Introduction
Audit procedures are the specific methods and techniques auditors use to collect sufficient and appropriate evidence during an audit engagement. They include inspection of documents and records, observation of processes, inquiry of management and staff, confirmation from third parties, recalculation of financial figures, re-performance of controls, and analytical review of data. The selection of audit procedures depends on the nature of the assertion being tested, the assessed level of risk, and the reliability of available evidence.
Audit procedures are an integral part of the auditing process, ensuring that financial statements are accurate, reliable, and compliant with applicable regulations. They serve as a systematic approach for auditors to gather sufficient evidence to express an opinion on the fairness of an organization's financial reporting. Whether it's verifying account balances, testing internal controls, or scrutinizing transaction details, audit procedures provide the backbone for robust financial accountability.
This article delves into the nuances of audit procedures, outlining their purpose, methodology, and the value they bring to organizations and stakeholders.
Key Takeaways
- Audit procedures are systematic steps auditors use to collect evidence during an audit.
- They play a critical role in ensuring the accuracy and reliability of financial statements.
- There are various types of audit procedures, including analytical, substantive, and control tests, each serving specific purposes.
- Timing and reliability of audit procedures can significantly impact the outcome of an audit.
- Selecting the right type of audit procedure depends on the audit's objectives and the reliability of available evidence.
What are Audit Procedures?
Audit procedures refer to the specific techniques and methods auditors employ to gather evidence about the accuracy, completeness, and validity of an organization's financial records. These procedures are designed to ensure compliance with accounting standards, regulatory requirements, and organizational policies.
Audit procedures are typically tailored to the unique risks and operations of the organization being audited. This customization ensures that the audit is efficient and effective in identifying potential discrepancies or irregularities.
Audit Procedure Steps
The audit process involves several structured steps that guide auditors from planning to reporting. These steps ensure a thorough examination of financial records and internal processes:
- Planning: The planning stage involves understanding the organization, its operations, and its internal control systems. Auditors identify key areas of risk and develop an audit plan that outlines the scope, objectives, and resources required for the audit.
- Risk Assessment: Auditors perform risk assessments to identify areas that may require closer scrutiny. This includes evaluating factors such as industry trends, financial performance, and historical issues.
- Developing an Audit Program: An audit program is a detailed plan of action that specifies the audit procedures to be performed. It serves as a roadmap, ensuring all critical areas are covered systematically.
- Executing Procedures: Auditors conduct the planned procedures, gathering evidence through methods such as inspections, observations, inquiries, and analytical reviews. This step involves both substantive and control testing to verify financial records.
- Analyzing Findings: The evidence collected is analyzed to identify inconsistencies, errors, or fraud. Auditors evaluate the impact of these findings on the financial statements and the overall audit opinion.
- Reporting: Auditors compile their findings into a formal audit report, providing insights into the organization's financial health and compliance. This report includes the auditor's opinion, highlighting whether the financial statements are free of material misstatements.
Audit Procedure Steps
| Step | Activity | Key Considerations | Article Section Reference |
| 1. Risk Assessment | Identify material misstatement risks and control risks across all in-scope areas | Informs audit program design; links directly to procedure selection, timing, and sample sizing | Covered in the article as a discrete step |
| 2. Audit Planning | Define audit scope, objectives, resources, and overall strategy based on risk assessment results | Includes understanding the organization, its operations, and its internal control systems | Covered in the article as the first step; risk assessment is treated as a sub-component |
| 3. Developing an Audit Program | Design a detailed plan specifying the procedures to be performed for each audit objective | Serves as a roadmap ensuring all critical areas are covered systematically; procedure type, timing, and sample size confirmed here | Covered in the article as a discrete step |
| 4. Evidence Gathering | Execute planned procedures and collect audit evidence across all in-scope areas | Document all procedures performed and results contemporaneously; applies both substantive and controls testing methods | Covered in the article as "Executing Procedures" |
| 5. Testing of Controls | Test whether internal controls are designed appropriately and operating effectively | Determines the degree of reliance on controls and the required extent of substantive testing | Included within "Executing Procedures" in the article; not a discrete step |
| 6. Substantive Testing | Test individual transactions, balances, and disclosures directly for material misstatement | Applied where controls are weak, absent, or where the risk of misstatement is assessed as high | Included within "Executing Procedures" in the article; not a discrete step |
| 7. Evaluation and Analysis | Assess whether the evidence obtained is sufficient in quantity and appropriate in quality; analyze findings for inconsistencies, errors, or indicators of fraud | Consider whether audit objectives have been met and evaluate the impact of findings on the audit opinion | Covered in the article as "Analyzing Findings" |
| 8. Documentation | Prepare working papers recording procedures performed, evidence obtained, and conclusions reached | Required by audit standards; constitutes the audit trail and supports the audit opinion | Not listed as a discrete step in the article |
| 9. Reporting | Communicate findings, exceptions, and the audit opinion to appropriate stakeholders | Internal report to management and Audit Committee, or external opinion for shareholders | Covered in the article as the final step |
How to Design Audit Procedures for a Specific Risk
Designing audit procedures for a specific risk requires a structured approach that connects each procedure directly to the assertion or objective being tested.
