SPOTLIGHT
Inspection Observations Related to
Auditor Use of Data and Reports
April 2024
This document represents the views of PCAOB staff and
not necessarily those of the Board. It is not a rule, policy, or
statement of the Board.
April 2024 | 2
Spotlight: Inspection Observations Related to Auditor Use of
Data and Reports
CONTENTS
Overview 3
Common Areas of Inspection Deficiencies
Related to Data and Reports 5
Testing Accuracy and Completeness of IPC 5
Considering Relevance and Reliability of Audit Evidence 6
Testing Controls Over IPC Used in the Operation of a Control 7
Assessing Information Used in Expectations for Substantive
Analytical Procedures 8
Assessing Information Produced by a Service Organization 9
Testing Supplemental Information Accompanying Audited
Financial Statements 10
Use of Data by an Auditor-Engaged Specialist 11
Reminders for Auditors 11
Good Practices 12
April 2024 | 3
Spotlight: Inspection Observations Related to Auditor Use of
Data and Reports
OVERVIEW
Auditors must obtain sufficient and
appropriate audit evidence to provide a
reasonable basis for their opinion. Sufficiency is
the measure of the quantity of audit evidence,
and appropriateness is the measure of the
quality of the audit evidence. To be appropriate
under PCAOB standards, audit evidence must
be both relevant and reliable in providing
support for the conclusions on which the
auditor’s opinion is based.
As noted in previously issued “Staff Update and
Preview” Spotlights (2020–2023), PCAOB staff
has observed significant and consistent rates
of deficiencies related to auditors’ evaluation
of audit evidence, including information from
external sources, and testing of information
produced by the company (“IPC”) and used
in the performance of control activities and
substantive testing.
y IPC includes company-produced information
such as invoices issued by the company,
shipping documents created by the
company, and other data and reports from
company information technology systems.
y Information received from external sources
includes, among other things, purchase
orders submitted by customers, shipping
records, records from the bank showing cash
received from a customer as payment for an
invoice, or information produced by a service
organization.
Approximately 17% of the total comment forms
1
for each of the 2021 and 2022 inspection cycles
contained deficiencies where the auditor did
not perform sufficient procedures to test (or
sufficiently test controls over) the accuracy and
completeness of IPC or other data and reports
including information produced by service
Why Is Accuracy
and Completeness
Necessary?
As auditors receive information from
a multitude of sources within the
company during an audit, it is important
to understand why the accuracy and
completeness of that information
matter. Accuracy and completeness
of information are necessary in the
detection of errors, as well as in the
detection of fraud.
For example, the auditor testing fixed
asset additions for the period needs
to ensure he or she has a complete
population of the additions, relevant to
the system of record being reviewed
(e.g., the fixed asset subledger). Without
testing completeness of the listing of
additions produced by the company, the
auditor may not be in a position to detect
errors or fictitious additions during his or
her substantive testing.
Testing the accuracy of information
produced by the company is just as
important. For example, if the auditor
did not test the accuracy of pension
participant data produced by the
company that is used by the auditor in
his or her substantive procedures, it is
possible that he or she may not detect a
misstatement in the recorded balance.
1
A “comment form” is the initial communication to audit firms of observed deficiencies from our inspections. Please refer to Basics
of Inspections for additional information.
April 2024 | 4
Spotlight: Inspection Observations Related to Auditor Use of
Data and Reports
organizations. Observations in our comment
forms may subsequently result in one or
more deficiencies being discussed as findings
included in Part I.A of our inspection reports.
2
To improve audit quality and assist auditors
of public companies and brokers and dealers
(“broker-dealers”), this Spotlight highlights
recent staff observations on the use of IPC
and information from external sources in the
audit. Our observations, including common
audit deficiencies, good practices, and other
reminders, may help auditors understand
how the testing of IPC and information from
external sources is properly performed.
2
Part I.A of our PCAOB inspection reports discusses deficiencies, if any, that were of such significance that we believe the firm, at
the time it issued its audit report(s), had not obtained sufficient appropriate audit evidence to support its opinion(s) on the public
company’s financial statements and/or internal control over financial reporting (ICFR).
Confirmations
Information obtained by the auditor
directly from external sources, including
through confirmation, can be an
important source of evidence obtained
as part of an audit. Although this
Spotlight does not expressly discuss
observations related to confirmations, in
September 2023, the PCAOB approved
a new standard, AS 2310, The Auditor’s
Use of Confirmation, that will replace
the existing auditing standard on the
confirmation process. This new standard
emphasizes the auditor’s responsibilities
for obtaining relevant and reliable audit
evidence through the confirmation
process. The new standard will apply for
audits of financial statements for fiscal
years ending on or after June 15, 2025.
What Is Relevance
and Reliability?
