What Is the New SAS 142 Audit Evidence Standard?

The American Institute of Certified Public Accountants (AICPA) issued Statement on Auditing Standards (SAS) No. 142, “Audit Evidence,” effective for audits of financial statements for periods ending on or after December 15, 2022. The issuance of SAS 142 was a response to the evolution in how businesses operate, driven by technological advancements and the increasing availability of diverse data sources. This standard modernizes auditing principles to keep pace with a more digital and data-centric environment. It provides an updated framework for auditors to evaluate information, ensuring that audit procedures remain effective with automated systems and complex data streams.

The Modernized Framework for Audit Evidence

The primary objective of an auditor remains to obtain sufficient appropriate audit evidence to form a reasonable basis for the opinion in the audit report. While this core purpose is unchanged, SAS 142 introduces a more structured framework to guide an auditor’s judgment, moving beyond a simple checklist approach to evidence gathering.

SAS 142 modernizes the definition of audit evidence, formally acknowledging that it extends beyond traditional documents like paper invoices or bank statements. The principles-based framework is designed to be applied to the wide array of information types and sources common in a digital environment. This flexibility addresses the changing nature of business records.

The framework emphasizes the auditor’s thought process, requiring a conscious assessment of whether information supports their conclusions. This encourages a dynamic approach where procedures are tailored to the specific risks of the entity being audited. This approach is intended to make the auditor’s evaluation of evidence more transparent and defensible.

Attributes of Information Used as Audit Evidence

SAS 142 establishes a framework for evaluating information based on two attributes: relevance and reliability. These benchmarks determine if information qualifies as appropriate audit evidence. Auditors must consider these characteristics when planning and performing audit procedures.

Relevance pertains to the connection between the information and the specific assertion being tested. An assertion is a claim by management within the financial statements, such as the existence of inventory. Relevant evidence must provide insight into that assertion; for example, inspecting an asset is relevant to its existence but not its valuation.

Reliability concerns the trustworthiness of the information, which is influenced by its source. Evidence generated directly by the auditor is more reliable than evidence from the client. Information from independent third parties is also more reliable than client data, though it still requires evaluation.

The nature of the information also impacts its reliability, as an original document is more reliable than a copy. Auditors must also consider the effectiveness of the client’s internal controls over the information. Data from a system with strong controls is more reliable than from a system with weak controls.

An auditor must also consider if the information is susceptible to management bias by assessing the source’s objectivity. The evaluation of relevance and reliability is a continuous process that informs the auditor’s decisions about which procedures to perform and how much evidence is needed.

Addressing Emerging Technologies and Data Sources

The principles of relevance and reliability apply directly to emerging technologies and diverse data sources. SAS 142 provides a framework for auditors to assess information from these sources, allowing technology to be leveraged for more effective and efficient audit procedures.

Auditors can use audit data analytics to examine large populations of data, such as every transaction in a period, rather than relying on sampling. When using these tools, the auditor must evaluate the relevance and reliability of the underlying data. This includes understanding how the data was captured and maintained and assessing controls around the IT systems.

The standard also addresses remote observation tools, such as video conferencing or drones, to gather evidence like observing a client’s inventory count. In this scenario, the auditor must consider the reliability of the technology, such as video clarity and the potential for manipulation, as well as the relevance of the observation to the inventory’s condition.

Even digital evidence like a screenshot requires careful evaluation under SAS 142. An auditor must apply professional skepticism and consider the reliability of the screenshot, including its source and whether it could be easily altered. The auditor might need to corroborate the information with other evidence to be satisfied.

Information from sources like blockchain ledgers or cloud-based service providers also falls under this standard. When evaluating information from a blockchain, an auditor would assess its design and controls to determine reliability. For data hosted by a third-party cloud provider, an auditor might review a Service Organization Control (SOC) report to assess the provider’s controls.

Auditor Responsibilities and Professional Skepticism

SAS 142 places a renewed emphasis on the auditor’s responsibility to exercise professional skepticism throughout the audit. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence. This mindset is a requirement for gathering sufficient appropriate audit evidence.

This focus on skepticism is important when auditors are dealing with information from less traditional sources or from systems where internal controls may be weak. The standard requires auditors to be alert for evidence that contradicts management’s assertions and to investigate any inconsistencies. If an auditor has doubts about the reliability of information, they are obligated to perform additional procedures.

The standard also has implications for audit documentation. Auditors must now be more explicit in their workpapers about how they evaluated the relevance and reliability of the information used as audit evidence. This documentation should articulate the auditor’s thought process and the basis for their conclusions, especially in areas involving judgment.

This requirement for more detailed documentation provides a clear record of the work performed, facilitates supervision and review, and demonstrates compliance with professional standards. Ultimately, SAS 142 reinforces that the responsibility for obtaining sufficient appropriate audit evidence rests with the auditor and does not replace the need for professional judgment.