What is sufficient appropriate audit evidence?
Every inspection cycle, regulators flag the same problem: teams run procedures and fill the WPs without ever asking whether what they collected actually supports the assertion at risk. Senior reviewers call it "ticking and bashing." In our experience, about one in three inspection findings on evidence comes down to this gap (not a lack of work performed, but a lack of evaluation that the work was enough).
ISA 500.6 frames the objective: design and perform procedures that produce sufficient appropriate audit evidence (SAAE) so the engagement partner can draw reasonable conclusions and sign the opinion. Two separate dimensions sit inside that phrase. Sufficiency ( ISA 500 .A2) measures quantity. It depends on the assessed risk of material misstatement and the quality of each item obtained. Appropriateness ( ISA 500 .A3) measures quality, specifically whether the evidence is relevant to the assertion being tested and reliable given its source.
ISA 330.28 requires the partner to evaluate SAAE at completion, not only at planning. If results differ from expectations (higher error rates, lower confirmation response rates) the assessment changes. ISA 330.29 is clear: if SAAE cannot be obtained, the auditor must qualify or disclaim.
Key points
- Sufficiency and appropriateness are separate dimensions. A large volume of low-quality evidence does not substitute for a smaller amount of high-quality evidence.
- ISA 500 .A3 is explicit: obtaining more of the same weak evidence does not fix an appropriateness problem.
- ISA 330.28 requires the partner to evaluate SAAE at completion, not only at planning. If results deviate from expectations, the assessment must be updated.
- Inspection findings frequently cite the evaluation gap: teams documented procedures but never concluded whether the evidence was enough for the assertion at risk.
Why it matters in practice
Inspectors keep finding the same gap. Teams document procedures performed and results obtained, but skip the ISA 330.28 evaluation (the explicit conclusion that evidence collected is sufficient and appropriate for each significant assertion). The AFM has flagged this repeatedly: running procedures is not the same as concluding that the evidence is enough. A good engagement partner will tell the team that the file should tell a story, one where each significant assertion has a clear thread from risk assessment through to conclusion.
This is the finding that generates the most review notes. Nobody wants to reopen completed sections, but when the SAAE evaluation is missing, the file goes back.
On estimation-heavy balances the gap gets more specific. Teams recalculate management's model and confirm the arithmetic, then treat that as sufficient evidence for valuation. ISA 500 .A3 requires the auditor to evaluate whether the evidence is relevant and reliable given its source. When the only evidence is management's own calculation, the appropriateness threshold is rarely met for high-risk estimates without corroborating external data or an independent challenge of key assumptions.
Key standard references
- ISA 500.6 sets the objective: obtain SAAE to draw reasonable conclusions.
- ISA 500 .A2 defines sufficiency as a measure of quantity, influenced by assessed risk and quality of evidence.
- ISA 500 .A3 defines appropriateness as a measure of quality (relevance and reliability).
- ISA 330.28 -29 requires evaluation at completion and a modified opinion when SAAE cannot be obtained.
- ISA 200.17 links reasonable assurance to obtaining SAAE. Assurance is high but not absolute.
Related terms
Related tools
Related reading
Frequently asked questions
What is the difference between sufficiency and appropriateness?
Sufficiency (ISA 500.A2) refers to the quantity of evidence, which depends on assessed risk and the quality of each item. Appropriateness (ISA 500.A3) refers to relevance to the assertion and reliability of the source. More low-quality evidence does not compensate for missing high-quality evidence.
When must sufficiency be evaluated?
ISA 330.28 requires evaluation at completion, not only at planning. If results differ from expectations (higher error rates or lower confirmation response rates), the sufficiency assessment changes. ISA 330.29 states that if SAAE cannot be obtained, the auditor must qualify the opinion.
Can internal evidence alone meet the appropriateness threshold?
Rarely for high-risk areas. ISA 500.A3 requires the auditor to evaluate whether evidence is relevant and reliable given its source. On estimation-heavy balances, relying solely on management's own calculations does not meet the appropriateness threshold at firms we have worked with.