Lesson 12 of 25
Evidence, Documentation, and the Testing Strategy
4 min read · CAMS-Audit
Rank evidence by reliability (re-performance beats inquiry), pick the right testing technique, and document workpapers so a reviewer can re-trace your work, because an undocumented conclusion is unsupported.
What makes evidence good
- Sufficient — enough to support the conclusion
- Reliable — from a trustworthy, independent source
- Relevant — actually addresses the objective
- Useful — helps the institution act
Every audit conclusion rests on evidence, and the Institute of Internal Auditors sets four qualities good evidence must have. Sufficient means there's enough of it to support the conclusion; one data point proves nothing. Reliable means it comes from a trustworthy, ideally independent source.
Relevant means it actually addresses the objective you're testing rather than something adjacent. And useful means it helps the institution understand and act. Hold these four in mind whenever you evaluate a finding: a conclusion built on insufficient or unreliable evidence won't survive scrutiny, from management, from regulators, or from the exam.
Ranking evidence by reliability
- Auditor-obtained beats auditee-provided
- Independent external sources beat internal ones
- Direct re-performance beats inquiry alone
- Original documents beat photocopies and assertions
Not all evidence is equally reliable, and the exam expects you to rank it. Evidence you obtain yourself outranks evidence the auditee hands you, because the auditee has an interest in the outcome. Evidence from independent external sources (a regulator, a third-party confirmation) outranks purely internal records.
Evidence you generate by directly re-performing a control outranks merely asking someone whether the control works; inquiry alone is the weakest form. And original documents and system records outrank photocopies and verbal assertions. So when two pieces of evidence conflict, weight the more reliable one.
When a control owner says it works but your re-performance shows it doesn't, your re-performance wins.
Testing techniques
- Inquiry — ask (weakest alone)
- Observation — watch the process
- Inspection — examine documents and records
- Re-performance — redo the control yourself
Those reliability levels map onto specific techniques. Inquiry is simply asking the people involved; it's a starting point but weak on its own. Observation is watching a process happen, useful but limited to the moment you watched.
Inspection is examining documents, records, and configurations, the workhorse of AML testing. And re-performance is redoing the control yourself (re-running a monitoring rule, re-screening a name against the sanctions list) to see whether the system produced the right result. Re-performance gives the strongest evidence because you're not taking anyone's word for it.
A good test plan usually combines techniques: inquire to understand the control, then inspect and re-perform to prove whether it works.
Documentation and workpapers
- Workpapers must let a reviewer re-trace your work
- Record objective, procedure, sample, result, conclusion
- Link every finding to its supporting evidence
- If it isn't documented, it didn't happen
All of this must be documented in workpapers, and documentation is graded heavily in audit quality. The standard is simple: a competent reviewer who wasn't there should be able to re-trace exactly what you did and reach the same conclusion. So each workpaper records the objective, the procedure performed, the sample selected and why, the results observed, and the conclusion drawn.
Every finding must link back to the specific evidence that supports it. The auditor's maxim is blunt: if it isn't documented, it didn't happen. A correct conclusion with no supporting workpaper is, for review and regulatory purposes, an unsupported conclusion, and the exam treats it that way.
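As an added illustration of re-performance captured in a workpaper (this is not code from the lesson or its sources): the auditor independently re-screens a sample of customer names against a sanctions list, compares each result with what the institution's screening system logged, and records objective, procedure, sample, results and conclusion with an evidence reference per item. The sanctions list, customer names, system outcomes and workpaper references are constructed sample data.

```python
import re

# Constructed sample: sanctions list the auditor obtained from an independent
# source (stronger than the auditee's own copy).
SANCTIONS_LIST = {"ACME TRADING CO", "JOHN A DOE", "GLOBAL FREIGHT LTD"}

def normalize(name: str) -> str:
    """Upper-case, drop punctuation, collapse spaces: 'Acme Trading, Co.' -> 'ACME TRADING CO'."""
    return " ".join(re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split())

def rescreen(name: str) -> bool:
    """Auditor's own screening of one name: exact match after normalization."""
    return normalize(name) in {normalize(n) for n in SANCTIONS_LIST}

def build_workpaper(sample: list) -> dict:
    """Re-perform screening over the sample and record objective, procedure,
    sample, results and conclusion; every result carries its evidence reference
    so a reviewer can re-trace it. An exception is any disagreement between the
    system's logged outcome (auditee-provided) and the auditor's re-performance."""
    results = []
    for s in sample:
        auditor_hit = rescreen(s["name"])
        results.append({"id": s["id"], "system": s["system_hit"],
                        "auditor": auditor_hit, "evidence": s["evidence"],
                        "exception": auditor_hit != s["system_hit"]})
    exceptions = [r["id"] for r in results if r["exception"]]
    return {
        "objective": "Sanctions screening flags listed parties at onboarding",
        "procedure": "Re-perform screening of sampled customers against an "
                     "independently obtained list; compare with the system log",
        "sample": [s["id"] for s in sample],
        "results": results,
        "exceptions": exceptions,
        "conclusion": ("Control operating effectively" if not exceptions else
                       f"{len(exceptions)} exception(s); control cannot be relied upon"),
    }

# Constructed sample (placeholder workpaper refs): the system cleared C003 although the name is listed.
SAMPLE = [
    {"id": "C001", "name": "Acme Trading, Co.", "system_hit": True,
     "evidence": "WP-12.3 screening log, row 41"},
    {"id": "C002", "name": "Jane Smith", "system_hit": False,
     "evidence": "WP-12.3 screening log, row 42"},
    {"id": "C003", "name": "Global  Freight Ltd", "system_hit": False,
     "evidence": "WP-12.3 screening log, row 43"},
]

if __name__ == "__main__":
    print(build_workpaper(SAMPLE)["conclusion"])
```

The disagreement on C003 is exactly the case the lesson describes: the auditee's record says the control worked, the re-performance says it did not, and the workpaper shows a reviewer which row of which log to look at.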
Building the testing strategy
- Start from the objective and the risk
- Choose techniques and sampling to match
- Combine methods for stronger, corroborated evidence
- Plan tests you can actually evidence and document
Pull this together into a testing strategy, the plan for how you'll gather enough reliable evidence to conclude. Start from the engagement objective and the risk: what exactly must you prove, and how confident must you be? Then choose techniques and a sampling approach to match, statistical sampling and re-performance where you need a defensible population conclusion, judgmental selection and inspection where you're probing specific known risks.
Combine methods deliberately, because corroborated evidence is stronger than any single source; if inquiry, inspection, and re-performance all point the same way, your conclusion is robust, and where they diverge, you've found something worth investigating. And plan only tests you can actually evidence and document, since a clever procedure that leaves no traceable workpaper can't support a finding. A good testing strategy is the bridge between everything you decided in planning and the fieldwork you're about to perform, and it's what keeps fieldwork purposeful rather than a fishing expedition.
Recap and next
- Evidence: sufficient, reliable, relevant, useful
- Rank reliability; re-performance beats inquiry
- Workpapers must let a reviewer re-trace the work
- Next module — fieldwork: design vs. operating effectiveness
Recapping: good evidence is sufficient, reliable, relevant, and useful, and you rank it by reliability, with independent, auditor-obtained, re-performed evidence at the top and uncorroborated inquiry at the bottom. Choose techniques to match, favoring re-performance over inquiry, and document everything so a reviewer can re-trace your work, because an undocumented conclusion is an unsupported one.
And build a deliberate testing strategy that ties techniques and sampling back to the objective and the risk, combining methods so your evidence corroborates rather than rests on a single source. That closes the planning module. Next, we open fieldwork and evaluation, the heaviest module on the exam at roughly forty percent, starting with the crucial distinction between design effectiveness and operating effectiveness. Test yourself on evidence and documentation first.
Sources
- IIA International Professional Practices Framework — sufficient, reliable, relevant, useful evidence and engagement documentation
- FFIEC BSA/AML Examination Manual — transaction testing and documentation
Test your knowledge
A few CAMS-Audit questions on this material — pick an answer to see the explanation.
Q1. A CTR must be filed for cash transactions exceeding what dollar threshold, and within what time period after the transaction date?
Q2. During audit fieldwork, the team requests SAR filings and supporting investigation records from five years ago. The institution cannot locate three of the files. What finding does this create?
Q3. An institution's customer-service team was recently informed by a manager that a SAR had been filed on one of their accounts so they could 'be careful' in future interactions. What violation does this represent?
Q4. A transaction-monitoring model was tuned and validated two years ago. Since then, the institution onboarded a large block of high-risk international customers, significantly changing the customer mix. No re-validation has occurred. Under SR 11-7, what is the finding?