How does the auditor determine the best tests to perform to achieve the audit objectives for a procedure? Please discuss and support your response with examples.
Service organizations bear a great responsibility when working with clients to fulfill service needs while ensuring protection of certain aspects of the client’s business.
For the Type 2 portion of both the SOC 1 and the SOC 2 audits, walkthroughs and testing of the controls set up at the service organization are performed. Testing is crucial to Type II engagements to give the auditor more information to form an opinion on the suitability of the design, as well as the operating effectiveness of controls during the specified period under review.
During either SOC Type 2 audit, the auditor walks through and tests each control objective or criteria with a specific type of testing method or procedure.
The Five Types of Testing Methods Used During Audit Procedures
There are five core testing methods that auditors use to confirm the facts and answers that a business wants to attain during an audit. The nature of these test methods focuses on everything from asking probing questions to inspecting documents and re-performing calculations.
Each testing method helps the auditor issue a well-informed opinion, based on evidence. Further, it provides the auditor with the information needed to provide qualified conclusions on whether the business is operating optimally and managing risks properly.
Following are the five types of testing methods used during audits.
1. Inquiry
Inquiry is a fairly straightforward testing method wherein the auditors ask questions of the organization’s managers, accountants and any other key staff to help determine some relevant information. The auditor may ask about business processes and the appropriate recording of financial transactions to make sure the company is doing everything possible to avoid risks.
One example of inquiry commonly used is asking the business owner how the company’s financial records are stored. The auditor takes the responses into account—but does not accept the answers alone as confirmation—to establish additional testing criteria since this method is often used in conjunction with other, more reliable methods.
2. Observation
Another simple, basic and effective testing method involves an auditor’s observation of tasks, procedures and conditions. Management will declare that certain noted records have been appropriately secured in a locked drawer. Then, in order to verify that certain stated records have been securely stored in locked cabinets, the auditor will watch an employee unlock the specified drawer during normal daily activities and reveal the records. This testing method is most often used when there is no documentation of the operation of a control.
3. Examination or Inspection of Evidence
This testing method helps auditors determine whether manual controls are being consistently performed and properly documented. For example, an auditor may check to make sure that backups are scheduled to run on a regular basis. He or she will check to see if forms are being filled out correctly. Examination of evidence also includes the review of written documentation and records that might include visitor logs, employee manuals and system databases.
4. Re-performance
Re-performance is used when inquiry, observation, and physical examination and inspection have failed to provide the requisite assurance that a control is operating effectively. This method is also helpful in determining whether automated controls are operating effectively. It is the strongest type of testing to highlight the operating effectiveness of a control. Using this method, the auditor must manually execute the control in question, such as re-performing a calculation that is usually automated.
5. Computer Assisted Audit Technique (CAAT)
The CAAT method of testing is often used to analyze large volumes of data, but it can also be used to analyze every transaction, rather than just a sample of all performed transactions. Specially designed software is used to perform a CAAT. The test can range from the use of a fairly simple spreadsheet to using highly specialized databases or additional software designed specifically for data analytics, such as IBM Analytics or Apache Hadoop.
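As an added illustration (not part of the original answer), here is a small CAAT-style test in Python for the backup-schedule control mentioned under examination of evidence: it checks every day of a review period against a backup job log instead of a sample. The log format, the dates, and the function name `check_daily_backups` are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample: export of a backup job log (job date, status).
# The format and values are assumptions made for this example.
SAMPLE_LOG = """job_date,status
2024-01-01,SUCCESS
2024-01-02,SUCCESS
2024-01-03,FAILED
2024-01-03,SUCCESS
2024-01-04,SUCCESS
2024-01-06,FAILED
2024-01-07,SUCCESS
"""

def check_daily_backups(log_text, period_start, period_end):
    """Test the full population: every day in the review period must
    have at least one successful backup. Returns a list of exceptions."""
    successes, failures = set(), set()
    for row in csv.DictReader(io.StringIO(log_text)):
        day = date.fromisoformat(row["job_date"].strip())
        if row["status"].strip().upper() == "SUCCESS":
            successes.add(day)
        else:
            failures.add(day)

    exceptions = []
    day = period_start
    while day <= period_end:
        if day not in successes:
            # Distinguish a job that ran and failed from one that never ran.
            reason = "failed, no successful rerun" if day in failures else "no job recorded"
            exceptions.append((day.isoformat(), reason))
        day += timedelta(days=1)
    return exceptions

if __name__ == "__main__":
    for day, reason in check_daily_backups(SAMPLE_LOG, date(2024, 1, 1), date(2024, 1, 7)):
        print(f"EXCEPTION {day}: {reason}")
```

A failed job followed by a successful rerun on the same day (2024-01-03 in the sample) is not reported, while a day with no log entry at all is reported separately from a day whose only job failed.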