What Are Audit Procedures for Internal Controls?

Audit procedures are the processes and methods auditors use to obtain sufficient, appropriate audit evidence to give their professional judgment about the effectiveness of an organization’s internal controls.

Internal controls are the mechanisms and standards that businesses use to protect their sensitive data and IT systems; or as a means of providing accountability on financial statements and accounting records.

What Is the Purpose of the Audit Process?

In the case of an audit on internal controls, the auditor must assess the client’s risk of ineffective internal controls. That means the auditor must learn as much as possible about the client’s mechanisms for internal control, however good or bad those mechanisms might be.

The American Institute of Certified Public Accountants (AICPA) requires that auditors assess a client’s internal controls using a variety of audit procedures.

During this process, the auditor must understand the client’s information systems, including the communication and business processes that are relevant to the client’s financial reporting.

What are the Major Limitations of Auditing?

Unfortunately, auditing comes with several limitations. Let’s take a look at them now.

Audits Are Limited to Relevant Controls Only

In the event of an internal control audit, the audit objectives are strictly limited to internal controls. Therefore, the auditor can not comment on any potential inefficiencies, or offer ways to improve organizational performance.

Audits Are Limited to a Sample of Transactions

Another limitation is that generally speaking, it’s not possible for the auditor to review the entire set of transactions (say, all accounts payable transactions) in a large organization. So the auditor must use a representative sample that suggests how well internal controls do or don’t work. That sample might strongly correlate to the untested whole – but then again, perhaps not; it’s only a sample.

Auditors Must Rely on Other Experts

Auditors depend on subject matter experts such as lawyers or engineers for the valuation of fixed assets and other relevant information on potential liabilities.

Additional Financial Burden

Lastly, an internal control audit can be a significant financial burden for an organization, and that’s on top of the burden of implementing the internal controls, tests controls, further internal audits, and improving any that may need improvement.

What Are Audit Control Procedures?

There is no single, universal approach to understanding internal controls, business processes, and the effectiveness of a control. Rather, the requirements differ for each audit.

An auditor must also understand each component of the client’s financial reporting controls, including the overall control environment, the risk assessment process, information systems, control activities that relate to the audit, and how the client monitors internal controls.

What Are the Two Types of Audit Procedures?

While it varies from case to case, typically two types of audit procedures are used: substantive and analytical procedures.

Substantive Procedures

Substantive procedures are classified as processes, steps, and physical examinations done by auditors. These procedures provide evidence relating to the correctness, completeness, disclosure, rights, and valuations included in statements related to the company’s financial position.

When performing audit procedures, the auditor is expected to gather sufficient evidence to corroborate his or her audit opinion. This should be enough to enable another auditor to apply the same conclusion about the operating effectiveness of controls.

Analytical Procedures

Analytical procedures are the processes, steps, and evaluations done to determine plausible relationships between both financial and non-financial data. Depending on which financial information is being audited, analytical auditing procedures can look different.

What Is the Audit Process Step-by-Step?

Every fiscal year-end, the auditor is supposed to evaluate the design of the financial reporting controls relevant to the audit and determine whether the client has implemented them properly.

Control activities relevant to any particular audit may vary depending on the client’s size, complexity, and the nature of its operations. The AICPA recommends that auditors consider issues such as risk, other components of the internal controls, and legal and regulatory requirements.

In addition to talking to company employees, the auditor must use additional procedures, such as inspections, observations, or tracing transactions through the information system, to understand the company’s internal controls. An auditor should use his or her professional judgment to identify the appropriate audit procedures.

Let’s take a look at these steps individually.

1. Inspection. In this phase, the auditor checks the accounts payable or receivable transactions for potential misstatements and other relevant reporting standards.
2. Observation. Then, the auditor may observe employees to assure they are performing their tasks according to the appropriate regulations and expectations.
3. Confirmation. In this phase, the auditor will confirm that any financial reporting and account balances match the internal financial statements to check for risks of material misstatement. Examples of these include control activities that are relevant to the risk of fraud or control activities over journal entries, such as unusual transactions, allocation of funds, or adjustments.
4. Recalculation. Then, the auditor will cross-check the information presented by the business for mathematical accuracy.
5. Reperformance. Last, the auditor will re-perform the process to assure that the results are valid and limit audit risk. For existing clients, an auditor may use information obtained from any previous experience with the company to ascertain any changes affecting the control environment.

How Automating Audit Preparation Can Help

Financial audit management requires a lot of planning and documentation.

Auditing software like ZenGRC can streamline the process for you by empowering you to gather and organize all the information needed, and to fulfill your requirements in one central location.

ZenGRC simplifies your audit plan with framework templates and a reporting dashboard that shows you what you have, and what documentation is still needed to be ready for your audit. The ZenGRC’s risk assessment modules can provide valuable insight on where your reporting is lacking so you can take quick action to compile the documentation you need.

Moreover, ZenGRC allows organizations to store their audit documentation in one location. Unlike shared drives, ZenGRC enables administrators to moderate user access efficiently. This moderation keeps records safe from tampering and also facilitates communication. While some employees require editing access, some merely need to view documents.

Worry-free financial audits are the ‘Zen’ way. Contact our team today to get your free ZenGRC consultation and demo.