Most disclosure teams think about the audit as something that happens to their work after it is complete. The auditors arrive, review the files, ask questions, and issue an opinion. The team's job is to answer the questions and provide whatever the auditors request.
That framing is backwards, and it is expensive. Disclosure teams that understand what auditors are actually required to evaluate under current PCAOB (Public Company Accounting Oversight Board) standards build their evidence packages from the start of the period in a way that eliminates most of the back-and-forth entirely. The teams that do not understand this spend the final weeks of every audit cycle in reactive mode, locating documents that should have been organised from the outset, reconstructing rationale that should have been documented at the time of the decision, and explaining the provenance of data that should have been traceable from its first use.
This post maps the financial audit requirements that directly affect your disclosure team, in the order you would naturally encounter them. By the end, you will know what auditors are required to evaluate, what evidence your team needs to produce for each requirement, and how Finrep's Tesseract QA and audit evidence module make audit-readiness a by-product of the disclosure workflow rather than a separate exercise at period end.
What Does a Financial Audit Actually Require From the Finance Team?
A financial audit requires your team to produce evidence that supports every assertion embedded in your financial statements and disclosures. The auditor's job is to evaluate that evidence and reach an independent opinion on whether your financial statements are fairly presented. Your job is to produce evidence that is sufficient, appropriate, and traceable enough for the auditor to do that efficiently.
The gap between what most finance teams produce and what auditors need to evaluate efficiently is where audit overruns, late-cycle queries, and findings originate. Under PCAOB Auditing Standard AS 1000 (General Responsibilities of the Auditor in Conducting an Audit), effective for fiscal years beginning on or after December 15, 2024, auditors are required to exercise due professional care in planning and performing the audit and in evaluating audit evidence. That due professional care standard requires auditors to question evidence that is ambiguously sourced, inconsistently documented, or insufficiently detailed to support the conclusion it is meant to sustain.
In practical terms, every piece of documentation your team provides to the auditor will be evaluated against three questions: is there enough of it to support the conclusion (sufficiency), is it from a reliable source that is relevant to the assertion being tested (appropriateness), and can the auditor follow the chain from the conclusion back to the underlying data without additional explanation from your team (traceability). Those three dimensions govern the entire audit evidence standard.
According to the SEC's approval of PCAOB AS 1000 and the related AS 1105 amendments, the updated standards reaffirm, consolidate, and modernise the general principles and responsibilities of the auditor when conducting an audit, explicitly covering the auditor's duty to protect investors through the preparation and issuance of informative, accurate, and independent auditor's reports.
What Is Audit Evidence in Financial Reporting?
Audit evidence is all the information used by the auditor in arriving at the conclusions on which the auditor's opinion is based. Under PCAOB AS 1105 (Audit Evidence), audit evidence includes information from audit procedures and from other sources, covering both information that supports management's assertions and information that contradicts them.
Audit evidence is not the same as audit documentation. Evidence is what your team provides: the supporting schedules, source documents, accounting memos, peer benchmarks, and external data that underpin your financial statements. Documentation is the written record the auditor creates in their own files based on what they found when they evaluated your evidence.
The most common misconception among disclosure teams is that producing a disclosure draft is itself audit evidence. It is not. The disclosure draft is the output. The evidence is the chain of support behind the draft: the accounting standard that authorises the treatment, the data that was assessed, the alternative approaches that were considered and rejected, and the contemporaneous record of the decision. Producing the draft without the evidence chain requires the auditor to build that chain themselves, which is additional audit work that consumes time your team does not have at period end.
The reliability hierarchy under AS 1105 matters for how you organise your evidence. Evidence obtained directly from independent external sources is the most reliable. Evidence obtained from internal company sources is reliable to the extent that the controls over its preparation and maintenance are effective and documented. Evidence that is oral or reconstructed after the fact is the least reliable and generates the most auditor follow-up.
What Financial Statement Assertions Do Auditors Test in Disclosures?
