Audit procedures are the processes and methods auditors use to obtain sufficient, appropriate audit evidence to give their professional judgment about the effectiveness of an organization’s internal controls.
Internal controls are the mechanisms and standards businesses use to protect their sensitive data and IT systems or to provide accountability on financial statements and accounting records.
What Is Control Testing?
Control testing is the process of evaluating whether internal controls are properly designed and operating effectively to mitigate various types of risks, including financial risks, reputation risk, and operational risks. It involves examining the company’s policies, procedures, and practices to determine if they can prevent, detect, or correct errors, fraud, or disruptions in day-to-day operations.
During control testing, auditors check whether controls work as intended and whether risk mitigation is adequate. Controls are tested in two ways: for their design and for their operating effectiveness.
- Design testing: Evaluates whether controls are logically structured to address specific risks, including risks from external events that may impact business operations.
- Operating effectiveness testing: Examines whether controls consistently work as designed over time to support an organization’s strategic objectives and initiatives.
Strong controls that pass testing mean auditors have to do less substantive testing. Passing controls also help organizations align their control environment with their risk appetite and strategic planning.
Conversely, weak or failing controls require more extensive audit work to ensure there are no material misstatements in financial statements and that business decisions are based on reliable information.
Understanding the Audit Process
In the case of an audit on internal controls, the auditor must assess the client’s risk of ineffective internal controls. That means the auditor must learn as much as possible about the client’s mechanisms for internal control, however good or bad those mechanisms might be.
During the fieldwork phase, the American Institute of Certified Public Accountants (AICPA) requires auditors to assess a client’s internal controls using a variety of audit procedures. This involves understanding the client’s information systems, including the communication and business processes relevant to the client’s financial reporting.
Four Major Limitations of Auditing
Unfortunately, auditing comes with several limitations. Let’s take a look at them now.
- Audits are limited to relevant controls only: Audit objectives focus strictly on the effectiveness of internal controls and do not extend to evaluating overall business strategy or suggesting performance improvements. While audits assess risk management processes, they do not directly influence strategic decisions or business objectives.
- Audits are limited to a sample of transactions: Auditors can’t review all transactions in large organizations. They must use representative samples to evaluate control effectiveness. This approach may not always capture the full potential impact of control deficiencies or business risk across the entire organization.
- Auditors must rely on other experts: Auditors depend on subject matter experts, such as lawyers or engineers, to evaluate specialized areas like fixed assets and potential liabilities. This dependency introduces a level of risk, as external expertise influences audit conclusions and may be affected by external factors beyond the auditor’s control.
- Financial burden: Internal control audits come with significant costs in addition to expenses for implementing, testing, and improving internal controls.
Internal vs. External Audits: Purpose, Process, and Impact
Organizations rely on two key audits: internal and external. Understanding their differences helps assess their impact on operations, compliance, and financial reporting.
Scope and Objectives
- Internal Audit (Objective: Risk management and operational efficiency): Conducted by internal teams to assess internal controls, risk identification, and operational efficiencies. This often includes creating an audit program and plan to support the organization’s risk register and short-term control improvements.
- External Audit (Objective: Financial accuracy and compliance): Performed by independent auditors to review financial statements for accuracy and compliance with accounting standards. This provides an unbiased audit report to external stakeholders.
Parties Involved and Reporting
- Internal Audit: Conducted by employees or an internal audit team reporting to senior management or the audit committee. Findings contribute to decision-making and improving internal processes.
- External Audit: Performed by third-party auditors who report to shareholders, regulatory bodies, and external stakeholders, ensuring transparency.
Frequency and Follow-Up
- Internal Audit: Conducted periodically or as needed for continuous monitoring and corrective actions.
- External Audit: Typically annual, providing a financial snapshot. Findings may lead to management-imposed corrective actions.
What Are Audit Control Procedures?
There is no universal approach to understanding internal controls, business processes, and the effectiveness of a control. Instead, the requirements differ for each audit.
An auditor must also understand each component of the client’s financial reporting controls, including the overall control environment, the risk assessment process, information systems, control activities related to the audit, and how the client monitors internal controls.
Types of Audit Procedures
Auditors use several specific procedures to gather evidence and assess internal controls. Here are the main types.
