Traced (traceable) — every finding must be traceable back to its supporting evidence, and every piece of evidence must be traceable to its origins.

Related to working papers — evidence must be connected to the audit procedures in working paper, not just attached as a separate file.

Maintain integrity — there is clarity on who collected it, when, and whether the document was ever changed.

To have-review — there are traces review from the team leader or supervisor before the findings are finalized.

Stored according to the retention period — can be accessed again when follow-up, external audit, or BPK/BPKP audit.

Common Challenges in Collecting Audit Evidence

characteristics of audit evidence related to accuracy of evidence
Illustration of audit evidence (Freepik.com)

In practice, the following obstacles recur in almost all organizations:

The evidence is scattered all over the place. Some in email, some in folder together, some in chat WhatsApp with the auditee. When review, the team spends time searching rather than analyzing.

The document version is unclear. The auditee submitted a revision, but the team is unsure which version was ultimately used as the basis for the findings.

Data requests are pending. The auditee was slow to respond, but there was no formal record of when the request was sent and when it was promised to be completed — making it difficult to escalate.

Footsteps review not recorded. The team leader gave verbal corrections, there is no track record of whether the corrections were followed up.

It's hard to trace at the moment follow-up. Six months later, while verifying the follow-up, the team had difficulty finding the initial evidence on which the recommendation was based.

Multi-location audit. For organizations with multiple branches or work units, consistency of format and completeness of evidence between teams becomes a problem in itself.

Most of these challenges are not auditor competency issues, but rather management system. When audit evidence is managed in a single platform that is connected to working papers, findings, and follow-up, most of the above obstacles disappear by themselves.

Frequently Asked Questions

What is the difference between sufficient and appropriate audit evidence?

Enough (sufficient) refers to the quantity of evidence, while precise (appropriate) refers to its quality—namely, relevance and reliability. Both must be met simultaneously. Excessive but irrelevant evidence will not support the audit conclusion, and vice versa.

What type of audit evidence is most reliable?

In general, the evidence obtained by the auditor directly through recalculation, physical examination, or reperformance has the highest reliability. After that, external evidence received directly from third parties, such as bank confirmations, is considered reliable. Oral evidence from interviews has the lowest reliability.

Can screenshots be used as audit evidence?

Yes, but its reliability is limited because it is easily manipulated and lacks robust metadata. Screenshot It should be accompanied by information about the time of retrieval, the system source, and if possible, supported by direct data export from the system or log application.

How much audit evidence is needed for one finding?

There is no standard number. The amount is determined by the level of risk and the quality of the available evidence. The higher the risk of material misstatement and the lower the quality of the evidence, the more evidence is needed. In principle, the evidence should be sufficient to convince another competent auditor to reach the same conclusion.

What happens if audit evidence is inadequate?

The auditor cannot draw a conclusion on the matter. In an external audit, this could result in a qualified opinion or a disclaimer of opinion. In an internal audit, findings with weak evidence risk being rejected by the auditee or not being acted upon by management.

What is the difference between audit evidence and audit working papers?

Audit evidence is the information gathered, while audit working papers are the documentation that records the procedures performed, the evidence obtained, and the conclusions drawn. Working papers are the container; audit evidence is the content.

Manage Audit Evidence in One Integrated Platform

The quality of audit evidence determines the strength of your findings. However, in practice, the challenge is less understanding the standards than managing the evidence so that it remains traceable, linked to the workpapers, and easily accessible during follow-up.

Audithink helps internal audit teams manage the entire audit cycle in one platform: risk-based planning, evidence collection and documentation, working papers with trails review, to monitoring follow-up recommendations.

Schedule a Demo to see how Audithink can be applied to your organization's audit process.

Consultation on Your Needs and discuss your audit team's specific challenges with our Product Experts.

Find out how the implementation of the audit application can have a positive impact on the company on an ongoing basis.

Consultation on Your Needs

Related Articles

internal audit of mining companies
public sector internal audit
internal audit standards in Indonesia