What is sufficient appropriate audit evidence?
ISA 500.6 states the auditor's objective: to design and perform audit procedures in such a way as to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the audit opinion. This is the standard the engagement partner evaluates before signing.
The concept has two distinct dimensions. Sufficiency (ISA 500.A2) is a measure of quantity — how much evidence is needed. It depends on the assessed risk of material misstatement and the quality of each individual item of evidence obtained. Appropriateness (ISA 500.A3) is a measure of quality — whether the evidence is relevant to the assertion being tested and reliable given its source and nature.
ISA 330.28 requires the engagement partner to evaluate at completion whether sufficient appropriate audit evidence has been obtained. This is not a planning exercise alone. If results differ from expectations — higher error rates, lower confirmation response rates, new information about risks — the sufficiency assessment changes. ISA 330.29 is clear: if sufficient appropriate evidence cannot be obtained, the auditor must express a qualified opinion or disclaim.
Key Points
- Sufficient = quantity, appropriate = relevance + reliability. These are separate dimensions. A large volume of low-quality evidence does not substitute for a smaller amount of high-quality evidence.
- More low-quality evidence does not compensate for missing high-quality evidence. ISA 500.A3 is explicit — obtaining more of the same weak evidence does not improve the conclusion.
- The engagement partner must evaluate sufficiency at completion (ISA 330.28), not just at planning. If audit results deviate from expectations, the assessment must be updated.
- Inspection findings frequently cite missing evidence for specific assertions — the team documented procedures but did not evaluate whether the evidence obtained was enough to conclude on the assertion at risk.
Why it matters in practice
The most common gap inspectors find is the evaluation gap. Teams document the procedures performed and the results obtained, but they do not document the ISA 330.28 evaluation — the explicit conclusion that the evidence obtained is sufficient and appropriate for each significant assertion. The AFM has flagged this repeatedly: running procedures is not the same as concluding that the evidence is enough.
On estimation-heavy balances, the gap is more specific. Teams recalculate management's model and confirm the arithmetic is correct, then treat that as sufficient evidence for valuation. But ISA 500.A3 requires the auditor to evaluate whether the evidence is relevant and reliable given its source. When the only evidence is management's own calculation, the appropriateness threshold is rarely met for high-risk estimates without corroborating external data or independent challenge of assumptions.
Key standard references
- ISA 500.6: Objective — to obtain sufficient appropriate audit evidence to draw reasonable conclusions.
- ISA 500.A2: Sufficiency as a measure of quantity, influenced by assessed risk and quality of evidence.
- ISA 500.A3: Appropriateness as a measure of quality — relevance and reliability.
- ISA 330.28-29: Evaluation at completion; modified opinion when sufficient appropriate evidence cannot be obtained.
- ISA 200.17: Reasonable assurance as a high but not absolute level of assurance, obtained when sufficient appropriate audit evidence has been obtained.
Related terms
Related reading
Frequently asked questions
What is the difference between sufficiency and appropriateness?
Sufficiency (ISA 500.A2) refers to the quantity of evidence, which depends on the assessed risk and the quality of each item. Appropriateness (ISA 500.A3) refers to relevance to the assertion and reliability of the source. More evidence of low quality does not compensate for a lack of high-quality evidence.
When must sufficiency be evaluated?
ISA 330.28 requires evaluation at completion, not just at planning. If results differ from expectations (higher error rates, lower confirmation response rates), the sufficiency assessment changes. ISA 330.29 states that if sufficient appropriate evidence cannot be obtained, the auditor must qualify the opinion.
Can internal evidence alone meet the appropriateness threshold?
Rarely for high-risk areas. ISA 500.A3 requires the auditor to evaluate whether evidence is relevant and reliable given its source. On estimation-heavy balances, relying solely on management's own calculations typically does not meet the appropriateness threshold.