Most teams ask how much evidence they need. That’s the wrong question. A file can contain 200 pages of testing and still fail review if the evidence doesn’t address the right assertion. ISA 500 doesn’t reward volume. It rewards relevance and reliability. The auditor who selects four well-targeted procedures will build a stronger file than the one who runs ten procedures that all test the same thing.

ISA 500 establishes the framework for evaluating audit evidence, requiring that all evidence be both sufficient (adequate in quantity, based on assessed risk) and appropriate (relevant to the assertion tested and reliable enough to support the auditor’s conclusion), with reliability determined by source, nature, and the circumstances under which the evidence was obtained.

Key Takeaways

  • ISA 500 is the foundational standard for audit evidence. It establishes what constitutes evidence, how the auditor obtains it, and how its quality is evaluated. Every audit procedure exists to obtain audit evidence.
  • Sufficiency is the measure of the quantity of evidence. Appropriateness is the measure of its quality, comprising relevance (does it relate to the assertion being tested?) and reliability (can it be trusted?).
  • Sufficiency and appropriateness are interrelated: higher-quality evidence may reduce the quantity needed, and higher assessed risks require more or better evidence. But more evidence of poor quality does not compensate for lack of quality.
  • The standard identifies seven types of audit procedures: inspection (of records and tangible assets), observation, inquiry, confirmation, recalculation, re-performance, and analytical procedures. These can serve as risk assessment procedures, tests of controls, or substantive procedures depending on context.
  • Evidence reliability follows a hierarchy: external sources are generally more reliable than internal ones, auditor-generated evidence is more reliable than entity-generated evidence, documentary evidence is more reliable than oral representations, and original documents are more reliable than copies.
  • When using information produced by the entity as audit evidence, the auditor must evaluate its accuracy and completeness. When using information from external sources or management’s experts, the auditor must consider competence, objectivity, and the relevance and reliability of the work.
  • If audit evidence from one source is inconsistent with evidence from another, the auditor must determine what additional procedures are needed to resolve the inconsistency.


What is ISA 500?

ISA 500, titled “Audit Evidence,” is the conceptual backbone of audit fieldwork. While ISA 315 identifies risks and ISA 330 designs responses, ISA 500 governs what those responses actually produce (evidence) and how the auditor evaluates whether it is good enough.

The standard operates at a principles level. It does not prescribe specific procedures for specific accounts (ISA 501 does that for selected items, ISA 505 for confirmations, ISA 540 for estimates). Instead, ISA 500 establishes the framework within which all other evidence-gathering standards operate.

A revision of ISA 500 is currently underway as part of the IAASB’s Audit Evidence project (combined with ISA 330 and ISA 520). The proposed ISA 500 (Revised) expands guidance on evaluating the relevance and reliability of information intended to be used as audit evidence, including from external information sources and technology-generated data. Until the revision is finalised, the current ISA 500 remains in effect.


Sufficient appropriate audit evidence

ISA 500.6 establishes the core concept:

Sufficiency is the measure of quantity. The quantity of evidence needed depends on the assessed risk of misstatement (higher risk = more evidence) and the quality of evidence obtained (higher quality = less quantity may suffice).

Appropriateness is the measure of quality, comprising:

  • Relevance is the logical connection between the evidence and the assertion being tested. Evidence about the existence of a receivable is not relevant to its valuation. Evidence about the design of a control is not relevant to its operating effectiveness.
  • Reliability is the degree to which the evidence can be trusted to provide accurate information about the assertion.

The reliability hierarchy

ISA 500.A31 provides general principles about reliability (though all are subject to important exceptions):

More reliable | Less reliable
Evidence from independent external sources | Evidence from internal sources
Evidence generated by the auditor (re-performance, recalculation) | Evidence obtained from the entity
Documentary evidence (written, electronic) | Oral representations
Original documents | Copies (photocopies, scans, faxes)
Evidence from effective internal controls | Evidence from weak or absent controls

These are generalisations. The auditor must always consider the specific circumstances. An internal document produced by a well-controlled process may be more reliable than an external document of unknown provenance.


The seven types of audit procedures

ISA 500.A14–A25 describes the seven fundamental types of audit procedures. Every audit test is built from one or more of these:

1. Inspection of records and documents

Examining records or documents (internal or external, in paper or electronic form). Provides evidence of varying reliability depending on the source and the effectiveness of controls over the document’s production. Inspecting a bank statement confirms the balance; inspecting a purchase order confirms that the purchase was authorised.

