Module 5: Audit Evidence and Triangulation

OVERVIEW

The audit team aims to obtain sufficient, relevant, and reliable audit evidence to ensure that
the contents of the audit report stand up to critical review. When providing an audit opinion
as in a Statement of Assurance, the evidence should allow for reaching a conclusion with
reasonable assurance.

CONCEPT OF AUDIT EVIDENCE

Audit evidence is all the information used by the auditor in arriving at the conclusions on
which the audit opinion is based and includes the information contained in the accounting
records underlying the financial statements and other information. Auditors are not
expected to examine all information that may exist. Audit evidence, which is cumulative in
nature, includes audit evidence obtained from audit procedures performed during the audit
and may include audit evidence obtained from other sources, such as previous audits and a
firm's quality control procedures for client acceptance and continuance.

Accounting records generally include the records of initial entries and supporting records,
such as checks and records of electronic fund transfers; invoices; contracts; the general and
subsidiary ledgers, journal entries, and other adjustments to the financial statements that
are not reflected in formal journal entries; and records such as worksheets and
spreadsheets supporting cost allocations, computations, reconciliations, and disclosures. The
entries in the accounting records are often initiated, authorized, recorded, processed, and
reported in electronic form. In addition, the accounting records may be part of integrated
systems that share data and support all aspects of the entity's financial reporting,
operations, and compliance objectives.
Management is responsible for the preparation of the financial statements based on the
accounting records of the entity. The auditor should obtain audit evidence by testing the
accounting records, for example, through analysis and review, reperforming procedures
followed in the financial reporting process, and reconciling related types and applications of
the same information. Through the performance of such audit procedures, the auditor may
determine that the accounting records are internally consistent and agree to the financial
statements. However, because accounting records alone do not provide sufficient
appropriate audit evidence on which to base an audit opinion on the financial statements,
the auditor should obtain other audit evidence.

Other information that the auditor may use as audit evidence includes minutes of meetings;
confirmations from third parties; industry analysts' reports; comparable data about
competitors (benchmarking); controls manuals; information obtained by the auditor from
such audit procedures as inquiry, observation, and inspection; and other information
developed by or available to the auditor that permits the auditor to reach conclusions
through valid reasoning.

SUFFICIENCY

Sufficiency relates to the quantity of audit evidence - auditors should collect enough
evidence to enable them to substantiate their conclusions in relation to the audit objective.
Audit evidence is sufficient if there is enough of it to persuade a reasonable person that the
audit findings and conclusions are valid, and that the recommendations are appropriate.
Auditors typically do not examine all data available. This would be impractical, prohibitively
costly and unnecessary, as conclusions and opinions can generally be reached by using
sampling and other means of selecting items for testing. There is no formula to express in
absolute terms how much evidence there must be for it to be considered sufficient.
However, the quantity needed is affected by the degree of risk and the quality of such audit
evidence - the higher the quality, the less evidence may be required.

RELIABILITY

Audit evidence is reliable if it fulfills the necessary requirements for credibility if the same
findings arise when tests are carried out repeatedly or when information is obtained from
different sources. The reliability of audit evidence is affected by its source and type and is
dependent on the circumstances under which it is obtained. While recognizing that
exceptions may exist, audit evidence is considered more reliable when it is:

 provided by original documents rather than photocopies or faxes

 in documentary form, whether paper, electronic, or another medium, rather than
verbal statements. However, correspondence, memos and reports may be
incomplete, ambiguous or even incorrect, whilst interviews can provide an in-depth
understanding not only of facts, but also of constraints and the environment.
Nevertheless, evidence collected from interviews needs to be corroborated from
other sources;
 obtained directly by the auditor (e.g., observation of the application of a control,
computation) rather than indirectly (e.g., inquiry about the application of a control);
  obtained from independent sources outside the entity (e.g., confirmation received
from a third party), as opposed to being generated within the auditee organization or
if the third party is related to the auditee organization;
 subject to effective related controls if internally generated because strong internal
controls within the auditee organization can improve the quality of information
obtained. Testing the auditee's internal controls over information, including general
and application controls over computer-processed data can help in evaluating the
accuracy and completeness (reliability) of such information.

SOURCES OF EVIDENCE

Audit evidence may emanate from the following sources:

Sources Examples of evidence Quality as

evidence

Generated Direct inspection and observation, records of Highest

directly by the interviews or focus group discussion, questionnaire,
auditors analysis of survey responses, analysis, computation,
analytical review of financial statements, individual
accounts, and expenditure trends.

Provided by Third-party confirmations (e.g., from banks); work of Higher

third parties other auditors such as the Supreme Audit Institution
external to the or the certifying bodies of the member states; reports
entity of auditor's experts; national statistical data.

