As an information systems auditor, your work produces opinions and assertions on the status of the different controls that management has instituted. But the auditor doesn't form arbitrary opinions. Any final view that the auditor expresses in their report is backed by evidence and by the audit testing they performed to reach their conclusions.
Doing risk assessment
Ideally, an auditor would perform a risk assessment as part of the audit planning process, identify risks, and then test the internal controls related to these risks. If, based on his sample of audit testing on controls, he is satisfied that the controls are present and sufficiently reliable, he will move on to the next risk for audit tests.
Substantive Testing
But if he suspects, as a result of his sample, that the controls are weak in relation to a risk, he will increase his sample and go for substantive testing.
Of course, it is vitally important that the auditor documents the results of audit testing as evidence, because any audit opinion is only as powerful as the evidence resulting from the auditor's testing.
When Do You Use Which Audit Testing Procedures?
As I stated above, the auditor selects his type of test after reviewing the controls he wants to test. But the actual audit test he will perform will depend on different factors. For example, if he wants to test the accuracy and effectiveness of an automated control, he may opt for re-performing the calculations or processes that the automated control does.
But if he wants to verify the existence and effectiveness of an inspection control, he will select a sample of the population and review the existence, accuracy and completeness of the transactions.
Samples of populations are selected for testing based on the type of test being performed (i.e., a test of one would be completed for an automated control using re-performance, but a sample of the population would be selected for an inspection control). Additional considerations are the population size and the level of precision we want to achieve in the testing.
Based on the sample size and audit testing, the auditor will try to understand whether the deviations he observes are isolated data entry issues or whether there are systemic issues related to the controls present in the system.
Types of Audit Testing
Mainly the auditor uses five types of audit tests to evaluate controls, gain audit evidence and form his opinions which he will reflect in the audit report.
1. Inquiry
This is the simplest and most widely used audit testing procedure. The auditor asks the client's managers and other staff questions to understand and clarify the matters he is examining.
For example, one common inquiry that auditors almost universally use in information systems audits is to request management to provide complete data about hardware, software, applications, network diagrams etc.
The auditor doesn’t blindly rely on the response to inquiry. Rather he will evaluate the responses and design tests based on the risks he identifies from these responses.
2. Observation
This is another effective audit testing method. The auditor would observe a business process or situation/area to verify that the assertions made by the management are also applied on the ground.
One very common observation test used by information systems auditors is a visit to the data center to verify the physical access and environmental controls of the data center.
3. Inspection of Evidence
This method is very frequently used during an auditor's work. It helps the auditor firm up his opinion about whether the documented controls are consistently applied. Examining documentation and inspecting the implementation of the documented controls also helps the auditor gain assurance about controls that should be present and working to control risks.
For example, a very useful audit test during an IS audit is to review documentation to make sure that backups are scheduled regularly and that system administrators keep track of any missed schedules or any errors in the backups.
Another test example is to inspect documentation that logs are being reviewed on a regular basis.
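The backup inspection test described above can be scripted once the evidence has been collected. The following is an added example, not part of the original article; the log format, the follow-up register and the ticket reference are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed evidence for a nightly backup job (illustrative values only).
JOB_LOG = """\
2024-03-01 nightly-full OK
2024-03-02 nightly-full OK
2024-03-03 nightly-full FAILED
2024-03-05 nightly-full OK
2024-03-06 nightly-full FAILED
2024-03-07 nightly-full OK
"""
# Administrators' follow-up register: run date -> ticket reference (hypothetical id).
FOLLOW_UP = {date(2024, 3, 3): "TCK-EXAMPLE-1"}

def parse_log(text):
    """Return {run date: status} from 'YYYY-MM-DD job STATUS' lines."""
    runs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        day, _job, status = line.split()
        runs[date.fromisoformat(day)] = status
    return runs

def inspect_backups(start, end, log_text, follow_up):
    """Classify each scheduled night: ok, tracked exception or untracked exception."""
    runs = parse_log(log_text)
    result = {"ok": [], "tracked": [], "untracked": []}
    day = start
    while day <= end:
        status = runs.get(day, "MISSED")  # no log entry: the schedule was missed
        if status == "OK":
            result["ok"].append(day)
        elif day in follow_up:
            result["tracked"].append((day, status, follow_up[day]))
        else:
            # Missed or failed run with no evidence that anyone followed it up.
            result["untracked"].append((day, status))
        day += timedelta(days=1)
    return result

REPORT = inspect_backups(date(2024, 3, 1), date(2024, 3, 7), JOB_LOG, FOLLOW_UP)
```

The untracked entries are the exceptions the auditor would record as evidence: nights where the backup was missed or failed and nobody documented it.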
4. Re-performance
If the above three tests do not satisfy an auditor, he will use re-performance to gain the level of assurance he requires about the effectiveness of controls.
This is the most commonly used method to gauge the effectiveness of automated controls. This audit testing procedure provides the highest level of assurance to the auditor because he will be performing the whole process himself, most probably using automated software. For example, he might use software to re-perform a calculation and compare his results with the results that have been recorded by the client.
5. Computer Assisted Audit Technique (CAAT)/Data Analytics
CAAT has been helping auditors for many decades now. One of the biggest advantages of this audit testing method is that the auditor is able to test large volumes of data, so his work is not restricted to sample transactions only.
CAAT may range from simple spreadsheet software to data analytics software. Depending on capacity, the auditor may write his own scripts and routines to customize his audit tests. In fact, auditors have started using machine learning and artificial intelligence to gain deeper insights into big data.
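A short script of the kind mentioned above can combine re-performance with CAAT: it recomputes every record in the population and separates isolated deviations from systemic ones. This is an added example, not part of the original article; the data extract, the assumed calculation rule and the 50% threshold are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

# Constructed extract of the client's recorded results (not real data).
# Assumed automated control: total = quantity * unit_price * (1 + tax_rate),
# rounded to two decimals.
RECORDED = """txn_id,tax_code,quantity,unit_price,tax_rate,recorded_total
1001,STD,2,50.00,0.20,120.00
1002,STD,1,19.99,0.20,23.99
1003,RED,4,10.00,0.05,40.00
1004,RED,3,30.00,0.05,90.00
1005,STD,5,8.00,0.20,48.00
1006,RED,1,200.00,0.05,200.00
1007,STD,10,1.25,0.20,51.00
1008,ZER,7,3.00,0.00,21.00
"""

def reperform(row):
    """Independently recompute the total the automated control should produce."""
    total = (Decimal(row["quantity"]) * Decimal(row["unit_price"])
             * (1 + Decimal(row["tax_rate"])))
    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def reperform_population(csv_text, systemic_rate=Decimal("0.5")):
    """Re-perform every record and group the deviations by tax_code."""
    seen, bad = defaultdict(int), defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        seen[row["tax_code"]] += 1
        if reperform(row) != Decimal(row["recorded_total"]):
            bad[row["tax_code"]].append(row["txn_id"])
    findings = {}
    for code, ids in bad.items():
        rate = Decimal(len(ids)) / seen[code]
        # Assumed rule of thumb: several deviations at or above the threshold
        # rate in one group point to the rule itself, not to data entry.
        systemic = len(ids) > 1 and rate >= systemic_rate
        findings[code] = {"deviations": ids, "rate": rate,
                          "kind": "systemic" if systemic else "isolated"}
    return findings

FINDINGS = reperform_population(RECORDED)
```

On this constructed data every RED transaction deviates, which suggests the tax rule is not applied for that code, while the single STD deviation looks like an isolated entry error.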
In conclusion, there are several audit testing methods available to give assurance to the auditor. These methods can vary widely in terms of their complexity and sophistication. However, they all share some basic principles which include:
- They must be designed to address specific risk areas identified through analysis;
- They must be tailored to fit within the scope of the project;
- They must allow the auditor to exercise full control over the methodology employed;
- They must produce reliable evidence supporting conclusions drawn.