There are several different ways to conduct testing, which may include:
- Observation or walkthrough, where auditors monitors the audit clients while they perform the duties or — if that is not possible — where the audits would simulate the transaction to be able to witness first-hand the process and controls as they take place.
- Inspection, which would include the auditor reviewing documents and records from relevant transactions. Examples of inspection include reviewing purchase orders, delivery notes, and invoices. This is the most common testing method.
- Reperformance or Recalculation, which is also a common testing method. It involves the auditor redoing the work from scratch to compare the auditor's results against the original results.
- Confirmations, which may include the auditor validating the results of internally generated documents against an independent source, such as comparing the internal cash ledger to the bank statement or comparing the receivables ledger to a statement of account provided by a supplier.
Internal controls testing usually aims to validate certain criteria about the test data, such as:
- Completeness, referring to whether the test data includes all relevant data, with no data omitted.
- Occurrence, validating that reported transactions actually took place and are not fictitious.
- Accuracy, to verify that the reported data is correct and is representative of the correct details of the transactions that occurred.
- Existence, ensuring that the transactions that took place are reflected in their physical capacity.
The type of test selected usually corresponds to the criteria being tested. Tests should be selected carefully so that they are able to generate results that would answer the query in question. A common error is conducting an irrelevant test. To avoid wasting audit resources and budget, the following considerations are helpful when planning audit testing:
- Start the test planning phase by clearly documenting the process to be tested and the internal controls that are related to it. This first step alone should provide insight as to whether the control is adequate.
- Before selecting and documenting audit tests, outline in writing the intended objective of the audit tests to verify that the objective can be fulfilled with the intended test.
- Include action points in the test plan using audit terminology such as "confirm" or "validate" and making testing procedures as detailed as possible rather than writing vague testing procedures such as "review" or "check."
The testing procedures should support the auditor in determining whether the control in question is indeed effective. The results of the testing procedures also will support the auditor's findings when the time comes to report observed audit exceptions.
Not having sufficient and accurate support to back up one's findings can compromise internal audit's credibility and professionalism. Ultimately, the soundness of the audit test may have an impact on whether the auditor and audit team is well-positioned as a trusted advisor for the audit client and the organization.