Audit Evidence Standards & Ensuring Quality and Sufficiency

Ensure audit evidence is sufficient, appropriate, relevant, reliable, and valid by testing data, considering audit objectives, and verifying computerized information systems controls.

Audit evidence must meet specific standards of sufficiency and appropriateness to ensure the validity and reliability of audit findings and conclusions. Auditors are tasked with obtaining enough high-quality evidence to reasonably support their audit objectives, making use of relevant, reliable, and valid criteria while considering the scope and coverage of the audit.

Key Insights

  • Audit evidence sufficiency pertains to the quantity of evidence needed to support audit findings and conclusions, taking into account the audit universe and scope.
  • The appropriateness of audit evidence involves its relevance, reliability, and validity, ensuring that it logically relates to the audit objectives and supports the findings accurately.
  • The reliability of computer-based data used in audits depends on the adequacy of system controls; auditors must test data reliability if it is critical to their findings and conclusions.

This lesson is a preview from our Government Auditor Level I Certificate Program. Enroll in a course for detailed lessons, live instructor support, and project-based training.

This is a lesson preview only. For the full lesson, purchase the course here.

GAGAS requires auditors to obtain sufficient appropriate evidence to provide a reasonable basis for addressing audit objectives and supporting findings and conclusions. This requirement is outlined in GAGAS paragraph 8.90.

Sufficiency refers to the quantity of evidence needed to support findings and conclusions related to audit objectives (GAGAS 8.99).

Appropriateness refers to the quality of evidence and includes its relevance, reliability, and validity (GAGAS 8.102).

Sufficiency of Evidence

In determining sufficiency, auditors must obtain enough evidence to persuade intended users of the validity of findings, the reasonableness of conclusions, and the value of recommendations when applicable. Statistical sampling methods may be used to help establish sufficiency.

Sufficiency is judged relative to the audit universe, meaning the population within the audit scope. The universe may consist of locations, individuals, transactions, programs, or outputs.

Auditors generally have three options when determining coverage:

  • Examine the entire universe.
  • Sample the universe.
  • Limit findings to the portion examined.

The audit scope should provide enough relevant evidence to answer the audit objectives without overstating or generalizing beyond the evidence obtained. Sufficiency ensures that findings are properly supported and not exaggerated.

Relevance of Evidence

Evidence must be logically related to the audit objectives and the specific issues being examined. Evidence is relevant if it helps answer the audit objectives.

Relevant evidence should relate to:

  • The overall audit objectives
  • The audit subject
  • The time period under review
  • The specific performance aspects being examined
  • The finding element to which it pertains

Auditors must also confirm that the criteria used remain current and applicable. Laws, regulations, policies, directives, and best practices can become outdated, so their continued relevance should be affirmed before relying on them.

Elements of a Finding

Evidence typically supports one or more elements of a finding: criteria, condition, cause, and effect.

  • Condition: Evidence must pertain to the audit subject, performance aspects, and relevant time period. Outdated information may not be relevant unless needed for historical context.
  • Effect: Evidence on effect should logically extend from and be consistent with the condition.
  • Cause: Evidence on cause must demonstrate a clear causal relationship to the condition. The cause should be correctable, and auditors should support it with evidence rather than speculation.

When identifying causes, auditors may use benchmarking or comparisons to best practices. Auditors must also demonstrate that corrective action is warranted and that the benefits outweigh the costs.

Appropriateness of Evidence

Appropriateness addresses the quality of evidence and includes relevance, reliability, and validity.

Validity refers to whether the evidence provides a reasonable and meaningful basis for measuring what is being evaluated.

Reliability refers to the consistency and dependability of evidence. Reliable evidence is sufficiently complete and free from significant error so that a reasonable person would not doubt the finding or conclusion based on it.

Reliable evidence is often described as accurate, complete, and authentic. Some error may exist, but it must not be significant enough to undermine confidence in the results.

A useful guiding question is: Are we reasonably confident that our evidence presents a picture that is not significantly different from reality and that our analysis techniques are appropriate?