Identify the assertion and assess the risk level
Define the specific objective being tested, such as completeness of revenue recognition or existence of inventory balances, and assess the associated risk level. High-risk assertions require more extensive procedures, larger sample sizes, and testing performed closer to period end.
Evaluate internal control effectiveness
Determine whether existing controls are designed and operating effectively. Strong controls may allow a reduction in the scope of substantive testing; weak or absent controls require a more extensive substantive approach regardless of other factors.
Select procedure types appropriate for the assertion
Choose procedures matched to what is being tested: inspection for existence, confirmation for valuation, and recalculation for mathematical accuracy. Each procedure type produces evidence of different reliability and should be selected based on the nature of the assertion and the level of risk identified.
Determine sample size and define timing
Set sample size based on the assessed risk level and the degree of reliance placed on controls. Higher risk and lower control reliance require larger samples. Define timing: some procedures are performed at interim; others must be performed at or near period end to maximize evidence reliability.
Document planned procedures in an audit program
Record each planned procedure before execution begins, ensuring it maps to a specific audit objective and assertion. The audit program serves as both a planning tool and an accountability record during fieldwork.
Execute procedures and document all results
Carry out each planned procedure and record results contemporaneously, including any deviations, exceptions, or items identified for follow-up. Complete documentation at this stage is required by audit standards and forms the evidential basis for conclusions.
- Evaluate the sufficiency and appropriateness of evidence Assess whether the evidence obtained is sufficient in quantity and appropriate in quality to support the conclusion for each assertion tested. Where evidence falls short, additional procedures must be performed before the objective can be signed off.
Types of Audit Procedures
Audit procedures can be broadly classified into several categories, each designed to address specific audit objectives:
- Risk Assessment Procedures: These procedures help auditors identify and evaluate risks of material misstatements in the financial statements. Examples include conducting interviews with management, observing operations, and reviewing prior audit reports.
- Substantive Procedures: Substantive procedures focus on verifying the accuracy and validity of financial transactions and account balances. They include:
- Test of Details: Examining individual transactions or balances for accuracy.
- Analytical Procedures: Comparing financial data to identify unusual trends or variances.
- Tests of Controls: These procedures evaluate the effectiveness of an organization’s internal controls. Auditors check whether controls are properly designed and implemented to prevent or detect errors.
- Compliance Procedures: These are used to ensure that the organization complies with laws, regulations, and internal policies. Auditors verify that financial activities adhere to applicable standards.
- Review Procedures: Review procedures involve a high-level examination of financial statements to ensure they are consistent and logical. This includes assessing overall trends and evaluating narrative disclosures.