2. Inspection of tangible assets

Physical examination of assets (such as inventory, fixed assets, cash, or securities). Provides reliable evidence about existence but not necessarily about rights and obligations (ownership) or valuation.

3. Observation

Looking at a process or procedure being performed by others (such as observing inventory counting or the performance of control activities). Observation is limited to the point in time at which it occurs and may be affected by the fact that being observed changes behaviour.

4. Inquiry

Seeking information from knowledgeable persons, both financial and non-financial, within or outside the entity. Inquiry can be formal (written) or informal (oral), and ranges from structured questionnaires to casual discussions. Inquiry alone is generally not sufficient as audit evidence for most assertions. It must be corroborated by other procedures.

5. Confirmation

A specific type of inquiry: obtaining a direct written response from a third party to the auditor. Covered in detail by ISA 505. Confirmations are particularly relevant for existence and rights assertions (bank balances, receivables, investments held by custodians).

6. Recalculation

Checking the mathematical accuracy of documents or records, manually or using technology. Recalculating depreciation schedules, interest accruals, tax computations, or pension obligations.

7. Re-performance

The auditor’s independent execution of procedures or controls that were originally performed by the entity. Re-performing a bank reconciliation, re-performing a three-way match for purchases, or re-performing a journal entry authorisation check.

8. Analytical procedures

Evaluating financial information through analysis of plausible relationships among financial and non-financial data. Covered in detail by ISA 520. Can serve as risk assessment procedures (ISA 315), substantive procedures (ISA 330), or overall review procedures (ISA 520).

Matching procedures to assertions

One of the most common audit quality deficiencies is performing procedures that do not address the relevant assertion. Testing whether a receivable exists (by confirming the balance with the customer) does not tell you whether it is recoverable (valuation). Testing whether a payment was properly authorised (test of controls, occurrence) does not tell you whether the amount was correctly recorded (accuracy). Always start from the assertion you need to test and work backwards to the procedure that provides evidence about that specific assertion.


Using information as audit evidence

Information produced by the entity

ISA 500.9 requires the auditor, when using information produced by the entity as audit evidence, to evaluate whether the information is sufficiently reliable for the auditor’s purposes. This includes:

  • Obtaining evidence about the accuracy and completeness of the information.
  • Evaluating whether the information is sufficiently precise and detailed for the purpose.

For example, if the auditor uses the entity’s fixed asset register to recalculate depreciation, the auditor must first verify that the register is complete and accurate. Otherwise the recalculation is built on unreliable data.

Information from external sources

When using information from external sources (e.g., market data, industry benchmarks, published interest rates, valuation indices), the auditor considers the source’s credibility, the process by which the information was prepared, and whether it is relevant and reliable for the auditor’s purpose.

Information from management’s experts

ISA 500.8 addresses situations where the entity uses a management’s expert (actuary, valuer, engineer) to prepare financial statement information. The auditor must:

  • Evaluate the competence, capabilities, and objectivity of the expert.
  • Obtain an understanding of the expert’s work.
  • Evaluate the appropriateness of the expert’s work as audit evidence.

This does not require the auditor to second-guess specialist expertise, but the auditor must understand the expert’s methodology, assumptions, and data sources well enough to evaluate whether the output is reasonable audit evidence.


Selecting items for testing

ISA 500.10 requires the auditor to determine means of selecting items for testing that are effective in meeting the purpose of the audit procedure. The options are:

Selecting all items (100% examination). Appropriate for small populations, high-value items, or significant risks where anything less than complete testing would not provide sufficient evidence.

Selecting specific items. Targeting particular items based on their characteristics (high-value items, items older than a threshold, unusual items, items identified as risk indicators). Provides evidence about those specific items but does not allow projection to the population.

Audit sampling. Selecting items such that each sampling unit has a chance of being selected, enabling the auditor to project the results to the population. Governed by ISA 530.


Inconsistent evidence

ISA 500.11 addresses a critical situation: when audit evidence from one source is inconsistent with evidence from another, or when the auditor has doubts about the reliability of information to be used as audit evidence.