Auditors test specific financial statement assertions in every audit procedure they perform. Understanding which assertions apply to your disclosures is the foundation of building an adequate evidence package. Under AS 1105, financial statement assertions fall into three categories.
For account balances, the assertions are existence (the balance exists), completeness (all balances are included), valuation (the balance is measured correctly), rights and obligations (the company has the right to the asset or the obligation for the liability), and presentation and disclosure (the balance is correctly classified and described).
For transactions and events, the assertions are occurrence (the transaction happened), completeness (all transactions are recorded), accuracy (transactions are recorded at the correct amounts), cutoff (transactions are recorded in the correct period), and classification (transactions are recorded in the correct accounts).
For disclosures specifically, the assertions are occurrence and rights and obligations (disclosed events occurred and relate to the entity), completeness (all required disclosures are included), classification and understandability (information is clearly expressed and appropriately presented), and accuracy and valuation (disclosed amounts and other information are fairly stated).
The disclosure assertion category is where most finance teams leave their evidence packages most incomplete. The accounting for a transaction is often well-evidenced. The financial statement disclosure of that transaction is frequently supported by nothing more than the disclosure draft itself. When an auditor asks how you determined a disclosure is complete and accurate, the answer needs to point to specific evidence for each assertion, not to the draft text.
The presentation and disclosure assertion in particular requires evidence that your team demonstrates accuracy of disclosed amounts, completeness of required disclosures under the applicable standard, and understandability of the description for a reader without your team's internal knowledge of the transaction.
What Is the PCAOB AS 1105 Audit Evidence Standard?
PCAOB AS 1105 is the auditing standard that defines what constitutes audit evidence and establishes the requirements for designing and performing audit procedures to obtain sufficient appropriate audit evidence. It is the primary standard governing the quality of evidence that auditors must obtain, and by extension, the quality of evidence your team must produce for auditors to rely on.
The standard has three core requirements. First, auditors must obtain evidence that is sufficient: enough in quantity to support the conclusion. Second, auditors must obtain evidence that is appropriate: relevant to the assertion being tested and reliable enough to be persuasive given its source. Third, auditors must evaluate evidence on a cumulative basis across the engagement, which means a weakness in one piece of evidence cannot be offset simply by providing more evidence of the same type.
For disclosure teams, AS 1105 establishes a practical standard for every document you provide to the audit team. Does it clearly identify its purpose and the assertion it is meant to support? Does it identify its source in a way that allows the auditor to assess reliability? Does it contain enough detail to support the conclusion without requiring additional procedures?
The standard was most recently amended effective for fiscal years beginning on or after December 15, 2025, with new requirements specifically addressing externally sourced electronic data. Those amendments are described in the next section because they represent the single most significant change to the financial audit evidence requirements for disclosure teams in recent years.
What Changed in PCAOB Audit Evidence Rules in 2025 and 2026?
The 2025 amendment to PCAOB AS 1105 added paragraph .10A, a new requirement specifically addressing the reliability of external information provided by the company in electronic form. This is the most significant change to the audit evidence standard for disclosure teams in several years, and most teams are not yet prepared for its practical implications.
Under paragraph .10A, effective for fiscal years beginning on or after December 15, 2025, auditors must evaluate the reliability of company-provided external electronic information by obtaining an understanding of the source and of the company's process for receiving, maintaining, and processing that information. The PCAOB's October 2025 guidance on implementing paragraph .10A provides illustrative examples and clarifies the circumstances in which separate testing of external data may be required.
In practical terms, this amendment covers any externally sourced data your disclosure team provides as audit support. Market data used to support fair value measurements. Peer filing benchmarks used to support disclosure completeness assessments. Interest rate indices used in lease liability calculations under ASC 842 (Leases). Regulatory guidance sourced from external databases. ESG (Environmental, Social, and Governance) metrics from third-party data providers.