Types of Audit Procedures and Their Evidence Reliability
The table below compares common audit procedures, their reliability, and the situations where they deliver the most effective audit evidence:
| Procedure Type | What It Involves | Evidence Reliability | Best Used When |
| Inspection | Examining documents, records, physical assets, or tangible items for existence, accuracy, or completeness | High | Verifying existence and completeness of records, contracts, invoices, or physical assets |
| Observation | Watching a process, control, or activity being performed in real time by the entity's personnel | Medium; captures only the moment of observation and cannot confirm performance at other times | Testing segregation of duties; process walkthroughs during planning or interim fieldwork |
| Inquiry | Asking questions of management, staff, or third parties to understand processes, controls, and risk areas | Low alone; must be corroborated by other procedures as representations from management carry limited reliability | Understanding operational processes; identifying risks during planning; supplementing other procedures |
| Confirmation | Obtaining direct written responses from independent third parties verifying balances, transactions, or facts | Very High; evidence comes directly from a source independent of the entity under audit | Accounts receivable, bank balances, legal liabilities, loan confirmations, and investment holdings |
| Recalculation | Independently rechecking mathematical computations in records, schedules, or financial statements | Very High; auditor performs the calculation independently, eliminating reliance on entity-prepared figures | Depreciation schedules, interest accruals, tax computations, and payroll calculations |
| Re-performance | Auditor independently re-executes a control or process to verify it operates as described in documentation | Very High; auditor performs the work directly rather than reviewing management's representations | IT access controls testing, transaction matching, authorization control verification |
| Analytical Procedures | Comparing financial or operational data against expectations, prior periods, industry benchmarks, or internal targets | Medium to High; depends on data quality, precision of the expectation developed, and the nature of the assertion | Identifying unusual trends; used at planning stage, interim, and during final review |
| Tests of Controls | Evaluating whether internal controls are designed appropriately and operating effectively throughout the period | Medium to High; determines the degree of reliance the auditor can place on controls for substantive testing | Assessing control environments where reduced substantive testing is planned |
| Compliance Procedures | Testing whether the organization adheres to applicable laws, regulations, policies, and contractual requirements | Medium; relies on a combination of inspection, inquiry, and re-performance depending on the requirement tested | Regulated industries requiring evidence of adherence to specific legal or regulatory obligations |
| Review Procedures | High-level examination of financial statements for consistency, logical flow, and alignment with narrative disclosures | Lower than substantive procedures; used to identify areas requiring further investigation rather than to confirm assertions | Overall consistency checks; evaluating narrative disclosures; identifying anomalies for follow-up |
Internal vs External Audit Procedures
While internal and external audits share similar methodologies, they differ significantly in objectives, scope, standards, independence requirements, and reporting responsibilities.
| Dimension | Internal Audit Procedures | External Audit Procedures |
| Primary Standard | IIA International Standards (IPPF) | GAAS / ISA (IAASB) or national equivalents |
| Primary Objective | Assess control effectiveness and identify opportunities for operational improvement | Provide an independent opinion on the accuracy of financial statements |
| Scope | Operational, compliance, financial, IT, and ESG audits across the organization | Primarily financial statements; may extend to internal controls over financial reporting (ICFR) |
| Evidence Standard | Sufficient, reliable, relevant, and useful (IIA Standard 2310) | Sufficient and appropriate (ISA 500) |
| Independence | Functionally independent; reports to the Audit Committee | Legally independent from the auditee |
| Reporting | Internal audit report issued to management and the Audit Committee | External audit opinion issued to shareholders or the public |
Audit Procedures in Practice: Industry Examples
External Financial Audit (IFRS/GAAS): Accounts Receivable Confirmation
When auditing accounts receivable under IFRS or GAAS, auditors use confirmation procedures, directly contacting customers to verify amounts owed. This is considered high-reliability evidence because it comes from independent third parties rather than from the entity being audited. Confirmation procedures are particularly important for assertions about the existence and valuation of receivable balances.
IT/SOC 2 Audit: Re-performance of Access Controls
In a SOC 2 audit, auditors use re-performance procedures, independently executing an access control process themselves to test whether it operates as described rather than simply reviewing management's documentation. Re-performance is considered among the highest-reliability evidence types because the auditor performs the work directly, eliminating reliance on entity-prepared records.
Internal Audit (IIA Standard 2310): Payroll Audit
Under IIA Standard 2310, auditors must gather sufficient, reliable, relevant, and useful information. For a payroll audit, this typically combines inquiry (the HR manager explains the payroll process), observation (the auditor watches a payroll run), and recalculation (the auditor independently verifies pay rates against employment contracts). This combination demonstrates how multiple procedure types work together to build sufficient, corroborated evidence across a single audit objective.