The auditor must determine what modifications or additions to audit procedures are necessary to resolve the inconsistency. For example, if the client’s accounts receivable ageing shows no overdue balances but confirmations reveal disputed amounts, the auditor must investigate the discrepancy. One or both sources may be unreliable.

The auditor must also consider the effect of the inconsistency on other aspects of the audit. If one piece of evidence is unreliable, other evidence obtained from the same source or through the same process may also be unreliable.


Worked example: evaluating evidence sufficiency for revenue

Claessens Transport NV is a Belgian logistics company with €45M in revenue from freight forwarding, warehousing, and customs brokerage. Revenue recognition is identified as a significant risk under ISA 315 because contracts include variable consideration (fuel surcharges, volume discounts) and performance obligations are satisfied over time for warehousing but at a point in time for individual freight shipments. The team needs to determine what evidence is sufficient and appropriate for the revenue assertion.

  1. Map assertions to the risk. The assessed risk relates to occurrence (are recorded shipments real?), accuracy (are fuel surcharges and discounts correctly calculated?), and cut-off (are December shipments recorded in the correct period?). Completeness is assessed as lower risk because the company has limited incentive to understate revenue.

Documentation note: working paper maps each assertion to the specific revenue stream and explains why occurrence, accuracy, and cut-off are higher risk than completeness for this entity.

  2. Design procedures that match each assertion. For occurrence: select a sample of 25 freight invoices from the revenue journal and trace to signed delivery confirmations (CMR documents), GPS tracking data, and customer purchase orders. For accuracy: recalculate fuel surcharges on 15 invoices using the contractual formula and compare to the billed amount. For cut-off: select the last 20 shipments before and first 20 after 31 December, compare delivery dates on CMR documents to the recording date.

Documentation note: each procedure references ISA 500.A14 (inspection), ISA 500.A21 (recalculation), and the specific assertion it addresses. The rationale for sample sizes references the assessed risk level and the ISA 530 sampling methodology used.

  3. Evaluate the reliability of each evidence source. CMR delivery confirmations are external, signed by the recipient, and generated outside the entity’s control (high reliability under ISA 500.A31). GPS tracking data is entity-generated but from an automated system with IT general controls tested by the team (moderate reliability). Customer purchase orders are external (high reliability). The fuel surcharge formula is from the signed contract (external, high reliability), but the calculation is performed internally.

Documentation note: reliability assessment documented for each source, explaining why the combination provides sufficient appropriate evidence without relying on inquiry or management representations alone.

  4. Assess sufficiency across all three assertions. Occurrence is covered by two independent sources (CMR documents and GPS data). Accuracy is covered by recalculation against contractual terms. Cut-off is covered by detailed testing around the period boundary. The team concludes that the evidence is sufficient because the assessed risk (significant) is matched by high-reliability procedures, and no inconsistencies were found between sources.

Documentation note: conclusion paragraph summarises the sufficiency assessment, references ISA 330.26, and states that the evidence obtained reduces audit risk for the revenue assertion to an acceptably low level.

The file shows a reviewer that each procedure was designed for a specific assertion, that evidence reliability was assessed per source (not assumed), and that sufficiency was evaluated based on the risk level rather than on volume of testing alone.


Practical checklist

  1. For every substantive procedure in the audit program, confirm it addresses a specific assertion (ISA 500.A14-A25). If a procedure tests existence but the risk relates to valuation, redesign or supplement it.
  2. Before using any entity-generated report as audit evidence (ageing reports, fixed asset registers, inventory listings), test its accuracy and completeness separately (ISA 500.9). Do not skip this step because “we used it last year.”
  3. Assess the reliability of each evidence source against the ISA 500.A31 hierarchy. Document why the source is reliable enough for the assertion and risk level, not just what the source is.
  4. When evidence from two sources conflicts, perform additional procedures to resolve the inconsistency before concluding (ISA 500.11). Do not default to the source that supports the client’s position.
  5. For significant risks, verify that the evidence mix includes at least one source that is external or auditor-generated (ISA 330.21). Inquiry combined with internal documents alone is rarely sufficient at this risk level.