- Inspection: Examining records, documents, or physical assets. This includes reviewing invoices, contracts, and board minutes, as well as checking inventory or equipment. Inspections verify the existence and condition of assets.
- Observation: Watching others perform processes or procedures. For example, watching inventory counts or how employees handle cash. This helps auditors understand if controls work as described.
- Confirmation: Getting written statements from third parties to verify information. This includes sending requests to banks, customers, or vendors to confirm account balances or transaction details. Confirmation provides independent evidence.
- Reperformance: Independently executing procedures or controls that were originally performed as part of the company’s internal control system. This might include recalculating figures or redoing reconciliations to test accuracy.
- Analytical procedures: Evaluating financial information by analyzing relationships among data.
  - Trend analysis: Comparing current period data with previous periods
  - Ratio analysis: Calculating and comparing financial ratios to industry benchmarks
  - Reasonableness tests: Checking if recorded amounts make sense based on expectations
- Inquiry: Asking questions of knowledgeable people within or outside the organization. While inquiry alone rarely provides sufficient evidence, it guides auditors toward other procedures and helps clarify understanding.
Timing for Audit Testing Procedures
Choosing the right time to apply different audit tests affects both the quality of the evidence collected and the reliability of the final conclusions.
Planning Phase
During the initial planning, auditors determine when to execute various procedures based on several factors:
- Areas evaluated: Different business processes and control points require testing at specific times. For example, inventory-related controls might need testing during physical count periods, while revenue recognition controls might require testing at month-end closing.
- Audit objectives: The specific goals of the audit influence timing decisions. If the objective is to evaluate year-end financial statement accuracy, substantive testing might be concentrated near period-end.
- Population size: The volume of transactions affects timing. Larger populations often require interim testing throughout the year instead of only at year-end to manage the workload.
Interim vs. Year-End Testing
Interim testing happens during the fiscal year and helps identify control weaknesses early, so management has time to implement corrective actions. This approach is useful for:
- High-volume transaction cycles
- Preliminary risk assessments
- Testing the design of controls
Year-end testing focuses on the final period and provides evidence about the financial statement balances. This timing is essential for:
- Final account balances
- Cutoff procedures
- Management assertions regarding year-end figures
Procedure-Specific Timing
Different procedures have optimal timing windows.
Inquiry procedures are often done early to gain understanding, but may be repeated throughout the audit as new relevant information emerges. Both internal auditors and external auditors use inquiry at various stages.
Observation procedures must be timed to coincide with the actual performance of the control activities being observed, such as inventory counts or cash handling.
Analytical procedures can be performed at multiple stages—preliminary analytics during planning, detailed analytics during fieldwork, and final analytics during conclusion.
Level of Precision Considerations
The level of precision required affects timing decisions. More precise testing might need to occur closer to year-end, while broader control environment assessments can happen earlier in the process.
The optimal timing strategy balances resource constraints, risk assessments, and the need for sufficient appropriate evidence to support audit conclusions.
Audit Process Best Practices
Following best practices facilitates evaluation precision and seamless improvements. Here are some best practices to consider.
- Thorough planning and scope clarification: Define the scope of the audit and set a clear time frame. Then, establish a detailed audit plan with steps for practical fieldwork and evaluation of internal controls.
- Precise execution: Use a strong audit program and make sure all work follows the planned method carefully. This process needs careful attention when doing internal audits to make sure they are accurate.
- Insightful observations and recommendations: Gather observations during the audit to form the basis for valuable recommendations. These insights are key for the auditee to implement corrective action plans.
- Effective communication and reporting: Have meetings before and after the audit for clarity and alignment. Talking after the audit is an opportunity to discuss findings before presenting the draft audit report. This paves the way for a comprehensive audit report with key audit results.
- Continuous improvement: After the report is issued, follow up to check whether the suggested improvements have been implemented. Work with audit clients and the internal audit office to ensure continuous enhancement of practices.
ZenGRC Makes Audit Preparation More Efficient
Auditing software like ZenGRC simplifies your audit plan with integrated framework templates and a reporting dashboard with real-time documentation status. The ZenGRC risk assessment modules provide valuable insight into where your reporting is lacking, so you can take quick action to compile the documentation you need.