When May Audit Procedures Be Performed?
Audit procedures can be performed at various stages of the audit process, depending on the objectives and requirements of the engagement:
- Interim Audit: During an interim audit, procedures are conducted partway through the financial year. This allows auditors to assess ongoing activities and address issues before the year-end audit. It is particularly useful for large organizations with complex operations.
- Year-End Audit: The year-end audit is performed after the financial year concludes. This stage focuses on finalizing the examination of financial records and issuing the audit report.
- Continuous Audit: In continuous audits, procedures are performed periodically throughout the year. This approach is common in organizations with real-time reporting requirements or high transaction volumes.
- Special Audits: Audit procedures may also be conducted outside of regular audit cycles, such as during mergers, acquisitions, or fraud investigations.
What Type of Audit Procedure is the Most Reliable?
The reliability of audit procedures depends on the nature and source of the evidence obtained. Evidence is deemed more reliable when it comes from independent, external sources or is generated through robust internal controls.
- Inspection of Tangible Assets: Inspecting physical assets, such as inventory or equipment, provides direct and highly reliable evidence.
- External Confirmations: Confirmations from third parties, such as banks or customers, offer strong evidence about account balances or transactions.
- Reperformance: Reperforming calculations or processes to verify accuracy ensures high reliability, as it involves independent verification by the auditor.
- Observation: Direct observation of processes, such as inventory counts or control implementation, provides reliable, first-hand evidence.
- Analytical Procedures: While analytical procedures are useful for identifying anomalies, they are less reliable than direct evidence and should be supplemented with other methods.
Under ISA 500 (Audit Evidence), audit evidence obtained directly by the auditor through re-performance and recalculation is more reliable than evidence provided by the entity being audited. External confirmations, when obtained directly from independent third parties, are also considered high-reliability evidence. ISA 500 requires auditors to assess whether the evidence obtained is sufficient in quantity and appropriate in quality before drawing audit conclusions.
Balancing Reliability and Cost
Auditors often balance the reliability of procedures with their cost and practicality. For instance, external confirmations, while highly reliable, may be time-consuming and expensive. A mix of high-reliability and cost-effective procedures is typically employed to achieve audit objectives efficiently.
Why MetricStream?
Audit procedures are the cornerstone of an effective audit, providing the structure and methodology for assessing an organization’s financial integrity.
Understanding the nuances of audit procedures — when to use them, how to execute them, and their relative reliability — empowers auditors and organizations alike to navigate the complex landscape of financial accountability. As auditing standards evolve, staying informed about these procedures will remain critical for ensuring robust and trustworthy financial reporting.
With MetricStream’s Internal Audit Management software, your organization has access to a flexible and advanced internal audit program, which helps meet business goals and be ready to tackle risks, all while being simple and efficient to use. For more information, request a personalized demo.
Audit procedures are the specific methods and techniques auditors use to collect sufficient and appropriate evidence during an audit engagement. They include inspection of documents and records, observation of processes, inquiry of management and staff, confirmation from third parties, recalculation of financial figures, re-performance of controls, and analytical review of data. The selection of audit procedures depends on the nature of the assertion being tested, the assessed level of risk, and the reliability of available evidence.
Audit procedures are an integral part of the auditing process, ensuring that financial statements are accurate, reliable, and compliant with applicable regulations. They serve as a systematic approach for auditors to gather sufficient evidence to express an opinion on the fairness of an organization's financial reporting. Whether it's verifying account balances, testing internal controls, or scrutinizing transaction details, audit procedures provide the backbone for robust financial accountability.
This article delves into the nuances of audit procedures, outlining their purpose, methodology, and the value they bring to organizations and stakeholders.
- Audit procedures are systematic steps auditors use to collect evidence during an audit.
- They play a critical role in ensuring the accuracy and reliability of financial statements.
- There are various types of audit procedures, including analytical, substantive, and control tests, each serving specific purposes.