Common mistakes

  • Testing the wrong assertion. The PCAOB’s 2024 inspection report found a 39% deficiency rate across inspected engagements, with revenue testing among the top areas flagged. A recurring pattern: teams perform procedures that confirm a transaction occurred but fail to test whether the amount was accurately recorded or allocated to the correct period. The procedure produces evidence, but not evidence that addresses the assessed risk.
  • Relying on entity-produced data without testing it. The AFM’s January 2025 report on fraud risk procedures (“Controlewerkzaamheden bij frauderisico’s”) found that in 23 of 32 inspected audits, procedures were not adequately adapted to specific risks. One common pattern: using the entity’s own reports (sales listings, ageing schedules) as the basis for analytical procedures without first verifying their accuracy and completeness under ISA 500.9. The analytical procedure is only as reliable as the data it runs on.
  • Treating inquiry as corroboration. The FRC’s Annual Review 2025 identified over-reliance on management representations as a persistent finding, with 38% of files rated as requiring more than limited improvements. When a team obtains a management explanation for an unusual variance and records that as “corroborated,” the file is weaker than it looks. Inquiry corroborates other evidence; other evidence does not corroborate inquiry.


ISA 500 in your jurisdiction

Netherlands. COS 500 follows ISA 500 closely. AFM inspections frequently cite insufficient or inappropriate audit evidence as the root cause of quality deficiencies, particularly reliance on inquiry without corroboration, insufficient evaluation of the accuracy and completeness of entity-produced information used for analytical procedures, and failure to resolve inconsistencies between different sources of evidence.

Germany. IDW PS 500 adapts ISA 500. German practice traditionally emphasises documentary evidence and detailed testing, reflecting the Prüfungssicherheit tradition. The WPK’s inspections focus on whether the nature and extent of evidence are commensurate with the assessed risks.

United Kingdom. ISA (UK) 500 is substantively aligned with ISA 500. The FRC’s inspections consistently identify audit evidence quality as a key concern, particularly over-reliance on management representations without sufficient corroboration and insufficient challenge to management’s estimates and judgments.

France. NEP 500 implements ISA 500 within the French statutory framework. French practice integrates the evidence requirements with the specific documentation expected in the dossier de travail (working papers), which must demonstrate the nature, timing, and extent of procedures performed and the evidence obtained.


Frequently asked questions

How does the auditor know when enough evidence has been obtained?

There is no mechanical formula. The auditor exercises professional judgment, considering the assessed risk for each assertion, the nature and quality of evidence obtained, the results of procedures performed, and whether the evidence is consistent or contradictory. ISA 330.26 requires the auditor to conclude whether sufficient appropriate evidence has been obtained before forming the opinion.

Is inquiry ever sufficient on its own?

Rarely. ISA 330.A4 notes that inquiry alone is not sufficient to test operating effectiveness of controls. For substantive purposes, inquiry may be sufficient for very low-risk assertions or as corroboration of other evidence, but it is generally one of the weakest forms of evidence and should be supplemented by inspection, recalculation, or other procedures.

How does the auditor evaluate evidence from a management expert?

The auditor evaluates the expert’s competence, capabilities, and objectivity; obtains an understanding of the expert’s field, methodology, and assumptions; and evaluates whether the work is appropriate as audit evidence for the relevant assertion. The auditor is not required to be an expert in the specialist’s field but must understand enough to evaluate reasonableness.

What if the auditor cannot obtain sufficient evidence?

If sufficient appropriate evidence cannot be obtained, the auditor must consider the implications for the audit opinion under ISA 705. This may result in a qualified opinion (if the possible effects are material but not pervasive) or a disclaimer of opinion (if the possible effects are material and pervasive).


Further reading and source references

  • IAASB Handbook 2024: ISA 500 full text — The authoritative source including all application material.
  • ISA 501: Audit Evidence — Specific Considerations for Selected Items (inventory, litigation, segments).
  • ISA 505: External Confirmations — detailed guidance on confirmation procedures.
  • ISA 520: Analytical Procedures — guidance on using analytical procedures as audit evidence.
  • ISA 530: Audit Sampling — guidance on sampling techniques for obtaining evidence.
  • ISA 540 (Revised): Auditing Accounting Estimates — evidence requirements for estimates.

This guide reflects the ISA 500 text as published in the IAASB 2024 Handbook. A revision (proposed ISA 500 Revised) is in development as part of the IAASB’s Audit Evidence project. National implementations may include additional requirements. Always consult the applicable national standard alongside the international text. This content is for educational purposes and does not constitute legal or professional advice.