Provided by the Data from databases, documents, accounting and Lower, due to
auditee budget information, activity statements, management potential bias
representations (Annual activity reports and
statements by the Directorates-General), impact
assessments and evaluations, and internal audit
reports.
TYPES OF EVIDENCE

Audit evidence may be physical, documentary, oral or analytical.

Types of Examples of evidence

evidence

Physical Notes, photographs, drawings, samples, or audiovisual material

obtained from direct inspection or observation of people, property, or
events.

Documentary Documents, accounting records, management representations and

reports, policies, manuals and procedures, system descriptions, letters,
contracts, literature, the internet, postal or web-based surveys.

Oral Summary of information obtained through inquiry or interviews of

auditee staff or third parties; also, through focus groups, expert panels
in performance audits, or reviews.

Analytical Such evidence is obtained by using professional judgment to evaluate

physical, documentary, and oral evidence through reasoning,
reclassification, computation, and comparison, including ratio analysis,
regression analysis, and benchmarking.

CORROBORATION

Different sources should be employed when collecting evidence to make it more persuasive.
Audit evidence provides a higher degree of confidence when items of evidence from
different sources or of a different nature are consistent with one another. This is known as
corroboration or triangulation. In addition, obtaining audit evidence from different sources
or of a different nature may indicate that an individual item of audit evidence is not reliable.
Conversely, when audit evidence obtained from one source is inconsistent with that
obtained from another, the audit team should determine what additional audit procedures
are necessary to resolve the inconsistency and thus allow the information to be used as
audit evidence.

RELEVANCY

For evidence to be relevant, it should help to answer the audit objective or assertion.
Relevance also bears upon the audit criteria, audit findings, and the purpose of the audit
procedure.
The more an audit objective is judgment-based (like in performance audits), the more likely
the audit evidence available is to be persuasive ("points towards the conclusion that...")
than conclusive ("right/wrong") in nature.

Relevance also requires the evidence to apply to the period under review. If the audit
objective so requires, the total evidence must be representative of the entire period being
audited.

AUDIT CONSIDERATIONS

There are no precise guidelines to measure the degree of proof required. When evaluating
audit evidence for sufficiency, reliability, and relevancy, the auditor uses professional
judgment and exercises professional skepticism. These qualities are interrelated and must
be considered together with the objective and context of the audit and the nature of the
audit finding:

 High-quality evidence can lead to a reduction in the need for a large quantity of
evidence; a large quantity of evidence can sometimes, but not always, be
persuasive, even though individual pieces of evidence are not of high quality.
However, merely obtaining more evidence does not compensate for its poor quality.
 The higher the combined level of inherent and control risks, the more persuasive
evidence the audit team needs to obtain directly, e.g., through tests of details in
financial and compliance audits. Similarly, the greater risk of making incorrect
findings, reaching invalid conclusions, legal action, controversy, or surprise from
reporting an audit finding, the higher the standard of evidence needed.
 While the audit team can obtain some audit evidence by testing the database records
(e.g., by computation or analysis), this alone is not persuasive enough as evidence
on which to base an audit conclusion about the characteristics of the underlying
transactions, and other procedures should also be used, e.g., inspection,
observation, inquiry, and confirmation.
 The higher the level of materiality in monetary terms or the significance of the audit
finding, the higher the standard of evidence required.
 The auditor should balance the persuasiveness of evidence against the cost of
obtaining it. At some point, the cost of obtaining more evidence will outweigh the
improved persuasiveness of the total body of evidence.
 The auditor should consider the purpose for which the evidence will be used. A
higher standard is required for evidence supporting its findings than for background
information provided in the audit report.
 In performance audits, important facts are often not of an individual nature, but
rather comprise several interrelated facts. The strength of the combined facts may
be as important, r even more so, than the strength of the individual facts.
 Useful information may not always be documented, thus also necessitating the use of
other approaches than the documentary review.
 Whilst the physical evidence is usually the most persuasive, the auditors must be
aware that their presence may distort what would normally occur, thus reducing the
quality of the evidence.
 Oral evidence may be important, as information obtained in this manner is up-to-
date and may not be available elsewhere. However, information should be
corroborated, and statements confirmed if they are being used as evidence. Only on
 the rarest of occasions will the auditor accept information obtained in interviews to
be reliable.

Detailed assessments of information needs should be carried out at both the audit planning
and examination phases so that the auditors are not swamped by excessive data.

Evidence is obtained at the audit examination phase by carrying out a mixture of audit
procedures to collect and analyze data. The audit team needs to make a judgment as to
which method of obtaining persuasive evidence will be suitable for the audit objective. They
need to also consider the extent of their skills in designing and applying the methods, as
their skills will determine the quality of the evidence.