- Timing and reliability of audit procedures can significantly impact the outcome of an audit.
- Selecting the right type of audit procedure depends on the audit's objectives and the reliability of available evidence.
Audit procedures refer to the specific techniques and methods auditors employ to gather evidence about the accuracy, completeness, and validity of an organization's financial records. These procedures are designed to ensure compliance with accounting standards, regulatory requirements, and organizational policies.
Audit procedures are typically tailored to the unique risks and operations of the organization being audited. This customization ensures that the audit is efficient and effective in identifying potential discrepancies or irregularities.
The audit process involves several structured steps that guide auditors from planning to reporting. These steps ensure a thorough examination of financial records and internal processes:
- Planning: The planning stage involves understanding the organization, its operations, and its internal control systems. Auditors identify key areas of risk and develop an audit plan that outlines the scope, objectives, and resources required for the audit.
- Risk Assessment: Auditors perform risk assessments to identify areas that may require closer scrutiny. This includes evaluating factors such as industry trends, financial performance, and historical issues.
- Developing an Audit Program: An audit program is a detailed plan of action that specifies the audit procedures to be performed. It serves as a roadmap, ensuring all critical areas are covered systematically.
- Executing Procedures: Auditors conduct the planned procedures, gathering evidence through methods such as inspections, observations, inquiries, and analytical reviews. This step involves both substantive and control testing to verify financial records.
- Analyzing Findings: The evidence collected is analyzed to identify inconsistencies, errors, or fraud. Auditors evaluate the impact of these findings on the financial statements and the overall audit opinion.
- Reporting: Auditors compile their findings into a formal audit report, providing insights into the organization's financial health and compliance. This report includes the auditor's opinion, highlighting whether the financial statements are free of material misstatements.
Audit Procedure Steps
| Step | Activity | Key Considerations | Article Section Reference |
| 1. Risk Assessment | Identify material misstatement risks and control risks across all in-scope areas | Informs audit program design; links directly to procedure selection, timing, and sample sizing | Covered in the article as a discrete step |
| 2. Audit Planning | Define audit scope, objectives, resources, and overall strategy based on risk assessment results | Includes understanding the organization, its operations, and its internal control systems | Covered in the article as the first step; risk assessment is treated as a sub-component |
| 3. Developing an Audit Program | Design a detailed plan specifying the procedures to be performed for each audit objective | Serves as a roadmap ensuring all critical areas are covered systematically; procedure type, timing, and sample size confirmed here | Covered in the article as a discrete step |
| 4. Evidence Gathering | Execute planned procedures and collect audit evidence across all in-scope areas | Document all procedures performed and results contemporaneously; applies both substantive and controls testing methods | Covered in the article as "Executing Procedures" |
| 5. Testing of Controls | Test whether internal controls are designed appropriately and operating effectively | Determines the degree of reliance on controls and the required extent of substantive testing | Included within "Executing Procedures" in the article; not a discrete step |
| 6. Substantive Testing | Test individual transactions, balances, and disclosures directly for material misstatement | Applied where controls are weak, absent, or where the risk of misstatement is assessed as high | Included within "Executing Procedures" in the article; not a discrete step |
| 7. Evaluation and Analysis | Assess whether the evidence obtained is sufficient in quantity and appropriate in quality; analyze findings for inconsistencies, errors, or indicators of fraud | Consider whether audit objectives have been met and evaluate the impact of findings on the audit opinion | Covered in the article as "Analyzing Findings" |
| 8. Documentation | Prepare working papers recording procedures performed, evidence obtained, and conclusions reached | Required by audit standards; constitutes the audit trail and supports the audit opinion | Not listed as a discrete step in the article |
| 9. Reporting | Communicate findings, exceptions, and the audit opinion to appropriate stakeholders | Internal report to management and Audit Committee, or external opinion for shareholders | Covered in the article as the final step |
How to Design Audit Procedures for a Specific Risk
Designing audit procedures for a specific risk requires a structured approach that connects each procedure directly to the assertion or objective being tested.
