ISA 500 – Audit Evidence

by

ISA 500 (Revised) EXPLAINS what constitutes Audit Evidence in an ‘Audit‘ of Financial Statements and DEALS with the auditor’s responsibility to DESIGN and PERFORM audit procedures to obtain sufficient appropriate audit evidence.

International Standards on Auditing
IAASB Standard Issued by: IAASB
Effective: Global Adoption
Topic: Audit Evidence
Replaces: ISA 500 (2004)

Introduction

What is ISA 500?

ISA 500, titled “Audit Evidence,” is one of the foundational International Standards on Auditing issued by the International Auditing and Assurance Standards Board (IAASB). It establishes the framework auditors must follow when designing and performing audit procedures to obtain sufficient appropriate audit evidence to draw reasonable conclusions upon which to base the audit opinion.

Every financial statement audit conducted under ISAs relies on ISA 500 as its evidence-gathering backbone. Without a sound understanding of this standard, auditors cannot fulfill their fundamental professional obligation providing an independent, evidence-based opinion on whether financial statements are presented fairly in all material respects.

The objective of the auditor is to design and perform audit procedures in a way that enables the auditor to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the auditor’s opinion.

ISA 500, Paragraph 4

ISA 500 applies to all audits of financial statements conducted in accordance with International Standards on Auditing. It works in close conjunction with other ISAs, particularly ISA 315 (identifying and assessing risks) and ISA 330 (responding to assessed risks) forming an integrated evidence-gathering cycle throughout the Audit Engagement.

Core Purpose

Objective of ISA 500

The standard’s primary objective is straightforward but demanding in practice: auditors must obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. This twin criterion i.e. sufficiency and appropriateness, forms the conceptual heart of the standard.

The auditor’s opinion cannot be based on intuition, professional guesswork, or management representations alone. ISA 500 demands that every material assertion in the financial statements be supported by corroborating evidence gathered through systematic audit procedures.

Key Principle: Audit evidence is cumulative in nature. Auditors obtain evidence progressively throughout the audit, not just at a single point. Each procedure adds to or refines the evidentiary base used to form the final opinion.

Foundational Definitions

Key Concepts in ISA 500

ISA 500 introduces and clarifies several critical concepts that shape how auditors approach evidence-gathering. Understanding these definitions precisely is essential for consistent professional application.

Sufficiency

Sufficiency is the measure of the quantity of audit evidence. The quantity required is influenced by the auditor’s assessment of the risks of material misstatement, and also by the quality of the evidence obtained. Higher risk generally requires more evidence; however, gathering more evidence of poor quality does not compensate for its inadequacy.

Appropriateness

Appropriateness is the measure of the quality of audit evidence, its relevance and its reliability in providing support for the conclusions on which the auditor’s opinion is based. Relevant evidence addresses the specific assertion being tested; reliable evidence is obtained through methods and sources considered trustworthy under professional standards.

Audit Evidence Defined

Under ISA 500, audit evidence refers to information used by the auditor in arriving at the conclusions on which the auditor’s opinion is based. Audit evidence includes both information contained in the accounting records underlying the financial statements and other information obtained through inquiry, observation, inspection, and analytical procedures.

Sources and Forms of Audit Evidence

📄

Accounting Records

Records of initial entries and supporting records such as checks and electronic fund transfers, invoices, contracts, journals, ledgers, and worksheets supporting cost allocations.

🏢

External Sources

Information obtained from sources outside the entity, including confirmations from third parties, market data, analyst reports, and publicly available information.

👁️

Auditor-Generated

Evidence produced directly by the auditor through observation, re-performance, recalculation, and analytical procedures performed during the audit.

📋

Management Representations

Written representations from management, recognised as a necessary form of evidence but one that requires corroboration through other independent procedures.

Methods of Evidence Gathering

Audit Procedures Under ISA 500

ISA 500 recognises several categories of audit procedures for obtaining evidence. These procedures are applied across risk assessment, tests of controls, and substantive testing phases of the audit.

  1. Inspection Examining records, documents, or tangible assets. Inspection of records and documents provides varying degrees of reliability depending on their nature and source. Physical inspection of tangible assets provides reliable evidence about existence but not necessarily valuation or ownership.
  2. Observation Looking at a process or procedure being performed by others, such as attending inventory counts. Evidence from observation pertains only to the point in time when it is performed and does not guarantee the procedure is carried out the same way at other times.
  3. External Confirmation Obtaining a direct written response from a third party (the confirming party) in paper or electronic form. External confirmation is particularly powerful for asserting the existence of account balances, such as bank balances or accounts receivable, due to its independence from the client.
  4. Recalculation Checking the mathematical accuracy of documents or records, either manually or electronically. This provides highly reliable evidence for the accuracy assertion but is limited in scope to mathematical correctness.
  5. Re-performance The auditor’s independent execution of procedures or controls that were originally performed as part of the entity’s internal control. It provides strong evidence that controls actually function as described.
  6. Analytical Procedures Evaluations of financial information through analysis of plausible relationships among both financial and non-financial data. ISA 520 governs these procedures in detail; their use as substantive tests depends on the precision with which they can detect misstatements.
  7. Inquiry Seeking information from knowledgeable persons, both financial and non-financial, within or outside the entity. Inquiry alone is insufficient and must be corroborated. Management’s responses to inquiries, while important, are inherently less reliable than independently obtained external evidence.

