4 Testing Methods Used During Audit Procedures 

What are Audit Testing Techniques?

Audit testing techniques are on-site or remote verification process, like inspecting or examining a system or process, to ensure it meets the required standards.

Auditors use four core audit testing techniques to confirm the facts and answers that a business wants to attain during an audit. These test methods focus on everything from probing questions to inspecting documents and re-performing calculations. 

Each audit procedure for review and tests of compliance helps the auditor issue a well-informed opinion based on evidence. Further, it gives the auditor the information needed to provide qualified conclusions on whether the business is operating optimally and managing potential risks properly. 

These are the four types of audit testing methods used during audit engagement. 

1. Inquiry 

Inquiry is a fairly straightforward testing method, using interview-style questioning with the point of contact for certain controls. Because the quality of the information gained from inquiry depends on the accuracy and truthfulness of the interviewee, it is considered a weaker form of testing, and should be combined with another form of testing procedure.. 

With inquiry as one of the audit techniques, auditors ask questions of the organization’s managers, accountants, and other key staff to help determine relevant information. The auditor may ask about business processes, IT processes and the appropriate financial transaction recording to ensure the company does everything possible to avoid higher risks. 

One commonly used inquiry is asking the business owner how the company’s financial and data security records are stored. The auditor considers the responses but does not accept the answers alone as confirmation.

2. Observation 

Another one of the simple and effective audit process methods involves an auditor’s observation of tasks, procedures, and conditions. This method is often used when there is no control operation documentation or when a control is automated.  

Traditionally, observation has been performed on-site during the evidence-gather phase of a SOC audit. For example, management at an audited organization may state that certain noted records have been appropriately secured in a locked drawer with proper business risk assessment. 

Then, to verify that certain records have been securely stored in locked cabinets, the auditor will watch an employee unlock the specified drawer during normal daily activities and remove the records.  

Even remotely, observation can ensure that a company has an air conditioning system capable of keeping its servers cool by checking the thermostat in the equipment room. We can also observe the configuration of IT systems to ensure that requirements are met. 

3. Examination or Inspection of Evidence 

This testing method helps auditors determine whether manual controls are consistently performed and properly documented. Inspection can be used to verify the implementation and tests of controls and check certain attributes of policies and substantive procedures.  

For example, an auditor may check to ensure that access rights are approved when a new hire starts their role. In these cases, the auditor can use inspection to verify that the access control has been designed and is operating effectively. They will also check to see if new hire access forms are being filled out correctly. 

Examining reliable evidence also includes reviewing written documentation and records, such as visitor logs, employee manuals, and system databases. 

Examining involves reviewing tangible or digital documentation to validate the design and operation of controls. This ensures that manual controls are consistently performed and documented.

On the other hand, observation directly watches tasks, conditions, or procedures as they occur in real-time. This method is applied when there is no or limited control operation documentation, or a control is automated.

4. Re-performance 

Re-performance requires the auditor to execute the effective internal control in question manually, such as re-performing a calculation that is usually automated. It is usually utilized when an external auditor is leveraging the work of an internal auditor.

The auditor can utilize the work done by an internal auditor and document it in work papers so that only a sample of the work needs to be re-tested to verify.  

The re-performance method helps decrease auditors’ workload and determine whether automated controls operate effectively. It is the strongest type of control testing method to highlight a control’s operating effectiveness.  

Organizations that benefit most from the re-performance method include:

• Financial institutions
• Technology companies
• Manufacturing firms
• Insurance providers
• Healthcare organizations
• Retail and E-commerce

Types of Audit Evidence You Need

Audit evidence is the information gathered during an audit to assess an organization’s regulatory compliance, accuracy, and overall financial health. Evidence can come in various forms depending on the nature of the audit. Here’s a breakdown of the different types:

• Company’s financial statements (income statements, balance sheets, and cash flow statements)
• Accounting or financial information (ledgers, journal entries, and trial balances) 
• Bank accounts (direct evidence of cash flow, account balances, and the legitimacy of transactions) 
• Management accounts
• Supporting documentation (contracts, receipts, purchase orders, and invoices that substantiate transactions)
• Operational records (inventory counts, production logs, or quality control reports)

How Do SOC Auditors Determine Which Testing Method to Use? 

The way that controls are tested for a SOC audit is always situation-based, according to Joe. Usually, the nature of the control determines how we test. For example, firewalls are always observed; that’s just how they need to be tested to ensure that we get reliable evidence during the engagement.

That’s why auditors working for credible firms—like IS Partners—always try to back up these weaker testing methods with another type of evidence.  

How Has SOC Testing Changed in Keeping with Technology? 

One recent development in our field is the move towards automation of the auditing process. Auditors have been largely responding to this increased demand. Automation has valuable advantages for audited entities because it can streamline evidence collection and make auditing smoother.  

“But what a lot of startups and companies that are new to compliance don’t always understand is that SOC testing and reporting really require a certified auditor. This is a huge issue in the market currently…Vanta and automated audit tools like that don’t do testing. 

Plus, what the tools tell you what to expect may not be what the auditor will ask of you during the actual audit. A lot of due diligence still needs to be done even if you sign up with one of these tools. 

Automated tools might be helpful for audit preparation if an organization has an internal person who knows what he/she is doing. However, to pass a SOC audit, the company needs to describe its environment’s controls or functions in detail. 

This can present major challenges if your organization doesn’t have that information on hand. There is no cookie-cutter testing approach; passing an audit requires real monitoring and a real control environment,” explains Joe. 

Another new development is the migration to cloud computing. “As our clients rely more heavily on cloud environments, the amount of testing related to physical access has largely decreased. 

As the responsibility for physical access shifts to CSPs, our clients can focus more on vendor monitoring. We remind our clients that they are still responsible for their data stored in the cloud and help them set up reliable ways of monitoring their third-party cloud vendors,” Ciancimino adds.

Receive Accurate Audit Tests From IS Partners

Accurate audit testing is the backbone of reliable compliance and risk management. Whether you’re preparing for a financial audit, a SOC 2 report, or cybersecurity assessment, selecting and executing the right testing methods is crucial to identify potential vulnerabilities, confirm operational effectiveness, and meet regulatory expectations. 

Without precision in testing, organizations risk gaps in compliance that could lead to financial losses, reputational damage, or regulatory penalties.

At IS Partners, we go beyond basic auditing. Our experienced auditors understand the intricacies of compliance standards, from AICPA guidelines to ISO frameworks. We work with you to identify the most effective testing methods tailored to your organization’s unique needs, ensuring:

• Tests are designed to align with your specific compliance goals.
• Controls are assessed for both design and operational effectiveness.
• Risk of material misstatements is effectively mitigated.

Our hands-on approach means you’ll work with real experts who take the time to clarify every step of the process, empowering your team to navigate audits with confidence.

Accurate audit testing is just a step away. Contact IS Partners to receive tailored audit solutions and ensure your organization is prepared for any compliance challenge.

FAQs

About The Author

Philip LaRocca

Philip joined IS Partners as a senior consultant in financial data management and IT auditing. He has worked his way up in the firm and earned numerous certifications, including CISA, CRISC, and AWS Certified Cloud Practitioner, and is a member of ISACA and the Institute of Internal Auditors.