Identify the assertion and assess the risk level
Define the specific objective being tested, such as completeness of revenue recognition or existence of inventory balances, and assess the associated risk level. High-risk assertions require more extensive procedures, larger sample sizes, and testing performed closer to period end.
Evaluate internal control effectiveness
Determine whether existing controls are designed and operating effectively. Strong controls may allow a reduction in the scope of substantive testing; weak or absent controls require a more extensive substantive approach regardless of other factors.
Select procedure types appropriate for the assertion
Choose procedures matched to what is being tested: inspection for existence, confirmation for valuation, and recalculation for mathematical accuracy. Each procedure type produces evidence of different reliability and should be selected based on the nature of the assertion and the level of risk identified.
Determine sample size and define timing
Set sample size based on the assessed risk level and the degree of reliance placed on controls. Higher risk and lower control reliance require larger samples. Define timing: some procedures are performed at interim; others must be performed at or near period end to maximize evidence reliability.
Document planned procedures in an audit program
Record each planned procedure before execution begins, ensuring it maps to a specific audit objective and assertion. The audit program serves as both a planning tool and an accountability record during fieldwork.
Execute procedures and document all results
Carry out each planned procedure and record results contemporaneously, including any deviations, exceptions, or items identified for follow-up. Complete documentation at this stage is required by audit standards and forms the evidential basis for conclusions.
- Evaluate the sufficiency and appropriateness of evidence Assess whether the evidence obtained is sufficient in quantity and appropriate in quality to support the conclusion for each assertion tested. Where evidence falls short, additional procedures must be performed before the objective can be signed off.
Audit procedures can be broadly classified into several categories, each designed to address specific audit objectives:
- Risk Assessment Procedures: These procedures help auditors identify and evaluate risks of material misstatements in the financial statements. Examples include conducting interviews with management, observing operations, and reviewing prior audit reports.
- Substantive Procedures: Substantive procedures focus on verifying the accuracy and validity of financial transactions and account balances. They include:
- Test of Details: Examining individual transactions or balances for accuracy.
- Analytical Procedures: Comparing financial data to identify unusual trends or variances.
- Tests of Controls: These procedures evaluate the effectiveness of an organization’s internal controls. Auditors check whether controls are properly designed and implemented to prevent or detect errors.
- Compliance Procedures: These are used to ensure that the organization complies with laws, regulations, and internal policies. Auditors verify that financial activities adhere to applicable standards.
- Review Procedures: Review procedures involve a high-level examination of financial statements to ensure they are consistent and logical. This includes assessing overall trends and evaluating narrative disclosures.
Types of Audit Procedures and Their Evidence Reliability
The table below compares common audit procedures, their reliability, and the situations where they deliver the most effective audit evidence:
| Procedure Type | What It Involves | Evidence Reliability | Best Used When |
| Inspection | Examining documents, records, physical assets, or tangible items for existence, accuracy, or completeness | High | Verifying existence and completeness of records, contracts, invoices, or physical assets |
| Observation | Watching a process, control, or activity being performed in real time by the entity's personnel | Medium; captures only the moment of observation and cannot confirm performance at other times | Testing segregation of duties; process walkthroughs during planning or interim fieldwork |
| Inquiry | Asking questions of management, staff, or third parties to understand processes, controls, and risk areas | Low alone; must be corroborated by other procedures as representations from management carry limited reliability | Understanding operational processes; identifying risks during planning; supplementing other procedures |
| Confirmation | Obtaining direct written responses from independent third parties verifying balances, transactions, or facts | Very High; evidence comes directly from a source independent of the entity under audit | Accounts receivable, bank balances, legal liabilities, loan confirmations, and investment holdings |
| Recalculation | Independently rechecking mathematical computations in records, schedules, or financial statements | Very High; auditor performs the calculation independently, eliminating reliance on entity-prepared figures | Depreciation schedules, interest accruals, tax computations, and payroll calculations |
| Re-performance | Auditor independently re-executes a control or process to verify it operates as described in documentation | Very High; auditor performs the work directly rather than reviewing management's representations | IT access controls testing, transaction matching, authorization control verification |
| Analytical Procedures | Comparing financial or operational data against expectations, prior periods, industry benchmarks, or internal targets | Medium to High; depends on data quality, precision of the expectation developed, and the nature of the assertion | Identifying unusual trends; used at planning stage, interim, and during final review |
| Tests of Controls | Evaluating whether internal controls are designed appropriately and operating effectively throughout the period | Medium to High; determines the degree of reliance the auditor can place on controls for substantive testing | Assessing control environments where reduced substantive testing is planned |
| Compliance Procedures | Testing whether the organization adheres to applicable laws, regulations, policies, and contractual requirements | Medium; relies on a combination of inspection, inquiry, and re-performance depending on the requirement tested | Regulated industries requiring evidence of adherence to specific legal or regulatory obligations |
| Review Procedures | High-level examination of financial statements for consistency, logical flow, and alignment with narrative disclosures | Lower than substantive procedures; used to identify areas requiring further investigation rather than to confirm assertions | Overall consistency checks; evaluating narrative disclosures; identifying anomalies for follow-up |
Internal vs External Audit Procedures
While internal and external audits share similar methodologies, they differ significantly in objectives, scope, standards, independence requirements, and reporting responsibilities.