Professional Judgment Considerations

Factors Affecting Reliability of Audit Evidence

ISA 500 acknowledges that not all evidence carries equal weight. Several generalizations while not absolute rules, guide auditors in evaluating the reliability of evidence obtained:

FactorHigher ReliabilityLower Reliability
SourceExternal sources (e.g., confirmations)Internal sources with weak controls
NatureDocumentary evidence obtained directlyOral evidence (inquiries alone)
Internal ControlEntity has effective internal controlsWeak or unreliable internal controls
Original vs. CopyOriginal documentsPhotocopies, faxes, scanned documents
Auditor InvolvementObtained directly by the auditorProvided by management without verification
CorroborationConsistent with other evidenceInconsistent or contradicted by other evidence

Important: These are generalizations. The auditor must exercise professional judgment when evaluating specific pieces of evidence. A single reliable piece of evidence may outweigh multiple less-reliable items in certain circumstances.

Standard Requirements

Specific Requirements of ISA 500

Using Information Produced by the Entity

When audit evidence consists of information produced by the entity, the auditor must evaluate whether the information is sufficiently reliable for the auditor’s purposes. This includes, where necessary, obtaining audit evidence about the accuracy and completeness of the information, and evaluating whether it is sufficiently precise and detailed for the auditor’s purposes.

Selecting Items for Testing

The auditor must select appropriate items to test by using professional judgment to determine which specific items should be selected. Auditors typically use one or a combination of three selection methods: all items (100% examination), specific items, or audit sampling as governed by ISA 530.

Inconsistency in, or Doubts over Reliability of, Audit Evidence

If audit evidence from one source is inconsistent with evidence from another, or if the auditor has doubts about the reliability of information to be used as audit evidence, the standard requires the auditor to determine what modifications or additions to audit procedures are necessary to resolve the matter, and consider its effect on other aspects of the audit.

Relationship to Financial Statement Assertions

A critical requirement under ISA 500 is that audit evidence must be linked to specific financial statement assertions, the representations by management embedded in the financial statements. These assertions include:

Existence / Occurrence

Assets, liabilities, and equity interests exist; transactions have occurred and pertain to the entity.

Completeness

All assets, liabilities, and transactions that should be recorded have been recorded.

Accuracy / Valuation

Amounts and other data have been recorded appropriately and at appropriate amounts.

Cut-off & Classification

Transactions have been recorded in the correct period and in the appropriate accounts.

Common Questions

Frequently Asked Questions – ISA 500

What is the difference between sufficient and appropriate audit evidence?

Sufficiency refers to the quantity of evidence i.e. how much evidence an auditor collects. Appropriateness refers to the quality of that evidence, encompassing both its relevance (does it address the assertion being tested?) and reliability (is it from a trustworthy source and obtained through a sound method?). The two concepts are interrelated: higher quality evidence may reduce the quantity required, but poor quality evidence cannot be compensated for simply by gathering more of it.

Can management representations alone constitute sufficient audit evidence?

No. ISA 500 is clear that while written representations from management (governed in detail by ISA 580) are a form of audit evidence, they are not sufficient on their own for any material financial statement assertion. Representations from management do not affect the need for other audit evidence, and their reliability is inherently lower because they come from a party that has a direct interest in the financial statements.

How does ISA 500 interact with ISA 315 and ISA 330?

ISA 315 governs the identification and assessment of risks of material misstatement through understanding the entity and its environment. ISA 330 requires auditors to design and implement responses to those assessed risks. ISA 500 then underpins both standards by defining what constitutes valid audit evidence and how it must be obtained. Together, they form the risk-response-evidence cycle that drives a modern risk-based audit.

Does ISA 500 apply to reviews and assurance engagements?

No. ISA 500 specifically applies to audits of financial statements conducted under ISAs. For limited assurance review engagements, ISRE 2400 and ISRE 2410 apply. For other assurance engagements, ISAE 3000 is relevant. These standards have their own evidence-gathering frameworks, generally with lower evidence thresholds commensurate with the lower level of assurance provided.

What happens when audit evidence is contradictory or unreliable?

ISA 500 requires the auditor to resolve such inconsistencies. This may involve performing additional procedures to gather further corroborating evidence, reconsidering the assessed risk level and adjusting the audit approach accordingly, or, where the matter cannot be resolved satisfactorily, considering the implications for the auditor’s report. Auditors must document how contradictions or concerns about reliability were resolved in the audit file.

Is digital or electronic evidence treated differently under ISA 500?

ISA 500 does not prescribe specific rules for electronic evidence but provides principles applicable to all forms. The auditor must evaluate the reliability of electronic evidence by considering the controls over its creation, transmission, and storage. Electronic confirmations, for example, are addressed in ISA 505, which requires specific procedures to validate the authenticity of electronically received confirmations. The increasing use of data analytics does not change the fundamental evidence requirements.