In accordance with AS 1105, Audit
Evidence, the relevance of audit
evidence refers to its relationship to
the assertion or to the objective of the
control being tested. The relevance of
audit evidence depends on: design of
the audit procedure used to test the
assertion or control, in particular whether
it is designed to (1) test the assertion
or control directly and (2) test for
understatement or overstatement; and
the timing of the audit procedure used to
test the assertion or control.
The reliability of evidence depends on
the nature and source of the evidence
and the circumstances under which it
is obtained. The reliability of information
generated internally by the company is
increased when the company’s controls
over that information are effective.
Evidence obtained directly by the
auditor is more reliable than evidence
obtained indirectly. Evidence provided by
original documents is more reliable than
evidence provided by photocopies or
facsimiles, or documents that have been
filmed, digitized, or otherwise converted
into electronic form, the reliability of
which depends on the controls over the
conversion and maintenance of those
documents.
April 2024 | 5
Spotlight: Inspection Observations Related to Auditor Use of
Data and Reports
COMMON AREAS OF INSPECTION DEFICIENCIES
RELATED TO DATA AND REPORTS
This section summarizes information about deficiencies identified in our 2021 and 2022 comment
forms issued to audit firms related to IPC and other audit evidence.
Testing Accuracy and Completeness of IPC
Applicable Standards Examples of PCAOB Staff Observations
In accordance with AS 1105, Audit Evidence,
paragraph .10, when using information produced
by the company as audit evidence, the auditor
should evaluate whether the information is
sufficient and appropriate for purposes of the
audit by performing procedures to:
y Test the accuracy and completeness of the
information, or test the controls over the
information; and
y Evaluate whether the information is sufficiently
precise and detailed for purposes of the audit.
In accordance with AS 1105.A8, the auditor should
also test the accuracy and completeness of
company-produced data used by a company’s
specialist and evaluate the relevance and
reliability of data from sources external to the
company that are used by the specialist.
For broker-dealer audits conducted in accordance
with AT No. 1, Examination Engagements
Regarding Compliance Reports of Brokers and
Dealers, in accordance with paragraph .09, the
auditor should obtain an understanding of the
broker’s or dealer’s processes, including relevant
controls regarding compliance with the financial
responsibility rules. These procedures should
include understanding the degree to which the
broker’s or dealer’s compliance depends on the
completeness and accuracy of the broker’s or
dealer’s internally generated data.
We have observed deficiencies where the auditor
did not perform sufficient procedures to test, or
sufficiently test controls over, the completeness of
the IPC that was used to make selections for tests
of details, such as for a financial account with a
significant risk.
We also identified deficiencies where the auditor
failed to test the accuracy and completeness of
the non-financial data prepared by the company
and non-financial information used by the
company’s specialists in developing an estimate,
such as reserves in the oil and gas industry or
participant data for a pension liability.
Additional deficiencies have been identified in
tests to evaluate data used in a software-assisted
correlation analysis (e.g., an analysis that shows
the level of correlation between specified factors).
In broker-dealer inspections, we noted
deficiencies where the auditor did not test the
accuracy and completeness of IPC used by the
auditor as part of its compliance procedures as of
the broker-dealer’s year end.
April 2024 | 6
Spotlight: Inspection Observations Related to Auditor Use of
Data and Reports
Considering Relevance and Reliability of Audit Evidence
Applicable Standards Examples of PCAOB Staff Observations
In accordance with AS 1105.04, the auditor must
plan and perform audit procedures to obtain
sufficient appropriate audit evidence to provide a
reasonable basis for his or her opinion.
In accordance with AS 1105.06, to be appropriate,
audit evidence must be both relevant and reliable
in providing support for the conclusions on which
the auditor’s opinion is based.
Auditors can also consider PCAOB staff guidance,
Evaluating Relevance and Reliability of Audit
Evidence Obtained From External Sources.”
We have identified deficiencies where the auditor
failed to evaluate the relevance and reliability of
non-financial information, such as growth rates,
used by the company’s specialists in developing
an estimate.
We noted deficiencies where the auditor did not
perform any procedures to evaluate the relevance
and reliability of information provided by external
parties, such as risk-free rates and equity-risk
premiums, that was used in assessing long-lived
assets for impairment.
April 2024 | 7
Spotlight: Inspection Observations Related to Auditor Use of
Data and Reports
Testing Controls Over IPC Used in the Operation of a Control
Applicable Standards Examples of PCAOB Staff Observations
In accordance with AS 2201, An Audit of Internal
Control over Financial Reporting That is
Integrated with an Audit of Financial Statements,
paragraph .39, the auditor should test those
controls that are important to the auditor’s
conclusion about whether the company’s
controls sufficiently address the assessed risk of
misstatement to each relevant assertion.
