The first stage is gain an understanding of the businesses operations and to determine the strength of the entity that is being audited by reviewing and auditing its internal procedures, policies and processes and adherence to these by staff and directors. Now this can include a wide range of audit procedures including but not limited to:
Interview of staff including directors, managers and supervisors as well as other levels.
Review of computer systems and software including whether licences are up to date, is data backed up and secure, are there disaster recovery procedures, etc
Review of internal controls and adherence to these controls.
Review of policies and adherence to policies.
This is the step of testing actual financial figures and financial information. The results of the initial testing noted at one above, will determine just how much of the financial figures will need to be tested and as such how intrusive the audit may be and how thorough. The higher the risk assessment in one above, the more testing that is required.
This testing involves taking samples of data and checking that they have been handled and processed correctly and then checking that they add back to a defined total figure represented within the financial statements of the entity. The financial statements of an entity may be as simple as a profit and loss and balance sheet or as complex as general purpose financial statements for a reporting entity.
This final step involves reaching a conclusion based on the information provided and obtained in one and two above. Ultimately the auditor is looking to determine if the accounts are free of material misstatement and in anyway misleading or incorrect. The auditor will at this time produce an audit report that will be provided to include with the financial statements.
The auditor will also produce a management report which will be provided to the directors and management of the entity for their review. This report will provide a far more detailed appraisal of all of the auditors’ findings and is intended to help the entity improve its operations and procedures.