Key Takeaways

  • ISA 500 is the foundational standard for audit evidence — it establishes what constitutes evidence, how the auditor obtains it, and how its quality is evaluated. Every audit procedure exists to obtain audit evidence.
  • Sufficiency is the measure of the quantity of evidence. Appropriateness is the measure of its quality — comprising relevance (does it relate to the assertion being tested?) and reliability (can it be trusted?).
  • Sufficiency and appropriateness are interrelated: higher-quality evidence may reduce the quantity needed, and higher assessed risks require more or better evidence. But more evidence of poor quality does not compensate for lack of quality.
  • The standard identifies seven types of audit procedures: inspection (of records and tangible assets), observation, inquiry, confirmation, recalculation, re-performance, and analytical procedures. These can serve as risk assessment procedures, tests of controls, or substantive procedures depending on context.
  • Evidence reliability follows a hierarchy: external sources are generally more reliable than internal ones, auditor-generated evidence is more reliable than entity-generated evidence, documentary evidence is more reliable than oral representations, and original documents are more reliable than copies.
  • When using information produced by the entity as audit evidence, the auditor must evaluate its accuracy and completeness. When using information from external sources or management's experts, the auditor must consider competence, objectivity, and the relevance and reliability of the work.
  • If audit evidence from one source is inconsistent with evidence from another, the auditor must determine what additional procedures are needed to resolve the inconsistency.

What is ISA 500?

ISA 500, titled "Audit Evidence," is the conceptual backbone of audit fieldwork. While ISA 315 identifies risks and ISA 330 designs responses, ISA 500 governs what those responses actually produce — evidence — and how the auditor evaluates whether it is good enough.

The standard operates at a principles level. It does not prescribe specific procedures for specific accounts (ISA 501 does that for selected items, ISA 505 for confirmations, ISA 540 for estimates). Instead, ISA 500 establishes the framework within which all other evidence-gathering standards operate.

A revision of ISA 500 is currently underway as part of the IAASB's Audit Evidence project (combined with ISA 330 and ISA 520). The proposed ISA 500 (Revised) enhances guidance on evaluating the relevance and reliability of information intended to be used as audit evidence, including from external information sources and technology-generated data. Until the revision is finalised, the current ISA 500 remains in effect.

Sufficient Appropriate Audit Evidence

ISA 500.6 establishes the core concept:

Sufficiency — the measure of quantity. The quantity of evidence needed depends on the assessed risk of misstatement (higher risk = more evidence) and the quality of evidence obtained (higher quality = less quantity may suffice).

Appropriateness — the measure of quality, comprising:

  • Relevance — the logical connection between the evidence and the assertion being tested. Evidence about the existence of a receivable is not relevant to its valuation. Evidence about the design of a control is not relevant to its operating effectiveness.
  • Reliability — the degree to which the evidence can be trusted to provide accurate information about the assertion.

The reliability hierarchy

ISA 500.A31 provides general principles about reliability (though all are subject to important exceptions):

More Reliable | Less Reliable
Evidence from independent external sources | Evidence from internal sources
Evidence generated by the auditor (re-performance, recalculation) | Evidence obtained from the entity
Documentary evidence (written, electronic) | Oral representations
Original documents | Copies (photocopies, scans, faxes)
Evidence from effective internal controls | Evidence from weak or absent controls

These are generalisations — the auditor must always consider the specific circumstances. An internal document produced by a well-controlled process may be more reliable than an external document of unknown provenance.

The Seven Types of Audit Procedures

ISA 500.A14–A25 describes the seven fundamental types of audit procedures. Every audit test is built from one or more of these:

1. Inspection of records and documents

Examining records or documents — internal or external, in paper or electronic form. Provides evidence of varying reliability depending on the source and the effectiveness of controls over the document's production. Inspecting a bank statement confirms the balance; inspecting a purchase order confirms that the purchase was authorised.

2. Inspection of tangible assets

Physical examination of assets — such as inventory, fixed assets, or cash. Provides reliable evidence about existence but not necessarily about rights and obligations (ownership) or valuation.

3. Observation

Looking at a process or procedure being performed by others — such as observing inventory counting or the performance of control activities. Observation is limited to the point in time at which it occurs and may be affected by the fact that being observed changes behaviour.

4. Inquiry

Seeking information from knowledgeable persons — both financial and non-financial, within or outside the entity. Inquiry can be formal (written) or informal (oral), and ranges from structured questionnaires to casual discussions. Inquiry alone is generally not sufficient as audit evidence for most assertions — it must be corroborated by other procedures.

5. Confirmation

A specific type of inquiry — obtaining a direct written response from a third party to the auditor. Covered in detail by ISA 505. Confirmations are particularly relevant for existence and rights assertions (bank balances, receivables, investments held by custodians).

6. Recalculation

Checking the mathematical accuracy of documents or records — manually or using technology. Recalculating depreciation schedules, interest accruals, tax computations, or pension obligations.

7. Re-performance

The auditor's independent execution of procedures or controls that were originally performed by the entity. Re-performing a bank reconciliation, re-performing a three-way match for purchases, or re-performing a journal entry authorisation check.

8. Analytical procedures

Evaluating financial information through analysis of plausible relationships among financial and non-financial data. Covered in detail by ISA 520. Can serve as risk assessment procedures (ISA 315), substantive procedures (ISA 330), or overall review procedures (ISA 520).

Matching procedures to assertions

One of the most common audit quality deficiencies is performing procedures that do not address the relevant assertion. Testing whether a receivable exists (by confirming the balance with the customer) does not tell you whether it is recoverable (valuation). Testing whether a payment was properly authorised (test of controls — occurrence) does not tell you whether the amount was correctly recorded (accuracy). Always start from the assertion you need to test and work backwards to the procedure that provides evidence about that specific assertion.

