What auditors actually accept as evidence.
Audit evidence must be sufficient, meaning enough of it, and appropriate, meaning relevant and reliable. That is the core of ISA 500. In practice, most evidence produced by internal teams fails on reliability: it cannot prove where it came from or that nobody altered it. Here is what passes, and why.
The two tests every piece of evidence faces.
ISA 500 asks two questions of everything an auditor relies on. Is it sufficient, meaning does the quantity cover the assessed risk? And is it appropriate, meaning is it relevant to the assertion being tested and reliable in origin? Reliability is where internally produced evidence usually dies. The standard explicitly ranks evidence by source, and information produced by the audited company itself ranks lowest, unless the controls over its production are themselves demonstrated.
Why screenshots and exports fail.
A screenshot proves that a screen looked a certain way to somebody, once. A CSV export proves nothing about completeness (what was filtered out?), timing (when was it pulled?) or integrity (what was edited afterwards?). Auditors know this, which is why entity-produced exports trigger re-performance: the audit team pulls the data again themselves, on billable hours. The evidence was not wrong. It was unverifiable, and unverifiable is the same as absent.
The four properties of reliance-grade evidence.
- Provenance. Every data point names its source system and extraction time, mechanically, not by assertion.
- Completeness. The evidence covers the full population of the period and can show that it does, through record counts, period pinning and gap detection.
- Integrity. Alterations after creation are impossible or visible. Append-only storage with cryptographic chaining makes tampering evident rather than merely forbidden.
- Independent verifiability. The auditor can check all of the above without trusting the producer, ideally by running a verification tool themselves.
What this changes economically.
Evidence with these four properties moves work off the external auditor's plate. Instead of re-performing sampling-based tests, the auditor verifies the evidence chain and relies on it, and that difference shows up directly in audit fees. This is the design brief behind RiskForge's evidence packages: period-pinned, source-attributed, hash-chained, shipped with an independent verification script. The principle stands regardless of tooling. If your evidence cannot prove its own history, you are paying your auditor to rebuild it.
See RiskForge on your own processes.
A 30-minute walkthrough against realistic SAP scenarios: payment runs, journal entries, transports. No slides, just the actual product.