In accordance with AS 2201.40, there might
be more than one control that addresses the
assessed risk of misstatement to a particular
relevant assertion; conversely, one control might
address the assessed risk of misstatement to more
than one relevant assertion. It is neither necessary
to test all controls related to a relevant assertion
nor necessary to test redundant controls, unless
redundancy is itself a control objective.
Note, Staff Practice Alert 11 says for example,
if a control selected for testing uses system-
generated data or reports, the effectiveness of
the control depends in part on the controls over
the accuracy and completeness of the system-
generated data or reports. In those situations,
supporting a conclusion on the effectiveness of
the selected control involves testing both the
selected control and the controls over the system-
generated data and reports.
We have identified deficiencies where the
auditor did not identify and test controls over
the accuracy and completeness of data used by
the control owner in the operation of a control
important to the auditor’s conclusions about
whether the company’s controls sufficiently
address the assessed risk of misstatement to each
relevant assertion.
April 2024 | 8
Spotlight: Inspection Observations Related to Auditor Use of
Data and Reports
Assessing Information Used in Expectations for Substantive
Analytical Procedures
Applicable Standards Examples of PCAOB Staff Observations
In accordance with AS 2305, Substantive
Analytical Procedures, paragraph .16, before using
the results obtained from substantive analytical
procedures, the auditor should either test the
design and operating effectiveness of controls
over financial information used in the substantive
analytical procedures or perform other procedures
to support the completeness and accuracy of
the underlying information. The auditor obtains
assurance from analytical procedures based
upon the consistency of the recorded amounts
with expectations developed from data derived
from other sources. The reliability of the data
used to develop the expectations should be
appropriate for the desired level of assurance
from the analytical procedure. The auditor should
assess the reliability of the data by considering
the source of the data and the conditions
under which it was gathered, as well as other
knowledge the auditor may have about the data.
The following factors influence the auditor’s
consideration of the reliability of data for purposes
of achieving audit objectives:
y Whether the data was obtained from
independent sources outside the entity or
from sources within the entity;
y Whether sources within the entity were
independent of those who are responsible for
the amount being audited;
y Whether the data was developed under a
reliable system with adequate controls;
y Whether the data was subjected to audit
testing in the current or prior year; and
y Whether the expectations were developed
using data from a variety of sources.
We have repeatedly observed deficiencies where
the auditor did not assess the reliability of data
(e.g., system generated reports) used to develop
its expectation in a revenue substantive analytical
procedure.
April 2024 | 9
Spotlight: Inspection Observations Related to Auditor Use of
Data and Reports
Assessing Information Produced by a Service Organization
Applicable Standards Examples of PCAOB Staff Observations
In accordance with AS 2601, Consideration of an
Entity’s Use of a Service Organization, paragraph
.14, if the user auditor decides to use a service
auditor’s report, the user auditor should consider
the extent of the evidence provided by the report
about the effectiveness of controls intended to
prevent or detect material misstatements in the
particular assertions. The user auditor remains
responsible for evaluating the evidence presented
by the service auditor and for determining its
effect on the assessment of control risk at the user
organization.
In accordance with AS 2301, The Auditor’s
Responses to the Risks of Material Misstatement,
paragraph .08, the auditor should design
and perform audit procedures in a manner
that addresses the assessed risks of material
misstatement for each relevant assertion of each
significant account and disclosure.
We identified deficiencies where the public
company used a service organization to process
and record revenue transactions. The auditor’s
approach to substantively test revenue included
reliance on controls, including controls over the
accuracy and completeness of transaction data
that the public company obtained from the
service organization. The auditor did not perform
any procedures to test the operating effectiveness
of complementary user controls at the public
company that the service auditor specified should
be in place in its service organization control
report (“SOC report”).
We observed deficiencies where the auditor used
certain data produced by the public company’s
benefit plan record keeper in testing participant
contributions. The auditor did not perform any
procedures that addressed the accuracy and
completeness of this data. In this instance, the
auditor used the information produced by a
service organization and did not test controls over
the relevance and reliability of this information or
test controls over the accuracy and completeness
of this information or data to support the extent of
its use.
April 2024 | 10
Spotlight: Inspection Observations Related to Auditor Use of
Data and Reports
Auditor Considerations When Using a Service
Organization
The auditor may want to consider the following:
y When using information produced by a service organization, did the SOC report cover
controls relevant to that information?
y Are there exclusions in the scope of the SOC report?
y Are complementary user entity controls being addressed by the public company or
broker-dealer?
y Has the auditor performed procedures to test the complementary user entity controls?
y If the SOC report does not address controls over accuracy and completeness of
information produced by the service organization, did the auditor identify and test
alternate, compensating, or mitigating controls at the public company or broker-dealer
over accuracy and completeness of information produced by the service organization?
y How much time has elapsed since the period covered by the SOC reports compared
to the period under audit? Have there been any changes in the controls that may have
occurred at the service organization during the period not covered by the SOC report?