TRIANGULATION OF AUDIT EVIDENCE IN FRAUD RISK ASSESSMENTS

Recent regulation both in the USA (SAS 99; AICPA, 2002; PCAOB, 2007) and internationally
(ISA 240) has placed increased responsibility on auditors for the detection of financial
statement fraud. The Public Company Accounting Oversight Board (PCAOB) has reminded
auditors of the importance of being diligently focused on their responsibilities to detect fraud
(PCAOB, 2007, PCAOB, 2008). However, fraud can be difficult to detect as “some members
of management may even seek to conceal outright fraud by strategically altering
information they expect the auditor will obtain as evidence” (Bell, Peecher, & Solomon,
2005, p. 19).

This changing regulatory environment, as well as society’s demand for greater protection,
implies increasing minimum evidence requirements and increased responsibilities for
auditors in relation to fraud detection (Peecher, Schwartz, & Solomon, 2007). This focuses
interest on how auditors respond to different types of evidence when making fraud-related
judgments. With the aim of meeting society’s expectations with respect to financial
statement fraud, new evidence frameworks have been developed. In Bell et al. (2005) the
concept of evidentiary triangulation is positioned as a conceptually normative way for
auditors to acquire and evaluate complementary sources of evidence and to rely on that
evidence in updating their risk assessments.

As part of triangulation, the auditor can obtain evidence from the management-controlled
financial statement process, management-controlled evidence depicting performance in key
business processes (e.g., internal controls, production, and marketing reports), or external
evidence on whether a key business objective has been attained (e.g., information from
customers or other external parties). The use of this external evidence is of particular
interest because it is not easily manipulated by management compared with other sources
of evidence that are subject to different degrees of management influence (Peecher et al.,
2007).

Understanding the use of evidentiary triangulation (hereafter referred to as ‘triangulation’)

by auditors is important given the view that “triangulation enables audit quality
improvement”, particularly in situations where the auditor is concerned about intentional
misstatement (Bell et al., 2005, p. 29). Specifically, Peecher et al. (2007) notes that while
the triangulation framework provides considerable promise for improving auditor fraud
detection capabilities, there is a need for research that demonstrates more precisely the
conditions under which external evidence, providing information about underlying business
performance, can better detect material misstatements that stem from management fraud
(Peecher et al., 2007). It is this question that we address.

ILLUSTRATION

In the context of accounting fraud, we test hypotheses for auditors’ use of external evidence
depicting the performance of a key business process. Management has implemented an
accounting fraud involving overstated client revenue (and profitability) using one of two
types of strategies to conceal the fraud (‘concealment strategies’). The two concealment
strategies produce financial results that have different levels of compatibility with the
client’s strategic business objectives and results of operations during the period. In all
treatments, the controller provided the same fraudulent explanation for the higher-than-
expected revenue number. To assess fraud risks at the planning stage of an audit, senior
auditors were given the unaudited financial statement numbers (under the two different
concealment strategies), business process performance evidence, and external evidence on
levels of achieved customer satisfaction for increased sales. Given both consistent and
inconsistent fraud risk implications for profiles of the financial statement and internal
business process performance evidence, we examine the impact of fraud risk assessments
of external evidence on the performance of a key business objective.

There are three major contributions of this research. First, in an environment where there is
increased emphasis on fraud detection, there is a need to rethink the types of evidence
used (Hammersley, 2011, Hoffman and Zimbelman, 2009, Peecher et al., 2007). Here we
examine fraud risk assessments of auditors when they simultaneously use different sources
of evidence that are subject to different degrees of management influence. While some
forms of evidence can be manipulated by management, other evidence is generally more
difficult to manipulate as it comes from outside the organization.

Second, as suggested by Peecher et al. (2007), there is a need for research that addresses
the conditions under which auditors are more versus less likely to engage in triangulation.
Importantly, we find that external evidence, related to key business objectives, impacts
fraud assessments when the implications of two types of management-controlled evidence
are inconsistent. However, given the ability of management to manipulate this evidence,
external evidence related to business objectives should also be useful to detect fraud in
situations where the two types of evidence controlled by management both consistently
suggest a low likelihood of fraud. This was not the case in our study even though it is this
very situation where external evidence should be of most benefit in detecting fraud.

Third, we report results on the ability of auditors to use evidence on the performance of the
client’s business model to assess the risk of a (seeded) accounting fraud. We manipulate the
financial statements such that there is either relatively high or low compatibility of the
asserted financial statement numbers with the design and performance of the client’s
business model. While a lack of compatibility does not necessarily indicate a misstatement,
it should result in auditors refining their misstatement and non-misstatement expectations
(Peecher et al., 2007). We find that auditors can use evidence on the performance of the
client’s business model, and its compatibility with the financial statements, to interpret
appropriately the fraud risk implications.