This post is a very brief overview on the basic process to review audit test results, focusing on work done as part of a financial statement audit (FSA) or service organization controls (SOC) report.
While there are numerous different things to review and look for - all varying wildly depending on the report, client, and tester - this list serves as a solid base foundation for a reviewer.
I have used this throughout my career as a starting point to my reviews, and it has worked wonders for creating a consistent and objective template to my reviews. The goal is to keep this base high-level enough to be used on a wide variety of engagements, while still ensuring that all key areas are covered.
- Check all documents for spelling and grammar.
- Ensure all acronyms are fully explained upon first use.
- For all people referenced, use their full names and job titles upon first use.
- All supporting documents must cross-reference to the lead sheet and vice-versa.
Verify that the control has been adequately tested:
- Test of Design: Did the tester obtain information regarding how the control should perform normally and abnormally (e.g., emergency scenarios)?
- Test of Operating Effectiveness: Did the tester inquire, observe, inspect, or re-perform sufficient evidence to support their conclusion over the control? Inquiry alone is not adequate!
For any information used in the control, whether by the control
operator or by the tester, did the tester appropriately document the
source (system or person), extraction method, parameters, and
completeness and accuracy (C&A)?
- For any reports, queries, etc. used in the extraction, did the tester include a copy and notate C&A considerations?
- Did the tester document the specific criteria that the control is being tested against?
- Did the tester notate in the supporting documents where each criterion was satisfied?
If testing specific policies or procedures, are the documents
- e.g., a test to validate that a review of policy XYZ occurs periodically should also evaluate the sufficiency of the policy itself, if meant to cover the risk that such a policy does not exist and is not reviewed.
Does the test cover the appropriate period under review?
- If the test is meant to cover only a portion of the audit period, do other controls exist to mitigate the risks that exist for the remainder of the period?
- For any computer-aided audit tools (CAATs) or other automation techniques used in the test, is the use of such tools explained and appropriately documented?
- If prior-period documentation exists, are there any missing pieces of evidence that would further enhance the quality of the test?
- Was any information discovered during the walkthrough or inquiry phase that was not incorporated into the test?
- Are there new rules or expectations from your company's internal guidance or your regulatory bodies that would affect the audit approach for this control?
Was an exception, finding, or deficiency identified as a result
of this test?
- Was the control deficient in design, operation, or both?
- What was the root cause of the finding?
- Does the finding indicate other findings or potential fraud?
- What's the severity and scope of the finding?
- Do other controls exist as a form of compensation against the finding's severity, and do they mitigate the risk within the control objective?
- Does the finding exist at the end of the period, or was it resolved within the audit period?