How it works
In any assurance engagement, the practitioner does not directly observe or measure the claim itself. Instead, the practitioner evaluates the subject matter information that supports that claim. In a financial statement audit under ISA 315.6, the subject matter information includes the accounting records, transaction logs, subsidiary ledgers, journals, and supporting documents. In an ISAE 3402 Type II engagement, the subject matter information is the control operation itself: the logs showing when controls ran, the exception reports, the remediation records, the system configurations. ISAE 3000.13 states that subject matter information is "the underlying data, records, systems, processes, and conditions to which the criteria are applied." The practitioner's role is to evaluate whether that information exists, is complete, is accurate, and supports the assertion being made.
The challenge in practice is that subject matter information often lives across multiple systems. A single transaction might have data in the invoice system, the GL, the bank records, and the subsidiary ledger. A control might have evidence in both manual logs and system outputs. The practitioner must identify all the places where relevant subject matter information exists, determine which sources are reliable, and ensure nothing material is missed.
Worked example: Nexus Logistics B.V.
Client: Dutch logistics operator, FY2024, revenue €127M, IFRS reporter. The client operates a fleet of 340 trucks and engages Nexus Assurance to provide a Type II report on the effectiveness of controls over fuel card transactions (compliance with group policy: all fuel purchases must be recorded within 2 business days and coded to the correct cost center).
Step 1: Identify where subject matter information resides
The practitioner identifies that fuel card transaction subject matter information exists in three places: (1) the fuel card provider's transaction portal (showing date, amount, location, driver ID), (2) the expense management system (showing date entered, amount, cost center code assigned), and (3) the GL fuel expense account (summarized monthly balances).
Documentation note: Memo prepared mapping all three data sources, confirming dates of system access, and identifying which source is authoritative for each element (fuel card portal = truth for transaction occurrence and amount; expense system = truth for timeliness and cost center coding).
Step 2: Assess completeness of subject matter information
The team downloads 12 months of fuel card transactions (4,847 transactions totaling €2.14M). They check the expense system for all corresponding entries. They discover that the expense system shows only 4,681 entries. The difference is 166 transactions.
Documentation note: Exception log created showing 166 fuel card transactions not yet entered in the expense system as of the agreed-upon cutoff date. Practitioner contacted the client to determine whether these are in-flight entries or unrecorded transactions.
Step 3: Evaluate reliability of subject matter information
For the 4,681 matched entries, the team traces entry dates to transaction dates. They find that 847 entries (18%) were recorded more than 2 business days after the transaction date. The cost center coding is correct on 4,621 entries (99%).
Documentation note: Control exception summary prepared showing timeliness exceptions and cost center exceptions. For timeliness, practitioner notes whether the delay occurred consistently (suggesting a process delay) or sporadically (suggesting isolated oversights). For cost center, practitioner determines whether exceptions were concentrated in specific cost centers or spread across the operation.
Conclusion: The subject matter information for fuel card transactions exists, is largely complete and accurate, but contains measurable exceptions in timeliness. The practitioner has sufficient subject matter information to conclude that the control operates with exceptions, and to quantify the exceptions. If the exceptions were material to the group's internal control objective, the Type II report would note them. If the subject matter information had been unavailable, incomplete, or so unreliable that tracing and matching were impossible, the practitioner would face a scope limitation and might disclaim an opinion on the control's effectiveness.
What reviewers and practitioners get wrong
Treating subject matter information as a checkbox. Many practitioners treat the gathering of subject matter information as a preliminary step completed in week 1, then move on. ISAE 3000.13 and ISA 500.5(a) require the practitioner to evaluate the reliability and sufficiency of subject matter information throughout the engagement. This is not a one-time data pull. Inspection findings frequently show that practitioners gathered initial subject matter information but did not reassess it when conditions changed (system was updated mid-period, staff turnover affected process controls, new locations were added). If the subject matter information materially changes after the practitioner's initial assessment, the practitioner must re-evaluate.
Assuming electronic systems are complete. A common error is to assume that if a transaction is in a system, all transactions are captured. System completeness requires testing, not assumption. The fuel card example above found 166 missing entries because the practitioner did not assume completeness. International inspection data from the FRC and PCAOB shows that missing or delayed transaction posting is a routine finding. Always verify the completeness of subject matter information through reconciliation or analytical procedures before relying on it.
Confusing subject matter with criteria. Subject matter information is the underlying data. Criteria are the standards applied to evaluate that data (IFRS, internal policy, regulatory requirement). A practitioner might have perfect subject matter information (all transactions recorded, all fields complete) but fail to apply the criteria correctly (failing to identify that a transaction violates the client's own policy). Document clearly which elements are subject matter information and which are criteria being applied to it.