If so, the auditor may consider obtaining an updated SOC report or if performing other
procedures are required.
Testing Supplemental Information Accompanying Audited
Financial Statements
Applicable Standards Examples of PCAOB Staff Observations
In accordance with AS 2701, Auditing
Supplemental Information Accompanying
Audited Financial Statements, paragraph
.04, in performing the audit procedures on
supplemental information, the auditor should,
among other things, perform procedures to test
the completeness and accuracy of the information
presented in the supplemental information to the
extent that it was not tested as part of the audit of
financial statements.
We observed deficiencies where the auditor did
not perform, or sufficiently perform, procedures
to test the completeness and accuracy of
information presented in customer and
broker-dealer reserve computations, including
information produced by the broker-dealers or
the broker-dealers’ service organizations used to
prepare the computations.
April 2024 | 11
Spotlight: Inspection Observations Related to Auditor Use of
Data and Reports
Use of Data by an Auditor-Engaged Specialist
Applicable Standards Examples of PCAOB Staff Observations
In accordance with AS 1210, Using the Work of
an Auditor-Engaged Specialist, paragraph .09,
the engagement partner and, as applicable,
other engagement team members performing
supervisory activities should review the report,
or equivalent documentation, provided by
the specialist pursuant to paragraph .06d and
evaluate whether the specialist’s work provides
sufficient appropriate evidence, specifically
whether:
y The specialist’s work and report, or equivalent
documentation, are in accordance with the
auditor’s understanding with the specialist; and
y The specialist’s findings and conclusions are
consistent with results of the work performed
by the specialist, other evidence obtained by
the auditor, and the auditor’s understanding of
the company and its environment.
We observed deficiencies where the auditor did
not sufficiently evaluate the work of the auditor-
engaged Specialist and identify that such work
did not provide sufficient appropriate audit
evidence.
REMINDERS FOR
AUDITORS
Audit firms and auditors are encouraged to
consider the following reminders:
y It is important for the auditor to clearly
identify and document the linkage between
the likely sources of potential misstatement
and the controls, if applicable, to be tested,
including the testing of data and reports
that may be used as audit evidence, when
planning the audit response.
y It is important for the auditor to understand
the sources of data, both internal and
external to the public company, to better
identify required audit procedures for
testing the accuracy and completeness and
evaluating the relevance and reliability to be
able to use such data as audit evidence.
y If the service auditor’s report does not
provide audit evidence regarding the
accuracy and completeness of information,
including reports produced by a service
organization, the auditor should perform
appropriate procedures for the facts and
circumstances.
y It is important for the auditor to identify the
sources of the underlying data in reports as
well as how the reports are generated, when
testing data and reports that may be used as
audit evidence.
y If the auditor is using the work of a
company’s specialist, PCAOB standards
require the auditor to test the accuracy
and completeness of company-produced
data used by the company’s specialist and
evaluate the relevance and reliability of data
from sources external to the company that
are used by the company’s specialist.
April 2024 | 12
Spotlight: Inspection Observations Related to Auditor Use of
Data and Reports
y If the auditor is using the work of an auditor-
engaged specialist, PCAOB standards
require the auditor to inform the specialist
of the work to be performed, which
includes establishing and documenting an
understanding with the specialist regarding
the degree of responsibility of the specialist
for testing data produced by the company
or evaluating the relevance and reliability of
data from sources external to the company.
GOOD PRACTICES
Many audit firms, ranging from large global
network firms to sole proprietorships, continue
to take steps to improve their processes
related to testing data and reports, which we
believe positively influence audit quality. Some
examples of these good practices we have
observed include the following:
y Use of firm risk assessment templates that
helped engagement teams capture well-
documented linkage between likely sources
of potential misstatements and the controls
to be tested, including data and reports.
y Integration and collaboration between
the core audit engagement team and the
information technology engagement team
members to understand and document
data flows, system interfaces, and the use of
data and reports within a process flow.
y Use of a central repository of reports
identified during the audit, including a link
to the applicable information technology
application, the associated testing approach
for the report, testing of the report, and the
testing conclusion.
y Clear communication between the core
audit engagement team and auditor-
engaged specialists that demonstrates all
data being used by the specialist is subjected
to testing procedures as appropriate.
We Want To Hear
From You
The PCAOB strives to improve our
external communications and provide
information that is timely, relevant, and
accessible. We invite you to share your
views on this document by filling out our
survey, which should take no more than
two minutes to complete.
Contact Us
STAY CONNECTED TO THE PCAOB
@PCAOB_NewsPCAOBSubscribe