| Dimension | Internal Audit Procedures | External Audit Procedures |
| Primary Standard | IIA International Standards (IPPF) | GAAS / ISA (IAASB) or national equivalents |
| Primary Objective | Assess control effectiveness and identify opportunities for operational improvement | Provide an independent opinion on the accuracy of financial statements |
| Scope | Operational, compliance, financial, IT, and ESG audits across the organization | Primarily financial statements; may extend to internal controls over financial reporting (ICFR) |
| Evidence Standard | Sufficient, reliable, relevant, and useful (IIA Standard 2310) | Sufficient and appropriate (ISA 500) |
| Independence | Functionally independent; reports to the Audit Committee | Legally independent from the auditee |
| Reporting | Internal audit report issued to management and the Audit Committee | External audit opinion issued to shareholders or the public |
Audit Procedures in Practice: Industry Examples
External Financial Audit (IFRS/GAAS): Accounts Receivable Confirmation
When auditing accounts receivable under IFRS or GAAS, auditors use confirmation procedures, directly contacting customers to verify amounts owed. This is considered high-reliability evidence because it comes from independent third parties rather than from the entity being audited. Confirmation procedures are particularly important for assertions about the existence and valuation of receivable balances.
IT/SOC 2 Audit: Re-performance of Access Controls
In a SOC 2 audit, auditors use re-performance procedures, independently executing an access control process themselves to test whether it operates as described rather than simply reviewing management's documentation. Re-performance is considered among the highest-reliability evidence types because the auditor performs the work directly, eliminating reliance on entity-prepared records.
Internal Audit (IIA Standard 2310): Payroll Audit
Under IIA Standard 2310, auditors must gather sufficient, reliable, relevant, and useful information. For a payroll audit, this typically combines inquiry (the HR manager explains the payroll process), observation (the auditor watches a payroll run), and recalculation (the auditor independently verifies pay rates against employment contracts). This combination demonstrates how multiple procedure types work together to build sufficient, corroborated evidence across a single audit objective.
Audit procedures can be performed at various stages of the audit process, depending on the objectives and requirements of the engagement:
- Interim Audit: During an interim audit, procedures are conducted partway through the financial year. This allows auditors to assess ongoing activities and address issues before the year-end audit. It is particularly useful for large organizations with complex operations.
- Year-End Audit: The year-end audit is performed after the financial year concludes. This stage focuses on finalizing the examination of financial records and issuing the audit report.
- Continuous Audit: In continuous audits, procedures are performed periodically throughout the year. This approach is common in organizations with real-time reporting requirements or high transaction volumes.
- Special Audits: Audit procedures may also be conducted outside of regular audit cycles, such as during mergers, acquisitions, or fraud investigations.
The reliability of audit procedures depends on the nature and source of the evidence obtained. Evidence is deemed more reliable when it comes from independent, external sources or is generated through robust internal controls.
- Inspection of Tangible Assets: Inspecting physical assets, such as inventory or equipment, provides direct and highly reliable evidence.
