An audit checklist provides a professional auditor with a group of instructions that they must follow when reviewing a company, department, business unit or operating process. A checklist helps an auditor perform evaluations in accordance with the audit plan, corporate policies, industry practices and generally accepted auditing standards, or GAAS.
Learn about Control Environment
An auditor must familiarize themselves with the operating environment in which a company conducts business. External elements and internal factors generally affect how a corporation operates. External factors include regulatory guidelines, competitors' initiatives, and economic trends. For instance, an insurance company's external environment includes regulations such as statutory directives from the National Association of Insurance Commissioners, or NAIC. Internal factors relate to corporate processes, personnel and mechanisms that affect its operations. To illustrate, a pharmaceutical firm's internal elements may include top leadership's managerial style and ethical values, human resources policies, and the firm's competitive standing in the industry.
Test Internal Controls
An auditor tests internal controls, guidelines and procedures to ensure that such controls are adequate, functional, and conform to top leadership's directives, regulatory guidelines and laws. A control is a set of instructions that department heads put into place to prevent operating losses owing to fraud, error, employee neglect, or carelessness as well as technological malfunction. A control is adequate if it clearly instructs employees on how to perform tasks, report problems and make decisions. A functional control provides appropriate solutions to internal control weaknesses, or problems.
Rank Controls and Risks
An auditor reviews internal controls and detects risks implicit in corporate operating processes. They usually review a business segment's "risk and control self-assessment," or RCSA, report to evaluate significant risks in an area. An RCSA is a document in which segment employees list operating controls, related risks and control ranks. In an RCSA, department heads rate risks as "high," "medium" or "low" based on loss expectation. An auditor generally focuses on high and medium risks, and discusses mitigation, or correction, efforts with senior managers as well as department heads. Segment chiefs usually provide corrective measures for low-rated risks.
Issue Final Report
If an auditor believes that top leaders and department chiefs provide adequate solutions to high-rated and medium-rated risks, they do not include these risks in a final audit report. Otherwise, the auditor provides a "risk and control" summary in an explanatory paragraph in the final report. An audit specialist also assesses how high-rated risks may affect a company's accounting and financial reporting systems. This assessment is a pivotal practice because financial statements that are not complete or accurate do not conform to generally accepted accounting principles, or GAAP, and international financial reporting standards, or IFRS.