Previously, auditors evaluated the reliability of such information primarily through analytical procedures. Under paragraph .10A, there is now an explicit procedural requirement: the auditor must understand your team's process for receiving, maintaining, and processing the information, and that understanding must be documented. Disclosure teams without provenance documentation for externally sourced data will face increased requests for process walkthroughs and controls documentation in every audit cycle from 2026 onward.
Looking ahead to December 2026, the amendments to AS 1215 (Audit Documentation) will further tighten requirements around significant matters involving the selection, application, and consistency of accounting principles including related disclosures. Disclosure teams that are not already producing source-linked, assertion-mapped evidence for accounting policy disclosures will face materially higher audit evidence request volumes when these amendments are fully embedded in audit firm methodologies.
What Does Audit Documentation Actually Require From Disclosure Teams?
Audit documentation under PCAOB AS 1215 must be prepared in sufficient detail to provide a clear understanding of its purpose, source, and the conclusions reached, and must be appropriately organised to provide a clear link to the significant findings or issues it addresses.
Three specific requirements from AS 1215 translate directly into obligations for your disclosure team.
The first is documented purpose and source. Every piece of support you provide must clearly identify which assertion it is meant to support and where the underlying data or guidance came from. A spreadsheet labelled only "prepared by finance team" without identifying the data source, the system it was extracted from, or the controls over that extraction is documentation without provenance. Auditors must perform additional work to establish its reliability before they can use it.
The second is a clear link to significant conclusions. AS 1215 requires documentation that provides a clear link between evidence and the financial statement conclusions it supports. For disclosures, this means that for any material accounting judgment embedded in a disclosure, there must be a traceable chain from the disclosed conclusion back to the guidance that supports it, the data that was assessed, and the documentation of the decision itself. A disclosure that exists without that chain is a disclosure without an audit trail.
The third is completeness of accounting principle documentation. AS 1215 specifically requires documentation of significant matters involving the selection, application, and consistency of accounting principles including related disclosures. If your team changed a disclosure accounting policy during the period or made a significant disclosure judgment about which standard applies, that decision needs its own documentation trail, not just a reference to the prior period approach.
The PCAOB's auditing standards make clear that audit documentation should be prepared contemporaneously with the audit work, not reconstructed after the fact. The same principle applies to the evidence your team provides: a decision memo written the day after the disclosure decision is made is less defensible than a memo written before the filing was submitted and reviewed by the disclosure committee.
What Makes Audit Evidence Sufficient, Appropriate, and Traceable?
These three qualities are the operational criteria by which every piece of evidence in your disclosure package will be evaluated. Understanding each one in practical terms is the difference between an evidence package that auditors can use efficiently and one that generates weeks of follow-up queries.
Sufficiency is the measure of quantity. For disclosure teams, insufficiency typically appears in two patterns. Scope insufficiency means the evidence covers the valuation question but not the completeness or presentation question. A team that produces strong balance sheet support for a goodwill amount but thin evidence for the impairment testing assumptions disclosure has produced scope-insufficient evidence. Depth insufficiency means the evidence reaches a conclusion without walking through the analysis that supports it. A memo that concludes a lease modification should be accounted for as a new separate contract under ASC 842 without working through the two-condition test in ASC 842-25 is depth-insufficient. The auditor must perform additional procedures to evaluate the basis for the conclusion.
Appropriateness combines relevance and reliability. Evidence is relevant when it directly addresses the assertion being tested. Evidence is reliable when it comes from a trustworthy source and has been maintained through adequate controls. The paragraph .10A amendment specifically targets the reliability dimension for externally sourced electronic data. When your team provides peer benchmarking data from a third-party database or market data from a financial data provider, the auditor must now evaluate the reliability of that data by understanding its source and your processing controls. Evidence without documented provenance fails the appropriateness test regardless of how relevant it is to the assertion.
