Audit Evidence Standards in Financial Services

Audit evidence standards define the quality, quantity, and documentation requirements that govern the information auditors collect before forming an opinion on financial statements. In financial services, these standards carry particular weight because regulators including the SEC, FDIC, and PCAOB impose additional layers of scrutiny on top of baseline professional requirements. Understanding how evidence standards work — and how they interact with sector-specific regulations — is essential for any firm navigating the financial statement audit process or preparing for regulatory examination.

Definition and scope

Audit evidence, as defined under AU-C Section 500 of the AICPA's Clarified Statements on Auditing Standards, encompasses all information used by the auditor in arriving at the conclusions that form the basis of the audit opinion. This includes accounting records underlying the financial statements as well as corroborating information from other sources.

The scope of evidence standards in financial services extends across three primary professional frameworks:

1. GAAS (Generally Accepted Auditing Standards) — Issued by the AICPA, GAAS establishes baseline sufficiency and appropriateness requirements applicable to audits of non-public entities, including most credit unions, insurance companies, and privately held financial firms.
2. PCAOB Auditing Standards — Applicable to audits of public companies and broker-dealers registered with the SEC, PCAOB AS 1105 governs audit evidence directly, defining "sufficiency" as the measure of the quantity of audit evidence and "appropriateness" as the measure of quality.
3. GAGAS (Generally Accepted Government Auditing Standards) — Published by the U.S. Government Accountability Office, GAGAS applies when federal funds are involved and imposes additional evidence documentation requirements above GAAS.

The concept of audit materiality in financial services operates in direct relationship to evidence standards: lower materiality thresholds require proportionally greater volumes of higher-quality evidence.

How it works

Evidence gathering in a financial services audit follows a structured sequence tied to the auditor's assessment of risk. The process does not proceed uniformly — evidence requirements intensify wherever inherent or control risk is elevated.

Phase 1 — Risk Assessment
Auditors identify material misstatement risks at the financial statement and assertion level. Under PCAOB AS 2110, this includes understanding the entity's business environment, internal controls, and risk of fraud. Financial institutions present elevated risk in areas such as loan loss provisioning, fair value measurement, and revenue recognition.

Phase 2 — Evidence Planning
Auditors determine the nature, timing, and extent of procedures needed. Audit sampling methods are selected here — statistical sampling producing quantifiable precision rates, non-statistical sampling relying on auditor judgment. PCAOB AS 2315 governs audit sampling for public company engagements.

Phase 3 — Evidence Collection
Evidence types fall into two classification categories:

• Direct evidence — Physical inspection of assets, auditor-generated recalculations, and observation of processes. Considered more reliable because the auditor controls its creation.
• Indirect evidence — Confirmations from third parties (e.g., bank confirmations under AU-C Section 505), management representations, and analytical procedures. Reliability depends heavily on the independence of the source.

A key contrast: evidence obtained directly by the auditor from external parties (such as positive confirmations from correspondent banks) is treated as more reliable than evidence sourced exclusively from client-prepared documents under both GAAS AU-C 500 and PCAOB AS 1105.

Phase 4 — Evaluation and Documentation
Collected evidence must be documented in the audit workpapers with sufficient detail to allow an experienced auditor with no prior connection to the engagement to understand the procedures performed, the evidence obtained, and the conclusions reached — a standard codified in PCAOB AS 1215.

Common scenarios

Financial services audits produce recurring evidence challenges tied to the sector's complexity:

Loan portfolio valuation — Auditing the allowance for credit losses under FASB's Current Expected Credit Loss (CECL) model requires evidence supporting management's forward-looking estimates. Auditors must evaluate the reasonableness of model assumptions, gather historical loss data, and assess macroeconomic scenario inputs — all documented as substantive analytical procedures.

Fair value measurements — For broker-dealers and investment advisers, Level 3 fair value assets (those with no observable market inputs) demand the highest evidentiary burden. PCAOB AS 2502 requires auditors to evaluate the appropriateness of the valuation method, test the significant assumptions, and consider using a specialist.

BSA/AML compliance evidence — When an engagement intersects with BSA and Bank Secrecy Act audit obligations, evidence must demonstrate the adequacy of transaction monitoring systems, suspicious activity report filing procedures, and customer due diligence programs — drawing on FinCEN guidance as a benchmark source.

IT general controls — An IT audit in financial services generates evidence related to access controls, change management, and data integrity. Weak IT general controls increase the risk that automated controls are unreliable, elevating the required volume of substantive evidence.

Decision boundaries

Three criteria determine whether evidence is sufficient to support an audit conclusion:

1. Sufficiency — The quantity of evidence must be proportionate to the assessed risk of material misstatement. Higher risk mandates larger sample sizes or more extensive procedures, not merely more documents.
2. Appropriateness — Evidence must be both relevant (tied to the assertion being tested) and reliable (sourced from credible, independent channels). Management representations alone are not sufficient for significant assertions under PCAOB AS 1105.
3. Documentation completeness — Workpaper documentation must satisfy the "experienced auditor" standard. The PCAOB's inspection program under PCAOB inspections of financial services auditors has identified incomplete evidence documentation as among the most frequent deficiency categories in inspected engagements.

A comparison of evidentiary standards across frameworks highlights one critical boundary: under GAAS, auditors exercise significant professional judgment in determining sufficiency; under PCAOB standards applicable to public company and broker-dealer audits, prescriptive requirements in AS 1105 and related standards reduce discretion and impose more explicit documentation minimums. Firms subject to both frameworks — such as a public bank holding company with a privately held subsidiary — must navigate which standard governs each component of the engagement, a topic covered in depth at internal vs. external audit differences and financial services audit standards in the US.

References

• AICPA AU-C Section 500 — Audit Evidence
• PCAOB AS 1105 — Audit Evidence
• PCAOB AS 1215 — Audit Documentation
• PCAOB AS 2110 — Identifying and Assessing Risks of Material Misstatement
• PCAOB AS 2315 — Audit Sampling
• PCAOB AS 2502 — Auditing Fair Value Measurements and Disclosures
• U.S. Government Accountability Office — Generally Accepted Government Auditing Standards (GAGAS / Yellow Book)
• Financial Crimes Enforcement Network (FinCEN) — BSA Regulations
• FASB Accounting Standards Codification Topic 326 — Credit Losses (CECL)