- External Confirmations: Confirmations from third parties, such as banks or customers, offer strong evidence about account balances or transactions.
- Reperformance: Reperforming calculations or processes to verify accuracy ensures high reliability, as it involves independent verification by the auditor.
- Observation: Direct observation of processes, such as inventory counts or control implementation, provides reliable, first-hand evidence.
- Analytical Procedures: While analytical procedures are useful for identifying anomalies, they are less reliable than direct evidence and should be supplemented with other methods.
Under ISA 500 (Audit Evidence), audit evidence obtained directly by the auditor through re-performance and recalculation is more reliable than evidence provided by the entity being audited. External confirmations, when obtained directly from independent third parties, are also considered high-reliability evidence. ISA 500 requires auditors to assess whether the evidence obtained is sufficient in quantity and appropriate in quality before drawing audit conclusions.
Balancing Reliability and Cost
Auditors often balance the reliability of procedures with their cost and practicality. For instance, external confirmations, while highly reliable, may be time-consuming and expensive. A mix of high-reliability and cost-effective procedures is typically employed to achieve audit objectives efficiently.
Audit procedures are the cornerstone of an effective audit, providing the structure and methodology for assessing an organization’s financial integrity.
Understanding the nuances of audit procedures — when to use them, how to execute them, and their relative reliability — empowers auditors and organizations alike to navigate the complex landscape of financial accountability. As auditing standards evolve, staying informed about these procedures will remain critical for ensuring robust and trustworthy financial reporting.
With MetricStream’s Internal Audit Management software, your organization has access to a flexible and advanced internal audit program, which helps meet business goals and be ready to tackle risks, all while being simple and efficient to use. For more information, request a personalized demo.
Frequently Asked Questions
Audit procedures are the specific techniques auditors use to obtain and evaluate evidence during an audit engagement. They include inspecting documents, observing processes, making inquiries, seeking external confirmations, recalculating figures, re-performing controls, and conducting analytical reviews to assess whether financial statements are accurate and compliant.
The seven types are inspection, observation, inquiry, confirmation, recalculation, re-performance, and analytical procedures. Each produces evidence of different reliability, with re-performance, recalculation, and external confirmation generally considered the strongest because the auditor either performs the work independently or obtains evidence directly from a third party.
Audit procedures are the specific actions an auditor executes during fieldwork; audit techniques are the broader methodological approaches that inform how those actions are carried out. Vouching, for example, is a technique executed through the inspection procedure — tracing recorded transactions back to source documents.
Reliability depends on the source of evidence, the nature of the procedure, and the auditor's independence from the entity under audit. Under ISA 500, evidence obtained directly by the auditor through re-performance or recalculation is more reliable than representations provided by management.
Substantive audit procedures are designed to detect material misstatements in financial statement assertions regardless of control strength. They divide into tests of detail, which examine individual transactions and balances, and substantive analytical procedures, which compare recorded amounts against independently developed expectations.
Compliance audit procedures test whether an organization adheres to applicable laws, regulations, policies, and contractual requirements. They include reviewing written policies, testing controls designed to ensure compliance, interviewing staff, and sampling transactions or records for evidence that specific regulatory requirements have been met.
Audit procedures are performed at three points: during planning for risk assessment, at an interim date for controls testing and early substantive work, and at or near period end for final substantive testing. Higher-risk areas generally require procedures performed at period end to maximize evidence reliability.
Tests of controls evaluate whether internal controls are designed and operating effectively, determining how much reliance the auditor can place on them. Substantive procedures directly test the accuracy of financial statement balances and transactions, and must be more extensive where controls are found to be weak or absent.
Data analytics tools now allow auditors to test entire transaction populations rather than samples, increasing anomaly and fraud detection rates. Audit management platforms like MetricStream streamline planning, evidence collection, documentation, and reporting, reducing cycle times while improving consistency and audit quality across engagements.
MetricStream's Internal Audit Management solution enables audit teams to design risk-based audit programs, assign procedures to auditors, record evidence and findings directly in the platform, and generate working papers that form a complete audit trail. Integration with controls and risk data ensures procedure design reflects current risk ratings.