Traceability is not a separate PCAOB standard category but it is the operational quality that determines whether sufficiency and appropriateness can be established efficiently. Traceable evidence allows the auditor to follow the chain from a disclosed conclusion back to the underlying data and the guidance that supports it in a single continuous path without asking your team for additional explanation. The most common traceability failures are multiple document versions without clear version control, supporting schedule data that does not tie to the disclosed number without an unexplained reconciling item, guidance citations that name a standard without specifying the applicable paragraph, and decision memos that state a conclusion without documenting alternatives considered and rejected.
Each traceability failure is a separate audit query. Across a complex disclosure package, they compound into the weeks of late-cycle back-and-forth that most finance teams experience as an annual audit rhythm rather than a solvable problem.
How Do You Make Financial Disclosures Defensible Under Audit?
Defensibility is the quality that matters when the audit is not the only review your disclosures will face. The SEC may review your filing. Your audit committee will sign off on it. Your CFO and CEO will certify it under Sections 302 and 906 of the Sarbanes-Oxley Act (SOX). Each of those parties needs a defensible basis for their action.
A defensible disclosure has three elements. A cited source that is authoritative for the specific conclusion reached. A traceable path from the conclusion back to that source. And documentation that was created contemporaneously with the decision rather than reconstructed after the question was asked.
Contemporaneous documentation is the element most frequently underestimated. When an auditor, the SEC, the audit committee, or opposing counsel in litigation asks why your team made a specific disclosure decision, the strength of your answer depends almost entirely on when the supporting documentation was created. A memo written before the filing was submitted and reviewed by the disclosure committee is the most defensible form of evidence. A memo written the day after the disclosure was finalised is meaningfully less defensible. A memo written after the auditor or the SEC raises the question is far less defensible still.
According to the Harvard Law School Forum on Corporate Governance, disclosure committees at leading public companies now require that significant disclosure judgments be documented before the filing is submitted, with that documentation reviewed and approved as part of the pre-filing sign-off process. This is not a best practice aspiration. It is a prerequisite for defensibility under the audit and SEC review standards that apply to every periodic report your company files.
The three-element defensibility standard applies to every material accounting judgment in your disclosures, not just the ones you anticipate being questioned. The judgment that goes unquestioned in year one is often the judgment that generates an SEC comment letter or an audit finding in year three, when a reviewer with fresh eyes looks at the same disclosure and asks what should have been a straightforward question.
What Disclosure Areas Have the Most Audit Evidence Gaps?
Three disclosure areas consistently produce the highest volume of audit evidence requests, auditor findings, and SEC comment letter activity. They share a common structure: the accounting for the underlying transaction is well-evidenced but the disclosure of that transaction is not.
Related party transaction disclosures. The completeness assertion for related party disclosures under ASC 850 (Related Party Disclosures) is routinely under-evidenced. Finance teams typically produce strong evidence that identified related party transactions are accurately described. They produce weak evidence that all related party transactions have been identified in the first place. Auditors must test completeness, which requires a process for identifying all related parties and all transactions with those parties, not just the ones already in the disclosure. Without a documented identification process, the auditor cannot conclude the disclosure is complete.
Fair value measurement disclosures. The valuation assertion for fair value measurements is typically well-evidenced through valuation reports and model documentation. The presentation and disclosure assertion is frequently not. Disclosures that describe a fair value measurement without specifying the valuation technique used, the significant inputs applied, and the sensitivity of the measurement to those inputs leave the auditor unable to evaluate whether the disclosure meets the requirements of ASC 820 (Fair Value Measurement) without performing additional procedures. Those additional procedures are additional audit time charged to your engagement.
ASC 842 lease modification disclosures. Lease modification accounting generates audit evidence gaps because the accounting conclusion (new separate contract versus modification of the existing lease) depends on a two-condition test in ASC 842-25 that must be applied to the specific facts of each modification. Finance teams frequently document the conclusion without documenting the two-condition test analysis. The auditor must then reconstruct the analysis from the underlying lease documents, which is both time-consuming and a sign that your internal controls over lease modification accounting may not be operating as designed.