Computerized Data and Information Systems

When audit evidence relies on computerized data, auditors must determine whether information systems controls are adequate to support the audit objectives.

Auditors should understand:

  • General controls
  • Application controls
  • User controls

The extent of testing depends on how the data will be used. If computerized data serve as the sole support for findings and conclusions, more extensive testing is required. If system controls appear adequate, testing may be more limited.

Assessing the Reliability of Data

Auditors can use practical questions to assess the reliability of data, including:

  • Do individuals who receive the data actually use it?
  • Do users believe the data are accurate and reliable for their purposes?
  • Do users review the data to identify errors?
  • If errors are identified, is there a process for reporting and correcting them?
  • Are corrections confirmed and re-reviewed?

These inquiries help determine whether the data environment supports valid and reliable reporting.

Summary

To comply with GAGAS evidence standards, auditors must obtain evidence that is both sufficient in quantity and appropriate in quality. Evidence must be relevant, reliable, and valid, and it must logically support the audit objectives and findings. When properly applied, these standards ensure that audit conclusions are well supported and credible.

photo of Penny Popps

Penny Popps

Penny N. Popps recently joined the Graduate School USA instructor team in early 2025, teaching in the area of Audit. She is an exceptional leader with over 20 years of private and public sector experience in accounting, audit, compliance, risk management, fraud, and internal controls. A recipient of numerous public service, recognition, and performance awards, she is committed to developing the next generation of financial management and audit professionals.

During her nearly 15 years as a Federal Government Public Servant, Penny held several pivotal transformational leadership roles, including serving as the first Fraud Risk Manager at the U.S. Small Business Administration (SBA), where she successfully helped mature its Fraud Risk Management Program.

She holds a B.B.A. in Accounting from the University of Texas at Arlington, an MBA from Texas Woman’s University, an Advanced Technical Certificate in Professional Accountancy from Dallas College, and multiple professional credentials, including Certified Fraud Examiner (CFE), Certified Internal Controls Auditor (CICA), Department of Defense Financial Management Certification, and an ICF Associate Certified Coach (ACC) Certification.

Prior to her tenure at SBA, Penny spent more than six years at the Department of Housing and Urban Development (HUD), managing projects that advanced the delivery of affordable, safe, and decent housing while safeguarding HUD programs from fraud, waste, and abuse. She led multiple audit teams in conducting complex quality control reviews of independent public accounting firms, CIGIE reviews, financial assessments, staffing studies, and annual OMB A-123 risk assessment reviews for the Accountability, Integrity, & Risk (AIR) Program.

During her federal career, Penny also served as the Branch Chief of Financial Reporting at the DHS ICE OCFO, Office of FM–Financial Service Center. She oversaw the operations of the Payroll and Fund Balance with Treasury Units for all DHS ICE components, which processed approximately $5.2 billion in payroll transactions and reconciled $10.1 billion in cash transactions, significantly improving financial management operations.

She also led and supervised audit teams at the Defense Contract Audit Agency (DCAA), recovering millions in questioned costs from contractors. In state government, she recovered millions in sales and use tax dollars owed to the Texas State Comptroller of Public Accounts, ensuring taxpayer funds were used responsibly and efficiently.

Penny’s private-sector experience includes helping build successful internal audit divisions at major corporations such as Essilor Group and Fossil Group. Throughout her career, she has continued to expand her expertise while paying it forward by mentoring, coaching, and training professionals entering the accounting, audit, compliance, risk management, fraud, and internal controls fields.

Deeply committed to service, Penny is passionate about her philanthropic and volunteer work, especially with Alpha Kappa Alpha Sorority, Inc. and the Junior League of Washington. Her mission is to provide service to all mankind throughout her career, retirement, and life. She currently resides in Alexandria, VA, and enjoys spending her leisure time reading.

More articles by Penny Popps

How to Learn Auditing

Build practical, career-focused federal auditing skills through hands-on training designed for beginners and professionals alike. Learn fundamental tools and workflows that prepare you for real-world projects or industry certification.