Using Information as Audit Evidence

Information produced by the entity

ISA 500.9 requires the auditor, when using information produced by the entity as audit evidence, to evaluate whether the information is sufficiently reliable for the auditor's purposes. This includes:

  • Obtaining evidence about the accuracy and completeness of the information.
  • Evaluating whether the information is sufficiently precise and detailed for the purpose.

For example, if the auditor uses the entity's fixed asset register to recalculate depreciation, the auditor must first verify that the register is complete and accurate — otherwise the recalculation is built on unreliable data.

Information from external sources

When using information from external sources (e.g., market data, industry benchmarks, published interest rates, valuation indices), the auditor considers the source's credibility, the process by which the information was prepared, and whether it is relevant and reliable for the auditor's purpose.

Information from management's experts

ISA 500.8 addresses situations where the entity uses an expert (actuary, valuer, engineer) to prepare financial statement information. The auditor must:

  • Evaluate the competence, capabilities, and objectivity of the expert.
  • Obtain an understanding of the expert's work.
  • Evaluate the appropriateness of the expert's work as audit evidence.

This does not require the auditor to second-guess specialist expertise, but the auditor must understand the expert's methodology, assumptions, and data sources well enough to evaluate whether the output is reasonable audit evidence.

Selecting Items for Testing

ISA 500.10 requires the auditor to determine means of selecting items for testing that are effective in meeting the purpose of the audit procedure. The options are:

Selecting all items (100% examination) — appropriate for small populations, high-value items, or significant risks where anything less than complete testing would not provide sufficient evidence.

Selecting specific items — targeting particular items based on their characteristics (high-value items, items older than a threshold, unusual items, items identified as risk indicators). Provides evidence about those specific items but does not allow projection to the population.

Audit sampling — selecting items such that each sampling unit has a chance of being selected, enabling the auditor to project the results to the population. Governed by ISA 530.

Inconsistent Evidence

ISA 500.11 addresses a critical situation: when audit evidence from one source is inconsistent with evidence from another, or when the auditor has doubts about the reliability of information to be used as audit evidence.

The auditor must determine what modifications or additions to audit procedures are necessary to resolve the inconsistency. For example, if the client's accounts receivable ageing shows no overdue balances but confirmations reveal disputed amounts, the auditor must investigate the discrepancy — one or both sources may be unreliable.

The auditor must also consider the effect of the inconsistency on other aspects of the audit — if one piece of evidence is unreliable, other evidence obtained from the same source or through the same process may also be unreliable.

ISA 500 in Your Jurisdiction

Netherlands. COS 500 follows ISA 500 closely. AFM inspections frequently cite insufficient or inappropriate audit evidence as the root cause of quality deficiencies — particularly reliance on inquiry without corroboration, insufficient evaluation of the accuracy and completeness of entity-produced information used for analytical procedures, and failure to resolve inconsistencies between different sources of evidence.

Germany. IDW PS 500 adapts ISA 500. German practice traditionally emphasises documentary evidence and detailed testing, reflecting the Prüfungssicherheit tradition. The WPK's inspections focus on whether the nature and extent of evidence are commensurate with the assessed risks.

United Kingdom. ISA (UK) 500 is substantively aligned with ISA 500. The FRC's inspections consistently identify audit evidence quality as a key concern — particularly over-reliance on management representations without sufficient corroboration, and insufficient challenge to management's estimates and judgments.

France. NEP 500 implements ISA 500 within the French statutory framework. French practice integrates the evidence requirements with the specific documentation expected in the dossier de travail (working papers), which must demonstrate the nature, timing, and extent of procedures performed and the evidence obtained.

Frequently Asked Questions

How does the auditor know when enough evidence has been obtained?

There is no mechanical formula. The auditor exercises professional judgment, considering the assessed risk for each assertion, the nature and quality of evidence obtained, the results of procedures performed, and whether the evidence is consistent or contradictory. ISA 330.26 requires the auditor to conclude whether sufficient appropriate evidence has been obtained before forming the opinion.

Is inquiry ever sufficient on its own?

Rarely. ISA 330.A4 notes that inquiry alone is not sufficient to test operating effectiveness of controls. For substantive purposes, inquiry may be sufficient for very low-risk assertions or as corroboration of other evidence, but it is generally one of the weakest forms of evidence and should be supplemented by inspection, recalculation, or other procedures.

How does the auditor evaluate evidence from a management expert?

The auditor evaluates the expert's competence, capabilities, and objectivity; obtains an understanding of the expert's field, methodology, and assumptions; and evaluates whether the work is appropriate as audit evidence for the relevant assertion. The auditor is not required to be an expert in the specialist's field but must understand enough to evaluate reasonableness.

What if the auditor cannot obtain sufficient evidence?

If sufficient appropriate evidence cannot be obtained, the auditor must consider the implications for the audit opinion under ISA 705. This may result in a qualified opinion (if the possible effects are material but not pervasive) or a disclaimer of opinion (if the possible effects are material and pervasive).

Further Reading and Source References

  • IAASB Handbook 2024 — The authoritative source for the complete ISA 500 text, including all application material.
  • ISA 501 — Audit Evidence — Specific Considerations for Selected Items (inventory, litigation, segments).
  • ISA 505 — External Confirmations — detailed guidance on confirmation procedures.
  • ISA 520 — Analytical Procedures — guidance on using analytical procedures as audit evidence.
  • ISA 530 — Audit Sampling — guidance on sampling techniques for obtaining evidence.
  • ISA 540 (Revised) — Auditing Accounting Estimates — evidence requirements for estimates.