These three areas are also among the most frequently commented disclosure areas in SEC annual report reviews. The correlation is not accidental. Disclosures with weak audit evidence tend to have weaker disclosure depth, because the same documentation discipline that produces good audit evidence produces disclosures that satisfy SEC completeness expectations.
How Does AI Help With Audit Evidence and Disclosure Documentation?
AI tools built specifically for financial reporting address the audit evidence problem at its structural root: evidence needs to be built during the disclosure workflow, not assembled after the audit inquiry arrives. General-purpose AI tools do not solve this problem because they generate outputs without citing verifiable sources, which means the evidence chain they produce cannot be evaluated by an auditor under the AS 1105 reliability standard.
Purpose-built financial reporting AI solves this by grounding every output in retrieved, cited source documents from the relevant financial reporting data universe: EDGAR filings, the FASB Accounting Standards Codification (free access; license agreement required on first visit) at asc.fasb.org, and regulatory publications. Every conclusion is linked to a specific source that the auditor can retrieve and verify. The AI's role is retrieval, organisation, and synthesis of verifiable material, not generation of uncited conclusions.
Finrep's Tesseract QA is built on this principle. For each disclosure checklist item, Tesseract QA captures the evidence supporting that item at the point of review, linking each disclosure assertion directly to its supporting source: the ASC codification paragraph that authorises the accounting treatment, the EDGAR peer filing that benchmarks the disclosure approach, and the internal data reference that supports the disclosed amount.
The evidence-per-checklist-item feature organises the output by assertion rather than by document. When an auditor asks which evidence supports the ASC 842 lease modification disclosure, the answer is a direct link to the checklist item, the sources attached to it, and the reviewer who approved it, with timestamps throughout. There is no assembly step. The evidence package is a by-product of the review workflow itself.
Finrep's audit evidence module addresses the paragraph .10A electronic evidence requirement specifically. For any externally sourced data included in your disclosure support, the module documents the source, the access date, and the processing steps applied, creating the provenance record that auditors must now evaluate under the 2025 AS 1105 amendment. This replaces a manual documentation step that most teams currently either skip or reconstruct after the audit inquiry arrives.
According to Finrep client data, 2025, teams using Finrep's disclosure intelligence tools reduce their month-end SEC reporting preparation time from 10 days to 3 to 4 days, with 60 to 70% fewer review loops with auditors. The reduction in auditor review loops is directly attributable to evidence quality improvement: fewer unexplained reconciling items, fewer undocumented sources, fewer decision memos written after the fact.
Request access to Finrep's Tesseract QA and audit evidence module
Frequently Asked Questions
What does a financial audit actually require from the finance team?
A financial audit requires your finance and disclosure team to produce evidence that is sufficient, appropriate, and traceable for every financial statement assertion embedded in your disclosures. Under PCAOB AS 1105, sufficiency means enough evidence to support the conclusion. Appropriateness means evidence that is relevant and reliable, with documented provenance for externally sourced data under the 2025 paragraph .10A amendment. Traceability means the auditor can follow the chain from each disclosed conclusion back to the underlying data and guidance without additional explanation. Evidence that fails any of these three criteria requires auditors to perform additional procedures, which is the primary driver of audit overruns and late-cycle queries.
What is audit evidence in financial reporting?
Audit evidence is all the information used by the auditor in arriving at the conclusions on which the auditor's opinion is based. It includes information from audit procedures and from other sources, covering both information that supports management's assertions and information that contradicts them. Audit evidence is distinct from the financial statements and disclosures themselves. The disclosure is the output. The evidence is the chain of support behind the output: the authoritative guidance, the data assessed, the alternatives considered, and the contemporaneous record of the decision.
What financial statement assertions do auditors test in disclosures?
