Gathering Relevant, Reliable Evidence for Testing Internal Controls

In a previous blog, we discussed Internal Control Testing. Evidence is a critical component of internal control testing. Management and auditors expect to obtain persuasive evidence to support the determination that internal controls are present and functioning. What is persuasive evidence? In this blog, we will discuss internal control evidence.

To be persuasive, evidence should satisfy the following four attributes.

4 Attributes of Persuasive Evidence

  • Relevance: The relevance of evidence refers to its relationship to the assertion or to the objective of the control being tested. For example, a control may be worded “Bank reconciliations are reviewed and approved by the Controller.” What is the relevant evidence for this control? Bank reconciliations with documented evidence of review and approval by the Controller.
  • Reliability: The reliability of evidence refers to the nature and source of the evidence and the circumstances under which it is obtained. Usually, several scenarios apply.
    • Evidence obtained from an independent third party is more reliable than evidence obtained from internal organization sources.
    • Evidence obtained is more reliable if the organization has an effective internal control system.
    • Evidence obtained from secure information systems is more reliable than manually manipulated information.
    • Evidence obtained directly is more reliable than evidence obtained indirectly.
    • Evidence based on independent analysis/calculation by auditors or testers is more reliable.
    • Evidence provided by original documents is more reliable than evidence provided by copies.
  • Sufficiency: The sufficiency of evidence refers to the amount of evidence that is adequate and convincing to support the conclusions drawn by management and auditors. For example, a control may be worded “All payment checks over $10,000 must obtain dual signatures by project managers based on the delegation of authorities.” Is one check with proper dual signatures sufficient to support the conclusion that the control is in place and effective? The answer is NO. Management and auditors should gather sufficient evidence through effective sampling. How much is sufficient? Sufficiency is a matter of professional judgment, so there is no fixed number. Management and auditors should demonstrate their judgment in determining the size of population to review in order to support their conclusions. Management and auditors should also demonstrate their sampling methods, e.g. random sampling, judgmental sampling or fixed interval sampling.
  • Timeliness: The timeliness of evidence has two meanings: 1) the evidence obtained should be from the proper time period; and 2) the timing of the testing procedure used to test the assertion or control. For example, if you test a control for year 2016, evidence from 2015 or 2014 won’t support the effectiveness of the control in 2016.

5 Types of Evidence

The four attributes together make persuasive evidence. After discussing the attributes of evidence, let’s discuss the types of evidence. Usually, there are five types of evidence.

  • Physical evidence: Physical evidence first includes physical examination. Physical examination is a combination of observation and inspection. This type of evidence is usually associated with assets, such as inventory and cash. For example, testers or auditors count inventory at the year-end or count petty cash quarterly. Physical evidence also includes observation and inquiries. When there is no documented evidence for a control, testers or auditors need to observe or inquire, then document what has been observed and inquired as the evidence for the control. For example, a system control may be worded “Invoices related to intercompany are posted through the A/P module of the general ledger which posts all necessary entries (expenses, due to/from and the vendor liability) on both entities' books.” How do you test this control? Observation may be the best way: observe intercompany invoices being posted in the A/P module to ensure this system control is functioning.
  • Documentation: Documentation includes records or documents, whether internal or external, in paper form, electronic form, or other media. Inspecting documentation is a frequently used testing method. An example of inspection used as a test of controls is inspection of records for evidence of authorization and approval.
  • Re-performance: In the blog Internal Control Testing, we discussed the testing methods and one of them is re-performance. Re-performance is not only a testing method but also a form of evidence. Re-performance involves the independent execution of procedures or controls that were originally performed by organization personnel. A familiar example of re-performance is to recalculate key spreadsheets confirming their accuracy, then document the procedures performed and draw conclusions.
  • Analytical procedures: Analytical procedures are often used by external auditors to help them understand an organization’s business and changes in the business. Analytical procedures consist of evaluations of financial information and include the investigation of significant differences from expected amounts. An example is using analytical procedures to assess an organization’s ability to continue as a going concern. However, analytical procedures are seldom used to test internal controls.

Now that we have covered the attributes and types of evidence, we offer a downloadable file, Best Practices in Internal Control Evidence, with best practices for maintaining internal control evidence. Please let us know if you have any comments or questions.


Emma Zhang is an experienced audit professional, with more than six years of internal audit and Sarbanes Oxley (SOX) compliance experience focusing on operations, accounting, internal controls and process improvement. Competencies include operational auditing, accounting, management consulting, Sarbanes Oxley (SOX) compliance, audit planning and risk assessments, operational/financial planning and analysis, and data analysis. Emma is a resourceful, creative thinker and analytical problem solver with demonstrated ability to independently manage tasks from planning through execution in dynamic, fast-paced, and time-sensitive environments. Emma is a CPA with a CFE certificate. Emma is also a Blackline Certified Implementation Professional and helps clients implement the Blackline system.