Whether performed by a Big Four firm or a regional CPA, every statutory financial audit follows a rigorous methodology designed to provide reasonable assurance that the financial statements are free from material misstatement.

For CFOs, Controllers, and Audit Committee members, understanding the exact audit procedures the external team will perform is crucial. When management knows what the auditors are looking for, they can proactively prepare documentation, accelerate the timeline, and reduce billable hours.

This guide outlines the standard audit procedures checklist, dividing the engagement into risk assessment, tests of controls, and substantive testing.

Phase 1: Risk Assessment & Planning Procedures

Before looking at a single ledger entry, auditors must understand the business environment to determine where material misstatements are most likely to occur.

  • Industry Analysis: Reviewing macroeconomic factors, regulatory changes, and competitive pressures affecting the company’s specific sector.
  • Inquiries of Management: Interviewing the C-Suite and Audit Committee to understand corporate strategy, perceived risks, and the tone at the top regarding ethics and compliance.
  • Preliminary Analytical Procedures: Comparing high-level, unaudited financial data to prior years and budget forecasts to identify unexpected variances (e.g., an unexplained 40% spike in marketing expenses).
  • Materiality Calculation: Determining the quantitative threshold ($ amount) above which a misstatement would influence the economic decisions of users. Misstatements below this threshold are generally considered immaterial.
  • Fraud Risk Assessment (SAS 99 / ISA 240): Specifically brainstorming how management could hypothetically override controls or manipulate revenue recognition.

Phase 2: Tests of Internal Controls

Auditors must evaluate the design and operating effectiveness of the company’s internal controls. If controls are strong, auditors can rely on them and perform less substantive testing. If controls are weak, auditors must do significantly more manual verification.

Segregation of Duties

  • Observation: Watching employees perform their duties to ensure the person who cuts checks is not the same person who reconciles the bank statements.
  • System Access Review: Inspecting ERP user permissions to verify that only authorized personnel have write-access to the general ledger or vendor master file.
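
The System Access Review above can be run as a repeatable check over a permission export. The following is an added example, not part of the original guide: the export layout, user names, authorized-writer lists, and the vendor-master/payments conflict pair are constructed assumptions, while the payments/bank-reconciliation conflict mirrors the check-cutting example above.

```python
from collections import defaultdict

# Constructed sample: flattened ERP permission export (user, object, access).
PERMISSIONS = [
    ("akhan", "general_ledger", "write"),
    ("akhan", "vendor_master", "read"),
    ("bortiz", "vendor_master", "write"),
    ("bortiz", "payments", "write"),
    ("cliu", "payments", "write"),
    ("cliu", "bank_reconciliation", "write"),
    ("dmeyer", "general_ledger", "write"),
    ("dmeyer", "general_ledger", "read"),
]

# Assumed policy: users approved for write access to each sensitive object.
AUTHORIZED_WRITERS = {
    "general_ledger": {"akhan"},
    "vendor_master": {"bortiz"},
}

# Assumed incompatible duty pairs: no single user should hold write on both.
CONFLICTS = [
    ("payments", "bank_reconciliation"),  # cuts checks vs. reconciles the bank
    ("vendor_master", "payments"),        # creates vendors vs. pays them
]


def review_access(permissions, authorized, conflicts):
    """Return (user, finding_type, detail) tuples for an access review."""
    writes = defaultdict(set)
    for user, obj, access in permissions:
        if access == "write":
            writes[user].add(obj)

    findings = []
    for user in sorted(writes):
        # Write access to a sensitive object without being on its approved list.
        for obj in sorted(writes[user]):
            if obj in authorized and user not in authorized[obj]:
                findings.append((user, "unauthorized_write", obj))
        # One user holding both halves of an incompatible pair.
        for a, b in conflicts:
            if a in writes[user] and b in writes[user]:
                findings.append((user, "sod_conflict", f"{a}+{b}"))
    return findings


if __name__ == "__main__":
    for finding in review_access(PERMISSIONS, AUTHORIZED_WRITERS, CONFLICTS):
        print(finding)
```
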

Authorization & Approval

  • Walkthroughs: Tracing a single transaction (e.g., buying a laptop) from the initial purchase order, through manager approval, receipt of goods, and final payment.
  • Sample Testing: Pulling 25 random disbursements over $10,000 and verifying that each contains a digital signature or dual-authorization as required by company policy.

IT General Controls (ITGC)

  • Change Management: Verifying that software patches and database changes are tested in a developer environment and approved before being pushed to production.
  • Backup & Recovery: Testing whether financial data is securely backed up and investigating the disaster recovery protocol.

Phase 3: Substantive Testing Procedures

Substantive procedures are the “heavy lifting” of the audit. This is where auditors look directly at the numbers to find misstatements. It is broken down into specific audit areas.

1. Cash and Cash Equivalents

  • Bank Confirmations: Sending standardized forms directly to the company’s banks to confirm ending balances, lines of credit, and any undisclosed loans. (Auditors require direct responses from the bank; they will never just trust management’s PDF statement.)
  • Bank Reconciliation Testing: Reviewing the year-end bank reconciliation. Vouching “deposits in transit” and “outstanding checks” to the January bank statement to ensure they eventually cleared.

2. Accounts Receivable & Revenue

  • External Confirmations: Reaching out directly to the company’s largest clients to verify that they actually owe the amount listed on the A/R aging report.
  • Subsequent Cash Receipts: Checking February and March bank statements to see if the December 31st receivables were actually paid.
  • Revenue Cut-off Testing: Selecting invoices from the last 5 days of December and the first 5 days of January. Reviewing shipping docs (Bill of Lading) to ensure revenue was recognized in the correct year according to shipping terms (FOB shipping point vs destination).

3. Inventory

  • Physical Inventory Count Observation: Actually visiting the warehouse on December 31st to observe management counting the boxes.
  • Sheet-to-Floor & Floor-to-Sheet: Picking items from the inventory ledger and finding them in the warehouse (testing existence). Picking boxes from the warehouse and ensuring they are on the ledger (testing completeness).
  • Valuation Testing (LCM): Reviewing older inventory to determine if it needs to be written down to “Lower of Cost or Market.” If the company has warehouses full of obsolete tech from 2021, the asset value must be impaired.

4. Accounts Payable & Expenses

  • Search for Unrecorded Liabilities (SUL): The most critical A/P test. Auditors review cash payments made in January and February. If a payment was for a service rendered in December, the auditor checks the December ledger. If it’s not accrued there, management understated their liabilities.
  • Expense Vouching: Selecting a random sample of large expenses (legal fees, marketing retainers, rent) and asking management to pull the original vendor invoices and proof of payment.

5. Fixed Assets (PP&E)

  • Vouching Additions: For any major new equipment purchased during the year, reviewing the invoice and verifying that it was capitalized rather than expensed.
  • Depreciation Recalculation: Independently recalculating the straight-line or MACRS depreciation schedule to ensure expenses are recorded accurately.
  • Physical Inspection: Walking the corporate office to physically verify the existence of large capital assets (servers, company vehicles).

6. Payroll

  • Analytical Review: Comparing total payroll expense to the prior year, adjusted for headcount growth.
  • Ghost Employee Testing: Comparing the payroll register to active employee files in HR. Cross-referencing direct deposit bank account numbers to check if multiple “employees” share one bank account (a classic fraud indicator).
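
The two ghost-employee comparisons above, sketched as an added example that is not part of the original guide. The record layout, employee IDs, and account numbers are constructed; account numbers are normalized to digits first so that formatting differences do not hide a shared account.

```python
from collections import defaultdict

# Constructed sample: employee IDs with an active file in HR.
HR_ACTIVE = {"E100", "E101", "E102", "E104"}

# Constructed sample: payroll register rows for one pay run.
PAYROLL_REGISTER = [
    {"emp_id": "E100", "name": "A. Khan", "account": "0210-0002-1445"},
    {"emp_id": "E101", "name": "B. Ortiz", "account": "9900112233"},
    {"emp_id": "E102", "name": "C. Liu", "account": "021000021445"},
    {"emp_id": "E103", "name": "D. Meyer", "account": "5544 3322 11"},
]


def normalize_account(raw):
    """Keep digits only so '0210-0002-1445' and '021000021445' compare equal."""
    return "".join(ch for ch in raw if ch.isdigit())


def ghost_employee_exceptions(register, hr_active):
    """Return payees missing from HR and bank accounts paid to several IDs."""
    # Test 1: everyone on the payroll register must have an active HR file.
    not_in_hr = sorted({r["emp_id"] for r in register if r["emp_id"] not in hr_active})

    # Test 2: group payees by normalized deposit account and flag sharing.
    by_account = defaultdict(set)
    for row in register:
        by_account[normalize_account(row["account"])].add(row["emp_id"])
    shared = {acct: sorted(ids) for acct, ids in by_account.items() if len(ids) > 1}

    return {"not_in_hr": not_in_hr, "shared_accounts": shared}


if __name__ == "__main__":
    print(ghost_employee_exceptions(PAYROLL_REGISTER, HR_ACTIVE))
```

Each exception is a lead for follow-up rather than proof of fraud: a shared account can be a legitimate joint account, and a missing HR file can be a timing difference.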

How the Audit Committee Uses This Checklist

The modern Audit Committee should not view external auditors as adversaries, but rather as an independent line of defense. By understanding these procedures, the Committee should:

  1. Set Expectations: Demand that management prepare the “PBC (Prepared By Client) List” items 30 days prior to field work.
  2. Challenge Exceptions: When auditors report variances or internal control deficiencies, the Committee must ensure management implements remediation plans immediately.
  3. Ensure Independence: Confirm that the external auditors have unrestricted access to all data and are performing robust, unpredictable tests rather than simply rolling forward last year’s workpapers.