For disclosures specifically, auditors test four assertion categories under PCAOB AS 1105: occurrence and rights and obligations (disclosed events occurred and relate to the entity), completeness (all required disclosures are included under the applicable standard), classification and understandability (information is clearly expressed and appropriately presented), and accuracy and valuation (disclosed amounts and other information are fairly stated). Most finance teams produce strong evidence for the accuracy and valuation assertion and weak evidence for the completeness and presentation assertions. Those gaps are where audit evidence requests concentrate.
What changed in PCAOB audit evidence rules in 2025?
The 2025 amendment to PCAOB AS 1105 added paragraph .10A, requiring auditors to evaluate the reliability of external electronic information provided by the company. This covers market data, peer filing benchmarks, interest rate indices, regulatory guidance from external databases, and ESG metrics from third-party providers. Auditors must now understand your team's process for receiving, maintaining, and processing this data, not just analytically corroborate it. Disclosure teams without documented provenance for externally sourced data will face increased audit requests for process documentation in every cycle from 2026 onward.
How do you make financial disclosures defensible under audit?
Defensible disclosures require three elements: a cited source that is authoritative for the specific conclusion reached, a traceable path from the conclusion back to that source, and documentation created contemporaneously with the decision rather than reconstructed after the question was asked. Contemporaneous documentation is the most frequently underestimated element. A decision memo written before the filing was submitted and reviewed by the disclosure committee is the most defensible form of evidence. Documentation reconstructed after an auditor or the SEC raises a question is the least defensible.
How does Finrep's Tesseract QA improve audit evidence quality?
Finrep's Tesseract QA captures evidence supporting each disclosure checklist item at the point of review, linking each disclosure assertion directly to its supporting source: the ASC codification paragraph, the EDGAR peer filing, and the internal data reference. The evidence-per-checklist-item feature organises the output by assertion rather than by document, making it directly usable for auditor review without a separate assembly step. The audit evidence module addresses the paragraph .10A requirement by documenting source, access date, and processing steps for externally sourced data. Teams using Finrep's disclosure intelligence tools reduce auditor review loops by 60 to 70% per Finrep client data, 2025.
Key Takeaways
- A financial audit requires your team to produce evidence that is sufficient, appropriate, and traceable for every assertion in your financial statements and disclosures, not just for the accounting entries. The disclosure assertion category is where most evidence packages are weakest.
- The 2025 amendment to PCAOB AS 1105 paragraph .10A requires auditors to evaluate the reliability of externally sourced electronic data your team provides, including peer benchmarks, market data, and regulatory guidance. Provenance documentation for this data is now an explicit audit requirement for fiscal years beginning December 15, 2025.
- AS 1215 amendments effective December 15, 2026 will further tighten documentation requirements for significant disclosure accounting judgments. Teams not yet producing source-linked, assertion-mapped evidence for accounting policy disclosures will face materially higher audit request volumes after these amendments take effect.
- Contemporaneous documentation is the single most underestimated element of audit defensibility. A decision memo created before the filing was submitted is significantly more defensible than one reconstructed after the auditor raises the question.
- Related party transaction completeness, fair value measurement presentation assertions, and ASC 842 lease modification two-condition test analysis are the three disclosure areas most consistently generating audit evidence gaps, additional procedures, and late-cycle audit queries.
- Finrep's Tesseract QA and audit evidence module build audit-ready evidence as a by-product of the disclosure review workflow, reducing auditor review loops by 60 to 70% per Finrep client data, 2025.
Request access to Finrep's Tesseract QA and audit evidence module
Finrep is an AI-powered financial disclosure intelligence platform for the Office of the CFO. 40 purpose-built AI agents for SEC reporting, technical accounting, investor relations, legal counsel, and disclosure committee functions. SOC2 Type II and ISO 27001 certified. Zero data residency. Backed by Accel. Trusted by CFO teams at FOX, Roku, HP, RingCentral, Wells Fargo, and Infosys.
For further reading on related disclosure quality topics, see the complete guide to SEC forms 10-K, 10-Q, and 8-K.
